Ken, If you have a rootkit, GAME OVER PERIOD, we both accept that. NO control discussed is going to save you from that.
Malware/malcode, basically the same thing; you say tomato, I say tomato. We both agree that if the box is rooted then it doesn't matter what controls you have, they are all bypassed and thus the box is suspect, can't be trusted: DBAN the system and start over. I think we also both agree prevention is the best strategy, but which approach/approaches are best? Depends on the environment and the business. I am arguing from experience, and from running a large network for 10+ yrs, that the failures of signature-based AV have been fully apparent in my eyes; the only thing that has saved us from more pain in the last 6+ yrs has been a HIPS (CSA). With the number of virus/malware samples that are produced daily, DAT updates are getting larger and larger and deployed more frequently, to the point you can't keep up, and one bad DAT takes down an entire network. I lived this pain less than 2 weeks ago.

Whitelisting: If you control the execution of the code you are running on the machine, and you are working from a validated image (fully patched, significantly hardened), and the appropriate detective controls are applied and monitored (auditing, event log management, patching, VA scanning, configuration management), you can add whitelisting in as another preventative control to ensure only code that you know to be good runs on your systems. I do see some faults in it though, that I am not entirely comfortable with:

Web application attack scenarios: If you trust IE/Firefox etc. then the configuration, or lack thereof, of the security controls is the only thing preventing you from suffering from these attacks. It's a little better with Firefox due to security extensions, but to centrally manage them is not really plausible.

Malcode inside DOCs, PDFs, Excel: This is where I really worry. So if we trust, say, Adobe 9.3.2 as the latest deployment of the Adobe suite, and there is a new 0-day, and someone comes up with a way to embed another malware exploit inside the PDF with JavaScript or another method, does the app whitelist stop the code execution inside the PDF, when you just allowed the PDF viewer to run accordingly? (I like the HIPS method, via CSA, more in this light because it would stop the code execution inside the document and show it in the logs; again, with CSA going bye-bye as discussed before, we need to look at other solutions that will meet the needs.) But my belief is that AV alone is simply not enough, and it's getting almost next to useless as a preventative control when dealing with signatures, and its heuristics engines aren't that great either. I also don't think blacklisting is viable; it is basically administratively prohibitive in some organizations, due to the time and effort just to keep up with it. Also, with whitelisting, just like HIPS, there is a lot of heavy lifting up front to understand how to properly configure and deploy it accordingly. Plus there need to be security metrics measuring the effectiveness of the control before the control is implemented and after it's implemented, and how its effect over time has increased the security posture of the business/organization without being unduly administratively burdensome. I do like the fact that even if you are an admin the whitelisting basically blocks the execution and records what you have attempted for further review; sometimes a little administrative action is a nice duo with a technical set of controls when trying to get secure computing through to the users. (Again referencing Bit9, which I have demoed and we are seeking as a replacement for our CSA.) Is whitelisting the "silver bullet"? Nope. But is AV enough? NOPE, and it's getting worse, not better.

HIPS is definitely an alternative, but it also has its issues. Sometimes, reading the CSA logs, I'd basically have to take a course in assembly language just to understand the jargon spit out in the logs about what some piece of code just tried to do or not. Now you can't tell me that an all-purpose sysadmin couldn't or wouldn't make a mistake by misinterpreting the HIPS logs and allow something that should have never been allowed to execute in the first place. But this all comes down to a risk-management exercise: what works for one won't for another, nor am I even going to condone that you forego other approaches and just go with app whitelisting, follow the Gartner bandwagon and "CALGON take me away", free yourself of the security concerns that plague us all. Maybe this closes the loop, or maybe it muddies up the waters a little further. If you have the solution that is a one-size-fits-all, or a framework that can benefit the masses in this regard, please let us all know. I am sure that in your experience, both in business and in consulting, you definitely might have some better insight than I do, looking at it from a healthcare standpoint over a 10+ yr timeline.

Thanks. These will be my last comments on the subject; I need to get back to reading up on HITECH and NIST guidelines, and doing system classification and controls here accordingly. That and the fun of my Win2k8 R2/Exchange 2010/SQL 2008 upgrades accordingly.

Sincerely,
EZ

Edward Ziots CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
[email protected]
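An added example (my own illustration, not code from this thread, from Bit9 or from CSA): a minimal hash-based application whitelist enforcer in Python that blocks and logs an unknown binary even when an admin runs it, allows a trusted binary regardless of its path, and shows the gap raised above, that a trusted PDF viewer is allowed to run no matter what document it is handed. The file paths, binary contents and the sample document are constructed.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for binaries on the validated image (paths and contents are made up).
VALIDATED_IMAGE = {
    r"C:\Program Files\Adobe\Reader 9.3.2\AcroRd32.exe": b"trusted pdf viewer build",
    r"C:\Windows\System32\notepad.exe": b"trusted notepad build",
}
# The allowlist is keyed on content hash, not on path or file name.
ALLOWLIST = {sha256(body) for body in VALIDATED_IMAGE.values()}

@dataclass
class WhitelistEnforcer:
    allowlist: set
    audit_log: list = field(default_factory=list)

    def check_execution(self, path: str, image: bytes, user: str, is_admin: bool) -> bool:
        # Deny-by-default on the executable's hash; admin rights do not bypass it,
        # and every blocked attempt is recorded for later review.
        digest = sha256(image)
        allowed = digest in self.allowlist
        if not allowed:
            self.audit_log.append({"user": user, "admin": is_admin, "path": path,
                                   "sha256": digest, "result": "blocked"})
        return allowed

    def open_document(self, viewer_path: str, viewer_image: bytes, document: bytes, user: str) -> bool:
        # Only the viewer binary is judged; the document bytes are never examined, so a
        # hostile PDF rides in on a trusted viewer unless another control (HIPS, patching) catches it.
        return self.check_execution(viewer_path, viewer_image, user, is_admin=False)

def demo() -> dict:
    enforcer = WhitelistEnforcer(ALLOWLIST)
    viewer = r"C:\Program Files\Adobe\Reader 9.3.2\AcroRd32.exe"
    notepad = r"C:\Windows\System32\notepad.exe"
    results = {
        # Unknown binary dropped by an admin: blocked and logged.
        "dropped_by_admin": enforcer.check_execution(r"C:\Temp\update.exe", b"unknown dropper", "ez", True),
        # Same trusted bytes copied to a new path: still allowed because the hash matches.
        "renamed_copy": enforcer.check_execution(r"C:\Temp\np2.exe", VALIDATED_IMAGE[notepad], "ez", False),
        # Constructed document with a hostile marker: the viewer is allowed, the document is not checked.
        "hostile_pdf_opens": enforcer.open_document(viewer, VALIDATED_IMAGE[viewer], b"%PDF-1.4 /JS (constructed)", "ez"),
    }
    results["blocked_events"] = len(enforcer.audit_log)
    return results
```

The audit log is what gives the "records what you have attempted" review trail; the `hostile_pdf_opens` result is the document-borne case that the whitelist alone does not cover.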
