Tip

When's 'denial-of-service' a good thing?

We're losing the battle against vulnerabilities and viruses. A computer model created by a Hewlett-Packard researcher demonstrates that viruses are getting far more efficient than the processes in place

    Requires Free Membership to View

to protect against them. And the window between publicly announced vulnerabilities and successful exploitation has been reduced to a matter of days. All this suggests that a change in our behavior may be in order. We should be looking at ways to minimize the number of services that the average PC leaves open and available to only the ones that are critical to execution of our jobs and by default 'deny' the rest.

Though firewalls, IDSes and AV software are all important components of a layered security approach, they still don't provide complete protection.

End users are sometimes a part of the problem. They can't be expected to disable unused ports and services. In fact, most wouldn't have a clue about the volume of TCP and UDP ports available on their machines, do you? (A listing of ports is available here.

By running seemingly innocuous applications like KaZaA, fax software, etc., users unwittingly open the door for crackers and viruses alike.

Most enterprises have policies in place that limit what applications their end users can install and use, but even with management's commitment, it's extremely difficult to enforce.

Applying the concept of 'default deny' has strong appeal. By default, any unused port or service should be disabled, and only enabled if required. Consulting services are available that statically apply this concept to the enterprise. They can drastically improve the enterprise's overall security posture in what's come to be the most vulnerable entry point -- the end user's PC.

Security products are available that can enable enterprises to administer a 'default deny' policy. They have proven highly effective at minimizing the enterprise's overall IT security risk in a world full of new laws governing confidentiality and privacy. Such products have helped companies to demonstrate the due care required by these laws.

It makes far more sense to look at such products than to expect the OS vendors to provide them--enterprises will always be too heterogeneous an environment, and the security challenges will constantly change. Desktops and laptops are perhaps the largest gap in enterprise security; PC security is one of those places where just saying 'no' goes a long way.

Dennis Szerszen is a principal for Judith Hurwitz Associates, focusing on infosecurity and systems management.


This was first published in November 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.