<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Lithik Systems &#187; firewall</title>
	<atom:link href="http://www.lithik.com/tag/firewall/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lithik.com</link>
	<description>Transforming businesses by bending technology to the will of our clients</description>
	<lastBuildDate>Thu, 26 Jan 2012 15:28:04 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>A Simplified Firewall Architecture for Combating Malware</title>
		<link>http://www.lithik.com/2010/12/31/firewall-architecture-combats-malware/</link>
		<comments>http://www.lithik.com/2010/12/31/firewall-architecture-combats-malware/#comments</comments>
		<pubDate>Sat, 01 Jan 2011 01:53:19 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[backdoor]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[information theft]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[security architecture]]></category>
		<category><![CDATA[web filter]]></category>
		<category><![CDATA[web proxy]]></category>

		<guid isPermaLink="false">http://www.lithik.com/?p=517</guid>
		<description><![CDATA[If you operate a small to medium sized bank, savings and loan, or credit union, your biggest IT security concern is the possibility of being breached by malware. Not the kind that makes pop-up windows show up on your screen, but the kind that you become aware of when your credit card processor calls you [...]]]></description>
			<content:encoded><![CDATA[<p>If you operate a small to medium sized bank, savings and loan, or credit union, your biggest IT security concern is the possibility of being breached by malware. Not the kind that makes pop-up windows show up on your screen, but the kind that you become aware of when your credit card processor calls you up and says they think all your customers&#8217; credit card numbers have been stolen. The nightmare kind of malware. The kind that they say costs <a href="http://news.cnet.com/8301-1009_3-10153858-83.html" target="_blank">$6.6 million</a> to fix.</p>
<p>The kind that puts banks your size out of business.</p>
<p>Is there anything you can do other than worry? Isn&#8217;t this stuff so complicated only grad students in computer science can understand it? People say that nothing is truly secure—isn&#8217;t that true?</p>
<p>You can do something about it, because hackers have adopted a relatively uniform mass-production approach to attacking computers. And yes, you can understand it.<span id="more-517"></span></p>
<h2>How Malware Works</h2>
<p>Hackers don&#8217;t pick your name out of a hat and then decide to attack you; that&#8217;s so 1999. Their desire to make a profit has driven them to use highly efficient and highly effective techniques designed to maximize the number of breached systems rather than maximizing their ability to breach a specific target. Their chosen approach is actually quite clever. Here&#8217;s how it rolls out:</p>
<ol>
<li>A hacker penetrates a legitimate web site and modifies it so that a visiting web browser also pulls data from the hacker&#8217;s web site. The Google Anti-Malware Team recently found <a href="http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html" target="_blank"><em>3 million</em></a> such URLs in a survey of Google&#8217;s stored copies of web sites.</li>
<li>A normal person visits one of these infected web sites, causing the web browser to also make a request to the hacker&#8217;s web site. The hacker&#8217;s web site determines which operating system and which browser the innocent web surfer is using, then sends back a series of specially crafted HTML, PDF or other file types that contain exploit data for commonly found missing patches. An exploit is typically a pattern in the returned data that causes the targeted software to misbehave in some way due to a bug introduced accidentally by the program&#8217;s author when he wrote it. The exploits are specifically aimed at the user&#8217;s operating system and browser in order to maximize the likelihood of a breach.</li>
<li>If the user&#8217;s computer is running some amount of unpatched software, and if at least one of the attacker&#8217;s chosen exploits matches up exactly with one of the user&#8217;s missing patches, then the hacker&#8217;s malicious pattern of data causes the user&#8217;s buggy program to actually execute software the hacker himself wrote and included as part of the malicious data pattern.</li>
<li>Typically the first thing the hacker&#8217;s software does is to issue more requests to hacker web sites, downloading and installing more malicious software.  It is rare to be infected by a single virus; malware usually arrives more as a malicious throng than a single stealthy intruder.</li>
<li>Once the hacker&#8217;s programs are installed on the user&#8217;s computer, his software runs and begins to carry out his wishes. Sometimes this means sending Spam e-mail messages to millions of people.  Other times it may mean spraying a specific web site with huge amounts of bogus web requests, a so-called <em>Denial of Service</em> attack. But the scenario that terrifies us is the one where the software on the infected machine makes a network connection to one of the hacker&#8217;s servers that doesn&#8217;t download software, but instead stays connected. The purpose of this long-term connection is instead to provide two-way communication. This gives the hacker a direct path from his server on the outside right through your firewall, a so-called <em>backdoor</em> into the heart of your company&#8217;s computer network.</li>
