My main security focus for ‘07

Yesterday I babbled for several paragraphs about how I miss the days of high-impact worms. They really were good for business, not only because they let us justify bigger budgets but also because they let a lot of people cut their network security teeth (myself included).

Our worm defense where I work is top-notch, if I do say so myself. The best part is that we built it with no budget and not a single dedicated security guy. All we had was our imagination and a wealth of open-source software. As a result, we have an extremely cost-effective and successful worm defense system.

Now that the truly nasty worms are few and far between, what do I plan on doing in ‘07 and ‘08? Well, for starters I’m going to keep the worm defense oiled and polished. It is great at preventing and/or catching lots of stuff, not just noisy worms. But I’m also focusing on Internet Explorer hacks. There is a big need now for enterprise-level control of ActiveX (hacktive-x?). This is the vector du jour of spyware, adware, et al. Locking it down while allowing legitimate uses is a trick (the contortionists in Asian circuses come to mind when I think of how to permit legitimate uses while proactively blocking the malicious stuff).

Another area of focus should be hybrid IPS. ‘But Michael, IPS is dead.’ Wrong. You just aren’t leveraging it right. A good IPS that blocks malicious behavior (some vendors call this virtual patching) in addition to blocking by signature works wonders. This helps protect against adware, spyware, targeted hacks, worms, etc. And despite what some folks are saying, IPS is still getting a lot of funding for research and development. IBM’s purchase of ISS is a case in point: IBM is funneling additional money into the X-Force as well as the Proventia line, money that was scarce for ISS before the buy-out. And when NIPS and HIPS meet ADS and NAC, look out. When that convergence happens, we’ll truly have network security with teeth, and I’ll be there to say ‘I told ya so.’

Baseline hardening is another area I plan to keep focusing on. GPOs are an excellent way to get consistent hardening on all your boxes enterprise-wide. I base my hardening process on guides published by the NSA and NIST; both are trusted sources of time-proven techniques. In fact, four years ago I hardened a personal web server using only the NSA guide, placed that system on the Internet without any third-party security software, and it survived for months until I took it offline (and that was before Windows Firewall and automatic updates!).

One of the areas we’re working on is pulling application and intranet servers into security GPOs that do the hardening for us, cookie-cutter style. We have WWW GPOs for all IIS servers, SQL GPOs for all database servers, etc. This way we have consistency in our security, and when we tune the policy for one server all servers benefit, so we don’t have to worry about whether we updated the policy on web-server-X, Y, or Z.
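One way to verify that the role-based GPOs described above are actually reaching the servers they are meant for, as an added example that is not from the original post: a PowerShell audit using the RSAT GroupPolicy and ActiveDirectory modules. The OU distinguished names and GPO display names are assumed placeholders for your own environment.

```powershell
# Added example, not code from the original post.
# For each server role, confirm the hardening GPO exists, is linked to the OU
# that holds those servers, is enabled, and is not cut off by blocked inheritance,
# so that tuning one policy really does reach every server of that role.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules are installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Role -> OU holding the servers -> GPO that hardens that role. Placeholder values.
$RoleBaselines = @(
    @{ Role = 'WWW'; OU = 'OU=Web Servers,OU=Servers,DC=example,DC=local'; Gpo = 'SEC-Baseline-WWW' }
    @{ Role = 'SQL'; OU = 'OU=SQL Servers,OU=Servers,DC=example,DC=local'; Gpo = 'SEC-Baseline-SQL' }
)

function Test-RoleBaseline {
    param([hashtable]$Baseline)

    # Links placed directly on the OU plus those inherited from parent OUs/domain.
    $inheritance = Get-GPInheritance -Target $Baseline.OU
    $link = (@($inheritance.GpoLinks) + @($inheritance.InheritedGpoLinks)) |
        Where-Object { $_.DisplayName -eq $Baseline.Gpo } |
        Select-Object -First 1

    # ModificationTime shows when the shared policy was last tuned.
    $gpo = Get-GPO -Name $Baseline.Gpo -ErrorAction SilentlyContinue

    # Servers that actually sit under the OU and therefore receive the policy.
    $members = @(Get-ADComputer -Filter * -SearchBase $Baseline.OU -SearchScope Subtree)

    [pscustomobject]@{
        Role               = $Baseline.Role
        Gpo                = $Baseline.Gpo
        GpoExists          = [bool]$gpo
        Linked             = [bool]$link
        LinkEnabled        = if ($link) { $link.Enabled } else { $false }
        Enforced           = if ($link) { $link.Enforced } else { $false }
        InheritanceBlocked = $inheritance.GpoInheritanceBlocked
        Servers            = $members.Count
        LastTuned          = if ($gpo) { $gpo.ModificationTime } else { $null }
    }
}

# Any row with Linked/LinkEnabled false, or InheritanceBlocked true, is a server
# role that will silently miss the next policy tune-up.
$RoleBaselines | ForEach-Object { Test-RoleBaseline -Baseline $_ } | Format-Table -AutoSize
```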

So even though we no longer have to obsess over worms, we still have plenty of things to focus on.

Get your IPS on! You’ll thank me in a year.
