Research

Not to bring politics into a security blog, but I think it’s time we sit down and discuss the state of education in this country… I mean industry. Lance over at HoneyTech went off on the economics/metrics paper from Microsoft we recently discussed. Basically, the debate is over the value of security awareness training. The paper suggests that some training isn’t worth the cost. Lance argues that although we can’t always directly derive the desired benefits, there are legitimate halo effects. Lance also points out that the metrics chosen for the paper might not be the best. I’d like to flip this a little bit. The problem isn’t the potential value of awareness training – it’s that most training is total crap. When we improperly design the economics, incentives and/or metrics of the system, we fail to achieve desired objectives. Right, it’s not brain surgery. Let’s use the No Child Left Behind act here in the US as an example. This law requires standardized testing in schools, and funding is directly tied to test results. Which means teachers now teach to do well on an exam, rather than to educate. Students show up at universities woefully unprepared due to lack of general knowledge and possession of a few rote skills. It is the natural outcome of the system design. Most security awareness training falls into the same trap. The metrics tend to be test scores and completion rates. So organizations dutifully make sure employees sit through the training (if that’s what you want to call it) and get their check mark every year. But that forgets why we spend time and money to perform the training in the first place. What we really care about is improving security outcomes, which I’ll define as a reduction in frequency and severity of security incidents. Not about making sure every employee can check a box. Thus we need outcome-based security awareness programs, which means we have to design our metrics and economics to support measurable improvements in security. Rather than measuring how many people took a class or passed a stupid test, we should track outcomes such as: For a virus infection, was user interaction involved? User response rates to phishing spam. Results from authorized social engineering penetration tests. Tracking incidents where the user was involved can determine whether the incident was reasonably preventable, and whether the user was (successfully) trained to avoid that specific type of incident. Follow the trends over time, and feed this back into your awareness program. If all you do is force people to sit through boring classes or follow mind-numbing web-based training, and then say your training was successful if they can answer a few multiple choice questions, you are doing it wrong. So we have not given up hope on the impact of security awareness training. If we focus on tracking real world outcomes, not auditor checklist garbage like how many people signed a policy or sat in a chair for a certain number of hours, it can make a difference. Are taking too many hits off the peace pipe? Have any of you had a measurable impact of training in your environment? Speak up in the comments. Share:

Popular perception of endpoint security revolves around anti-malware. But they are called suites for a reason – other security components ship in these packages, which provide additional layers of protection for the endpoint. Here we’ll talk about firewalls, host intrusion prevention, and USB device control. Firewalls We know what firewalls do on the perimeter of the network: selectively block traffic that goes through gateways by port and protocol. The functionality of a host firewall on an endpoint is similar. They allow an organization to enforce a policy governing what traffic the device can accept (ingress filtering) and transmit (egress filtering). Managing the traffic to and from each endpoint serves a number of purposes, including hiding the device from reconnaissance efforts, notifying the user or administrators when applications attempt to access the Internet, and monitoring exactly what the endpoints are doing. Many of these capabilities are available separately on the corporate network, but when traveling or at home and not behind the corporate perimeter, the host firewall is the first defense against attacks. Of course, a host firewall (like everything else that runs on an endpoint) takes up resources, which can be a problem on older or undersized machines. It also bears consideration that alerts multiply, especially when you have a couple thousand endpoints forwarding them to a central console, so some kind of automated alert monitoring becomes critical. Although pretty much every vendor bundles a host firewall with their endpoint suite nowadays, the major operating systems also provide firewall options. Windows has included a firewall since XP, but keep in mind that the XP firewall does not provide egress (outbound) filtering – remedied in Windows Vista. Mac OS X 10.5 Leopard added a ‘socket’ firewall to manage application listeners (ingress), and deprecated the classic ipfw network firewall, which is still available. As with all endpoint capabilities, just having the feature isn’t enough, since the number of endpoints to be managed puts a real focus on managing the policies. This makes policy management more important than firewall engine details. Host Intrusion Prevention Systems (HIPS) We know what network intrusion detection/prevention products do, in terms of inspecting network traffic and looking for attacks. Similarly, host intrusion detection/prevention capabilities look for attacks by monitoring what’s happening on the endpoint. This can include application behavior, activity logs, endpoint network traffic, system file changes, Windows registry changes, processes and/or threads, memory allocation, and pretty much anything else. The art of making host intrusion prevention work is to set up the policies to prevent malware infection, without badly impacting the user experience or destroying the signal-to-noise ratio of alerts coming into the management console. Yes, this involves tuning, so you start with the product’s default settings (hopefully on a test group) and see what works and what doesn’t. You should be able to quickly optimize the policy. Given the number of applications and activities at each endpoint, you can go nuts trying to manage these policies, which highlights the importance of the standard builds (as described in Controls: Secure Configurations). Starting with 3-4 different policies, and then you can manage others by exception. Keep in mind that tuning the product for servers is totally different, as the policies will need to be tailored for very different applications running on servers. Currently, all the major endpoint suites include simple HIPS capabilities. Some vendors also offer a more capable HIPS product – typically targeting server devices, which are higher profile targets and subject to different attacks. USB Device Control Another key attack vector for both data compromise and malware proliferation is the USB ports on endpoint devices. In the old days, you’d typically know when someone brought in a huge external drive to pilfer data. Nowadays many of us carry a 16GB+ drive at all times (yes, your smartphone is a big drive), so we’ve got to control USB ports to address this exposure. Moreover, we’ve all heard stories of social engineers dropping USB sticks in the parking lot and waiting for unsuspecting employees to pick them up and plug them in. Instant pwnage 4U! So another important aspect of protecting endpoints includes defining which devices can connect to a USB port and what those devices can do. This has been a niche space, but as more disclosure is required for data loss, organizations are getting more serious about managing their USB ports. As with all other endpoint technologies, device control adds significant management overhead for keeping track of all the mobile devices and USB sticks, etc. The products in the space include management consoles to ease the burden, but managing thousands of anything is non-trivial. Right now device control is a discrete function, but we believe these niche products will also be subsumed into the endpoint suites over the next two years. In the meantime, you may be able to gain some leverage by picking a device control vendor partnered with your endpoint suite provider. Then you should at least be able centralize the alerts, even if you don’t get deeper management integration. Management Leverage Though we probably sound like a broken record at this point, keep in mind that each additional security application/capability (control) implemented on the endpoint devices increases the management burden. So when evaluating technology for implementation, be sure to assess the additional management required and the level of integration with your existing endpoint management workflow. We’ll wrap up our discussion of Endpoint Controls in the next post, as we discuss full disk encryption, which disclosure laws have shifted from nice-to-have to something you need deployed – immediately. Other posts in the Endpoint Security Fundamentals Series Introduction Prioritize: Finding the Leaky Buckets Triage: Fixing the Leaky Buckets Controls: Update and Patch Controls: Secure Configurations Controls: Anti-Malware Share: