What are some suggested Security Best Practices?
A Holistic approach to security on a network is only the beginning of a larger process of securing an enterprise.
The best plan is created after assets have been identified and evaluated, a vulnerability assessment has been done, an appraisal of existing countermeasures has been accomplished, postulation and analysis of threats have been performed, then a cost to benefit ratio of possible new and existing security infrastructure has been completed.
During this phase, questions like "what are we trying to protect?", "what type of attacks are most likely or possible?", "where are we vulnerable?", and "how much would an attack cost us versus how much it would cost to counter?”
Virus definitions and IPS signatures are up to date:
The virus definitions for antivirus software and IPS signatures for firewall software must be updated regularly to recognize new viruses and protect against intrusions.
Use the lowest privileged user possible:
Assigning the lowest users permissions but still allowing users to complete their job duties will also reduce the available avenues of attack.
For more information see the 'Restricted users cannot run LiveUpdate under Windows 2003/XP/2000' document listed in Appendix I.
Disconnect Mapped Drives:
It is common in a networked environment to setup mapped drives to the servers for easy access to needed files, databases, and other tools. Disconnecting these mapped drives reduce available avenues of attack. Many folks use shortcuts to map the drives to avoid threats that auto-populate all drives.
Password protect any shared folders, close open shares and enforce the use of strong passwords:
A strong password should be relatively lengthy, meaningless, and use a variety of character types. Passwords should never be words that can be found in any dictionary because those are usually the first to be exploited. Require passwords that combine uppercase characters, lower-case characters, numbers, and special characters. Passwords should never be shared, particularly on the Internet, in email, or through instant messaging applications.
Disable autorun functionality:
The "autorun.inf" file in and of itself, is not malicious. It is just a text file. However, many threats have been successful in using the Autorun features of the operating system as a vector of attack. To limit this vector, disable the Autorun feature in the Operating System.
For more information see the 'How to prevent a virus from spreading using the "AutoRun" feature' document listed in Appendix I.
Develop and maintain an Emergency Response Plan:
If your network is managed by more than one person, it is important to define and verify security policies. To have accurate information for the evaluation of the network from a security perspective, it is important to have a team of different people from different areas of your company. As not all participants will have a full understanding of security; the varied group of people should give a better picture as compared to talking with only one central or small group of individuals within your company.
Make sure that all software and hardware settings are configured as expected and that the settings are appropriate for current security threats. Re-evaluate your security policies and practices as new vulnerabilities surface. For information about the latest vulnerabilities and security advisories, visit the Symantec Security Response Web site.
Harden Operating Systems:
System hardening is a step by step process of securely configuring your systems to protect them against intrusions, while also taking steps to make the system more reliable. Generally anything that is done in the name of system hardening ensures the system is both secure and reliable.
o New operating systems have not been massively probed by hackers. Mature operating systems are a known quantity. While the risks are known, so are the fixes.
o Strip down the operating system to support only essential services
o Disable unnecessary protocols and subsystems
o Install a firewall and monitor the logs
o Validate any data inputs, both internal and external, that go into your databases.
o Ensure encryption is the appropriate type.
Educate users about network security:
Make sure your end users know the basics of safe computing, such as the following:
o Do not share passwords or store them in email or text files.
o Do not open unknown email attachments or email from unknown senders, be wary of unexpected attachments from known senders.
o Do not save, install or run software downloaded from the Internet unless it has been scanned for viruses.
o Laptop computer users: know how to use and update antivirus software. Scan the laptop computer for viruses before reconnecting to the network.
o Do not click on links to unknown websites
Patching policy (not just for Microsoft software):
o Microsoft regularly provides updates for all supported Windows operating systems. These patches are essential to a preventative approach to network security. An automatic distribution method for Windows updates is recommended for large or difficult-to-manage networks. For more information, refer to the Windows Update Web site.
o There are many tools available to help with patching needed for vulnerabilities in products or software other than Windows updates.
In addition to enforcing security policies, you must protect the network from many kinds of attacks at all entry points to your network. This requires protection at the network perimeter, the servers, and at each client computer.
Perimeter level: Install a perimeter firewall:
A firewall protects the network perimeter by allowing only specific types of access from outside the network. Firewalls block many types of attacks, including but not limited to Denial of Service attacks and many types of viruses. Perimeter Firewalls can provide proactive security and protect the network from blended threats.
Client level: Install and maintain antivirus and firewall protection on each computer:
While perimeter and server protection stops the majority of threats from entering the network from the Internet, client firewalls with current IPS Signatures protects each computer by blocking many types of attacks, including but not limited to Denial of Service attacks and many types of viruses.
Antivirus software with current virus definitions protects each computer from all known virus threats regardless of the point of entry. A strong antivirus solution scans everything that reaches the computer's hard drive, regardless of where it came from and how it got there.
Vulnerability scanning tools such as ESM or Nessus are can test for open holes.
Host and Network based IPS/IDS
Network and Host based IDS/IPS systems monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, can operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass
Make regular backups of critical data:
Having current data backups available eliminates the need to try to restore data from possibly compromised or corrupted files.
Take steps to reduce email threats:
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses and other threats.
o Educate users about the different types of email attacks and what to do with unsolicited or suspicious messages.
o Consider limiting access to personal email accounts on your network.
o Consider having your email servers strip attachment types listed under the "Attacks by attachments" section of this document. Read your email server's documentation for information.
o Use an antispam program to reduce the number of phishing scams and similar threats that reach your users.
o Consider disabling or uninstalling the Windows Scripting Host.
o Make sure that all patches and security updates have been applied.
o Define a procedure for reacting to a suspected infection.
1. Identify the Threat:
In order for an outbreak to be dealt with it is important to identify the threat and understand its capabilities.
