nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

SANS man lists five security things you're not doing but should

Not a lot of work can bring much better security, says Internet Storm Center boss

By Darren Pauli, 8 Apr 2016

SANS Institute dean of research and head of the SANS Internet Storm Center (ISC) Johannes Ullrich has given systems admins some some light weekend reading with a list of five neglected security controls that "nobody implements".

Ullrich reckons that if put these controls in place your security posture will improve and things will get better for all internet users.

"'Nobody' may be wording it a bit strong," Ullrich says.

"But adoption of these security features is certainly not taking off."

His favourite security orphan technology is DNSSEC, which helps eradicate spoofing by providing authentication to DNS with extensions that validate origin of DNS data and data integrity.

There are reasons why admins put it off, however; there is a "good chance" domains will go dark if the complex implementation is borked, and few breaches have been caused by a failure to deploy.

It is high risk, low gain, Ullrich says, but admins can pair with registrars who make it easy to deploy.

Outbound firewall rules are surprisingly uncommon with most networks blocking inbound connections only, and as such should be on the admin's weekend reading list.

Ullrich says blocking incoming fire only offers a marginal improvement to security compared to preventing servers from downloading malcode or shipping off data to command and control servers.

It can, however, be hard to set up if dynamic IPs are in play with connections to cloud-based web services, Ullrich says.

Administrators sin by omission yet again by reading firewall logs but ignoring DNS logs, the former being largely pulp fiction; skiddie scans from Eastern European VPNs are interesting but do not measure up to actionable DNS data from recursive name servers.

"You will find (in DNS logs) infected systems resolving command and control server host names, covert channels, and all kinds of good stuff," Ullrich says.

Another control seldom implemented is HTTPS key pinning, which Netcraft recently said it can find in only 0.1 per cent of web servers.

Key pinning bridges the chasm of broken trust that is the current certificate model by helping to stop impersonators using fraudulent certificates, an attack that is common thanks to breached and cumbersome certificate authorities.

"If anything, our statistics about revoked certs sort of tell the story," Ullrich says.

First-party-only cookies, designed to stop cookies shipping to sites other than the source of where a javascript request was made, are alien to most tech shops. This technique nixes threats like cross site request forgery and the recently-upgraded BREACH attack disclosed by El Reg this week.

Admins have a "decent excuse" for doing nothing about this, however, because the still draft attribute is unsupported at present, cannot be enabled server side, and will only become reality in the next version of Google Chrome.

Ullrich threw in a lack of digitally-signed email as a final thought, adding that admins who configure their mail servers to drop attachments from unsigned emails would go someway to de-populating the internet's rich phishing grounds. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing