Host Security: Pop Ups and Patch Management

Host Security: Pop Ups and Patch Management

Host Security: Pop Ups and Patch Management Table of Contents Pop-ups ........................................................................................................................................... 2 Pop-up Blockers -1 .......................................................................................................................... 3 Pop-up Blockers -2 .......................................................................................................................... 5 Patch Management ......................................................................................................................... 7 Application Patch Management ................................................................................................... 12 Patch Management ....................................................................................................................... 14 Approved Application List ............................................................................................................. 15 Hardware Security ........................................................................................................................ 17 Notices .......................................................................................................................................... 18 Page 1 of 18 Pop-ups Pop-ups Pop-ups (and popunders) refer to a class of images which appear on a user’s screen without the user performing any action to deliberately invoke their appearance. • Pop-ups are not directly an attack on a system, though large amounts of pop-ups effectively become a ‘denial of service’ attack on the user. • Not all pop-ups are bad. Web e-mail reply windows or spell- checklers, for instance, are often generated as pop-ups after a user request. • A number of tools can launch pop-ups, including Java and Active-X scripts, Adobe Flash, and Dynamic HTML. 53 **053 Next thing that we want to protect against is pop-ups. Now I have told you about I use something called Firebox as my browser. Google Chrome has got some of the similar or same things. You can turn on disable and enable pop-ups. There are certain sites that I go to that I need that pop-up. That pop-up is an authentication mechanism that's separate from this environment right here and it's valid. So it's not really an attack on the system. When it's an attack on the system is when we go to some site and that site has a whole bunch of advertisers on it and those advertisers want to get in your face and they pop up a separate Page 2 of 18 window that says "Act now, buy this thing." And they can do it with all sorts of different techniques out there, Java, Active-X, Adobe Flash, Dynamic HTML, it does not matter. They can do it a whole bunch of different ways. Pop-ups and pop- unders is also the other term because it goes underneath. So when you close your browser there's the advertising that they got from you. Pop-ups are a problem and so we can filter and say we won't allow any pop-ups but then that kind of breaks some of the sites that we go to. Pop-up Blockers -1 Pop-up Blockers -1 Usually activated in web browser settings • Pop-up blockers can be set to block all pop-ups, but can also be tuned to ‘trust’ designated sites (such as your web e-mail account, etc.). • Web browsers can also prompt to allow pop-ups on a per-session basis, permitting pop-ups only during a particular visit to a web site. • Third-party ‘plug-ins’ can also install pop-up blockers. This can create confusion when a user wants to allow a pop-up and it is being blocked by multiple pop-up blockers. 54 **054 So this is a setting in most of Page 3 of 18 your browsers to disable that. You can disable that universally. You can disable that for certain sites. You can white list certain sites that okay they can always give me pop-ups this is one for me. I have an Adobe Connect account that checks for that and when it actually tries to instantiate my Adobe Connect, it says "Hey, you want to white list this?" and I always say yes. So we can be granular about our protection mechanisms for pop- ups. But that means that if we're doing it for somebody else, we need to tell them that we're blocking pop-ups. We need to make that a part of the policy and end users aren't going to remember that so we have to continually train them on that. That goes into our awareness for the end users to say pop-ups are bad. We stop them but every once in a while you may need them and if we are producing an application internally for our users, we have to enable pop-ups for our application. If we are producing an application for other users out there on the in the rest of the planet, we have to say "When you buy this service, you got to enable pop-ups for our site so make sure that you do that now." And it's even better, this is what I do for my users is I actually show them if you have Chrome click here and you can see how you can do it. If you have Safari, do this. If you have Opera, do that. If you have IE do this. And walk them through the steps of enabling pop-ups for our one sight. Page 4 of 18 Unfortunately and fortunately same, it could be that they are not allowed to do that. That their configuration has been locked down by you as the security administrator so that they don't have the permission to do that. That happens quite often, even with security people because we all have to follow the same policy. So what do you do? Well you don't do pop-ups. Well I need pop-ups for this authentication mechanism to make it more secure so now we are kind of fighting back and forth from an availability standpoint. Pop-up Blockers -2 Pop-up Blockers -2 Not 100% effective, and some pop-ups will still appear even with pop-up blockers enabled • Excessive uncontrolled pop-up activity is usually the result of some other system compromise, and not merely the failure of a pop-up blocker. • Not all pop-ups come from web browsers. A popular attack against Windows machines was to send pop-ups via the Windows messenger service (which led to the service being disabled by default). 55 **055 Pop-up blockers are not 100 Page 5 of 18 percent effective. I want to figure out which ones are-- I want to find out which ones can always get through because that's the mechanism that I want to use so that I don't have to train you on how to turn off pop-up blocker and also have to fight your configuration. But that's not a topic for here but you realize the problem that we're running into or that I'm running into. It's not 100 percent effective but we'll take what we can get. Now there are tools and plug-ins for different browsers out there that will allow you to tune the pop-ups back and forth. And I really like those tools. Page 6 of 18 Patch Management Patch Management Anti-virus deals with known threats as they enter your environment over the wire, but not errors and vulnerabilities that exist in software, these system and software vulnerabilities must be patched. Patch management should follow same process as change control procedures, including approval testing and confirmation that the changes were successful. Patch management software • Centralized repository • Means to view and test patches before deployment • Control the required versions that are in the environment 56 **056 Patch management is upgrading versions of software correctly to a new version that does not have the old version's vulnerability. But then when we move forward in time, eventually evil doers will find a vulnerability in this version of the software and the people who write the software will have to create a new version of this that will move forward to in time. And what we're doing is we are going from one known good to a bad to the next known good and then it becomes bad to the next known good. We are moving from one known good to another. Page 7 of 18 I believe that patch management should not be done by the vendor of the application because they are not going to consider your environment. I believe it should be done by you in a centralized management way for all the computers under your control. That means that we're going to have to have some sort of agent-based system. Now there are agentless-based systems that are out there for patch management. The problem with agentless systems is they don't respect the end users' need to do work. If you say "We're going to push out a patch at midnight tonight because nobody is there and an end user is working on their machine because they've got to get done and they have a deadline that is midnight," you're going to stop them in the middle of the work. With an agent-based system it queries the local machine and it says "Hey, look, we're going to roll out some patches. Can you delay this thing?" And you say "Dan, my operating system does that for me already. It allows, it pops up and says can I do this later? Can you try this later? What can you do as an end user when it says try later? You keep on hitting that try later button and you just get it out of your way. Whereas when we do this in an enterprise way what we say is okay, when is an appropriate time for you, your group or your organizational unit for us to roll out this patch? And if you want to keep on delaying that Page 8 of 18 patch because you have a critical business application that's going on, you hit the delay button and it reports back to us that they've done a delay.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    18 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us