Being Pro-active vs. Post Mortum (tending to the corpse) or a whole
other direction... which is effective and costs less (time/Money)?
So the following may be to long but I need to say it. You may end up
asking "what's my point". It is simply that is part of the job you - you
might as well make it as easy as possible for yourself.
The last messages I have seen are leading in the same direction --- How
do we do this better & smarter (faster, cheaper, spend less time on a no
added value task). There is value added here (although it seems like a
waste)- it is maintaining the status quo so everyone (the non-IT people)
can do their computer based work/job.
Today I don't see THE technology (only) solution that can do this and I
rarely ever see a silver bullet in this line of work.
You need a guard that will protect the front door, back door, side door,
Windows, Roof, floor, inside door to the bathroom... also needed is a
rapid response system to identify a breach and quickly remove it with
minimum damage and lost time (an it will always will as change is the
name of this game).
My Top 5:
1. Educating users definitely makes a huge difference if you have the
time or money to do so. If not - you lose the power of those brains
working for you vs. neutral or against you (hurting themselves and you
at the same time). Also this takes consistent reinforcement, refreshing
as the 4th of July fireworks that are brilliantly stunning and clear at
the moment of the incident fade from memory quickly... Making people
smarter (brown bag lunch presentation (with free pizza) going over do's
and don'ts) is a good thing in general. You need to "deputize" every
computer user so they are working with you/for you.
Remember - a lot of the problems experienced over the past 5+ years have
happened because of social engineering - someone did something that
started the ball rolling. People are 95 percent of the problem - they
are going to have to be 95 percent of the solution. You need to stop it
from happening to stop having to fix it
2. Use Up-to-date tools that are refreshed daily (multiple times a day
sometimes) will help reduce the chance and opportunities, mitigate and
resolve a present problem and give the responsible person the ability to
monitor and react be it a 5 system network or a 50,000 system network.
Ten years ago people layered antivirus programs because one did not
catch everything this changed (you had to pick one) after AV became to
big to fit on a floppy and programs became so deeply embedded a computer
(network) could be crashed if you ran two different ones. Spyware will
probably follow this well worn trail in a year or two - it's not going
away. There are behavior based tools out but they have their own issues.
3. Back up key data to a central source (vault) in case a rebuild is
needed. I agree that it can be simpler and faster to just rebuild the
box - a ghosted image with core applications that can be restored
quickly is great (if your hardware allows keep a couple of already
ghosted drives in the storage cabinet ).
4. Put AV & AS on your mail server
5. Use a filtered proxy for internet traffic (like BlueCoat) with a
monthly update subscription. Scrub the incoming and outgoing internet
traffic (this has multiple benefits).
Other things --
Go to thin client - citrix
Move everyone to dumb terminals and a mainframe or AS400
Use an outside mail service to scrub and deliver your mail (this can
have multiple benefits).
Regards,
Bruce Klein
-----Original Message-----
From: Nathan Kline [mailto:nathank (at) borisch (dot) com [email concealed]]
Sent: Wednesday, October 26, 2005 10:53 AM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: Microsoft AntiSpyware falling further behind
What about the proactive spyware treatment? Everything that's been said
here is reactive. I'd rather it not even get on my machine in the first
place. A couple practices that I personally use are:
1. Turn on the option to ask me about all cookies, say "yes" only to
the ones needed (most browsers are capable of this in privacy settings).
This can be a little annoying at first because you feel like you're
saying yes and no to every website that you go to ... But after a while,
you don't have to worry about it nearly as much because it remembers
your choices.
2. Using Firefox instead of IE (I've found this to be one of the most
helpful anti-spyware measures). Actually READ the EULAs for "free"
software that you install to see if they come bundled with adware /
spyware (sometimes they actually tell you!).
3. Not saying that reactive treatment is bad, because I do use those
measures as well ... MSAS running and scanning my computer daily as well
as Spybot S&D ... But using the proactive methods that I use, I will
MAYBE get 1 tidbit of adware on my machine a month or so and it's almost
always been easily removed by one of the afore mentioned reactive
programs.