</ol>
<p>Once inside, the hacker can do whatever he&#8217;d be able to do if he had free rein of your office. He can search through computer files, he can listen for passwords, he can record information displayed on customer account screens. He can also probe other machines on your network looking for more unpatched systems. Note that this is no longer an impersonal piece of automation running; now you have a real, live hacker rummaging through your data looking for something he can sell. And if it was that easy to get inside in the first place, it&#8217;s usually even easier to get access to the machines that contain all your customer data and ship it off to Russia. Or China. Or Cleveland.</p>
<p>According to the <a href="http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf" target="_blank">Verizon <em>2010 Data Breach Investigations Report</em></a>, the U. S. Secret Service reports that, although insider attacks are up 26% over last year, 96.5% of all stolen customer records occurred through external attacks. 95% of those external attacks were attributable to malware, the kind we just described. 80% involved malware that was explicitly designed to provide remote access to the hacker, the kind that lets him steal all your customer data.</p>
<h2>Traditional Defenses</h2>
<p>Most anti-malware strategies involve trying to stop it from infecting you in the first place. Reputation-based browser features compare the link you clicked on against a database of sites that have been reported to contain malware, popping up a warning if it finds a match. So-called UTM (Unified Threat Management) appliances or next-generation firewalls look inside the web browser data stream searching for data patterns that look like exploits, or they examine the entire returned web page, making sure it adheres strictly to the HTML standard. Sometimes they even can figure out what web application you are running, tailoring their activities to the specific site or function.</p>
<p>The best known defense, though, is anti-virus. A few years ago, the leading anti-virus systems would catch 99% or more of all malicious software.  Today, the best anti-virus systems detect and block perhaps half of all infections, but if an infected web site launches twelve exploits at you, and if, say, four of them match up with patches you are missing, then you&#8217;d still have a probability of 1 &#8211; 0.5<sup><small>4</small></sup> = 94% of being infected because of that one click.</p>
<p>It may not be the best known, but the most effective defense against malware in common use today is simple. Keep your systems patched! This has gotten much easier since Microsoft introduced Automatic Updates ten years ago. Unfortunately, the summer of 2009 saw Adobe break Microsoft&#8217;s long run as King of Vulnerable Software. Even more unfortunately, Adobe and the other commonly attacked desktop software vendors have not come close to matching the effectiveness of Microsoft&#8217;s efforts to provide patching tools (<a href="http://support.microsoft.com/kb/306525" target="_blank">Automatic Updates</a> and <a href="http://en.wikipedia.org/wiki/Windows_Server_Update_Services" target="_blank">WSUS</a>) and patch scanning tools (<a href="http://technet.microsoft.com/en-us/security/cc184923" target="_blank">MBSA</a>). See my article <a href="http://www.lithik.com/2010/12/30/keeping-windows-patched" target="_blank">Keeping Windows Patched</a> for more on this topic.</p>
<h2>A Simplified Firewall Architecture for Combating Malware</h2>
<p>It is certainly painful to have to deal with an infected machine. In most environments, the machine must be reformatted and reinstalled by hand, a job which can take anywhere from half a day by an experienced IT professional to as long as two days if a lot of software installation and reconfiguration must be performed. Using a disk imaging system can bring that time down to 20 minutes, but such a solution has its own costs. But the cost of recovering an infected machine never exceeds a thousand dollars or so. The real cost is in the risk of breach. <em>That</em> is where we should be putting our effort—<em>making it as difficult as possible for an infected machine to establish a backdoor connection.</em></p>
<p>The funny thing is, this is the part that isn&#8217;t all that hard. The last few years have seen an explosion in the growth of cloud-based security products, especially <em>filtering web proxies</em>. A web proxy is a special server that acts as a mediator between a web browser and a web site. The addition of filtering capabilities, including all those features listed above for advanced firewalls, makes this a very attractive service. But we at Lithik Systems believe that the greatest benefit of such a service comes from what it allows you to do to your firewall configuration.</p>
<p>The reason the hacker&#8217;s malware can build that backdoor connection so easily is that nearly everyone has their firewall configured to allow outbound web browser connections to an unlimited number of destinations. If the firewall allowed web browsers to only go to a short list of places, the backdoor could never be set up. Many if not most corporate firewalls are configured to allow e-mail traffic only to a short list of e-mail servers. The same is true of many other services. If all Internet traffic originating from behind the firewall was only allowed to go to a fixed list of destinations, no backdoors could ever exist. This is easy except for web traffic, and if a web proxy service is used, web traffic can be controlled in exactly the same way.</p>
