4

Our company is having a real problem with spam, phishing, and sophisticated viruses (ones that are brand new at time of first download, and not recognized by any virus scanners for at least a few hours after being downloaded, sometimes days). We have needed to wipe a few machines as a result, users have been caught by phishing scams, and we even had one virus that captured some of our info from a file share.

I am wondering how other companies guard against these types of threats. We've tried educating users about what to click or not click, but no amount of education seems to eliminate the problem (particularly for non-tech users). Do companies set up secure browsing/e-mail environments (e.g. as a separate Virtual Machine)?

FWIW, we're running an Astaro Firewall and have two anti-virus programs (ESET and TrendMicro)

Beep beep
  • Have a look at OpenDNS, which you could use to restrict access to dangerous sites; that could be a part of your solution. A local DNS with your own blacklists can do the same though (but keeping them up to date will cost you more than OpenDNS). – Shadok Jul 26 '11 at 14:11
  • I just thought of openDNS while editing my answer, didn't see your comment until afterwards @Shadok. :-) I thought they offered some protection at the lookup level but wasn't sure. Thanks for the confirmation! – Bart Silverstrim Jul 26 '11 at 16:03
  • @Bart Silverstrim, no problem at all, given the quality of your answer I can't complain, I don't want to anyway :) – Shadok Jul 27 '11 at 09:22

5 Answers

4

In addition to what others have said, here are a few things we do.

Have your firewall block .exe, .msi, .vbs, .bat, etc. You can easily google for a complete list of executable file types. On a day-to-day basis, there is no legitimate business case for end-users to be downloading and installing programs.

Also, do not allow users admin-level access. Give them only user-level access instead.

Does the Astaro Firewall have subscription based IPS and web filtering? If so, you should subscribe.

Create a plan to ensure that Windows is always up-to-date as well as Java, Flash, and Acrobat Reader.

Remove any P2P, file sharing programs, etc. from end-user computers. In fact, remove any non-business related software.

jftuga
  • +1 for not allowing users to have local administrative rights. This is IMPERATIVE if you want to stop the never ending flood of malware. – pauska Jul 26 '11 at 14:23
  • Thanks - we do all of those things except for the admin level access on our XP machines. As we upgrade to Win7 we've been restricting access. – Beep beep Jul 26 '11 at 15:37
  • We know the pain of software that is so poorly designed that it "requires" admin access for users. For the most part we mitigate it with systems that use the commercial Deep Freeze product; they can get higher level access or we set full permissions to certain directories, so they can "destroy" the machine or infect it...but on reboot, it goes back to the "known good" state. The only thing they corrupt/infect are their profiles unless they're very clever. – Bart Silverstrim Jul 27 '11 at 11:46
4

Yikes.

Okay, some of this is redundant, but here's the best I could recommend.

Limit user access on their systems to user accounts. Use the lowest privileges possible. This helps limit installation of applications.

Use only software that you have approved in the IT department. No cute kitten screensavers, no stuff from home, no cool games, nothing that isn't known to you. Install auditing software that can check on installed software of your client systems.

Block incoming attachments that are over a particular size. Saves disk space, saves bandwidth, saves your mailboxes from getting corrupted.

Block incoming attachments that are executable. That's a big one. .exe, .com, .bat, etc.

See if you can filter mail with proper anti-spam checks. SPF checking. You can configure black hole lists if necessary. An antivirus on the mail server that is kept up to date. I don't know what mail server you're using so I can't help there, but on Linux/UNIX systems ClamAV is excellent on the server because it's a plugin that works with a range of MTAs and it catches not only viruses/malware but phishing attempts and is updated as if their team has OCD.

Install antivirus software on the clients, keep it up to date, sounds like you do that already. Make sure they stay up to date, though. We have software that sometimes just "stops" updating.

Are you centralizing storage? Keep the AV up to date on that, have it notify you of infections. Lets you stay on top of potential issues from the file server. The more you centralize your information, the easier it is for you to manage it (and back it up); your users are your users because they expect you to handle technology details. They don't want to have to care about viruses and the like so expecting them to do much involving "technical stuff" will lead to more infections and problems.

One thing we have in our setup because we have a large percentage of systems that keep their configuration pretty static (and we use user profiles on a network server) is a product called Deep Freeze; you configure the system to a state you want it in and then "freeze" it, and any changes made to the system are wiped at reboot. Delete the Windows directory, reboot, restored like nothing happened. Very cathartic to do that sometimes. BUT it means having to schedule updates (due to needing to thaw it) and we don't run antivirus on it due to update issues (plus you don't want it to update every time it reboots and says "I'm out of date!"). Yes, systems can get infected, but a reboot will clear it up. We once purged an infection by essentially rebooting our building. Worked surprisingly well for a Star Trek plotline.

Do you keep up to date backups of your servers for recovering from malware?

Do you block outgoing ports on the firewall that your users shouldn't need? Especially your mail server port; only your mail server should be allowed outgoing port 25. Some malware will send messages on port 25 from workstations and will get you on black hole lists.

Set up your mail server for additional spam stop methods like tarpitting, and verify through external checkers that it doesn't relay mail.

Install malware checkers. Don't double up on antivirus. AV's tend to not play well with each other. By malware checkers, I mean something like MalwareBytes and Spybot Search and Destroy. Run them periodically. Update them frequently.

Keep all your software up to date. Adobe software, Java, Windows updates...consider installing a WSUS server locally if the number of clients warrants it.

Create images of your systems if they're standard. Makes recovery a bit easier if you can just roll out a clean image of the system. Standardize your hardware as much as possible.

Monitor your network traffic. Use SNMP on your border routers, check for unusual activity, get acquainted with "normal" network usage patterns. If something odd shows up you can investigate proactively. If you're playing with VMs it isn't too hard to set up a honeypot system that can check for unusual activity and email you if there's trouble; look up Intrusion Detection Systems for info.

Depending on the environment you could use policies to enforce whitelisting executables so only particular exe files can run on client machines, but this can quickly garner backlash from users. Use that one with care.

There are plenty of documents out there on anti-spamifying your mail servers, some of it implementation specific so you'd have to google for your particular MTA. There are also testers for remotely testing your configuration. Use them. There are appliances for spam filtering like Abaca and such as well, to help cut down on your learning curve...again, depends on your situation as to how you want to do it. At one time we had a proxy mail system in place so the first system got the email, processed it for spam scoring/blocked executable attachments/etc. then forwarded it to our mail server, so you can link incoming mail to multiple scanning methods. Document everything you do though or you can have a spaghetti blob of dependencies on the charts when you're trying to troubleshoot an issue.

And while they often ignore it, continue with the end-user education. Make or get posters. Email reminders (not boilerplate or they'll ignore them. It's like stop signs. You see them all the time, they end up blending in, honest officer I don't know what you're talking about...same thing with IT notifications. You need to tailor them and alter them so you trick the user into learning something from your notes) about new viruses and malware.

Oh, and work on your policies in the company. Ban personal storage if necessary, and personal devices, or approve them in the department. Outline what is acceptable use. Malware can and does travel on USB drives and disks.

(EDIT) You could look at putting in a proxy server for web browser traffic as well. Depending on how elaborate you want to get, you could go as simple as Squid + plugins or purchase an appliance to handle the traffic for you. Appliances are of course more turn-key and have pretty manager interfaces, reports, etc. while Squid is free and slams you with a learning curve. But there are proxies out there with neat features like blocking particular file types and of course blocking access to sites, or at least you can use it to audit access to sites. Sometimes blocking isn't a means of censoring as much as it is a way to protect your users from themselves. If you find a way to properly configure it or an appliance with the right features you could block all sorts of bad traffic, and you can track how your company resources are being used.

Make sure all of this is in your policies as well. You have a right to monitor how company assets are being used, but your users have a right to know how you're monitoring them. And you want to be careful with the whole "how far to go before I'm too draconian thing." Your company's ethical borders are up to your company.

Also be aware that when searching for web proxy stuff there may be issues with https traffic. We had issues with that in our Squid filtering; there wasn't a simple way to block websites that were encrypted, because that's kind of the point of it. There are ways to do it, though. Appliances may be better suited to the task.

I believe you can also get some measure of protection through using OpenDNS servers as your DNS upstream provider. I haven't done this, so you might have to look into it, but I think they provide some services for things like blocking lookups to malware domains and such. If they do offer that service it may be trivial to add to your setup with a good measure of protection as a benefit.

Bart Silverstrim
  • Wow, great ideas! Deep Freeze sounds interesting. Many of the other things we do (except for standard user rights on all machines - we only do that for non-XP boxes until we can upgrade everyone). Our servers have never been infected, but we've had sensitive data on the server pulled via shares by infected clients and auto-transmitted online. Almost 100% of our issues are caused by e-mailed links. Oftentimes the links are to innocuous sites that wouldn't be blacklisted. – Beep beep Jul 26 '11 at 15:43
  • You can't block everything unless you're running an environment so draconian your users will openly rebel (or you're working for a US Government three-letter agency.) Your servers can be an infection vector, so you'll want to still take care to protect them. – Bart Silverstrim Jul 26 '11 at 15:51
  • Also your shares are as secure as the users that access them. That's the idea behind locking down access. Restrict your shares to only those people that need to access it. Otherwise you will have cases where a user's PC can access sensitive information and upload it. If your HR information is accessible to anyone in the office, even if they don't actively work with the data, it's trivial for malware to iterate through shares and grab things. – Bart Silverstrim Jul 26 '11 at 15:52
  • If you *really* want to work on the cutting edge (as in your users wanting to cut you on occasion), you could see about setting up a mail filter that strips HTML messages and/or force users to use text-based email when viewing things. That could make it more difficult for link-based messages to be clicked on and followed. Also...I'll add an edit above...take a gander in a few moments. – Bart Silverstrim Jul 26 '11 at 15:53
  • Unfortunately we run a service bureau where all users need access to our most secure share. The software we have requires that they have read access on everything. We're in the process of writing our own software to replace it, but for the next year we're stuck ... it's definitely our biggest hole. – Beep beep Jul 26 '11 at 16:21
  • We do have a firewall appliance with proxy server and pretty good filtering. I like the idea of stripping html messages. – Beep beep Jul 26 '11 at 16:23
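Both jftuga's answer (block .exe, .msi, .vbs, .bat at the firewall) and Bart Silverstrim's answer (block executable attachments at the mail server) come down to the same control. The following is an added example, not code from the question, the answers or any product they mention: a small Python content filter that parses an inbound message, rejects attachments by extension, by the "MZ" header that marks a Windows executable even when it has been renamed, and by the member names of a ZIP archive. The extension list, the sample message and the file contents are constructed here; a real deployment would run this logic as a milter or content filter in front of the MTA and tune the list to the business.

```python
"""Reject inbound mail that carries executable attachments.

Added example; not code from the question or from jftuga's or Bart Silverstrim's
answers. The extension list, the MIME handling and the sample message are
constructed for illustration.
"""
import io
import zipfile
import email
import email.policy
from email.message import EmailMessage

# Extensions named in the answers plus other Windows-executable types; extend as needed.
BLOCKED_EXTENSIONS = {
    ".exe", ".msi", ".vbs", ".bat", ".com", ".cmd", ".scr", ".pif",
    ".js", ".jse", ".wsf", ".hta", ".cpl", ".dll", ".ps1",
}


def is_executable_name(filename):
    """Match on the final extension, which also catches double extensions
    such as 'invoice.pdf.exe'."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def looks_like_pe(data):
    """Windows PE/DOS executables start with the two bytes 'MZ', whatever the
    file is called; this catches a renamed .exe."""
    return data[:2] == b"MZ"


def find_executable_attachments(raw_message):
    """Return a list of rejection reasons for an RFC 5322 message (empty list = accept).

    Checks each non-multipart part by filename, by leading bytes, and, for ZIP
    archives, by the names of the members (one level deep; nested archives would
    need recursion with a size limit).
    """
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if filename and is_executable_name(filename):
            reasons.append(f"executable extension: {filename}")
        elif looks_like_pe(payload):
            reasons.append(f"PE header in attachment: {filename or part.get_content_type()}")
        elif filename.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    for member in archive.namelist():
                        if is_executable_name(member):
                            reasons.append(f"executable inside archive {filename}: {member}")
            except zipfile.BadZipFile:
                # An archive the filter cannot open cannot be vetted; refuse it.
                reasons.append(f"unreadable ZIP archive: {filename}")
    return reasons


def build_sample_message():
    """Constructed test message: a benign PDF, a double-extension executable,
    a renamed executable, and a ZIP wrapping an .exe."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "constructed")
        archive.writestr("setup.exe", b"MZ constructed")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in find_executable_attachments(build_sample_message()):
        print("REJECT:", reason)
```

Run as a script it reports three rejections (the double-extension file, the renamed executable, and the archive) and passes the PDF. The content check matters more than the extension list: a renamed binary slips past a name-only rule, and an archive the filter cannot open should be refused rather than waved through.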
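Bart Silverstrim's answer also recommends letting only the mail server out on port 25 and watching traffic for anything unusual. As an added example (not code from the answer or from any firewall product), the following Python reads firewall log lines and flags internal hosts other than the mail server that open outbound SMTP connections; a single workstation fanning out to many distinct destinations on port 25 is the pattern that lands a site on the very block lists the answer warns about. The log lines are constructed in the style of netfilter's LOG target, and the mail server address is an assumption; adapt the regular expression to your firewall's format.

```python
"""Flag workstations that open outbound SMTP (TCP/25) connections.

Added example; not code from the question or any answer. The log lines and
the mail server address are constructed for illustration.
"""
import re

# Constructed sample log lines (netfilter LOG style). 192.168.1.10 is the mail server.
SAMPLE_LOG = """\
Jul 26 14:02:11 fw kernel: [FW-OUT] IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=40312 DPT=25 SYN
Jul 26 14:02:13 fw kernel: [FW-OUT] IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.8 PROTO=TCP SPT=49221 DPT=80 SYN
Jul 26 14:02:14 fw kernel: [FW-OUT] IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.44 PROTO=TCP SPT=49230 DPT=25 SYN
Jul 26 14:02:14 fw kernel: [FW-OUT] IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.45 PROTO=TCP SPT=49231 DPT=25 SYN
Jul 26 14:02:15 fw kernel: [FW-OUT] IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.46 PROTO=TCP SPT=49232 DPT=25 SYN
Jul 26 14:02:20 fw kernel: [FW-OUT] IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=203.0.113.25 PROTO=TCP SPT=51000 DPT=587 SYN
Jul 26 14:02:21 fw kernel: [FW-OUT] IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=203.0.113.99 PROTO=TCP SPT=51001 DPT=25 SYN
"""

# Fields we need from a netfilter LOG line; other firewalls need a different pattern.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# Assumed: the only host permitted to deliver mail directly to the Internet.
AUTHORIZED_SMTP_SOURCES = {"192.168.1.10"}


def parse_smtp_connections(log_text):
    """Yield (src, dst) for every outbound TCP connection to port 25 in the log."""
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match and match.group("dpt") == "25":
            yield match.group("src"), match.group("dst")


def find_unauthorized_smtp(log_text, authorized=AUTHORIZED_SMTP_SOURCES):
    """Return {source_ip: (connection_count, distinct_destinations)} for hosts that
    are not authorized mail servers. Many distinct destinations from one
    workstation is the signature of direct-to-MX spamming by malware."""
    per_src = {}
    for src, dst in parse_smtp_connections(log_text):
        if src in authorized:
            continue
        count, destinations = per_src.get(src, (0, set()))
        per_src[src] = (count + 1, destinations | {dst})
    return {src: (count, len(dsts)) for src, (count, dsts) in per_src.items()}


if __name__ == "__main__":
    for src, (count, distinct) in sorted(find_unauthorized_smtp(SAMPLE_LOG).items()):
        print(f"{src}: {count} outbound SMTP connections to {distinct} distinct hosts")
```

On the sample, 192.168.1.57 shows three connections to three different mail hosts in two seconds, which is worth a visit to that desk; 192.168.1.88 made one. The enforcement side in netfilter is the usual pair of rules: an ACCEPT for the mail server on tcp/25, then LOG and REJECT for everyone else, so that the log this script reads is also the record of what was blocked.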
0

I'm assuming you have something like ClamAV installed on your Mail Server (this would be for a Linux mail server). That would be a first port-of-call to catch infected mail before it even gets to the users.

What I've found is it's all about catching it before it gets to the user; solve this, and you have solved the problem.

Brad Morris
  • Not a bad idea, but the OP specifically refers to viruses "that are brand new at time of first download, and not recognized by any virus scanners for at least a few hours after being downloaded", i.e. zero-day stuff. Any suggestions specifically for that? – MadHatter Jul 26 '11 at 13:05
  • Our firewall scans all inbound/outbound mail, and we also have full virus scanners on the servers. But these don't capture emergent threats. For example - there was a PDF bug that allowed a hacker to install a Master Boot Sector virus via a PDF file a little while back. We received a PDF with this exploited before any of the virus scanners even picked up on it. – Beep beep Jul 26 '11 at 13:10
  • How does he keep attracting so many 0-days? Yikes... – Bart Silverstrim Jul 26 '11 at 13:15
0

In my experience (and I know you've said you've tried this already) the best defense is education of your end users, especially when it comes to zero days. Zero days are inherently difficult to protect against and you can have all the scanners in the world, but if they don't recognize the malicious code in the exploit then they won't do you a lot of good. Changing the code of these exploits is relatively easy to do if you know what you're doing. Education of your users is something you really need to drive home. I think it's safe to say that no matter what actions you try to take to mitigate these threats, you'll always have a few e-mails that slip through the cracks.

You can try running e-mail clients in a sandboxed VM environment, but that can be costly, time consuming to set up, and there are plenty of documented exploits that allow for malicious content to break free of the sandboxed environment and access the host machine.

I would recommend taking a look at how the spammers are getting e-mail addresses of your employees as well. Do you have email addresses on your website(s)? If so, take those down and try to reduce the volume of e-mails you receive. Consider setting up a honey pot test as well for e-mails when they arrive (we've had great success with Vamsoft ORF's honeypot test). Take a look at your filtering rules on your filter as well to make sure that you're getting the most out of your software.

We've had a lot of success in mitigating malicious e-mail compromises by educating the users, consistently auditing our filtering policies and by following the Rule of Least Privilege.

If you're not familiar with the 8 rules of security, I'd suggest checking them out. They're some good food for thought and they'll really help you keep your network secure.

http://silverstr.ufies.org/blog/archives/000468.html

DKNUCKLES
0

From the sounds of it you are doing most things already and the main problem is with users being emailed links to dodgy sites.

The best way to tackle this would be to use a real-time DNS blacklist on your mail server. Check out http://www.spamhaus.org/ - using this will stop the vast majority of these.

Jon Reeves
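The mechanics behind Jon Reeves' suggestion, as an added example that is not code from the answer, from Spamhaus or from any MTA: a DNSBL is queried by reversing the octets of the connecting client's address and looking that name up under the list's zone; an A record in 127.0.0.0/8 means "listed" and NXDOMAIN means "not listed". A production MTA already implements this (Postfix's reject_rbl_client, for instance); the point here is to see how the answers are read, including two cases a naive check gets wrong: Spamhaus returns codes in 127.255.255.0/24 to signal a query problem rather than a listing, and a resolver failure should fail open rather than bounce legitimate mail. The zone name is real; the resolver used in the demo and the addresses it "lists" are constructed so the example runs offline.

```python
"""Check a connecting SMTP client's IPv4 address against a DNS-based blocklist.

Added example; not code from Jon Reeves' answer or from Spamhaus. The demo
resolver and the addresses it lists are constructed for offline use.
"""
import ipaddress
import socket

DNSBL_ZONE = "zen.spamhaus.org"

# Never query the list for your own networks: internal addresses mean nothing
# to a public list, and residential-range listings (PBL) would hit your own LAN.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBL convention: reverse the octets and append the zone.
    203.0.113.7 -> 7.113.0.203.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolve(name):
    """Default resolver: one A record via the OS; raises socket.gaierror on NXDOMAIN."""
    return [socket.gethostbyname(name)]


def dnsbl_lookup(ip, zone=DNSBL_ZONE, resolve=system_resolve):
    """Return (listed, detail). A listing is an A record in 127.0.0.0/8 and
    NXDOMAIN means not listed. Spamhaus uses 127.255.255.0/24 for query errors
    (for example, querying through a public resolver); those are not listings."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False, "not listed"
    except OSError as exc:
        # Timeout or resolver outage: fail open rather than refuse all mail.
        return False, f"lookup failed ({exc}); failing open"
    for answer in answers:
        if answer.startswith("127.255.255."):
            return False, f"query error code {answer}; check resolver configuration"
        if answer.startswith("127."):
            return True, f"listed, return code {answer}"
    return False, f"unexpected answer {answers}; ignoring"


def smtp_connection_policy(client_ip, resolve=system_resolve):
    """Decision for one inbound SMTP connection: 'accept' or 'reject'."""
    addr = ipaddress.IPv4Address(client_ip)
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "accept"
    listed, _detail = dnsbl_lookup(client_ip, resolve=resolve)
    return "reject" if listed else "accept"


# Constructed zone data for the offline demonstration; real answers come from DNS.
CONSTRUCTED_ZONE = {
    dnsbl_query_name("203.0.113.7"): ["127.0.0.4"],         # constructed listing
    dnsbl_query_name("203.0.113.9"): ["127.255.255.254"],   # constructed error code
}


def demo_resolve(name):
    """Stand-in for DNS: answers from CONSTRUCTED_ZONE, NXDOMAIN for everything else."""
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    raise socket.gaierror("NXDOMAIN (constructed)")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.9", "198.51.100.1", "10.0.0.5"):
        verdict = smtp_connection_policy(ip, resolve=demo_resolve)
        print(ip, verdict, "-", dnsbl_lookup(ip, resolve=demo_resolve)[1])
```

To use the real list, call `smtp_connection_policy` with the default resolver on a host whose DNS goes to your own recursive resolver, not a public one; that is precisely the situation the error-code branch exists to catch. The list is consulted at connection time, so it stops the bulk of junk before any attachment or link filter has to look at it.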