Nathan
IS Admin
-----Original Message-----
From: Kieran Murphy [mailto:Kieran.Murphy (at) powerscreen.co (dot) uk [email concealed]]
Sent: Wednesday, October 26, 2005 11:05 AM
To: Bruce Klein; Quark IT - Hilton Travis; focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: Microsoft AntiSpyware falling further behind
We take the same layered approach.
Trend IWSS at gateway with Trend OfficeScan inc Firewall / Anti-Spy on
desktops, complimented by either Spybot / MS AntiSpyware, and we do find
that one system will detect stuff the others don't.
Trend especially appears to detect lots more problematic cookies than
any of the others. The layered approach is the best, as you can not
depend upon one vendor getting updated dat files out quicker than the
others, but by having multiple layers you increase your chances of
getting a update for one of your range of products quicker.
And Spybot and MS are both free, so it should be feasible for everyone
to have a layered approach.
Rgds, K.
-----Original Message-----
From: Bruce Klein [mailto:bruce.klein (at) iovation (dot) com [email concealed]]
Sent: 25 October 2005 22:20
To: Quark IT - Hilton Travis; focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: Microsoft AntiSpyware falling further behind
There will never be a perfect solution - don't wait.
For the moment think of Spyware as cold weather and you want to be
protected (warm); put on layers to protect yourself.
Symantec has updated themselves to add Spam and Spyware to their
antivirus product. We are using Symantec, Websweeper, MS anti-spyware,
and Whole Security (behavior based AS).
You might say this is overkill but who knows for sure - while they all
play nice together I feel like I am at home by the fireplace with a good
supply of logs.
Regards,
Bruce Klein |Director of IT
O:503-943-6750
C:971-645-7304
F:503-224-1581
www.iovation.com
-----Original Message-----
From: Quark IT - Hilton Travis [mailto:Hilton (at) quarkit.com (dot) au [email concealed]]
Sent: Friday, October 21, 2005 1:51 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Microsoft AntiSpyware falling further behind
Hi All,
It seems that not only does Microsoft AntiSpyware recommend that
Claria's spyware is ignored, but it also misses a significant amount of
cookies that are placed on a system - I have a VPC environment where I
browse the Internet so that anywhere I go won't affect my regular
Windows session/installation. Regularly CounterSpy is detecting cookies
(such as Cok.ad.yieldmanager, CGI-Bin, Cok.AssassinTrojan2.0 and Zedo
(from yesterday's browsing)) that Microsoft AntiSpyware simply does not
know about.
Now, this is not only disappointing, but potentially dangerous. Any
customer or end user running Microsoft AntiSpyware or CounterSpy is not
being protected from these cookies, and MSAS doesn't even detect them -
that's right, neither program's active monitoring is stopping the
installation of these cookies, but at least CounterSpy is detecting them
post-installation.
AntiSpyware is far, far from the accuracy of antivirus, especially
something like NOD32. I wonder how long it will be before a decent
AntiSpyware application is released that, like NOD32 does with viruses,
actually stops spyware *before* it is installed?
http://www.threatcode.com/ <-- its now time to shame poor coders into
writing code that is acceptable for use on today's networks
War doesn't determine who is right. War determines who is left.
This document and any attachments are for the intended recipient
only. It may contain confidential, privileged or copyright
material which must not be disclosed or distributed.
The information contained in this email message may be privileged,
confidential and protected from disclosure. If you are not the intended
recipient, any dissemination, distribution or copying is strictly
prohibited. If you think that you have received this email message in
error, please notify the sender by reply email and delete the message
and any attachments.
This email is private and confidential and may contain legally
privileged information. If you are not named as an addressee it may be
unlawful for you to read, copy, distribute, disclose or otherwise use
the information contained in this email. If you are not the intended
recipient of this email please destroy this communication and contact:
itsecurity (at) terex-irl (dot) com [email concealed]
Any views or opinions presented are solely those of the author and do
not necessarily represent those of the company unless otherwise stated.
The contents of any attachment to this email may contain software
viruses which may damage your computer system. The Terex Group has taken
all reasonable precautions to minimise any risk, but cannot accept
responsibility for any damage which may be sustained as a result of any
such viruses. The recipient should conduct their own virus checks before
opening any attachment to this email.
other direction... which is effective and costs less (time/Money)?
So the following may be to long but I need to say it. You may end up
asking "what's my point". It is simply that is part of the job you - you
might as well make it as easy as possible for yourself.
