Yesterday I read that NASDAQ’s systems were hacked, today that the Canadian government was hacked. This news as such is nothing new. Read R. Clarke and R. Knake’s book ‘Cyber war’ and you know that this has been going on for more than a decade. What surprises me more is that it is still newsworthy and people are (or act?) so surprised. On CircleId Terry Zink, a program manager at Microsoft, gives four tips for security officers whether public or private. As they sound sensible, I repeat them here for those interested:
Terry Zink’s tips
1. At the start of it, the government needs a good spam filter to keep phishing messages out of the inbox. It is very difficult to do this, and reputation technologies like SPF and DKIM don’t do much to prevent spoofing (there are workarounds). However, a filter that is up-to-date with the latest blocklists, URL blocklists, and even some more clever technologies is a good place to start.
2. Once the original accounts are compromised, the game is almost over. However, as a basic line of defense (or shall I say, defence), internally organizations should be scanning all email attachments even on internal mail with 2 or 3 pieces of A/V software. Yes, there are plenty of zero-day attacks but make things difficult for malware authors.
3. Make sure software is all up-to-date. If phishing messages were not the original source of these credential thefts, then applying the latest patches (OS, web browsers, third-party plug-ins like Flash) is crucial.
4. One thing that isn’t in email security but has been implemented by companies like Comcast is network inspection technology. By analyzing where URLs are resolving to (i.e., bad IP space), organizations can block people from browsing to malicious sites at the network layer. Comcast does it by maintaining a list of known bad IPs where domains point to bad A-records and quarantine people that way. The government could do the same. Bad A-record IP space is one thing, maintaining a database of known bad registrars and/or name servers is yet another step forward. If where the user is trying to navigate to is hosted in a bad neighborhood, then don’t let them do it. Users have to click links that go somewhere; if that somewhere can be short circuited then it throws a wrench in the attacker’s plans. The one exception to this is a legitimate web site that has been compromised (and there are lots). That’s tougher to mitigate.
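To make the fourth tip concrete, here is an added example (my own illustration, not code from Terry Zink, Comcast or the original article) of the "bad neighbourhood" check at the network layer: take the link a user clicks, resolve its hostname, and block if the A record lands in known-bad IP space or if the domain is served by a blocklisted name server. The blocklists, the hostnames and the in-memory DNS map are all constructed sample data so the block runs offline; a real deployment would query DNS and feed it live threat intelligence. It also shows the caveat from the end of the tip: a compromised but otherwise legitimate site resolves to clean IP space and clean name servers, so these two checks alone let it through and a separate hostname-level list is needed.

```python
"""Network-layer URL reputation check: resolve, then test the destination
against bad IP space and bad name servers (constructed data, runs offline)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklists (assumptions for the example, not real threat intel).
BAD_IP_SPACE = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.64/26")]
BAD_NAME_SERVERS = {"ns1.bad-registrar.example", "ns2.bad-registrar.example"}

# Constructed stand-in for DNS: hostname -> (A records, authoritative name servers).
FAKE_DNS = {
    "www.example.com": (["93.184.216.34"], ["a.iana-servers.net"]),
    "login-update.example": (["198.51.100.23"], ["ns1.good.example"]),   # bad A record
    "free-prizes.example": (["192.0.2.10"], ["ns1.bad-registrar.example"]),  # bad NS
    "hacked-but-legit.example": (["192.0.2.77"], ["ns1.good.example"]),  # clean on both checks
}


def resolve(hostname):
    """Return (a_records, name_servers), or (None, None) if the name does not resolve.
    Replace the dictionary lookup with a real resolver in production."""
    return FAKE_DNS.get(hostname.lower(), (None, None))


def classify_url(url, host_blocklist=frozenset()):
    """Decide whether a clicked link may be followed.

    Returns (verdict, reason) with verdict 'allow' or 'block'.
    host_blocklist is an optional set of hostnames (e.g. compromised legitimate
    sites) that the IP and name-server checks cannot catch on their own.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # already lower-cased, brackets stripped from IPv6 literals
    if not host:
        return "block", "no hostname in URL"

    try:
        # A raw IP literal skips DNS entirely; still check the address space.
        addrs, name_servers = [str(ipaddress.ip_address(host))], []
    except ValueError:
        if host in host_blocklist:
            return "block", f"{host} is on the hostname blocklist"
        addrs, name_servers = resolve(host)
        if addrs is None:
            # Fail closed: a name that does not resolve cannot be vetted.
            return "block", f"{host} does not resolve"

    # Check 1: does any A record land in known-bad IP space?
    for a in addrs:
        ip = ipaddress.ip_address(a)
        for net in BAD_IP_SPACE:
            if ip in net:  # False (not an error) when versions differ
                return "block", f"{host} -> {a} is in bad IP space {net}"

    # Check 2: is the domain served by a blocklisted name server / registrar?
    for ns in name_servers:
        if ns.lower() in BAD_NAME_SERVERS:
            return "block", f"{host} is served by blocklisted name server {ns}"

    return "allow", f"{host} -> {', '.join(addrs)} is outside known bad space"


if __name__ == "__main__":
    for link in ("http://www.example.com/", "https://login-update.example/verify",
                 "free-prizes.example", "http://198.51.100.200/x",
                 "http://hacked-but-legit.example/"):
        print(link, *classify_url(link))
```

The two lookups map directly onto the tip: `BAD_IP_SPACE` is the "bad A-record IP space" and `BAD_NAME_SERVERS` is the "database of known bad registrars and/or name servers". The `host_blocklist` parameter exists only because of the exception Zink names: the compromised legitimate site passes both checks, so it must be listed by name, which is why that case is harder to mitigate.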
I hope with these tips your IT environment can become a little safer, but it appears that the human factor remains the weakest link. Even the smartest at the top.
Here’s the link to the whole article.
Wout de Natris
Haarlem, 19 February 2011