Whitelisting can be a lot of work, if you haven't got a flexible technology. There are various vendors in the space and some of them take a lot of the donkey-work out of it for you, whilst still maintaining (as far as I've seen) decent security. But I totally agree that it's still at the whim of the person with their fingers on the controls - if the admin allows a bad executable, then you're in trouble.
That can only be mitigated by belt-and-braces approaches, really, relying on old-style reactive AV or IDS/IPS or whatever to catch the bad executable that's somehow bypassed your processes and controls. There is another load of tech springing up around MDM, MIM, MAM or whatever TLA you choose to describe it. It's another big set of challenges though. At the moment I am concentrating on extending the agents I have to MacOS devices rather than worrying about tablets and mobiles yet. I can avoid some of the pain at the moment by deploying Windows apps and desktops via Citrix to the mobile devices rather than letting users manipulate corporate data directly, but it's something I will no doubt get asked to get involved in sometime in the future :-) But it's all so fun keeping up with user trends, isn't it? Maybe if we try really hard to get on top of the possibilities right now we can approach BYOD from a security perspective rather than just getting bullied into making it happen too quickly and having to catch all the security issues while firefighting :-) Cheers, JR On 16 April 2013 15:36, Ziots, Edward <[email protected]> wrote: > James, **** > > ** ** > > I agree on the application whitelisting front. But its a lot of work and > its still based on trust. ( If you trust something bad) then you have still > let the determined attacker in the door, but the caveat is if you control > the code execution on your endpoints, then you change the game into your > favor. **** > > ** ** > > Other aspects to think of: **** > > ** ** > > Will application whitelisting work for mobile devices: (Iphone, Android, > Tablets, all of which can act like storage devices in a way.**** > > ** ** > > Questions to be answered: **** > > ** ** > > Which devices do you allow to be attached to your systems to transfer > data? (Policies, procedures, enforcement with technical controls and > auditing and followup with administrative controls for compliance? (Do we > allow the Apple devices, but not the Android, or do we allow just Ironkey > devices, and whom should have them and what data should they be able to > take ( DLP/DRM etc etc)**** > > ** ** > > And we all should know by now that AV is next near worthless against > current malware trends, so why does the compliance regulations still > require this ( PCI-DSS especially). **** > > ** ** > > Working on App whitelisting right now, its been interesting and complex at > the time, but at the end I feel it will be worth it. **** > > ** ** > > Z**** > > ** ** > > ** ** > > Edward E. Ziots, CISSP, CISA, Security +, Network +**** > > Security Engineer**** > > Lifespan Organization**** > > [email protected]**** > > Work:401-444-9081**** > > ** ** > > ** ** > > This electronic message and any attachments may be privileged and > confidential and protected from disclosure. If you are reading this > message, but are not the intended recipient, nor an employee or agent > responsible for delivering this message to the intended recipient, you are > hereby notified that you are strictly prohibited from copying, printing, > forwarding or otherwise disseminating this communication. If you have > received this communication in error, please immediately notify the sender > by replying to the message. Then, delete the message from your computer. > Thank you.**** > > *[image: Description: Description: Lifespan]* > > ** ** > > ** ** > > *From:* James Rankin [mailto:[email protected]] > *Sent:* Tuesday, April 16, 2013 10:21 AM > *To:* NT System Admin Issues > *Subject:* Re: Dropsmack Malware C&C via Dropbox**** > > ** ** > > Way to beat that nasty...whitelisting.**** > > **** > > I guess that vector would work for a lot of these synchronization clients, > so I guess good whitelisting is the only way. Luckily as I've started using > AppSense DataNow instead of DropBox for mine, I get AppSense Application > Manager along with it, which is probably the best whitelisting product I've > seen.**** > > **** > > Very interesting read though, just shows that traditional AV can't really > fend off a determined hacker.**** > > **** > > Cheers,**** > > **** > > **** > > JR**** > > On 16 April 2013 15:07, Ziots, Edward <[email protected]> wrote:**** > > Here is the slide deck on this:**** > > > https://media.blackhat.com/eu-13/briefings/Williams/bh-eu-13-dropsmack-jwilliams-slides.pdf > **** > > **** > > Good reading, scary thought but a lot are using Dropbox and not thinking > about the consequences….**** > > > http://www.techrepublic.com/blog/security/dropsmack-using-dropbox-to-steal-files-and-deliver-malware/9332?tag=nl.e036&s_cid=e036&ttag=e036 > **** > > **** > > Food for thought, especially from regulatory compliance standpoint. **** > > **** > > Z**** > > **** > > **** > > Edward E. Ziots, CISSP, CISA, Security +, Network +**** > > Security Engineer**** > > Lifespan Organization**** > > [email protected]**** > > Work:401-444-9081**** > > **** > > **** > > This electronic message and any attachments may be privileged and > confidential and protected from disclosure. If you are reading this > message, but are not the intended recipient, nor an employee or agent > responsible for delivering this message to the intended recipient, you are > hereby notified that you are strictly prohibited from copying, printing, > forwarding or otherwise disseminating this communication. If you have > received this communication in error, please immediately notify the sender > by replying to the message. Then, delete the message from your computer. > Thank you.**** > > *[image: Description: Description: Lifespan]***** > > **** > > **** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin**** > > > > > -- > *James Rankin* > Technical Consultant (ACA, CCA, MCTS) > http://appsensebigot.blogspot.co.uk**** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin**** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > -- *James Rankin* Technical Consultant (ACA, CCA, MCTS) http://appsensebigot.blogspot.co.uk ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
<<image001.jpg>>
