Security as a business enabler

I often talk about security as a business enabler but very rarely hear others saying the same things. So I was pleased to read recently in Computer Weekly Etienne Greeff’s article Security sceptics should ‘just say yes’.

Greeff talks about taking a strategic approach to IT security to enable adoption of new technologies. Well worth a read.

“All too often, senior managers see IT security as a necessary evil or - worse still - as an inexorable cost that inhibits the growth of their business. When managed properly, however, the opposite is true: IT security can be a highly effective business-enabler.”

PACKT Microsoft Monday

Great discounts on books, including Least Privilege Security for Windows 7, Vista and XP, over at PACKT’s website on Monday 24th January. Click here for more details.

The Global State of the Endpoint

A recent survey commissioned by Lumension doesn’t reveal many surprising results, but one interesting point was that only 44% of those surveyed thought that application whitelisting was an effective technology.

Maybe those surveyed are expecting too much. It’s not a replacement for antivirus, but even in its own right is very effective at preventing malicious software from running, especially when used in conjunction with a standard user account.

Zero-day flaw allows an attacker to impersonate the system account and bypass UAC

Here’s a good example of why implementing standard user accounts isn’t enough to secure your desktop systems. Occasionally bugs are found in Windows that allow privilege escalation – or in other words, permit a standard user to elevate to a higher set of privileges.

One such flaw has recently been disclosed and is outlined by Sophos on their Naked Security blog. Additional layers of security, such as application whitelisting and antivirus should help to mitigate the threat, or alternatively you can implement the workaround outlined in the blog post.

Hopefully it won’t be too long before Microsoft provides a patch. Looking at the workaround outlined by Sophos, it looks like this hole should be relatively trivial to plug.

End-users with admin-level access put your network security at risk

Security Adviser columnist, Roger Grimes, has another article on Least Privilege Security at InfoWorld. Not only does he speak about standard user accounts, but also about the advantages of application whitelisting software.

Roger also mentions that Least Privilege Security can help reduce support costs on desktop computers:

Locked-down desktops have few support issues since users aren't installing buggy, unapproved apps, slowing down their systems, and throwing up blue screens all the time. Plus, they require less troubleshooting and fewer rebuilds.

I would also concur with the following statement:

Of course good, updated antimalware defenses are needed. I may not be a huge fan of the increasingly less-accurate antivirus software, but it's worth installing and using in most scenarios. They may not be 100 percent accurate, but they catch bad elements.

AV software should not be your first line of defence, it’s simply not effective enough to protect users in today’s threat environment.

Something I’ve also written about myself at Windows IT Professional in the past is domain isolation. Desktops shouldn’t need to talk to other desktops for instance, and creating security domains can help to prevent the spread of malware in the case of an outbreak:

I am a strong advocate of security-domain isolation, restricting workstations and servers so that they connect to only what they need. It can be accomplished using myriad methods, including routers, firewalls, VLANs, IPSec, and other avenues of logical separation.

Adobe quietly updates Flash Player

Not much fanfare accompanying the latest update to Flash Player (version 10.1.102.64), which includes a security fix, so make sure that your systems are patched as quickly as possible.

The MSI version can be downloaded here for deployment using Group Policy or SCCM.

Don’t want to use a heavy-weight virtualization solution to run IE6 on Windows 7? Take a look at UniBrows

While Microsoft has its own solutions for running IE6 apps on Windows 7, see their whitepaper Solutions for Virtualizing Internet Explorer, they can be somewhat overkill and expensive to manage.

Dependence on IE6 for legacy web applications is often cited as a reason preventing an upgrade from XP to Windows 7, which provides improved security and easier implementation of least privilege.

Unibrows, currently in beta, is a product that runs as an add-in for IE8 and is triggered automatically according to rules configured by a system administrator in Group Policy to use IE6 code and display the page in the current tab.

Unibrows will cost $5 per user a year and is due for release at the end of November. Definitely a solution worth looking at if you want to upgrade to Windows 7 but can’t relinquish support for IE6.