When's 'denial-of-service' a good thing?

In order to combat the increasing number of viruses and attacks, companies should consider 'denying' users of any and all applications that aren't absolutely essential.

This Content Component encountered an error

We're losing the battle against vulnerabilities and viruses. A computer model created by a Hewlett-Packard researcher demonstrates that viruses are getting far more efficient than the processes in place to protect against them. And the window between publicly announced vulnerabilities and successful exploitation has been reduced to a matter of days. All this suggests that a change in our behavior may be in order. We should be looking...

at ways to minimize the number of services that the average PC leaves open and available to only the ones that are critical to execution of our jobs and by default 'deny' the rest.

Though firewalls, IDSes and AV software are all important components of a layered security approach, they still don't provide complete protection.

End users are sometimes a part of the problem. They can't be expected to disable unused ports and services. In fact, most wouldn't have a clue about the volume of TCP and UDP ports available on their machines, do you? (A listing of ports is available here.

By running seemingly innocuous applications like KaZaA, fax software, etc., users unwittingly open the door for crackers and viruses alike.

Most enterprises have policies in place that limit what applications their end users can install and use, but even with management's commitment, it's extremely difficult to enforce.

Applying the concept of 'default deny' has strong appeal. By default, any unused port or service should be disabled, and only enabled if required. Consulting services are available that statically apply this concept to the enterprise. They can drastically improve the enterprise's overall security posture in what's come to be the most vulnerable entry point -- the end user's PC.

Security products are available that can enable enterprises to administer a 'default deny' policy. They have proven highly effective at minimizing the enterprise's overall IT security risk in a world full of new laws governing confidentiality and privacy. Such products have helped companies to demonstrate the due care required by these laws.

It makes far more sense to look at such products than to expect the OS vendors to provide them--enterprises will always be too heterogeneous an environment, and the security challenges will constantly change. Desktops and laptops are perhaps the largest gap in enterprise security; PC security is one of those places where just saying 'no' goes a long way.

Dennis Szerszen is a principal for Judith Hurwitz Associates, focusing on infosecurity and systems management.


This was first published in November 2003

Dig deeper on Denial of Service (DoS) Attack Prevention-Detection and Analysis

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close