In order for us to assist you it is important that we know all of the threats that may be present on the computer as well.
To identify potentially malicious programs:
o Run our Load Point Analysis tool. This generates a report with an extensive list of programs that are loading on the computer.
o Create a Technical Support ticket for the situation and we will review the resulting report to assist in determining the legitimacy of each program or process that is loading.
o If we identify a potentially malicious program that is not being detecting by Symantec AntiVirus, we should be able to tell you what file(s) to submit for analysis.
o Submit suspicious files directly to Symantec via the Web Submit tool. www.symantec.com/docs/TECH102419
o If the threat is spreading and it seems like an outbreak, you can request a more detailed analysis of a submitted file so we can look for vectors of attack, removal instructions, payload, and basic functionality of the threat.
Other threats may be detected with current virus definitions.
Do not rely on file names to identify a threat. Many threats use the same file name but may have completely different characteristics and attack vectors.
2. Identify the Computers Infected:
Once the threat is identified it is necessary to identify the infected computers.
o If the threat has been identified, the easiest way to identify the infected computers is to update the entire network with virus definitions that will detect the threat and then to run a scan. This may be done through a scheduled scan or a virus sweep.
o A network audit may also be used to determine what computers may not have anti-virus installed and up to date.
o A check of the firewall logs for any computers generating a lot of network traffic on the port or ports used by the threat may also be a way to detect infected computers.
o A check of the threat logs can also give you the source files coming from another infected computer.
3. Quarantine the Infected Computers:
Quarantining the infected computers is critical to prevent the further spread of the infection and to prevent the threat from continuing to affect other computers remotely, either through open shares or unpatched vulnerabilities.
There are several ways to quarantine affected computers
A. Generally the best way to quarantine an infected computer is to remove it from the network physically. This would involve manually removing the connection to the network and internet.
B. In some cases, completely removing a computer from a network is not possible. Some customers, depending on the infection, have created quarantine subnets that have very restricted communications. This has given their infected users some limited productivity and still allows remote management.
WARNING: This may take preparation, and should only be done once the infection vectors are well mapped out and the proper preventions are put into place.
4. Clean the Infected Computers – Virus Removal:
Once the computers are removed from the network and updated with current definitions, the virus should be removed and the changes affected by the threat reversed. Here are the steps to clean a virus once virus definitions are up to date.
A. Stop the viral process, or boot the computer to a state where the process is not loading as some threats may prevent this.
a) Start Windows in Safe Mode or Safe Mode Command Prompt only
b) Newer versions of Symantec AntiVirus (version 10.x) or Symantec Endpoint Protection may be able to stop the process as part of a full system scan.
B. Remove the viral files
a) In Safe Mode, run a full system scan – Recommended
b) Manually remove the files by finding and deleting them
c) Check if there is a removal tool available for the particular threat variant.
C. Reverse the changes to system settings. It is important to make changes to the registry before rebooting the computer. Many viruses change boot settings so the user may be unable to log in once the virus is removed, if the registry changes are not undone.
a) Undo Registry Changes
b) Undo any changes made to the following files:
§ sfc.dll – may need to be replaced with new copy
c) Anti-virus and Firewall programs – may need to be reinstalled.
D. Do not reconnect any machines back on the network until all have been verified as clean.
- E. Reboot the computer into normal mode, before reconnecting it to the network. This is to determine that no additional viruses are detected and the cleaning was successful.
- F. If a rootkit or backdoor is detected it maybe necessary to re-image the computer to ensure security of the network.
5. Determine Infection Vector and Prevent Recurrence:
This last step is often overlooked but may be considered the most important. Most network wide infections may use three possible methods to propagate:
A. Known vulnerabilities:
- These are generally OS vulnerabilities, but may also include other software vulnerabilities that allow code to be remotely executed on the computer. An index of common vulnerabilities can be found at the end of this document.
a. Only after computers are patched and verified as clean should they be reintroduced to the production network
B. Open Shares:
- Because viruses often load at start up they may be running with the current users credentials. This means that any share that a user can reach without providing a user name and password is vulnerable to this type of attack. This includes the Admin$ and IPC$ shares.
a. To ensure security of the network going forward the Administrator password may need to be changed with a new “strong” password
C. Email Vectors:
- Some threats have mass mailing routines or are manually seated via email.
Title: 'Restricted users cannot run LiveUpdate under Windows 2003/XP/2000'
Web URL: http://www.symantec.com/docs/TECH98932
Title: 'How to prevent a virus from spreading using the "AutoRun" feature'
Web URL: http://www.symantec.com/docs/TECH104447
Title: 'Email security practices'
Web URL: http://www.symantec.com/docs/TECH99372
Title: ‘Common loading points for viruses, worms, and Trojan horse programs on Windows NT/2000/XP/2003’
Web URL: www.symantec.com/docs/TECH99331
Known vulnerabilities that current bot infections may use
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026). Port 135-137
The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow vulnerabilities (as described in Microsoft Security Bulletin MS04-007).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011). Port 445
The RealVNC Remote Authentication Bypass Vulnerability (as described in CVE-2006-2369). Port 5900 - Default
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (as described in Symantec Advisory SYM06-010). Port 2967
The Microsoft SQL Server 2000 or MSDE 2000 audit (as described in Microsoft Security Bulletin MS02-061) using UDP port 1433.
The Microsoft Windows Message Queuing Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-017)
The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039)
The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) Port 445
The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-040) Port 445
Multiple Vendor FTPD realpath Vulnerability (as described in CVE-1999-0368) Port Range 1024-1029
Symantec Client Security and Symantec AntiVirus Elevation of privilege (as described in Symantec Advisory SYM06-010)