I was thinking about the way that the concept of a “perimeter” has changed in the time I have been in information security. (Obviously, I need some better hobbies…)
Back in the day, we security people could react to threats and vulnerabilities by closing ports, disabling services, and sticking a firewall in front of our resources. We built our castles, each with its own little moat, and told the King that all would be well.
Today, when I think of network perimeters, my first thought goes to user workstations and their associated humans. It seems like the workstation is the place where the most dangerous elements of the outside world and our networks converge.
For this reason, while we still need our firewalls and secure server configurations, it seems like we get the most bang for our security buck from a new set of tools:
Web filtering – if you don’t have some sort of intelligent, threat-driven proxy between your users and the Internet, you should. Stop reading this silly blog post and go get that done now! When people think about web filters, they think about keeping porn off their networks and stopping people from wasting time on www.catsthatlooklikehitler.com. While these are worthy goals, the real value of a web filter is blocking your users from known-bad malware and scam sites. Your filter has to be paired with real-time threat intelligence that keeps it up to date – this costs money, but it is an excellent investment.
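To make the "known-bad sites" part concrete, here is an added example (not code from the original post) of the check a feed-driven filter performs on each request: normalize the hostname, consult local exceptions, then match the host and every parent domain against the feed on label boundaries. The feed entries, allowlist and URLs are constructed sample data; a real proxy pulls a continuously updated feed, which is the part you pay for.

```python
"""URL block check of the kind an intelligence-driven web filter performs.

Added example, not code from the original post. BLOCKED_DOMAINS and
ALLOWED_DOMAINS are constructed sample data standing in for the live threat
feed and the local exceptions a real proxy would use.
"""
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed feed entries: domains reported as malware or scam hosts.
BLOCKED_DOMAINS: Set[str] = {"malware-drop.example", "login-verify.example.net"}
# Constructed local exceptions: hosts that must never be blocked.
ALLOWED_DOMAINS: Set[str] = {"intranet.corp.example"}


def hostname_of(url: str) -> str:
    """Normalized hostname: lowercase, no port, no trailing dot.

    A bare 'host/path' without a scheme is accepted as well, since proxies
    often see only a Host header rather than a full URL."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def domain_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the entry in `domains` that covers `host`, matching the host
    itself or any parent domain on a label boundary: 'cdn.malware-drop.example'
    hits 'malware-drop.example', while 'notmalware-drop.example' does not."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def check_url(url: str) -> Tuple[str, str]:
    """Classify a URL as ('allow', reason) or ('block', reason).

    Local exceptions are consulted before the feed, and a request whose host
    cannot be parsed is blocked rather than waved through."""
    host = hostname_of(url)
    if not host:
        return ("block", "unparseable host")
    if domain_matches(host, ALLOWED_DOMAINS):
        return ("allow", "allowlisted")
    hit = domain_matches(host, BLOCKED_DOMAINS)
    if hit:
        return ("block", "feed entry " + hit)
    return ("allow", "no feed match")


if __name__ == "__main__":
    for u in ("http://cdn.malware-drop.example/payload.exe",
              "https://intranet.corp.example/",
              "notmalware-drop.example/login",
              "https://www.example.org/"):
        print(u, "->", check_url(u))
```

The label-boundary match is the detail worth noticing: a naive substring test would either miss subdomains of a listed host or block unrelated domains that happen to contain a listed name.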
Email filtering – most attacks these days start with a phishing email. If you can stop most of these from making it to user inboxes, you have eliminated a huge threat. Email filters should be tuned to catch spam, malware, phishing and impostor emails. Extra credit for automatically putting a prominent indicator on messages that originated outside the corporate network. Again, the filter needs to be intelligence-driven and you’ll have to pay for this, but again, the costs are dwarfed by the potential cost of an incident.
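The "prominent indicator" idea, as an added example that is not code from the original post: decide whether a message came from outside based on the From address, prefix the subject, set a marker header and prepend a banner to the body. CORP_DOMAINS, the banner text and the three sample messages are constructed; a real gateway does this in a transport or milter rule, and the lookalike-domain and display-name samples show two impostor patterns the banner is meant to make visible to users.

```python
"""Mark inbound mail that originated outside the organization.

Added example, not code from the original post. CORP_DOMAINS, the tag and
banner text, and the sample messages are all constructed; a real gateway
applies this logic in a transport or milter rule rather than a script.
"""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAINS = {"corp.example"}  # constructed: domains treated as internal
TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This message came from outside the organization. "
          "Do not click links or open attachments unless you recognize the sender.")


def sender_domain(raw: str) -> str:
    """Domain of the address in the From header, lowercased ('' if missing).

    parseaddr() returns the address inside <...>, so a display name that
    merely looks like an internal address does not count."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(raw: str) -> bool:
    """True unless the From domain is one of ours; blank or unparseable senders
    count as external. Only the visible From header is inspected, so a forged
    internal From address still needs SPF/DKIM/DMARC enforcement at the
    gateway: the tag is a cue for users, not proof of origin."""
    return sender_domain(raw) not in CORP_DOMAINS


def tag_external(raw: str) -> str:
    """Return the message with TAG prefixed to the subject, a marker header set,
    and BANNER prepended to an unencoded text/plain body. Internal mail comes
    back unchanged; multipart or encoded bodies get only the subject and header
    treatment here. An already tagged message is not tagged a second time."""
    if not is_external(raw):
        return raw
    msg = message_from_string(raw)
    # A header we assign must not be trusted from the wire: drop any copy the
    # sender supplied, then set our own.
    del msg["X-External-Sender"]
    msg["X-External-Sender"] = "yes"
    subject = msg.get("Subject", "")
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = (TAG + " " + subject).strip()
    encoding = msg.get("Content-Transfer-Encoding", "7bit").lower()
    if (not msg.is_multipart() and msg.get_content_type() == "text/plain"
            and encoding in ("7bit", "8bit")):
        body = msg.get_payload()
        if BANNER not in body:
            msg.set_payload(BANNER + "\n\n" + body)
    return msg.as_string()


# Constructed samples: a lookalike domain, an internal-looking display name in
# front of an outside address, and a genuinely internal message.
SAMPLE_LOOKALIKE = """From: "Payroll" <payroll@corp-example.co>
To: alice@corp.example
Subject: Urgent: update your direct deposit

Please confirm your bank details at the link below.
"""
SAMPLE_DISPLAY_NAME = """From: "ceo@corp.example" <someone@mail.example.org>
To: bob@corp.example
Subject: Quick favor

Are you at your desk? I need you to handle something for me right away.
"""
SAMPLE_INTERNAL = """From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Lunch?

Noon at the usual place.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_DISPLAY_NAME, SAMPLE_INTERNAL):
        print(tag_external(sample))
        print("-" * 40)
```

Two design points: the marker header is stripped before it is set, because a header your gateway adds is also one a sender can pre-populate, and the check keys off the parsed address rather than the display name, which is where the "CEO" in a display-name impostor lives.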
Workstation anti-malware – today, signature-based antivirus software just does not cut the mustard. (I wonder where that idiom came from… oh, thanks, Internet). It is stunningly easy to wrap malware in polymorphic disguises that confound signature-based scanning. For Pete’s sake, *I* can do it! Your workstation protection solution has to be behavior-based, looking for programs that do suspicious things rather than looking for specific strings of 1s and 0s. More budget to ask for… sorry.
Patching – finally, something you don’t have to pay extra for… keeping your workstations updated with the latest patches and fixes for operating systems, browsers and key programs like Adobe Reader, Flash, Java and the like is really important. On the day after “Patch Tuesday,” update a few workstations, let them run for a few days to be sure all is well, and then roll the patches out to the rest of your workstations. Make sure your users reboot after patching – this also ensures their browsers are restarted so that the auto-updates are applied.
Inventory of workstation hardware and software – you cannot protect what you can’t see. Knowing about that Windows XP box in Facilities is the first step in getting rid of it! Watch for new software installations (ideally, your users don’t have local admin privileges on their machines, but this can be problematic in some environments, like software development).
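Here is an added example (not code from the original post) of what you do with an inventory once you have one: compare two consecutive snapshots to find machines on an unsupported OS, hosts that appeared or vanished, and software that showed up since the last run. The snapshots and the UNSUPPORTED_OS list are constructed sample data; in practice the records come from your inventory agent or directory and the OS list from vendor lifecycle dates.

```python
"""Inventory checks: unsupported operating systems, hosts that appeared or
vanished, and software that showed up since the last scan.

Added example, not code from the original post. The snapshots and the
UNSUPPORTED_OS list are constructed sample data; a real run would read the
inventory agent's export and maintain the OS list from vendor lifecycle dates.
"""
from typing import Dict, List, Set

# A snapshot maps hostname -> {"os": str, "software": set of installed titles}.
Snapshot = Dict[str, dict]

# Constructed: operating systems past vendor support.
UNSUPPORTED_OS: Set[str] = {"Windows XP"}

# Constructed snapshots from two consecutive inventory runs.
PREVIOUS: Snapshot = {
    "fac-print01": {"os": "Windows XP", "software": {"Printer Console 2.1"}},
    "dev-ws07": {"os": "Windows 8.1",
                 "software": {"Visual Studio 2013", "Git 1.9"}},
    "acct-ws12": {"os": "Windows 7",
                  "software": {"Office 2010", "Adobe Reader XI"}},
}
LATEST: Snapshot = {
    "fac-print01": {"os": "Windows XP", "software": {"Printer Console 2.1"}},
    "dev-ws07": {"os": "Windows 8.1",
                 "software": {"Visual Studio 2013", "Git 1.9", "CoolToolbar 3.0"}},
    "acct-ws12": {"os": "Windows 7",
                  "software": {"Office 2010", "Adobe Reader XI"}},
    "tmp-laptop3": {"os": "Windows 8.1", "software": {"Office 2013"}},
}


def unsupported_hosts(snap: Snapshot) -> List[str]:
    """Hosts running an OS on the unsupported list; knowing they exist is the
    first step toward retiring them."""
    return sorted(h for h, rec in snap.items() if rec["os"] in UNSUPPORTED_OS)


def new_hosts(prev: Snapshot, curr: Snapshot) -> List[str]:
    """Hosts seen now that were not in the previous run (unknown machines)."""
    return sorted(set(curr) - set(prev))


def missing_hosts(prev: Snapshot, curr: Snapshot) -> List[str]:
    """Hosts from the previous run that did not report this time (dead agent,
    machine off the network, or something evading inventory)."""
    return sorted(set(prev) - set(curr))


def new_software(prev: Snapshot, curr: Snapshot) -> Dict[str, Set[str]]:
    """Software present now but not in the previous snapshot for that host.

    A host that is new to the inventory reports everything as new, which is
    the intended behaviour: nobody has reviewed that machine yet."""
    changes: Dict[str, Set[str]] = {}
    for host, rec in curr.items():
        before = prev.get(host, {"software": set()})["software"]
        added = rec["software"] - before
        if added:
            changes[host] = added
    return changes


def report(prev: Snapshot, curr: Snapshot) -> Dict[str, object]:
    """Everything a reviewer should look at after a run, in one structure."""
    return {
        "unsupported_os": unsupported_hosts(curr),
        "new_hosts": new_hosts(prev, curr),
        "missing_hosts": missing_hosts(prev, curr),
        "new_software": new_software(prev, curr),
    }


if __name__ == "__main__":
    for key, value in report(PREVIOUS, LATEST).items():
        print(key, "->", value)
```

The new-software diff is what turns "watch for new installations" into something you can actually review weekly, and it works whether or not users have local admin rights; it just gets much shorter when they don't.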
Now, go take a look at your network and see which of these steps needs work… in part 2 of this post, I’ll talk about the MOST important thing you can do to secure this new perimeter (cliffhanger, eh?)