<p>You may say, though, that a backdoor can indeed exist. Even though it would be tricky, even though the malware would have to somehow figure out that you were using a web proxy, and even though it would have to figure out where it was and how to authenticate with it, the malware could go <em>through</em> the web proxy. That&#8217;s why it&#8217;s important that you choose a service that has a really good filter. That&#8217;s also why you probably shouldn&#8217;t simply install a cheap, non-authenticating web proxy server just outside your firewall. Future-proof your solution now.</p>
<p>But wait, there&#8217;s more.</p>
<p>Utilizing the above approach can eliminate (or nearly eliminate) the likelihood of an outsider stealing your data. But once your firewall is configured with no unlimited destinations in any rules at all, you have a new option in front of you. If the firewall is then set up to trigger an alarm whenever any kind of traffic is blocked trying to go to an unauthorized destination, you have an IDS (Intrusion Detection System) that can almost perfectly detect external breaches. An alarm means that the offending machine is infected. Now, it could also mean that someone just misconfigured some application, or someone just installed a program that didn&#8217;t know about the web proxy and tried to auto-update itself, but those situations will only happen when you should expect them, and the cause should be obvious. But if your firewall sends you a text on your cell phone when no IT people are making any changes, you almost certainly have an infected machine.</p>
<h2>Cost-Benefit Analysis</h2>
<p>Costs:</p>
<ul>
<li>$5 per month per desktop computer for a top quality web filtering service</li>
<li>$50 per desktop for a permanent license to a good remote disk imaging system so you are never motivated to avoid reinstalling an infected machine</li>
<li>Time and effort to configure the new setup</li>
</ul>
<p>Benefits:</p>
<ul>
<li>A good filtering proxy will substantially reduce the number of infections you incur</li>
<li>No fancy firewall features are required</li>
<li>Infected machines can be cleaned in about 20 minutes</li>
<li>Infected machines are brought to your attention immediately</li>
<li>Patch management becomes easy (this is a side benefit of using a disk imaging system)</li>
<li><em>A breach involving information theft is nearly impossible</em></li>
</ul>
<h2>Take Action</h2>
<p>The above approach can dramatically reduce your risk of a serious breach.  The cost is moderate, and the side benefits are attractive. Do not put this off; talk about it with your IT staff and with your senior management, then make a decision. Choose wisely.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2010/12/31/firewall-architecture-combats-malware/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Security Auditing and Security Design</title>
		<link>http://www.lithik.com/2010/11/03/security-auditing-and-security-design/</link>
		<comments>http://www.lithik.com/2010/11/03/security-auditing-and-security-design/#comments</comments>
		<pubDate>Wed, 03 Nov 2010 18:19:02 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Adobe]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[defense in depth]]></category>
		<category><![CDATA[device inventory]]></category>
		<category><![CDATA[drive-by downloads]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[HIPS]]></category>
		<category><![CDATA[Java]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[malware shedding]]></category>
		<category><![CDATA[missing patches]]></category>
		<category><![CDATA[security auditing]]></category>

		<guid isPermaLink="false">http://www.lithik.com/?p=451</guid>
		<description><![CDATA[My partner Ron Kellogg and I recently spoke at a meeting of the Northwest Ohio Auditors Association to update them on what an internal auditor should be looking for in an IT audit. We also talked about some new network architecture ideas that can drastically improve an organization&#8217;s resistance to web-borne and e-mail-borne malware. Click [...]]]></description>
			<content:encoded><![CDATA[<p>My partner Ron Kellogg and I recently spoke at a meeting of the Northwest Ohio Auditors Association to update them on what an internal auditor should be looking for in an IT audit.  We also talked about some new network architecture ideas that can drastically improve an organization&#8217;s resistance to web-borne and e-mail-borne malware.</p>
<p>Click <a href="http://www.lithik.com/downloads/security-auditing-and-security-design.pdf">here</a> for the slides.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2010/11/03/security-auditing-and-security-design/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Traveling Safely With a Laptop</title>
		<link>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/</link>
		<comments>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/#comments</comments>
		<pubDate>Fri, 10 Apr 2009 03:11:07 +0000</pubDate>
		<dc:creator>Karl Fox</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[autorun]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[FDE]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[laptop]]></category>
