We're losing the battle against vulnerabilities and viruses. A computer model created by a Hewlett-Packard researcher demonstrates that viruses are getting far more efficient than the processes in place to protect against them. And the window between publicly announced vulnerabilities and successful exploitation has been reduced to a matter of days. All this suggests that a change in our behavior may be in order. We should be looking at ways to minimize the number of services that the average PC leaves open and available to only the ones that are critical to execution of our jobs and by default 'deny' the rest.
Though firewalls, IDSes and AV software are all important components of a layered security approach, they still don't provide complete protection.
End users are sometimes a part of the problem. They can't be expected to disable unused ports and services. In fact, most wouldn't have a clue about the volume of TCP and UDP ports available on their machines, do you? (A listing of ports is available here.
By running seemingly innocuous applications like KaZaA, fax software, etc., users unwittingly open the door for crackers and viruses alike.
Most enterprises have policies in place that limit what applications their end users can install and use, but even with management's commitment, it's extremely difficult to enforce.
Applying the concept of 'default deny' has strong appeal. By default, any unused port or service should be disabled, and only enabled if required. Consulting services are available that statically apply this concept to the enterprise. They can drastically improve the enterprise's overall security posture in what's come to be the most vulnerable entry point -- the end user's PC.
Security products are available that can enable enterprises to administer a 'default deny' policy. They have proven highly effective at minimizing the enterprise's overall IT security risk in a world full of new laws governing confidentiality and privacy. Such products have helped companies to demonstrate the due care required by these laws.
It makes far more sense to look at such products than to expect the OS vendors to provide them--enterprises will always be too heterogeneous an environment, and the security challenges will constantly change. Desktops and laptops are perhaps the largest gap in enterprise security; PC security is one of those places where just saying 'no' goes a long way.
Dennis Szerszen is a principal for Judith Hurwitz Associates, focusing on infosecurity and systems management.
