What do we do if we have a few thousand Excel spreadsheets with critical business processes and information in them? How do I "whitelist" only the good spreadsheets and macros (i.e. is that level of granularity supported)? And secondly, what is the overhead in maintaining this, especially when it is analysts/traders etc. (i.e. effectively end users and their IT support) that are developing these? Something would be changing on a daily basis.

Cheers
Ken

From: Ziots, Edward [mailto:[email protected]]
Sent: Wednesday, 17 April 2013 11:33 PM
To: NT System Admin Issues
Subject: RE: Dropsmack Malware C&C via Dropbox

Agreed, same solution I am using; it does the same function, and if there are any blocks, they're dealt with quickly before going live.

Z

Edward E. Ziots, CISSP, CISA, Security+, Network+
Security Engineer
Lifespan Organization
[email protected]
Work: 401-444-9081

From: [email protected] [mailto:[email protected]]
Sent: Tuesday, April 16, 2013 11:47 PM
To: NT System Admin Issues
Subject: Re: Dropsmack Malware C&C via Dropbox

The software I use has an "endpoint analysis" mode, kinda like a passive mode, that creates whitelists for you. Using this, you should be able to ensure everything works before going live. Add to this that the alerting is very good, so false positives get quickly dealt with.

Sent from my Blackberry, which may be an antique but delivers email RELIABLY

From: Ken Schaefer <[email protected]>
Date: Wed, 17 Apr 2013 00:27:19 +0000
To: NT System Admin Issues <[email protected]>
ReplyTo: "NT System Admin Issues" <[email protected]>
Subject: RE: Dropsmack Malware C&C via Dropbox

What happens when the business relies a lot on Access DBs, Excel spreadsheets etc.? Do I have to whitelist every macro? Am I still at risk of data loss/corruption/exfiltration?

Cheers
Ken

From: James Rankin [mailto:[email protected]]
Sent: Wednesday, 17 April 2013 12:54 AM
To: NT System Admin Issues
Subject: Re: Dropsmack Malware C&C via Dropbox

Whitelisting can be a lot of work if you haven't got a flexible technology. There are various vendors in the space and some of them take a lot of the donkey-work out of it for you, whilst still maintaining (as far as I've seen) decent security. But I totally agree that it's still at the whim of the person with their fingers on the controls: if the admin allows a bad executable, then you're in trouble. That can only be mitigated by belt-and-braces approaches, really, relying on old-style reactive AV or IDS/IPS or whatever to catch the bad executable that's somehow bypassed your processes and controls.

There is another load of tech springing up around MDM, MIM, MAM or whatever TLA you choose to describe it. It's another big set of challenges though. At the moment I am concentrating on extending the agents I have to MacOS devices rather than worrying about tablets and mobiles yet. I can avoid some of the pain at the moment by deploying Windows apps and desktops via Citrix to the mobile devices rather than letting users manipulate corporate data directly, but it's something I will no doubt get asked to get involved in sometime in the future :-)

But it's all so fun keeping up with user trends, isn't it? Maybe if we try really hard to get on top of the possibilities right now we can approach BYOD from a security perspective rather than just getting bullied into making it happen too quickly and having to catch all the security issues while firefighting :-)

Cheers,
JR

On 16 April 2013 15:36, Ziots, Edward <[email protected]> wrote:

James,

I agree on the application whitelisting front. But it's a lot of work and it's still based on trust (if you trust something bad, then you have still let the determined attacker in the door), but the caveat is that if you control the code execution on your endpoints, then you change the game in your favor.

Other aspects to think of: Will application whitelisting work for mobile devices (iPhone, Android, tablets), all of which can act like storage devices in a way?

Questions to be answered: Which devices do you allow to be attached to your systems to transfer data? (Policies, procedures, enforcement with technical controls and auditing, and follow-up with administrative controls for compliance.) Do we allow the Apple devices but not the Android, or do we allow just IronKey devices, and who should have them and what data should they be able to take (DLP/DRM etc. etc.)?

And we all should know by now that AV is next to worthless against current malware trends, so why do the compliance regulations still require this (PCI-DSS especially)?

Working on app whitelisting right now; it's been interesting and complex at the time, but at the end I feel it will be worth it.
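Ken's question (how to whitelist only the good spreadsheets and macros when analysts change them daily) and the "endpoint analysis" / passive-mode idea described later in the thread can be illustrated concretely. The following is an added example written for this page; it is not code from the thread or from any participant's product. It relies on one fact about the file format: a macro-enabled OOXML workbook (.xlsm) is a zip archive whose VBA code is stored in the part xl/vbaProject.bin. Keying the allowlist on the hash of that part alone, rather than the whole file, means a trader editing cell data does not invalidate the entry, while any change to the macro code does. The sample workbooks below are constructed minimal zip stand-ins containing only the parts the code reads, not valid Excel files, and the paths and module names are invented for the example.

```python
"""Macro-level allowlisting for .xlsm workbooks: hash the VBA project, not the whole file.

Added example, not code from the thread or from any participant's product.
A macro-enabled OOXML workbook is a zip archive whose VBA is stored in the
part xl/vbaProject.bin. Keying the allowlist on that part alone means that
analysts changing cell data every day does not invalidate an entry, while any
change to the macro code does.
"""
import hashlib
import io
import zipfile
from typing import Dict, Optional, Tuple

VBA_PART = "xl/vbaProject.bin"


def macro_status(workbook: bytes) -> Tuple[str, Optional[str]]:
    """Classify a workbook as ("unparseable", None), ("no-macro", None) or ("macro", sha256hex)."""
    try:
        with zipfile.ZipFile(io.BytesIO(workbook)) as zf:
            if VBA_PART not in zf.namelist():
                return "no-macro", None
            return "macro", hashlib.sha256(zf.read(VBA_PART)).hexdigest()
    except zipfile.BadZipFile:
        # Not an OOXML container: legacy .xls/.mdb or a corrupt file. Fail closed.
        return "unparseable", None


def learn(known_good: Dict[str, bytes]) -> Dict[str, str]:
    """'Passive mode': build {vba_sha256: first path seen} from an inventory vetted as good."""
    allow: Dict[str, str] = {}
    for path, data in known_good.items():
        status, digest = macro_status(data)
        if status == "macro":
            allow.setdefault(digest, path)
    return allow


def check(workbook: bytes, allow: Dict[str, str]) -> str:
    """Enforcement decision for one workbook against the learned allowlist."""
    status, digest = macro_status(workbook)
    if status == "no-macro":
        return "allow-no-macro"   # nothing executable inside; data-only file
    if status == "macro" and digest in allow:
        return "allow"
    return "block"                # unknown macro code, or a container we cannot inspect


# --- constructed sample data (stand-ins, not valid Excel files) ---------------
def make_xlsm(sheet_xml: str, vba: Optional[bytes]) -> bytes:
    """Build a minimal zip with only the parts this example reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
        if vba is not None:
            zf.writestr(VBA_PART, vba)
    return buf.getvalue()


GOOD_VBA = b"Attribute VB_Name = \"PnL\"\nSub Recalc()\n  ' approved trader macro\nEnd Sub\n"
EDITED_VBA = b"Attribute VB_Name = \"PnL\"\nSub Recalc()\n  ' someone changed this module\nEnd Sub\n"


def demo() -> Dict[str, str]:
    """Learn from two known-good files, then check four variants against the allowlist."""
    allow = learn({
        "trading/pnl.xlsm": make_xlsm("<c><v>1</v></c>", GOOD_VBA),       # invented path
        "ops/headcount.xlsx": make_xlsm("<c><v>2</v></c>", None),         # invented path
    })
    return {
        "same macro, new data": check(make_xlsm("<c><v>999</v></c>", GOOD_VBA), allow),
        "edited macro": check(make_xlsm("<c><v>1</v></c>", EDITED_VBA), allow),
        "data-only workbook": check(make_xlsm("<c><v>3</v></c>", None), allow),
        # OLE2 magic bytes (D0 CF 11 E0), as a legacy .xls would start; not a zip at all
        "not an OOXML container": check(b"\xd0\xcf\x11\xe0 legacy container", allow),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} -> {verdict}")
```

Because the key is the VBA container rather than the file, only changes to macro code need to go through review; daily data edits by analysts cost nothing. Two caveats for a real deployment: legacy .xls and Access .mdb/.accdb files are not zip-based and need a different parser (this example fails closed on them, which is the safe default but will generate noise), and the learning inventory is only as trustworthy as the vetting behind it: a passive mode pointed at an unreviewed file share whitelists whatever is already there, which is exactly the trust problem raised in the thread. Office's own macro controls (blocking unsigned macros and trusting specific publishers) shift the trust decision from per-file hashes to who signed the code, which scales better when thousands of user-authored files churn.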