The last messages I have seen are leading in the same direction --- How
do we do this better & smarter (faster, cheaper, spend less time on a no
added value task). There is value added here (although it seems like a
waste)- it is maintaining the status quo so everyone (the non-IT people)
can do their computer based work/job.
Today I don't see THE technology (only) solution that can do this and I
rarely ever see a silver bullet in this line of work.
You need a guard that will protect the front door, back door, side door,
Windows, Roof, floor, inside door to the bathroom... also needed is a
rapid response system to identify a breach and quickly remove it with
minimum damage and lost time (an it will always will as change is the
name of this game).
My Top 5:
1. Educating users definitely makes a huge difference if you have the
time or money to do so. If not - you lose the power of those brains
working for you vs. neutral or against you (hurting themselves and you
at the same time). Also this takes consistent reinforcement, refreshing
as the 4th of July fireworks that are brilliantly stunning and clear at
the moment of the incident fade from memory quickly... Making people
smarter (brown bag lunch presentation (with free pizza) going over do's
and don'ts) is a good thing in general. You need to "deputize" every
computer user so they are working with you/for you.
Remember - a lot of the problems experienced over the past 5+ years have
happened because of social engineering - someone did something that
started the ball rolling. People are 95 percent of the problem - they
are going to have to be 95 percent of the solution. You need to stop it
from happening to stop having to fix it
2. Use Up-to-date tools that are refreshed daily (multiple times a day
sometimes) will help reduce the chance and opportunities, mitigate and
resolve a present problem and give the responsible person the ability to
monitor and react be it a 5 system network or a 50,000 system network.
Ten years ago people layered antivirus programs because one did not
catch everything this changed (you had to pick one) after AV became to
big to fit on a floppy and programs became so deeply embedded a computer
(network) could be crashed if you ran two different ones. Spyware will
probably follow this well worn trail in a year or two - it's not going
away. There are behavior based tools out but they have their own issues.
3. Back up key data to a central source (vault) in case a rebuild is
needed. I agree that it can be simpler and faster to just rebuild the
box - a ghosted image with core applications that can be restored
quickly is great (if your hardware allows keep a couple of already
ghosted drives in the storage cabinet ).
4. Put AV & AS on your mail server
5. Use a filtered proxy for internet traffic (like BlueCoat) with a
monthly update subscription. Scrub the incoming and outgoing internet
traffic (this has multiple benefits).
Other things --
Go to thin client - citrix
Move everyone to dumb terminals and a mainframe or AS400
Use an outside mail service to scrub and deliver your mail (this can
have multiple benefits).
Regards,
Bruce Klein
-----Original Message-----
From: Nathan Kline [mailto:nathank (at) borisch (dot) com [email concealed]]
Sent: Wednesday, October 26, 2005 10:53 AM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: Microsoft AntiSpyware falling further behind
What about the proactive spyware treatment? Everything that's been said
here is reactive. I'd rather it not even get on my machine in the first
place. A couple practices that I personally use are:
1. Turn on the option to ask me about all cookies, say "yes" only to
the ones needed (most browsers are capable of this in privacy settings).
This can be a little annoying at first because you feel like you're
saying yes and no to every website that you go to ... But after a while,
you don't have to worry about it nearly as much because it remembers
your choices.
2. Using Firefox instead of IE (I've found this to be one of the most
helpful anti-spyware measures). Actually READ the EULAs for "free"
software that you install to see if they come bundled with adware /
spyware (sometimes they actually tell you!).
3. Not saying that reactive treatment is bad, because I do use those
measures as well ... MSAS running and scanning my computer daily as well
as Spybot S&D ... But using the proactive methods that I use, I will
MAYBE get 1 tidbit of adware on my machine a month or so and it's almost
always been easily removed by one of the afore mentioned reactive
programs.
Nathan
IS Admin
-----Original Message-----
From: Kieran Murphy [mailto:Kieran.Murphy (at) powerscreen.co (dot) uk [email concealed]]
Sent: Wednesday, October 26, 2005 11:05 AM
To: Bruce Klein; Quark IT - Hilton Travis; focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: Microsoft AntiSpyware falling further behind
We take the same layered approach.
