How to stop intruders without knocking out the workers

Sysadmin blog For a sysadmin, fighting malware feels like an uphill battle that you are never going to win.

Security software vendors are in a constant catch-up game, trying to create definitions to protect their customers from the latest round of malware. Sysadmins have the tough job of using their various security software and devices, while trying to allow users to still be productive and do their job.

It is a cat-and-mouse game that never seems to end. You lock down the systems so much that users can't do anything, causing a productivity loss, but then you whitelist too much, leaving yourself vulnerable to attacks.

Wrap up in layers

One infected file can spread from a user’s desktop to a file share on a server in a matter of minutes, crippling any business. The cleanup process can take hours or even days, costing possibly thousands of pounds along the way.

The knee-jerk reaction to an outbreak is to do a complete lockdown of all systems. You end up enforcing the strictest antivirus policies known to mankind, across all systems. You run scheduled virus scans every day, along with on-access scans that slow down systems.

You implement every known antivirus agent. When users try to work, their systems are so slow that they can't do their jobs, and in some cases the strict policies in place prevent them from running any programs at all.

How do you find the balance between security and allowing users to do their job?

The answer lies in a layered approach using multiple tiers of protection, combined with encouraging end-user awareness.

While this won’t provide 100 per cent protection against malicious activity, it is the best you can do.

First steps

Users work regularly with tools such as the web and email, so we need to use security tools that can protect each of those.

The average IT department is almost always strapped for cash, and security is often the first budget that gets stripped when the call comes for cost cutting. It is not easy for sysadmins to protect the systems without the funds to buy software.

If you have no budget for fancy endpoint security software suites, at a minimum you need to install antivirus software on end-user systems.

Some software vendors even have anti-spyware bundled with the anti-virus software, allowing you to kill two birds with one stone.

You want to look for software that has a low overhead on the systems and has the following capabilities:

• Real-time scanning
• Scheduled scanning
• Heuristic scanner
• On-access scanning
• On-demand scanning
• Script blocking
• Automatic updates

A lot of malware is spread through email so implementing some sort of spam filtering is important to help prevent malware entering your network.

Spam filtering can be software installed on a server or a device on your gateway; either way, its job is to protect your email.

Guard the doors

While most kinds of filtering software allow for whitelisting of falsely identified email, it is wise to limit how much you whitelist. What is the point of filtering email if you are going to whitelist everything? Let the software do its job and whitelist only in moderation.

If you have the cash, you can look at additional products such as a host intrusion prevention system (HIPS) in conjunction with an intrusion detection system (IDS).

HIPS is software that is installed on a host and looks for malicious activity, logs the activity and then tries to prevent it, while IDS is a device or software that monitors your network rather than the host level.

Deploying a combination of signature-based HIPS and statistical anomaly-based IDS you can apply policies to prevent malicious attacks before they happen.

A good education

Endpoint security can involve many types of software and devices but that is only part of the picture.

Think of the business as your house: you can have the most high-tech alarms and locks in place to protect it but that is no good to you if you don’t know how to use the system.

The same concept applies to threat prevention in the business. You can deploy all the latest and greatest security products to protect your systems but they will be useless if your users are not well trained in safe practices.

User awareness is key to securing the network. Educating users on how to browse the internet safely and avoid opening unknown files can go a long way.

Make sure users know that spam filtering and whitelisting everything can be an easy option, but it has no value if everything can get through.

It is a two-way street: our users should be more aware of their actions on the internet and their email usage, while IT provides the tools to protect them.

Although we can’t be 100 per cent winners in this game of cat and mouse, providing several layers of protection will help keep us safe from malicious activity. ®