Daily Security Tips from Ed Skoudis - Week of August 19, 2002
Security Tip for Friday, August 23rd, 2002
To help stop viruses in their tracks, run anti-virus tools on desktops, file servers, and mail servers. With new, highly virulent strains, installing anti-virus on desktops alone is no longer enough: some part of your user base will not have the latest signature updates at any given moment. Anti-virus on the file servers and mail servers therefore acts as a second line of defense, catching infected files and attachments before they ever reach those out-of-date desktops.
Security Tip for Thursday, August 22nd, 2002
On all machines connected to your mission-critical networks, such as your DeMilitarized Zone (DMZ), hard-code the ARP cache tables with static entries. These tables map each IP address on the LAN to the physical MAC address of the machine that owns it. On each of your Internet-accessible firewalls, routers, DNS servers, web servers, and mail servers, include the IP-to-MAC mapping for every system on the LAN. A static entry is not overwritten by an unsolicited ARP reply, so hard-coding the table prevents an attacker on the LAN from poisoning that host's ARP cache, which would let them sniff your traffic, hijack sessions, or otherwise intercept data. Two caveats: a static entry protects only the cache of the host it is configured on, so every host on the segment needs the full table, and the table must be kept under change control, because a replaced network card means a new MAC address and a stale static entry will cut that host off.
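The following script is an added example and is not part of the original tips. It generates the static ARP entries for one DMZ host from a hard-coded table and then checks a copy of the host's live cache against that table, so a poisoned or non-static entry is noticed. All IP and MAC addresses, the table, and the `arp -an` output are constructed for the example; the function names static_arp_commands and check_arp are mine, and the parser assumes the net-tools `arp -an` line format shown in SAMPLE_ARP.

```shell
#!/bin/sh
# Added example, not part of the original tips: generate the static ARP
# entries for a DMZ host from a hard-coded table, and check the live cache
# against that table so a poisoned or non-static entry is noticed.
# All addresses below are constructed for the example; the check expects
# `arp -an` output in the net-tools format shown in SAMPLE_ARP.

# Hard-coded IP-to-MAC table for the segment: one "IP MAC" pair per line.
EXPECTED_TABLE='10.1.1.1 00:11:22:33:44:01
10.1.1.2 00:11:22:33:44:02
10.1.1.3 00:11:22:33:44:03'

# Constructed `arp -an` output. 10.1.1.2 has been poisoned: the MAC is wrong
# and the entry is dynamic (no PERM flag), i.e. it came from an ARP reply.
SAMPLE_ARP='? (10.1.1.1) at 00:11:22:33:44:01 [ether] PERM on eth0
? (10.1.1.2) at de:ad:be:ef:00:02 [ether] on eth0
? (10.1.1.3) at 00:11:22:33:44:03 [ether] PERM on eth0'

# static_arp_commands TABLE
# Prints the `arp -s` commands that hard-code every entry of TABLE. Pipe the
# output to sh as root (not done here) to apply them.
static_arp_commands() {
    printf '%s\n' "$1" | awk 'NF == 2 { print "arp -s " $1 " " $2 }'
}

# check_arp TABLE ARP_OUTPUT
# Prints one line per problem: an IP whose MAC differs from TABLE, an entry
# that is not static (PERM), an IP not in TABLE, or a TABLE entry missing
# from the cache. Prints nothing when the cache matches the table.
check_arp() {
    printf '%s\n' "$2" | awk -v table="$1" '
    BEGIN {
        n = split(table, rows, "\n")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, " ")
            if (f[1] != "") want[f[1]] = tolower(f[2])
        }
    }
    # net-tools line: "? (10.1.1.2) at de:ad:be:ef:00:02 [ether] on eth0"
    /\(.*\) at / {
        ip = $2; gsub(/[()]/, "", ip)
        mac = tolower($4)
        if (mac == "<incomplete>") next          # no resolution yet
        seen[ip] = 1
        if (!(ip in want)) { print "UNEXPECTED " ip " at " mac; next }
        if (want[ip] != mac) print "MISMATCH " ip " expected " want[ip] " got " mac
        if ($0 !~ / PERM /) print "NOT-STATIC " ip
    }
    END { for (ip in want) if (!(ip in seen)) print "MISSING " ip }'
}

echo "Commands that hard-code the table:"
static_arp_commands "$EXPECTED_TABLE"
echo "Problems found in the constructed cache:"
check_arp "$EXPECTED_TABLE" "$SAMPLE_ARP"
```

Run check_arp from cron on each DMZ host with the real `arp -an` output as its second argument; any line it prints is worth an alert, and a MISMATCH together with NOT-STATIC on the same address is the signature of a poisoned entry.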
Security Tip for Wednesday, August 21st, 2002
When managing your systems remotely across a network, use connections that provide strong authentication and encryption. For management access, use Secure Shell (SSH, commercially available at www.ssh.com or freely at http://www.openssh.org), Virtual Private Networks (VPNs), or other strongly authenticated, encrypted connections. Never, ever telnet to your firewall, directory server, certificate authority, or other critical systems: telnet carries your password and every command in cleartext, so anyone on the path can sniff the session or hijack it. When you do use SSH, configure it with the same care: offer only protocol version 2, disable direct root logins, and prefer public-key authentication to passwords.
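As an added example, not part of the original tips and not OpenSSH's own tooling, the script below audits an sshd_config for the settings that leave an SSH service almost as exposed as telnet: SSH-1 still offered, direct root logins, password authentication. Both configurations are constructed for the example, and the function name audit_sshd_config is mine; the keywords checked (Protocol, PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords) are real sshd_config keywords, matched case-insensitively as sshd itself treats them.

```shell
#!/bin/sh
# Added example, not part of the original tips: audit an sshd_config for the
# settings that make an SSH service nearly as exposed as telnet. Both
# configurations below are constructed for the example. Keywords are matched
# case-insensitively, as sshd itself treats them.

# Constructed weak configuration: SSH-1 still offered, root logs in directly,
# passwords accepted.
WEAK_CONFIG='# sshd_config on a DMZ bastion (constructed)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no'

# The same host after hardening.
HARDENED_CONFIG='Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no'

# audit_sshd_config CONFIG_TEXT
# Prints one "WEAK ..." line per finding; prints nothing for a clean config.
audit_sshd_config() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    { key = tolower($1); val = tolower($2); seen[key] = 1 }
    key == "protocol" && val ~ /(^|,)1(,|$)/ {
        print "WEAK Protocol " $2 " still offers SSH-1; use \"Protocol 2\"" }
    key == "permitrootlogin" && val == "yes" {
        print "WEAK PermitRootLogin yes: log in as an admin user and su/sudo instead" }
    key == "passwordauthentication" && val == "yes" {
        print "WEAK PasswordAuthentication yes: prefer public-key authentication" }
    key == "permitemptypasswords" && val == "yes" {
        print "WEAK PermitEmptyPasswords yes" }
    END {
        if (!("protocol" in seen))
            print "WEAK Protocol not set; set \"Protocol 2\" rather than relying on the default"
    }'
}

echo "Weak configuration:"
audit_sshd_config "$WEAK_CONFIG"
echo "Hardened configuration:"
audit_sshd_config "$HARDENED_CONFIG"
```

To audit a real host, pass the file contents, for example `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`; a missing Protocol line is reported deliberately, because relying on a default that may still include SSH-1 is itself a finding.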
Security Tip for Tuesday, August 20th, 2002
To detect attackers running backdoors on your machines, you must keep track of which processes are running on your mission-critical systems. Pay special attention to processes running with root or SYSTEM privileges and to those listening on the network. Have your system administration team periodically check the running processes and the ports they hold with a tool such as lsof for UNIX (at freshmeat.net/projects/lsof; "lsof -i" lists the network sockets and the process behind each one) or Foundstone's fport for Windows (at http://www.foundstone.com/knowledge/proddesc/fport.html), and compare the output against a baseline taken when the system was known to be clean. Beware of suspicious processes with innocuous-sounding names, like WIN, SCSI, or UPS.
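The script below is an added example, not part of the original tips, of the baseline comparison just described: it parses `lsof -i -n -P` output and flags every listening socket that is not held by the expected command on the expected port, so a backdoor is caught by its port and owner rather than by whatever harmless name it was given. The lsof output, the baseline, and the "UPS" backdoor are constructed for the example; the function name check_listeners is mine, and the parser assumes the -n and -P flags so that ports are numeric and addresses unresolved.

```shell
#!/bin/sh
# Added example, not part of the original tips: compare the network listeners
# reported by `lsof -i -n -P` against a per-host baseline of expected
# (protocol/port, command) pairs and flag anything else, whatever its name.
# The lsof output below is constructed; with -n and -P ports are numeric and
# addresses are not resolved, which the parser relies on.

# Baseline for this (constructed) DMZ web host: one "proto/port command" per line.
BASELINE='tcp/22 sshd
udp/53 named
tcp/80 httpd'

# Constructed `lsof -i -n -P` output. "UPS" on tcp/31337 is the backdoor:
# harmless-looking name, root privileges, listening on the network.
SAMPLE_LSOF='COMMAND  PID  USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     412  root    3u  IPv4   1234      TCP *:22 (LISTEN)
named    455  named   4u  IPv4   1300      UDP *:53
httpd    510  root   16u  IPv4   1400      TCP *:80 (LISTEN)
httpd    511  www    16u  IPv4   1400      TCP *:80 (LISTEN)
UPS     1337  root    3u  IPv4   2001      TCP *:31337 (LISTEN)
sshd    2048  root    4u  IPv4   3000      TCP 10.1.1.1:22->10.1.1.7:1042 (ESTABLISHED)'

# check_listeners BASELINE LSOF_OUTPUT
# Prints one line per listener not in BASELINE; prints nothing when every
# listening socket is owned by the expected command.
check_listeners() {
    printf '%s\n' "$2" | awk -v baseline="$1" '
    BEGIN {
        n = split(baseline, rows, "\n")
        for (i = 1; i <= n; i++) {
            split(rows[i], f, " ")
            if (f[1] != "") allowed[f[1]] = f[2]
        }
    }
    NR == 1 { next }                           # column header
    {
        if ($NF == "(LISTEN)")       { proto = "tcp"; name = $(NF - 1) }
        else if ($(NF - 1) == "UDP") { proto = "udp"; name = $NF }
        else next                              # ESTABLISHED etc. are not listeners
        port = name; sub(/.*:/, "", port)      # keep what follows the last colon
        key = proto "/" port
        if ((key in allowed) && allowed[key] == $1) next
        printf "UNEXPECTED %s listener: %s pid=%s user=%s\n", key, $1, $2, $3
    }'
}

echo "Listeners outside the baseline:"
check_listeners "$BASELINE" "$SAMPLE_LSOF"
```

Feed it the live output with `check_listeners "$BASELINE" "$(lsof -i -n -P)"` from a cron job; because the baseline pairs the port with the command, a backdoor that squats on a legitimate port under a different process name is flagged too, not only one on an odd port.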
Security Tip for Monday, August 19th, 2002
To keep up with the latest security issues, subscribe to a vulnerability mailing list. These lists offer a forum for the disclosure of security problems, and discussions about patches and other countermeasures. Bugtraq is the best free vulnerability mailing list, and is one of the most valuable resources in the information security business. You can find details for subscribing to Bugtraq at www.securityfocus.com.