		<category><![CDATA[notebook]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[privilege]]></category>
		<category><![CDATA[secure]]></category>
		<category><![CDATA[theft]]></category>
		<category><![CDATA[USB drive]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www3.lithik.com/?p=142</guid>
		<description><![CDATA[Carrying a laptop has always meant a bit of risk. If you&#8217;re like me, you watch your bag like a hawk when you&#8217;re in a restaurant or in an airport. Laptops have always had great resale value on the black market, but with HIPAA, PCI, GLB and Sarbanes-Oxley violations costing organizations millions of dollars [...]]]></description>
			<content:encoded><![CDATA[<p>Carrying a laptop has always meant a bit of risk.  If you&#8217;re like me, you watch your bag like a hawk when you&#8217;re in a restaurant or in an airport.  Laptops have always had great resale value on the black market, but with HIPAA, PCI, GLB and Sarbanes-Oxley violations costing organizations millions of dollars to recover from a single information theft incident, the danger is at an all-time high.</p>
<p>It doesn&#8217;t have to be that way.</p>
<p>There are some tried-and-true, basic steps you can take to dramatically reduce the cost to your organization of data loss due to laptop theft or malicious penetration when using your computer in a public place.  Implement them all and you can come close to eliminating the possibility of a data breach.  The following steps are organized by the threat they mitigate.<br />
<span id="more-142"></span></p>
<h2>Theft</h2>
<p>The best way to deal with the risk of laptop theft is to ensure that the thief cannot possibly get any of your information off of the computer.  If you work for a real business, the cost of having private information (proprietary data, HIPAA Protected Health Information, PCI records, etc.) fall into the hands of the bad guys is immeasurably greater than the value of the physical laptop.  Insurance will probably pay for new equipment anyway.  Fortunately, good technology is available to protect your information at a reasonable price.  My favorite price is free.</p>
<p><a href="http://www.truecrypt.org">TrueCrypt</a> is a free, open-source, high-quality Full Disk Encryption (FDE) product.  It supports a wide variety of modern encryption algorithms that are sure to foil any information thief.  But remember that once somebody has possession of your computer, it would be a very simple thing to boot it from a CD-ROM containing an FDE password cracker, a tool that would make short work of a simple boot-time encryption password like &#8220;<a href="http://modernl.com/article/top-10-most-common-passwords">letmein</a>&#8221;.  So <a href="http://www.lithik.com/2009/08/04/creating-good-passwords">choose a really good password</a>, where really good means really long.  Something like &#8220;till the end of time&#8221; (20 characters) will keep any current password cracker hunting for a few hundred years, or until someone adds phrases from popular songs or the Bible to the word lists employed by these hacker tools. You can mix it up with strange capitalization or a misspelling (say, &#8220;@ the end of Time&#8221;) to make it even harder, but the best way to make it better is to make it longer.</p>
<h2>Packet Sniffing</h2>
<p>You may have confidence in your WPA2 wireless G network at work, but what about when you&#8217;re on the unencrypted wireless network at Starbucks or plugged into the Ethernet at your hotel?  This is where the Virtual Private Network (VPN) shines, and there&#8217;s a really nice one out there at my favorite price.</p>
<p><a href="http://openvpn.net">OpenVPN</a> is a free, open-source VPN tool that runs on Windows, Linux, and even wireless access points.  When using <a href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer">TLS</a> (the successor to SSL) to negotiate 256-bit AES encryption authenticated with 1024-bit RSA certificates, this is a solid protocol with excellent credentials.  When carried over UDP, it has none of the difficulty traversing <a href="http://en.wikipedia.org/wiki/Network_address_translation">NAT</a> routers or firewalls that bedevils <a href="http://en.wikipedia.org/wiki/IPsec">IPSec</a> users.  We set it up so that it&#8217;s always on, staying out of the way when no network is attached or when accessing public web sites, but connecting automatically when possible to allow secure access to corporate internal systems.  It&#8217;s especially secure if <em>all</em> your traffic goes through the VPN, even when performing such mundane tasks as browsing public web sites.  Setting up OpenVPN, however, is not for the faint of heart, so hire a professional to do it for you.</p>
<h2>Network Attacks</h2>
<p>Being sniffed is not the only threat you face on public networks.  You are also open to direct attack from other network dwellers, so don&#8217;t make it easy on them by leaving your file shares open to the world.  The best configuration is termed &#8220;stealth&#8221;, where your computer refuses to respond to any incoming traffic at all.  No file sharing, no iTunes sharing, no remote desktop and no ping.  Only <a href="http://en.wikipedia.org/wiki/Address_Resolution_Protocol">ARP</a> remains operational, but it has to because you need it so that other devices can respond to your outbound web and other requests.</p>
