Saturday, August 13, 2011

firewall-wizards Digest, Vol 61, Issue 7

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Securing email by inhibiting urls (Paul D. Robertson)


----------------------------------------------------------------------

Message: 1
Date: Sat, 13 Aug 2011 00:07:05 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: chughes@l8c.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.1108122357400.25089-100000@bat.clueby4.org>
Content-Type: TEXT/Plain; charset=US-ASCII

On Thu, 11 Aug 2011, Chris wrote:

> 3. We have Brightmail, Juniper IDS, ISS IDS and Symantec Antivirus
> protecting all mail servers.
>

The mail server isn't the target, the desktop is - that's where your
protection needs to be.

> We don't have issues with executables etc. in mail as attachments. We mostly
> see encrypted .zip or MS Excel/Word attachments in emails made to look like
> they are coming from someone friendly. The well-trained employee with a
> short memory or bad recall clicks the attachment or URL linked to a file and
> the game is over. These are zero-day payloads that are not detected by anyone.

Which is it? Attachments, or links? Those are two different issues.
Seems to me like not letting encrypted attachments through would be a
good start. It also seems that not letting most MIME types through the
HTTP proxy would be a good second step. Exceptions on a by-domain basis
tend to take about a week to get cleared up if you do it during
end-of-month cycles.

> We have spent lots of money getting them reverse engineered and the security
> firms are impressed. We can block all attachments but that doesn't stop a
> user clicking a link to a hacked ford.com page that delivers a payload (making
> this up but it's not far from true). With business constraints etc., our best
> option now is to strip/modify URLs/links in emails but our current systems
> don't have that feature.
>

The other option is to simply control what's run at the client. I've got
a customer with complete software restriction policies on that's had so
few malcode outbreaks in the last five years that I can think of three
that I had to respond to. Everything in %windir% is either a path or a
hash rule, as is everything in %programdir%. Nothing else is allowed to
run. DLL monitoring isn't on, as the performance hit isn't worth the few
times a decade a DLL injection may happen. The best thing is that things
that do get executed can't plant a Trojan, so most "infections" end up as
a zero sum game. Once you've got the bulk of the Windows and
vendor-specific rules in, maintenance is less than an addition a month.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://www.PaulDRobertson.net/

------------------------------
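The default-deny Software Restriction Policy Paul describes above (path rules for %windir% and the program directory, hash rules for the stragglers, everything else disallowed, DLL checking left off) can be built without the Group Policy editor by writing the local-policy registry keys that SRP reads. The script below is an added example written for this page, not code from the list post; it assumes "%programdir%" means %ProgramFiles% (plus the x86 tree on 64-bit hosts), that C:\Tools\putty.exe is a stand-alone tool you want to approve by hash, and that the extra deny rules for user-writable folders under %windir% are wanted (the post does not mention them; they close a well-known hole in a blanket %windir% allow).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the list post): local-policy SRP with a Disallowed
# default, path rules for the OS and program trees, and one hash rule.
# These are the keys SRP reads; GPO-delivered policy lands in the same place.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level: does not run
$Unrestricted = 0x40000  # SRP security level (decimal 262144): runs normally

function New-SaferPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,
        [string]$Description = ''
    )
    # Rules live under CodeIdentifiers\<level>\Paths\{GUID}
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so %windir% etc. are expanded by SRP at check time
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord  -Value 0 | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord  -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $key
}

function New-SaferHashRule {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][int]$Level,
        [string]$Description = ''
    )
    $item = Get-Item -LiteralPath $File
    # SRP stores the raw digest bytes; HashAlg 32772 is CALG_SHA1 (32771 would be MD5)
    $hex   = (Get-FileHash -LiteralPath $File -Algorithm SHA1).Hash
    $bytes = [byte[]](0..(($hex.Length / 2) - 1) | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
    $key = Join-Path $Safer "$Level\Hashes\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType Binary -Value $bytes | Out-Null
    New-ItemProperty -Path $key -Name HashAlg      -PropertyType DWord  -Value 32772 | Out-Null
    New-ItemProperty -Path $key -Name ItemSize     -PropertyType QWord  -Value $item.Length | Out-Null
    New-ItemProperty -Path $key -Name FriendlyName -PropertyType String -Value $item.Name | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord  -Value 0 | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord  -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $key
}

# 1. Default level Disallowed: anything without a matching rule does not run.
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel -Type DWord -Value $Disallowed

# 2. TransparentEnabled=1 enforces on executables but skips DLLs, matching the
#    "DLL monitoring isn't on" trade-off in the post (2 would check DLLs too).
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 1

# 3. PolicyScope=0 applies to everyone; 1 would exempt local administrators.
Set-ItemProperty -Path $Safer -Name PolicyScope -Type DWord -Value 0

# 4. Allow the OS and installed-software trees.
#    Assumption: "%programdir%" in the post means %ProgramFiles%.
New-SaferPathRule -Path '%windir%'            -Level $Unrestricted -Description 'Windows'
New-SaferPathRule -Path '%ProgramFiles%'      -Level $Unrestricted -Description 'Installed software'
New-SaferPathRule -Path '%ProgramFiles(x86)%' -Level $Unrestricted -Description 'Installed 32-bit software'

# 5. Caveat not in the post: a few %windir% subfolders are writable by ordinary
#    users, so a blanket allow on %windir% lets a dropper run from them.
#    A more specific path rule wins over a less specific one, so deny them here.
#    This list is a starting point; enumerate writable paths with icacls or accesschk.
'%windir%\Temp', '%windir%\Tasks', '%windir%\Debug\WIA' | ForEach-Object {
    New-SaferPathRule -Path $_ -Level $Disallowed -Description 'User-writable folder under %windir%'
}

# 6. Hash rule for a tool that lives outside the allowed trees (assumed path).
$tool = 'C:\Tools\putty.exe'
if (Test-Path -LiteralPath $tool) {
    New-SaferHashRule -File $tool -Level $Unrestricted -Description 'Approved stand-alone tool'
}
```

Verify the result the way an attacker would exercise it: copy any .exe into %TEMP% and try to launch it (log off or reboot first if the deny does not take effect immediately). A blocked launch is recorded in the Application event log under source SoftwareRestrictionPolicies (Event ID 865 for the default level, 866 for a path rule), which is also the feed to watch for the "things that do get executed" Paul mentions. Remember that a hash rule pins one file version, so every patch of that tool means re-running New-SaferHashRule, which is the "addition a month" of maintenance he describes.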

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 61, Issue 7
***********************************************