SANS ISC InfoSec Handlers Diary Blog

Tip of the Day: Be unpredictable and diverse

Published: 2006-08-06
Last Updated: 2006-08-06 17:23:53 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Many of today's attacks, including most targeted attacks, start from the premise that there is a monoculture in the software most users use for a given task.

The trick is not to enforce a single alternative platform, as you will still be very predictable to targeted attackers. The trick is to embrace openness, allow a set of solutions to be used, and let the users make the choice individually.
Yes, the helpdesks will not like it at first, but they might like it a lot more once you point out that the peaks in problems they face when all users break down at once will also be spread out a lot better.

Using very uncommon hardware is a way to become rather unpredictable, but unfortunately it's hard to get away from the typical Intel x86 architecture now that Apple has switched to hardware that can actually run Windows natively. Luckily there are still Unix platforms that don't use the Intel x86 architecture. So it's an option in high security environments, but less so in most general office environments.

For operating systems the alternatives on a desktop in a corporate environment are generally limited to Mac OS X or some Linux distribution. On servers there is a wider choice of very viable operating systems. Personally I really like OpenBSD on servers as a security conscious choice.

For browsers there are Firefox, Opera, Netscape, Safari and, as an added bonus, Mozilla compiled from source. That sounds like plenty of choices, but there are more than those to choose from as well.

For email clients I personally prefer pure text based clients, as they tend to have far fewer vulnerabilities and won't try to load e.g. an image, or turn an accidental click into a confirmation of a live mailbox to a spammer, or worse. But you might need a GUI, and then OS X's Mail.app or Thunderbird might be among the choices.

Office productivity tools are the hardest to get away from the monoculture, but there are OpenOffice and StarOffice to create some diversity, aside from the less compatible choices.
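Before you can spread the risk you need to know how concentrated it is. The following is an added example, not part of the diary: a small Python script that reads (constructed) web proxy log lines, classifies each request's User-Agent into a browser family, and reports how dominant the most common family is together with a normalized entropy score. The log format, the family patterns and the 80% "monoculture" threshold are all assumptions chosen for the example; adapt the regular expressions to whatever your proxy actually writes.

```python
import math
import re
from collections import Counter

# Constructed sample of proxy log lines (hypothetical format:
# timestamp, client IP, URL, quoted User-Agent). Not real traffic.
SAMPLE_LOG = """\
2006-08-06T10:00:01 10.0.0.11 http://example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2006-08-06T10:00:02 10.0.0.12 http://example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2006-08-06T10:00:03 10.0.0.13 http://example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
2006-08-06T10:00:04 10.0.0.14 http://example.com/ "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8) Gecko/20060728 Firefox/1.5"
2006-08-06T10:00:05 10.0.0.15 http://example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2006-08-06T10:00:06 10.0.0.16 http://example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 8.5"
2006-08-06T10:00:07 10.0.0.17 http://example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2006-08-06T10:00:08 10.0.0.18 http://example.com/ "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Gecko/20060728 Firefox/1.5"
2006-08-06T10:00:09 10.0.0.19 http://example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2006-08-06T10:00:10 10.0.0.20 http://example.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Ordered patterns: Opera (and some others) historically announced "MSIE"
# as well, so the more specific families must be tested first.
FAMILIES = [
    ("Opera", re.compile(r"\bOpera\b")),
    ("Firefox", re.compile(r"\bFirefox/")),
    ("Safari", re.compile(r"\bSafari/")),
    ("Lynx", re.compile(r"^Lynx/")),
    ("curl", re.compile(r"^curl/")),
    ("MSIE", re.compile(r"\bMSIE \d")),
]

UA_FIELD = re.compile(r'"([^"]*)"\s*$')


def classify(user_agent):
    """Map a User-Agent string to a browser family name, or 'other'."""
    for name, pattern in FAMILIES:
        if pattern.search(user_agent):
            return name
    return "other"


def parse_log(text):
    """Return the browser family of every log line that carries a quoted UA."""
    families = []
    for line in text.splitlines():
        match = UA_FIELD.search(line)
        if match:
            families.append(classify(match.group(1)))
    return families


def diversity(families):
    """Summarize how concentrated the population is on one family.

    normalized_entropy is 0.0 when everyone runs the same browser and 1.0
    when every observed family has an equal share.
    """
    counts = Counter(families)
    total = sum(counts.values())
    shares = {name: n / total for name, n in counts.items()}
    dominant, dominant_share = max(shares.items(), key=lambda kv: kv[1])
    entropy = -sum(p * math.log2(p) for p in shares.values())
    max_entropy = math.log2(len(shares)) if len(shares) > 1 else 1.0
    return {
        "shares": shares,
        "dominant": dominant,
        "dominant_share": dominant_share,
        "normalized_entropy": entropy / max_entropy if len(shares) > 1 else 0.0,
    }


def is_monoculture(stats, threshold=0.8):
    """True when a single family carries at least `threshold` of the requests."""
    return stats["dominant_share"] >= threshold


if __name__ == "__main__":
    stats = diversity(parse_log(SAMPLE_LOG))
    for name, share in sorted(stats["shares"].items(), key=lambda kv: -kv[1]):
        print(f"{name:8s} {share:5.1%}")
    print(f"dominant: {stats['dominant']} ({stats['dominant_share']:.0%}), "
          f"normalized entropy: {stats['normalized_entropy']:.2f}, "
          f"monoculture: {is_monoculture(stats)}")
```

Run it against a day of real proxy logs and watch the dominant share over time; the number going down is the measurable version of the advice above, and the same approach works on mail client headers or office document metadata.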

So how do you use e.g. Firefox? We'd suggest adding a few add-ons:
  • NoScript (blocks JavaScript and Java by default, but allows them to be enabled on a site-by-site basis as needed)
  • Netcraft Toolbar or Google Toolbar (warn about known phishing sites)
  • If you need business access to sites that won't work in anything but MSIE: IE View can be used to define a number of sites that will be opened in IE by default.
It becomes even more important to be less predictable when dealing with known bad content, so keep your lynx, wget, curl, openssl and telnet skills in shape if you analyze malware every so often.

If you have more tips on how to be less predictable and less of a monoculture, please let us know and we'll expand this story as needed. Remember it's about sharing tips and making them work for you, much less about debating why the tips don't work for you.

--
Swa Frantzen - Section 66
Keywords: ToD