<p>Fortunately, you can probably have your cake and eat it too.  Windows XP has two separate sets of firewall configuration rules, one for when you&#8217;re attached to a corporate Active Directory domain and one for when you&#8217;re not.  If you use Active Directory at work, you can set up the &#8220;domain profile&#8221; to allow management by your IT staff and configure the &#8220;standard profile&#8221; to be stealth when you&#8217;re on the road.</p>
<p>If you use Vista, you have even more choices.  There are three different firewall profiles: domain, public and private.  With Vista, you can have one set of rules for work, one for your home, and one for Starbucks and other dangerous places.</p>
<p>But what if you work at a small place that doesn&#8217;t use Active Directory?  You still have options.  On Vista, you can use your private firewall profile for work and the public one for everywhere else.  If you&#8217;re running XP, though, it&#8217;s a little tougher.  Have your IT folks set up rules in your standard firewall profile that are very tightly fitted to their setup.  Perhaps allow Remote Desktop and remote administration only from the corporate server&#8217;s IP address.  It&#8217;s not perfect, but an attacker will never know the difference unless you just happen to be on a public network with the same IP network number as your office <em>and</em> he happens to have the same IP address as your corporate server.  Not perfect, but pretty darn good.</p>
<h2>Passive Attacks</h2>
<p>Nearly all successful penetrations of home or corporate desktops occur through passive attacks such as visiting an infected web site or opening an infected e-mail attachment.  We&#8217;re so familiar with this kind of attack that it should come as no surprise that the mitigation is also familiar.  Keep your computer up-to-date with all the latest Windows and other patches, and use a good antivirus system.  Set your computer to update automatically with Windows as well as other applications: Adobe Reader, Flash, Apple QuickTime, etc.  Not all antivirus systems are created equal, either.  Check out <a href="http://www.av-comparatives.org">AV-Comparatives.org</a> to find out which are the best.</p>
<h2>&#8220;Drive-by&#8221; Attacks</h2>
<p>Someone plugs a hacked USB drive into your computer.  Or they load a CD-ROM while you&#8217;re in the bathroom.  Or you leave it unattended and someone reads your e-mail or steals a file by e-mailing it to himself.  These scenarios tend to be more paranoid than the ones above because you typically leave your computer unattended only in environments where the people are trustworthy.  Or so you think.</p>
<p>We keep hearing the statistic that 80% of all data breaches are perpetrated by insiders, but we can&#8217;t think of anyone where we work who would ever do that.  But they must exist, and, of course, any such person would keep such evil thoughts very, very private.  So let&#8217;s make a few changes that keep easy access to your computer just out of reach.</p>
<p>The first and easiest step is setting up a locking screensaver.  On nearly every screensaver, there is an option to have it prompt for a password before returning to normal operation.  Some computers also allow you to set up a quick and easy way to engage the screensaver, such as moving the mouse pointer to one of the corners of the screen.  Or you can press the Windows logo key (if you have one) plus the L key to immediately engage the screensaver.</p>
<p>Sometimes the Windows autorun feature is handy, but just as often I find it annoying.  But it can be positively dangerous if inserting a USB drive or CD-ROM automatically runs software from the device, especially if you think your computer is safe because the screen is locked.  Get rid of this behavior by <a href="http://www.lithik.com/2009/10/22/disabling-the-windows-autorun-feature">disabling autorun</a> (not autoplay&mdash;that&#8217;s different and not dangerous).  Just google for the phrase &#8220;disable autorun&#8221; and you&#8217;ll find dozens of step-by-step recipes.</p>
<p>Finally, any malicious person or software will find it much more difficult to infect your computer if you log in under an account that does not have administrative powers.  You need to be an administrator to do things like install new software, but that&#8217;s best done in a separate account.  Go to Control Panel -> User Accounts and create a new login with account type set to Computer administrator, then change the type of your regular account to Limited.  This is what Apple recommends its users do on OS X, and it plays a significant role in making Macs more secure than Windows computers.</p>
<h2>Summary</h2>
<p>You <em>can</em> carry a secure laptop, and it doesn&#8217;t have to be painful or expensive.  Here&#8217;s the list again:</p>
<ul>
<li>Use Full Disk Encryption (FDE)</li>
<li>Choose a <em>long</em> FDE password</li>
<li>Use a VPN to connect to your company&#8217;s systems</li>
<li>Set Windows firewall to <em>stealth</em></li>
<li>Configure Automatic Updates</li>
<li>Install a good antivirus system</li>
<li>Use a locking screensaver</li>
<li>Disable autorun</li>
<li>Use a non-privileged account for normal computer uses</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.lithik.com/2009/04/09/traveling-safely-with-a-laptop/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

