I need your help again. I think that either my google-fu is dead or I am just not using the right terms in English while searching.
I need to find information about how to secure a computer/network from Crimeware. I need to find information about:
- proactive defense - securing it before it gets infected, preventing it from getting infected
Basic concept in proactive defense is to reduce points of entry, and to provide additional defenses to those points that must remain open.
So this has to do with disabling various unnecessary programs that are installed (unused libraries can also be a possible point of entry, though this is a rather rare vector lately), making sure that additional programs can't be run without permission, and ideally, to have a good understanding of what programs do get run on the machine.
This is also where the firewall is placed, both to prevent against incoming attacks, and to prevent a program that would have otherwise compromised the machine from being able to communicate back to an attacker.
Once the points of possible entry have been reduced to a known list (e.g. your web browser), you can focus on securing those points of entry, things like Noscript for Firefox, making sure plugins like Java and flash are up to date, code-auditing general server code, etc.
It can also involve replacing 'typical' programs with more secure variants, like replacing Adobe's pdf reader with Sumatra PDF or similar.
So, on Elliquiy's server, I have a full understanding of every running service that provides 'points of entry':
- sshd (SSH)
- Dovecot (IMAP)
- Postfix (SMTP)
- nginx (HTTP)
- MySQL (only connected to the slave server)
- Scripting processes (PHP mostly, have some Python and Ruby at various points, though).
A custom IPTables script works as my firewall, which prevents connections to unauthorized ports, has some fun with scan attempts (random drops, tarpitting and rejecting, etc), and secures the ports used by the above against abuse.
Because scripting processes are themselves points of entry, I also make sure that the users they run under are also similarly restricted. The /home, /var, /var/tmp, /data, /tmp, and /staff directories are all mounted nosuid, nodev, preventing them from exploiting setuid or device exploits. I have a tiny whitelist of programs that are allowed setuid root, the others get setuid turned off.
Similarly, on my Windows machines, I go through the Add/Remove Programs/Programs and Features to get rid of anything I don't need. Then anything that I need that autostarts at startup, I keep from autostarting unless it has to. I also disable extraneous services (this is less necessary in Windows 7 than it was previously, but pre-loaded bloatware is a common terror of the home user purchase). When securing a customer's machine, I usually try to train them on Flashblock and similar features, though it doesn't always work.
Virus protection is more useful on Windows than it is on Linux, but even on Windows, a good, up to date antivirus will only catch new malware about half the time (based on retrospective testing). This means that your best defense is really about having behavior that doesn't let you get infected. It also means that people who abandon their antivirus of choice just because 'it failed them' are probably going to repeat that betrayal until they learn.
Another aspect of proactive defense is being aware of spearphishing and other social engineering techniques.
- active defense - how to secure it, save it, what to do if it's already infected
Well, to me 'active defense' involves monitoring and logging. For Elliquiy's server I run logcheck and Tiger to check for suspicious changes (though they pump out lots of dirty data) and ninja to autokill unauthorized processes that have somehow escalated to root. I get mailed when the user that can su to root logs in, and again on root logins. But almost all of these are various monitoring situations - learning what is going on as fast as possible.
'Reactive defense' usually involves an assessment of the sort of threat I'm facing. With 'nuke and pave' becoming more common, a lot of malware authors have given up and are just letting their malware get uninstalled normally.
Others take to ground in the system, and get more and more clever about hiding themselves. The result is 'nuke and pave':
- Disconnect the hard drive
- Make sure whatever you're plugging it into doesn't autorun
- Plug it into another machine
- Back up what you need to
- Erase the infected drive's MBR
- Format infected drive
Sometimes I can get away with utilities like Combofix, but I never do this on any system where I can't be sure I know the threat has been eliminated.
- postactive defense - what to do afterwards to make sure it won't get infected again.
If this happened to -me- (and it hasn't for roughly a decade and a half at this point), I'd evaluate where I fucked up, and take measures to ensure it didn't happen again.
Usually, I perform the basic security steps on the client's computer then consult with them about 'good Internet practices'. Unfortunately, these change.
Hopefully that helps provide a starting point for additional terms to look for.
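The "points of entry" hardening described above (directories mounted nosuid,nodev and a tiny whitelist of setuid-root programs) is easy to drift away from after a package upgrade, so an audit script is the check a practitioner would want. The script below is an added example, not from the post or from Elliquiy's server; the directory list follows the post, while the setuid whitelist, the sample mount table and the sample file list are constructed assumptions.

```bash
#!/bin/bash
# Audit: are the listed directories mounted nosuid,nodev, and does any
# setuid-root binary exist outside the whitelist? Parsing is separated from
# data collection so the checks can be run on captured input as well as live.

REQUIRED_DIRS="/home /var /var/tmp /data /tmp /staff"   # from the post
REQUIRED_OPTS="nosuid nodev"
# Hypothetical whitelist; tailor to the host.
SETUID_WHITELIST="/usr/bin/sudo /usr/bin/passwd /usr/bin/su"

# check_mounts MOUNTS_TEXT
# MOUNTS_TEXT is in /proc/mounts format: "dev mountpoint fstype opts 0 0".
# Prints one line per violation; returns 0 if there are none.
check_mounts() {
  mounts="$1"
  rc=0
  for dir in $REQUIRED_DIRS; do
    opts=$(printf '%s\n' "$mounts" | awk -v d="$dir" '$2 == d { print $4 }')
    if [ -z "$opts" ]; then
      echo "MISSING: $dir is not a separate mount point"
      rc=1
      continue
    fi
    for want in $REQUIRED_OPTS; do
      case ",$opts," in
        *",$want,"*) ;;
        *) echo "WEAK: $dir mounted without $want (opts: $opts)"; rc=1 ;;
      esac
    done
  done
  return $rc
}

# check_setuid FILE_LIST
# FILE_LIST is a newline-separated list of setuid-root files (as produced by
# find). Paths containing whitespace are not handled by this simple loop.
check_setuid() {
  files="$1"
  rc=0
  for f in $files; do
    allowed=0
    for w in $SETUID_WHITELIST; do
      [ "$f" = "$w" ] && allowed=1
    done
    if [ "$allowed" -eq 0 ]; then
      echo "UNEXPECTED SETUID: $f"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample input (not captured from a real host):
# /var/tmp lacks nosuid, /staff is not a mount point, and one vendor helper
# is setuid root but not whitelisted.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,nodev 0 0
/dev/sda4 /var/tmp ext4 rw,nodev 0 0
/dev/sda5 /data ext4 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

SAMPLE_SETUID='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/opt/vendor/bin/helper'

# With --live the real host is inspected; otherwise the sample data is used
# so the script runs anywhere.
if [ "${1:-}" = "--live" ]; then
  check_mounts "$(cat /proc/mounts)" || true
  check_setuid "$(find / -xdev -perm -4000 -user root -type f 2>/dev/null)" || true
else
  check_mounts "$SAMPLE_MOUNTS" || true
  check_setuid "$SAMPLE_SETUID" || true
fi
```

Run it from cron and mail any output to the admin; an empty report means the mount options and the setuid set still match the baseline. Remediation for a stray setuid bit is `chmod u-s` on the file, and for a weak mount a `nosuid,nodev` entry in fstab followed by `mount -o remount`.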
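The 'active defense' part of the post (being mailed on root logins and on su to root) comes down to matching a few auth-log patterns. The function below is an added example of that log-matching step, not the post's own setup; it assumes the usual syslog/pam line format, and the sample log lines are constructed.

```bash
#!/bin/bash
# Flag the events the post mails about: sshd accepting a root login, and
# su or sudo opening a session for root (someone escalated). The log path
# is an assumption; pass AUTH_LOG=/path to override.

AUTH_LOG="${AUTH_LOG:-/var/log/auth.log}"

# root_login_events LOG_TEXT
# Prints one "ALERT ..." line per matching event.
root_login_events() {
  printf '%s\n' "$1" | awk '
    / sshd\[[0-9]+\]: Accepted .* for root from /             { print "ALERT ssh-root-login: " $0; next }
    / su(-l)?\[[0-9]+\]: .*session opened for user root/       { print "ALERT su-to-root: " $0; next }
    / sudo(\[[0-9]+\])?: .*session opened for user root/       { print "ALERT sudo-root: " $0; next }
  '
}

# Constructed sample log (hosts and addresses are placeholders):
# three events should alert, the other lines are normal activity.
SAMPLE_LOG='Jan 10 03:22:11 srv sshd[991]: Accepted publickey for alice from 203.0.113.5 port 4242 ssh2
Jan 10 03:22:11 srv sshd[991]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 10 03:22:40 srv su[1004]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Jan 10 03:25:02 srv sshd[1010]: Failed password for root from 198.51.100.7 port 5555 ssh2
Jan 10 03:26:15 srv sshd[1012]: Accepted password for root from 198.51.100.7 port 5560 ssh2
Jan 10 03:30:00 srv sudo[1020]: pam_unix(sudo:session): session opened for user root by alice(uid=1000)'

# Live use (not executed here): tail the log and pipe alerts to mail, e.g.
#   tail -Fn0 "$AUTH_LOG" | while read -r line; do
#     root_login_events "$line" | mail -E -s "root activity on $(hostname)" root
#   done
root_login_events "$SAMPLE_LOG"
```

The "Failed password for root" line deliberately does not alert: failed attempts are scan noise and belong in rate-limited firewall logs, whereas an accepted root login or a completed su is the event you want in your mailbox within seconds.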