Trend IWSS at gateway with Trend OfficeScan inc Firewall / Anti-Spy on
desktops, complimented by either Spybot / MS AntiSpyware, and we do find
that one system will detect stuff the others don't.
Trend especially appears to detect lots more problematic cookies than
any of the others. The layered approach is the best, as you can not
depend upon one vendor getting updated dat files out quicker than the
others, but by having multiple layers you increase your chances of
getting a update for one of your range of products quicker.
And Spybot and MS are both free, so it should be feasible for everyone
to have a layered approach.
Rgds, K.
-----Original Message-----
From: Bruce Klein [mailto:bruce.klein (at) iovation (dot) com [email concealed]]
Sent: 25 October 2005 22:20
To: Quark IT - Hilton Travis; focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: Microsoft AntiSpyware falling further behind
There will never be a perfect solution - don't wait.
For the moment think of Spyware as cold weather and you want to be
protected (warm); put on layers to protect yourself.
Symantec has updated themselves to add Spam and Spyware to their
antivirus product. We are using Symantec, Websweeper, MS anti-spyware,
and Whole Security (behavior based AS).
You might say this is overkill but who knows for sure - while they all
play nice together I feel like I am at home by the fireplace with a good
supply of logs.
Regards,
Bruce Klein |Director of IT
O:503-943-6750
C:971-645-7304
F:503-224-1581
www.iovation.com
-----Original Message-----
From: Quark IT - Hilton Travis [mailto:Hilton (at) quarkit.com (dot) au [email concealed]]
Sent: Friday, October 21, 2005 1:51 PM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Microsoft AntiSpyware falling further behind
Hi All,
It seems that not only does Microsoft AntiSpyware recommend that
Claria's spyware is ignored, but it also misses a significant amount of
cookies that are placed on a system - I have a VPC environment where I
browse the Internet so that anywhere I go won't affect my regular
Windows session/installation. Regularly CounterSpy is detecting cookies
(such as Cok.ad.yieldmanager, CGI-Bin, Cok.AssassinTrojan2.0 and Zedo
(from yesterday's browsing)) that Microsoft AntiSpyware simply does not
know about.
Now, this is not only disappointing, but potentially dangerous. Any
customer or end user running Microsoft AntiSpyware or CounterSpy is not
being protected from these cookies, and MSAS doesn't even detect them -
that's right, neither program's active monitoring is stopping the
installation of these cookies, but at least CounterSpy is detecting them
post-installation.
AntiSpyware is far, far from the accuracy of antivirus, especially
something like NOD32. I wonder how long it will be before a decent
AntiSpyware application is released that, like NOD32 does with viruses,
actually stops spyware *before* it is installed?
--
Regards,
Hilton Travis Phone: +61 (0)7 3344 3889
(Brisbane, Australia) Phone: +61 (0)419 792 394
Manager, Quark IT http://www.quarkit.com.au
Quark Group http://quarkgroup.com.au/
Microsoft Small Business Specialists
http://www.threatcode.com/ <-- its now time to shame poor coders into
writing code that is acceptable for use on today's networks
War doesn't determine who is right. War determines who is left.
This document and any attachments are for the intended recipient
only. It may contain confidential, privileged or copyright
material which must not be disclosed or distributed.
The information contained in this email message may be privileged,
confidential and protected from disclosure. If you are not the intended
recipient, any dissemination, distribution or copying is strictly
prohibited. If you think that you have received this email message in
error, please notify the sender by reply email and delete the message
and any attachments.
**********************************************************************
CONFIDENTIALITY NOTICE.
This email is private and confidential and may contain legally
privileged information. If you are not named as an addressee it may be
unlawful for you to read, copy, distribute, disclose or otherwise use
the information contained in this email. If you are not the intended
recipient of this email please destroy this communication and contact:
itsecurity (at) terex-irl (dot) com [email concealed]
Any views or opinions presented are solely those of the author and do
not necessarily represent those of the company unless otherwise stated.
The contents of any attachment to this email may contain software
viruses which may damage your computer system. The Terex Group has taken
all reasonable precautions to minimise any risk, but cannot accept
responsibility for any damage which may be sustained as a result of any
such viruses. The recipient should conduct their own virus checks before
opening any attachment to this email.
www.powerscreen.com
**********************************************************************
[ reply ]