Web Browser

Arguably, the most popular and frequently used client application is the web browser. A web browser allows a user to access content from web servers across a network. In most cases, users access resources and applications using the Internet. Web browsers are attractive targets because they are the primary client of web applications. A compromised web browser can make it easy for an attacker to access stored server connections by means of stored credentials. Hackers can even compromise your organization’s data without attacking the web browser directly, by intercepting the information your web browser sends to the web server.

Web browsers are attractive targets for several types of attacks, including:

  • Infect with malware—Several default web browser settings allow web browsers to run helper programs, such as JavaScript or Flash, to enhance the user experience. Although many such extensions are useful, attackers can provide substitute programs that are actually malware.

  • Intercept communication—Authorized users can access sensitive organizational data, often using a web browser. Any device or computer that sits between the client and the server sees all traffic passing back and forth between the two. An attacker who places a proxy server between a web browser and a web server can see and collect all of the traffic, including sensitive data that are intended only for the authorized user. This type of attack is often called a man-in-the-middle attack.

  • Harvest stored data—Some versions of web browsers have vulnerabilities that allow webpages to collect information stored on the client computer. This information includes usernames, passwords, account numbers, and local copies of sensitive data. This stored information can appear in cookies, application files, and settings. Criminals can look for this type of information and tell your web browser to send it to any location.

These are just a few of the many types of web browser attacks. You can, however, harden each web browser to resist attacks. Some of the hardening suggestions may reduce the web browser’s flexibility and functionality, but it will be more secure. Change settings in any web browser by opening the settings or options page. Most of the following suggestions apply to all web browsers, but the actions in the following table are specifically oriented toward Internet Explorer. TABLE 12-1 lists steps to secure a web browser.

TABLE 12-1 Securing a Web Browser

| ACTION | DESCRIPTION |
|---|---|
| Set the security level of the Internet zone to High from the Security tab. | Setting the security zone to High in Internet Explorer (IE) automatically enables many features that block most known vulnerabilities. Setting the security zone to High will also likely reduce the web browser’s functionality. |
| Add specific sites you trust as Trusted Sites from the Security tab. | When you are visiting sites defined as trusted, IE relaxes the restrictions placed on general Internet sites. This setting allows more helper programs to execute, such as Flash and JavaScript components. |
| Change the cookie settings from the Privacy tab. | On the Advanced dialog box, select to prompt for first-party and third-party cookies. This setting will alert you any time a website attempts to access any cookies. This requires user interaction each time a website wants to access a cookie. It gives you the chance to deny cookie access. You can also add any sites from which you want to accept all cookies to the list of allowed sites. You won’t be prompted for cookie access from the listed sites. You can also select the Delete Browsing History on Exit checkbox on the General tab to have IE delete all cookies and other browsing history each time you exit IE. |
| Uncheck Enable Third-Party Browser Extensions from the Advanced tab. | This setting limits the potential of browser helpers from disclosing private data. |
| Check Always Show Encoded Addresses from the Advanced tab. | This setting makes it harder to spoof Internet addresses. |
| Uncheck Play Sounds in Web Pages from the Advanced tab. | This setting prevents an attacker from infecting your computer using a sound file. |

© Jones & Bartlett Learning.

FIGURE 12-1 shows the Internet Options dialog box for Internet Explorer.

FIGURE 12-1 Internet Options dialog box, Security tab, in Internet Explorer 11. Courtesy of Microsoft Corporation.

Many more settings are available, but the settings in Table 12-1 will harden your web browser and will limit the damage an attacker can do using your web browser.
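The first two rows of Table 12-1 can be checked without opening the dialog box. The following PowerShell is an added example, not from the book: a read-only audit of the current user's Internet zone level and Trusted Sites list. It assumes the settings are stored per user under HKCU and not pushed by Group Policy; the function names are hypothetical.

```powershell
# Added example: read-only audit of the current user's IE zone settings.
$settings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Security-level templates as stored in a zone's CurrentLevel value.
$levels = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
             0x11500 = 'Medium-high'; 0x12000 = 'High' }

function Get-InternetZoneLevel {
    # Zone 3 is the Internet zone.
    $zone = Get-ItemProperty -Path "$settings\Zones\3" -ErrorAction SilentlyContinue
    if ($null -eq $zone -or $null -eq $zone.CurrentLevel) { return 'Not set' }
    $name = $levels[[int]$zone.CurrentLevel]
    if ($name) { $name } else { 'Custom' }
}

function Get-TrustedSite {
    # ZoneMap\Domains\<domain>[\<subdomain>] holds one value per URL scheme;
    # a value of 2 maps that scheme to the Trusted sites zone.
    $root = "$settings\ZoneMap\Domains"
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key   = $_
        $parts = ($key.Name -replace '^.*\\ZoneMap\\Domains\\', '').Split('\')
        [array]::Reverse($parts)          # www under example.com -> www.example.com
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {
                [pscustomobject]@{
                    Site        = $parts -join '.'
                    Scheme      = $scheme
                    # http or * means the relaxed zone also covers unencrypted pages
                    Unencrypted = $scheme -in 'http', '*'
                }
            }
        }
    }
}

"Internet zone level: $(Get-InternetZoneLevel)"
Get-TrustedSite | Sort-Object Site | Format-Table -AutoSize
```

A Trusted Sites entry flagged as Unencrypted deserves review, because the relaxed restrictions then apply to traffic that a proxy between the browser and the server can read or alter.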

Email Client

Email clients are another popular type of client software. Most of today’s email clients connect to a mail server and either display or download email messages. One of the most popular email clients is Microsoft Office Outlook. As with web browsers, there are other popular email clients.

Generally, the key to hardening email clients is to limit any malicious code that may be attached to email messages. Next, take steps to ensure email message privacy. The first step requires additional software. You should already have anti-malware software installed on each computer. Select anti-malware software that integrates with your email client. Many current anti-malware software packages work with email clients to scan all incoming and outgoing messages for malware. It is important to scan incoming messages to detect any malware before it infects your computer. It is also important to scan outgoing messages to ensure your computer is not sending malware to other destinations.

The second step to securing an email client is to safeguard message privacy. Require the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) when connecting to your mail server to make certain that all message exchanges are encrypted. This option will work only if your mail server supports it and is properly configured to handle encrypted connections. The main drawback is that once your message reaches your mail server, the message is decrypted and sent on its way. Alternatively, you can encrypt each message to guarantee your message stays encrypted all the way from your email client to the recipient’s email client.

Unfortunately, there is no automatic method to encrypt email messages for generic recipients. Microsoft Office Outlook includes Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption as long as the recipient has your public key. Several add-on products work with most email clients to encrypt messages as well. For example, OpenPGP, GPG, and S/MIME are all examples of email message encryption methods. Before using any of the methods or software, confirm that the recipient of your email message uses the same method. Additionally, his or her email client must be capable of receiving and decrypting the message. Since you have to take special steps for each recipient to whom you send email, encrypting email messages is not used extensively for sending messages to large groups of people. It does work very well in situations where you know you’ll be sending several private messages to the same person or a small group of people.

Most general hardening recommendations are appropriate for other email clients. The following specific recommendations apply directly to Microsoft Office Outlook. TABLE 12-2 lists steps to make your email client more secure.

TABLE 12-2 Securing an Email Client

| ACTION | DESCRIPTION |
|---|---|
| Install anti-malware software that integrates with your email client. | Integrated anti-malware software should scan each incoming and outgoing message. Have a plan to keep all anti-malware software and data up to date. |
| Enable the junk filter function. | Configure your email client to filter suspicious messages and put them in a junk messages folder. Keep them separate from your regular messages. |
| If your mail server supports secure connections, force your email client to use only secure connections when retrieving or sending email. | Although this setting will encrypt all email messages between your email client and the mail server, messages that travel beyond your mail server will be transmitted in the clear. |
| Do not preview messages. | Many attackers embed malicious code in images or other email content. Train users to never open an email message from an unknown source. Since many types of malware send email messages using the sender’s address book, users shouldn’t open any attachment they aren’t expecting. |
| Change the default mail format to plaintext. | Plaintext does not contain embedded commands that could result in malware infections. HTML messages are much more visually appealing but more dangerous as well. |
| Use an Encrypting File System (EFS) or BitLocker to encrypt the folder or drive that contains your email data files and attachments. | Keeping your email messages and attachment folders encrypted makes it harder for attackers to access the contents of your email messages without encountering operating system access controls. |
| If you need to exchange private email messages with a number of recipients, either use Microsoft’s email encryption or acquire additional software to use another solution. | Ensure both sides of the email exchange use the same encryption method. Also, each recipient must have the sender’s public key. In most cases, this is accomplished by first sending a digitally signed message to the recipient. The recipient receives the message and adds the public key to the address book. The recipient can now receive and decrypt encrypted messages from the sender. |


Even if you install and use the most advanced layers of protection for email clients, most successful attacks depend on the user. One important step in securing email is to properly secure the email users. That means you’ll need to provide sufficient security awareness training to all users. Many attacks, such as phishing or ransomware attacks, start with an email message that looks enticing enough for a user to follow a bad link. The ultimate success of securing email is to stop users from carrying out actions that result in attack success.

Productivity Software

Most workstations and even mobile devices have some type of productivity software installed. Productivity software is any software enabling users to accomplish general work more efficiently. Productivity software may be installed as several separate programs or as a collection, or suite, of software. Common productivity software programs include the following, along with Microsoft’s product for each solution:

  • Word processing—Microsoft Word

  • Spreadsheet—Microsoft Excel

  • Lightweight database—Microsoft Access

  • Presentation—Microsoft PowerPoint

  • Project scheduling/management—Microsoft Project

  • Publishing—Microsoft Publisher

Productivity software packages are also targets for attackers, especially the more popular programs. The main goals for compromising productivity software are malware infection and private data disclosure. Many types of malware infect computers when users open infected files. Infected documents, spreadsheets, presentations, and databases can exploit vulnerabilities in your productivity software and launch malware that infects your computer. Many successful attacks still introduce malware to computers using productivity software document types that appear to be harmless.

The standard file extensions also identify potential content types to attackers. If a criminal is looking for private data that are likely stored in an Access database, any files with the extension .accdb are good candidates. TABLE 12-3 lists the general steps to help secure your productivity software.

TABLE 12-3 Securing Productivity Software

| ACTION | DESCRIPTION |
|---|---|
| Install anti-malware software that integrates with your productivity software. | Integrated anti-malware software should scan each file before opening it. Make sure you have a plan to keep all anti-malware software and data up to date. |
| Use EFS or BitLocker to encrypt the folder or drive that contains your productivity software documents and databases. | Keeping your document folders encrypted makes it harder for attackers to access the contents of your documents without encountering operating system access controls. |
| Never open a file unless you trust the source. | Many malware infections depend on a user opening an infected file. |
| Ensure your productivity software has the latest security patches installed. | New vulnerabilities are discovered daily. Unpatched software is at risk. |


File Transfer Software

One of the earliest uses of networks was to transfer files from one computer to another. Users still transfer files routinely between computers, sometimes over large distances. Every file download or upload is a file transfer. Unfortunately, the protocols most commonly used to transfer files send the contents of each file in the clear, which means unencrypted. The reason for sending data in the clear is that it is much faster than encrypting the data first. However, security is a greater concern than efficiency for private data. Do not use standard file transfer methods for any files that contain private data. Use a secure transfer method.

The most common method of transferring files across a network is the File Transfer Protocol (FTP). FTP uses the Transmission Control Protocol/Internet Protocol (TCP/IP) suite to decompose a file into small messages and send the file to a recipient where the file is reassembled. The process is solid but insecure. As security has become more and more important, additional methods have been introduced, including FTP over a Secure Shell (SSH) and Secure FTP (SFTP). Virtual private networks (VPNs) are also a good choice for transferring files. Use unencrypted FTP within a secure VPN to achieve very good privacy.

Regardless of the specific choice you use, both ends of the network connection must agree on the methods. The main point of securing file transfer software is to ensure all files that contain private data are transferred using some type of encryption.

AppLocker

Microsoft includes a feature in Windows that allows you to restrict program execution using Group Policy. This feature, called AppLocker, is included with Windows Server and Enterprise editions of Windows workstation versions. AppLocker provides the ability to whitelist applications, telling the operating system which applications are OK to run. Prior to AppLocker, Microsoft provided basic software restriction capabilities through the Software Restriction Policies (SRP) in previous Windows versions. SRP is still available in newer Windows versions but is harder to use in a larger enterprise than AppLocker. Define rules using Group Policy to restrict which applications computers can run using these types of rules:

  • Path rules—SRP and AppLocker allow you to define specific paths from which users can execute applications. Any application located in paths not approved by these Windows features cannot run. Unless you carefully restrict users from common installation folders, they can just copy new applications into a common folder and essentially bypass the path rule restriction.

  • Hash rules—SRP and AppLocker allow you to create a cryptographic hash for each executable to distribute to workstation computers. Windows validates that the executable program matches the approved hash value each time you run a program. This type of rule is more secure than a path rule, but it requires that you update the hash value each time you distribute a program update.

  • Publisher rules—AppLocker makes application security easier than SRP by introducing a new type of rule. Publisher rules use digital signatures provided by application publishers. Use these signatures with additional criteria, such as minimum version, to define allowable applications. For example, you could allow Microsoft Word to run on a workstation only if it has a valid publisher certificate and is at least version 12.0. Although AppLocker publisher rules are slightly similar to SRP certificate rules, AppLocker has added a lot of features and made defining rules much easier.

Besides the additional features AppLocker provides with Publisher Rules, AppLocker makes it easy to define rules for any number of users employing Group Policy.
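The difference between the rule types shows up when the same file is evaluated from two locations. The following PowerShell is an added example, not from the book: it uses the AppLocker cmdlets to build two policies in memory and test them, without applying anything to the machine. Using notepad.exe as a stand-in for an approved program and the copy name in the TEMP folder are assumptions.

```powershell
# Added example: compare how a path rule and a publisher/hash rule treat
# the same executable in two locations. Nothing is enforced or saved.
Import-Module AppLocker

$approved = Join-Path $env:WINDIR 'System32\notepad.exe'   # stand-in for an approved program
$copy     = Join-Path $env:TEMP 'notepad-copy.exe'         # same file, user-writable folder
Copy-Item -Path $approved -Destination $copy -Force

# The three attributes AppLocker rules can match on.
$info = Get-AppLockerFileInformation -Path $approved
$info | Format-List Path, Publisher, Hash | Out-Host

# Policy 1: path rule only. Policy 2: publisher rule, falling back to a
# hash rule when the file carries no usable signature.
$policies = [ordered]@{
    'Path rule'           = $info | New-AppLockerPolicy -RuleType Path -User Everyone
    'Publisher/hash rule' = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone
}

# Evaluate both locations of the file against each policy.
foreach ($p in $policies.GetEnumerator()) {
    Test-AppLockerPolicy -PolicyObject $p.Value -Path $approved, $copy -User Everyone |
        Select-Object @{ n = 'Policy'; e = { $p.Key } }, FilePath, PolicyDecision |
        Format-Table -AutoSize | Out-Host
}

Remove-Item -Path $copy
```

A path rule follows the location, so it stops matching when the file moves and matches whatever is placed in an approved folder; publisher and hash rules follow the file itself.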
