You just can’t cut corners today. In fact, you need to be very careful about even “optimizing” your security efforts, because it’s so easy to misjudge what needs to be secured and what doesn’t, what deserves your attention and what doesn’t. In a recent discussion with a colleague we concluded that, basically, “Today, you have to do everything right.” I’ll use Flame to demonstrate what I mean.
Every computer matters
These are wide generalizations, but basically in the 90’s we focused on external-facing systems: firewalls, web servers, VPN servers, email servers and gateways. Then we started the last decade by moving deeper into the network, with more attention on internal servers. But a widely held mindset persisted that end-user PCs weren’t that important. You wouldn’t believe how many times I had IT auditors and security folks say they basically don’t worry about endpoints because of a policy that all critical applications and databases are hosted on servers. Some even relied on a policy forbidding storing confidential information locally on PCs. (Yes, I know, ludicrous.) Anyway, today most folks “get it” that endpoints are just as important as servers. But there are so many of them, and there are so many more threat vectors on endpoints than on servers.
Anyway, even with the recognition of the importance of endpoint security, I hear some folks talking about “endpoints of high-value employees” deserving more attention than the run-of-the-mill PC down in the mail room. I understand the concept, but it scares me, and Flame proves my point.
Flame had this awesome (and I mean that out of professional regard for the technology, not necessarily its purpose) method of spreading to other PCs. Flame leveraged Windows’ default behavior of automatically discovering a web proxy and posed as a proxy server. Any PC within the same NetBIOS broadcast namespace with default settings would graciously start routing web requests through a Flame-infected PC. That in turn allowed Flame to intercept requests to the Windows Update service from PCs configured to connect directly to Microsoft for Windows Updates. In an ironic twist of fate, PCs were compromised by their efforts to remain secure. Flame intercepted those update requests and, through a fairly amazing feat of cryptography, sent back bogus security patches, which the PCs willingly installed because they passed the validation intended to ensure they were signed by Microsoft. And thus Flame spread to more PCs.
My point is that the attackers only needed to infect a single system belonging to a low-level user, and then they had a chance to infect other, so-called “high-value” systems assigned to users with access to the information they wanted. So you can’t just protect your important systems because, well, they’re all important.
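The spread vector described above depends on a peer on the local segment answering the broadcast (NetBIOS) or multicast (LLMNR) lookup for the name “wpad”. A defender can watch for that directly: any host other than the sanctioned proxy that answers a WPAD lookup is worth investigating. The following is an added example, not code from the original post or from any Flame analysis; the log format and the addresses are constructed for the illustration, and the allowlist of sanctioned proxies is an assumption you would replace with your own.

```python
"""Flag hosts that answer name-resolution queries for "wpad" when they are
not the sanctioned proxy.  Added example; the log format is constructed for
this illustration and is not any product's native format."""
import re
from collections import defaultdict

# Constructed sample: one line per name-resolution response seen on the
# segment (timestamp, protocol, name asked for, querying host, responder).
SAMPLE_LOG = """\
2012-05-28T09:14:02Z NBNS  query=WPAD        from=10.0.5.23  answered_by=10.0.5.2
2012-05-28T09:14:03Z LLMNR query=wpad        from=10.0.5.41  answered_by=10.0.5.2
2012-05-28T09:15:10Z NBNS  query=FILESRV01   from=10.0.5.23  answered_by=10.0.5.10
2012-05-28T09:16:44Z NBNS  query=wpad        from=10.0.5.77  answered_by=10.0.5.88
2012-05-28T09:16:45Z LLMNR query=WPAD        from=10.0.5.23  answered_by=10.0.5.88
2012-05-28T09:17:01Z DNS   query=wpad.corp.example from=10.0.5.41 answered_by=10.0.5.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>NBNS|LLMNR|DNS)\s+query=(?P<name>\S+)\s+"
    r"from=(?P<src>\S+)\s+answered_by=(?P<responder>\S+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wpad_query(name):
    """WPAD lookups ask for the bare name "wpad" (NBNS/LLMNR, any case)
    or "wpad.<dns suffix>" via DNS."""
    lowered = name.lower()
    return lowered == "wpad" or lowered.startswith("wpad.")


def find_rogue_wpad_responders(log_text, sanctioned_proxies):
    """Map each unsanctioned host that answered a WPAD lookup to the sorted
    list of hosts that received its answer.  Only NBNS and LLMNR answers are
    considered: those are the broadcast/multicast mechanisms that any peer
    on the segment can answer, which is exactly what the infected PC did."""
    rogue = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_wpad_query(rec["name"]):
            continue
        if rec["proto"] not in ("NBNS", "LLMNR"):
            continue  # authoritative DNS answers are a separate hygiene check
        if rec["responder"] in sanctioned_proxies:
            continue
        rogue[rec["responder"]].add(rec["src"])
    return {host: sorted(victims) for host, victims in rogue.items()}


if __name__ == "__main__":
    # Assumed allowlist: the one proxy that is allowed to own the WPAD name.
    for host, victims in find_rogue_wpad_responders(SAMPLE_LOG, {"10.0.5.2"}).items():
        print(f"rogue WPAD responder {host} answered lookups from: {', '.join(victims)}")
```

Run against the constructed sample, the report names 10.0.5.88 as a rogue responder that two hosts would have started proxying through. In practice the same logic is applied to packet captures or name-resolution telemetry from the segment; the sanctioned-proxy allowlist should be empty wherever the organization does not run a proxy at all.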
Every setting matters
The above infection vector worked because of two obscure settings that pretty much no one but an extremely paranoid information security pro would have worried about. First, the hash algorithm used to sign certificates for Terminal Services Client Access Licenses, which was MD5 instead of SHA1. The basic MD5 weakness that Flame’s authors exploited had been published a long time ago, but who cared? After all, certificates issued by that CA were only used to sign licensing certificates. It was unlikely that anyone would want to steal some TS CALs badly enough that they would go to the trouble and computing expense required to effect a chosen-prefix collision attack on the MD5-based signatures of those certificates. Furthermore, it was only a risk to Microsoft, not to their customers. Right? Not so much. Turns out that the certificate authority used for TS licenses had the same root CA as the CA used for signing Windows patches, and the Windows Update client gladly accepted certificates signed (or seemingly so) by the TS Licensing CA. Multiple mistakes were made by Microsoft, but one of them was a simple setting on an insignificant certificate authority no one considered a “high-value” target.
The other setting was the one in Internet Explorer that defaults to automatically broadcasting a request for the local web proxy. Disabling this setting, and using one of several other centralized configuration methods for those organizations that do have a web proxy, would have thwarted this particular infection vector. Of course, it would also have made life a little more difficult for folks travelling to other networks where a proxy was present, but like an old system security officer I knew once said, “If you can get your job done then I’m not doing mine.”
Don’t miss my core point here. It’s not about these two particular security settings. It’s about all security settings on every system and application. There’s no way to know what the bad guys will think of next. Ergo, everything matters.
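Two of the mistakes in the certificate story above are things a signature verifier can check for on its own, independent of whether the chain “mathematically verifies”: a certificate in the path signed with a broken hash, and an issuing CA being accepted for a purpose (code signing) it was never meant to vouch for. The example below is added here and is not code from the post, from Microsoft or from any Flame analysis. It is a policy check over a deliberately simplified chain model (no real cryptographic verification is performed), and the certificate names, the `allowed_purposes` field and the chain itself are constructed for the illustration; they are not the real Microsoft certificate names.

```python
"""Policy checks a code-signing verifier should apply on top of signature
verification: reject weak signature hashes anywhere in the path and require
every issuer in the path to be authorised for code signing.  Added example
with a constructed, simplified chain model; no real crypto is performed."""
from dataclasses import dataclass, field

WEAK_SIGNATURE_HASHES = {"md2", "md4", "md5"}
CODE_SIGNING = "codeSigning"


@dataclass
class Cert:
    subject: str
    issuer: str
    sig_hash: str          # hash the issuer used in its signature over this cert
    is_ca: bool
    ekus: set = field(default_factory=set)             # purposes asserted by the cert
    # Hypothetical field for this illustration: the purposes the CA is allowed
    # to delegate (models a CA whose issuance policy is limited to, say,
    # licensing, so that it must not be accepted as a code-signing issuer).
    allowed_purposes: set = field(default_factory=set)


def check_code_signing_chain(chain, trust_anchors):
    """chain is ordered leaf first and ends with the cert issued directly by a
    trust anchor.  trust_anchors maps root name -> purposes it is trusted for.
    Returns a list of policy violations; an empty list means accepted."""
    problems = []
    if not chain:
        return ["empty chain"]
    leaf = chain[0]
    if CODE_SIGNING not in leaf.ekus:
        problems.append(f"leaf {leaf.subject!r} lacks the codeSigning EKU")
    for idx, cert in enumerate(chain):
        # A weak hash anywhere in the path means a collision could have forged
        # that certificate, so the whole chain is untrustworthy.
        if cert.sig_hash.lower() in WEAK_SIGNATURE_HASHES:
            problems.append(f"{cert.subject!r} is signed with {cert.sig_hash}")
        if idx > 0:
            if not cert.is_ca:
                problems.append(f"{cert.subject!r} is used as an issuer but is not a CA")
            # Every issuer in the path must itself be allowed to vouch for
            # code signing; a CA scoped to another purpose is not enough.
            if CODE_SIGNING not in cert.allowed_purposes:
                problems.append(f"CA {cert.subject!r} is not authorised to issue codeSigning certs")
        if idx + 1 < len(chain) and cert.issuer != chain[idx + 1].subject:
            problems.append(f"{cert.subject!r} names issuer {cert.issuer!r}, which is not the next cert")
    top = chain[-1]
    if top.issuer not in trust_anchors:
        problems.append(f"chain ends at untrusted issuer {top.issuer!r}")
    elif CODE_SIGNING not in trust_anchors[top.issuer]:
        problems.append(f"root {top.issuer!r} is not trusted for codeSigning")
    return problems


# Constructed scenario with the same shape as the problem described above:
# one root trusted for code signing, a licensing-only intermediate signed
# with MD5, and a leaf below it that claims codeSigning.  Names are invented.
TRUST_ANCHORS = {"Example Root CA": {CODE_SIGNING, "serverAuth"}}
LICENSING_CA = Cert(subject="Example Licensing CA", issuer="Example Root CA",
                    sig_hash="md5", is_ca=True, ekus={"licensing"},
                    allowed_purposes={"licensing"})
SUSPECT_LEAF = Cert(subject="Example Update Signer", issuer="Example Licensing CA",
                    sig_hash="md5", is_ca=False, ekus={CODE_SIGNING})
PATCH_CA = Cert(subject="Example Patch Signing CA", issuer="Example Root CA",
                sig_hash="sha256", is_ca=True, ekus={CODE_SIGNING},
                allowed_purposes={CODE_SIGNING})
GOOD_LEAF = Cert(subject="Example Patch Signer", issuer="Example Patch Signing CA",
                 sig_hash="sha256", is_ca=False, ekus={CODE_SIGNING})


if __name__ == "__main__":
    for name, chain in (("suspect", [SUSPECT_LEAF, LICENSING_CA]),
                        ("good", [GOOD_LEAF, PATCH_CA])):
        problems = check_code_signing_chain(chain, TRUST_ANCHORS)
        print(name, "->", "accepted" if not problems else problems)
```

For the constructed suspect chain the checker reports three violations (MD5 on the leaf, MD5 on the intermediate, and an intermediate not authorised for code signing), while the good chain is accepted. Either of the first two rules alone would have been enough to refuse the update; the design point is that a verifier should apply all of them rather than assume a single shared root makes every sub-CA equivalent.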
Every security technology matters
Security vendors would probably pay me to say that, but it’s the truth. There are definitely a lot of “one-off” security products that come along that have little value but are designed to exploit all the hype around concerns like cloud security and mobile device risks. Those are both areas that are perilous, but a lot of products aren’t real solutions yet. But in the area of endpoint security, there are so many threat vectors, and they all need to be addressed. Again, Flame proves my point. First, patch management. Organizations that were centrally managing patch deployment sidestepped the infection vector described above. Second, configuration management. Guess what the very first setting in the United States Government Configuration Baseline for Internet Explorer is? “Disable changing Automatic Configuration settings.” Why? “To prevent machines from automatically acquiring proxy server settings from malicious servers.” Nuff said. Third, removable storage control. Flame had built-in logic for spreading via USB storage devices. Fourth, device and port control. Flame could exfiltrate data via Bluetooth and infected smart phones. Fifth, good ole antimalware. Flame specifically looked for the presence of common AV products and, if it detected them, refrained from certain actions that would trigger the behavior analysis logic of those products. Sixth, application whitelisting. Today’s intelligent whitelisting enables you to limit what runs on endpoints to programs you have reason to trust – without creating a management nightmare. Effective application whitelisting would have stopped initial infections of Flame cold in its tracks.
So, that’s why I say everything matters and why you have to do everything right. Because the bad guys are capable of anything and they are trying everything.
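Whether the auto-detect setting from the “Every setting matters” section is actually off on a given endpoint, and whether the Group Policy setting the USGCB baseline item (“Disable changing Automatic Configuration settings”) refers to is in place, can both be audited from a registry export. The example below is added here and is not the post’s or Microsoft’s code. The sample `.reg` text is constructed; the layout of the `DefaultConnectionSettings` flags word (bytes 8 through 11, with 0x08 meaning “automatically detect settings”) and the `Control Panel\Autoconfig` policy value are taken from my own understanding of the IE/WinINET registry layout rather than from the post, so treat them as stated assumptions and confirm them against your own baseline documentation.

```python
"""Audit an exported registry fragment for whether Internet Explorer / WinINET
proxy auto-detection (WPAD) is still enabled and whether the policy that locks
the automatic-configuration settings is in place.  Added example; the .reg
text is constructed and the key/flag layout is this author's assumption."""

# Constructed .reg export from an endpoint with default settings.
# DefaultConnectionSettings is a REG_BINARY blob; bytes 8..11 form a flags
# DWORD where 0x01 = direct, 0x02 = manual proxy, 0x04 = use PAC URL and
# 0x08 = automatically detect settings.  A default install carries 0x09.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings"=hex:46,00,00,00,03,00,00,00,09,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Autoconfig"=dword:00000000
"""

# The same export after auto-detect is cleared (flags 0x01) and the policy
# that locks the automatic-configuration settings is set.
HARDENED_REG = (SAMPLE_REG
                .replace("hex:46,00,00,00,03,00,00,00,09", "hex:46,00,00,00,03,00,00,00,01")
                .replace("dword:00000000", "dword:00000001"))

FLAG_MANUAL_PROXY = 0x02
FLAG_USE_PAC = 0x04
FLAG_AUTODETECT = 0x08

CONN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: raw_value_string}}.
    Joins the backslash line continuations used for long hex: values."""
    logical, pending = [], ""
    for line in text.splitlines():
        line = pending + line.strip() if pending else line
        pending = ""
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1]
            continue
        logical.append(line)
    keys, current = {}, None
    for line in logical:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip()
    return keys


def hex_value_bytes(raw):
    """Convert 'hex:46,00,...' into bytes."""
    if not raw.startswith("hex:"):
        raise ValueError("expected a hex: value")
    return bytes(int(b, 16) for b in raw[4:].split(",") if b)


def dword_value(raw):
    if not raw.startswith("dword:"):
        raise ValueError("expected a dword: value")
    return int(raw[6:], 16)


def audit_proxy_autodetect(reg_text):
    """Return {'autodetect_enabled': bool, 'proxy_mode': str, 'autoconfig_locked': bool}."""
    keys = parse_reg(reg_text)
    blob = hex_value_bytes(keys[CONN_KEY]["DefaultConnectionSettings"])
    flags = int.from_bytes(blob[8:12], "little")
    if flags & FLAG_MANUAL_PROXY:
        mode = "manual proxy"
    elif flags & FLAG_USE_PAC:
        mode = "pac url"
    else:
        mode = "direct"
    policy = keys.get(POLICY_KEY, {})
    locked = "Autoconfig" in policy and dword_value(policy["Autoconfig"]) == 1
    return {"autodetect_enabled": bool(flags & FLAG_AUTODETECT),
            "proxy_mode": mode, "autoconfig_locked": locked}


if __name__ == "__main__":
    for label, reg in (("default", SAMPLE_REG), ("hardened", HARDENED_REG)):
        print(label, audit_proxy_autodetect(reg))
```

On the constructed default export the audit reports auto-detect enabled, a direct connection and no policy lock; on the hardened export it reports auto-detect off and the lock in place. The same parser can be pointed at real `reg export` output collected from endpoints, which is a cheap way to find machines that drifted back to the default after the baseline was applied.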