The problem with preventing or blocking malware exploits is two-fold. The first issue, frankly, is that the opponents and the tools they are deploying are just so damn good. This is distressing, and has changed the defensive game from blocking and tackling (prevention) to one of constant vigilance, early detection, and quick recovery. Basically, we have conceded the network edge, and are fighting the battle from inside the network perimeter.
Why is this? This brings us to the second and largest part of the problem – the leaky human. Most exploits begin with a cleverly crafted email sent in a phishing or spear-phishing campaign; an email that is designed to trick or persuade the recipient into clicking on a link or opening an attachment that will result in the installation of a Trojan horse program. The Trojan horse allows for remote access and control of the affected computer, and provides an entry point into the network that the edge security will permit. This is because most security software and systems will not block what a user has permitted.
The solution to this issue just may be something called application whitelisting. Basically, the application whitelist software is created by your system admin, and specifically permits approved, validated applications, while blocking everything else. This is a deny always unless explicitly approved system. A system like this would prevent a malware installation in the scenario described above. In fact, it would prevent an employee from installing malware intentionally from a USB key or other means.
It also will prevent network users from clogging up the network with personal use software such as WeatherBug, iTunes, and the like.
The problem with whitelisting systems, of course, is that the list has to be maintained, and this can create an additional burden for the IT staff, and potential workflow delays as required new software installations are held up by whatever the approval and installation process is. Fortunately, modern software based whitelisting systems can automate the process to a significant degree. For a more detailed look at whitelisting, you may be interested in this article by John Fox on the InfoSec Institute website, 10 Common Misconceptions About Application Whitelisting.
If this is something that interests you, and you are looking for a place to start, here are three applications you can look at: Bit9 Security Platform, Lumension Application Control , Savant Protection. Ideas like this one can sometimes be met with resistance by your internal IT staff, so you may find that this is a project that would be best performed by an outside security consultancy as well.Share