
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness Month - Day 6 - Computer Monitoring Tools

Published: 2010-10-06
Last Updated: 2010-10-11 17:44:29 UTC
by Marcus Sachs (Version: 1)
2 comment(s)

As security professionals we all know when our computers are trying to tell us that there is something wrong.  We also have our own techniques for poking around "under the hood" looking for trouble before it gets out of hand.  Like car enthusiasts, we know what each rattle and noise means and we take steps to correct the problem early.  But what about our parents and extended family members who don't have the same skills?  Like the temperature gauge or "check engine" light in your car, how does a typical user know that something is wrong?

Most newer operating systems have a system health and monitoring capability.  For example, in Windows 7 you do this:

  • Log on as a local administrator on your computer, click Start, click Control Panel, and then click Performance Information and Tools.
  • Under Advanced Tools, select Generate a system health report.

And in Windows XP you take these steps:

  • Log on as a local administrator on your computer, click Start, and then click Help and Support.
  • Under Pick a task, click Use Tools to view your computer information and diagnose problems.
  • In the Task pane, click My Computer Information, and then click View the status of my system hardware and software.
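The two click paths above get you the built-in report, but a relative is not going to navigate Control Panel on their own. The following PowerShell script is an added example, not from the diary or from Microsoft: it prints a short, plain-language list of the things a non-technical user most needs to hear about (low disk space, automatic services that have stopped, recent System log errors, and whether an antivirus product is registered with Security Center) and can optionally launch the same Windows 7 health report the steps above describe, which is Resource and Performance Monitor started as perfmon /report. The thresholds, the function names and the fallback between the two Security Center namespaces are my assumptions; it is written for Windows 7 and PowerShell 2.0, which is why it uses Get-WmiObject and Get-EventLog rather than the newer CIM cmdlets.

```powershell
# Added example (not from the diary): a one-click "is my PC OK?" check for a
# non-technical relative. Written for Windows 7 / PowerShell 2.0, so it uses
# Get-WmiObject and Get-EventLog rather than the newer CIM cmdlets.
# Run from an elevated (local administrator) PowerShell, as the diary's steps do.

param(
    [int]$MinFreeGB = 5,        # assumption: warn below 5 GB free on any fixed disk
    [int]$LookbackHours = 24,   # assumption: only look at the last day of errors
    [switch]$OpenHealthReport   # also launch the built-in report (perfmon /report)
)

function Get-LowDisks {
    # DriveType 3 = local fixed disk; skips CD/DVD and removable media
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
        Where-Object { $_.FreeSpace -lt ($MinFreeGB * 1GB) } |
        ForEach-Object { "Drive {0} has only {1:N1} GB free" -f $_.DeviceID, ($_.FreeSpace / 1GB) }
}

function Get-StoppedAutoServices {
    # Services configured to start automatically that are not running
    # (a stopped AV, firewall or update service is the classic "something is wrong")
    Get-WmiObject Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        ForEach-Object { "Service '{0}' should be running but is {1}" -f $_.DisplayName, $_.State }
}

function Get-RecentSystemErrors {
    # Top five sources of Error events in the System log over the lookback window
    $since = (Get-Date).AddHours(-$LookbackHours)
    Get-EventLog -LogName System -EntryType Error -After $since |
        Group-Object Source | Sort-Object Count -Descending | Select-Object -First 5 |
        ForEach-Object { "{0} error(s) from '{1}' in the last {2} hours" -f $_.Count, $_.Name, $LookbackHours }
}

function Get-AntivirusStatus {
    # Security Center registers AV products in root\SecurityCenter2 on Vista/7
    # and later; XP uses root\SecurityCenter (whose class has no productState,
    # so that field prints blank there). productState is a vendor bitfield, so
    # only presence and the raw value are reported.
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $av = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        if ($av) {
            return ($av | ForEach-Object { "Antivirus registered: {0} (productState {1})" -f $_.displayName, $_.productState })
        }
    }
    return $null
}

# @() around each call turns "no output" into an empty array, so the count is honest
$problems = @(Get-LowDisks) + @(Get-StoppedAutoServices) + @(Get-RecentSystemErrors)
$avLines  = Get-AntivirusStatus
if (-not $avLines) { $problems += "No antivirus product is registered with Security Center" }

Write-Host "=== Quick health check for $env:COMPUTERNAME, $(Get-Date) ==="
$avLines | ForEach-Object { Write-Host " + $_" }
if ($problems.Count -eq 0) {
    Write-Host " + Nothing obviously wrong."
} else {
    $problems | ForEach-Object { Write-Host " - $_" }
}

if ($OpenHealthReport) {
    # The same report as Control Panel > Performance Information and Tools >
    # Advanced Tools > Generate a system health report; it takes about a minute.
    Start-Process -FilePath 'perfmon.exe' -ArgumentList '/report'
}
```

Save it as something like healthcheck.ps1 and run it from an elevated PowerShell as .\healthcheck.ps1 (add -OpenHealthReport to get the full report as well); on a fresh Windows 7 box you will need to allow local scripts once with Set-ExecutionPolicy RemoteSigned. The point of the design is that every finding is one sentence a person can read over the phone, which is what the "check engine" light does for a driver.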

But what else can a non-technical user do that is simple and easy?  We published a diary about this subject a couple of months ago and got some really cool ideas.  Take a look at the comments and see if there is anything else you are aware of.  Use the "comment" link below to add your ideas to this diary.

Marcus H. Sachs
Director, SANS Internet Storm Center

 


Cyber Security Awareness Month - Day 7 - Remote Access and Monitoring Tools

Published: 2010-10-06
Last Updated: 2010-10-11 17:35:18 UTC
by Rob VandenBrink (Version: 1)
9 comment(s)

It's 10pm, Sunday night, Anytown. In a quiet house, a phone rings.

Ring Ring, Ring
Your Mother-in-Law:
"Hello Dear, I've got an XYZ error message on my screen, I've powered off and back on, and the message is still there. Can you help?"
You (to yourself, in your inside voice): "Which means she's powered her *screen* off and on instead of her computer, here we go again!"
You (to her, in your out-loud voice): "It really sounds like I need to be there to fix this - can I stop by tomorrow after work?"
Her: "But I'm bidding on a WXY, and the auction closes tomorrow - can't we get this fixed tonight? Plus you know how I like to play those fun online games my friend showed me over my coffee every morning."
You (inside voice again): "Yeah, another WXY, everyone needs more of those! And don't get me started on those malware infested flash games! How am I going to get this fixed before work tomorrow? She's an hour's drive away and I have an early start tomorrow at work!"
You (to her, out loud): "Will you still be awake in an hour? I can still drop by later tonight, if that's ok?"
Her: "That'd be lovely - I'll put a pot of coffee on, and I baked some cookies today. If this is like last time you'll probably be a few hours!"

Wouldn't it be great if she had an icon on her desktop that would let you remote control her computer, right now?
Well, the good news is, there is such an app.  And like so many things in IT, the bad news is, well, the bad news is that there is such an app.

Remote control tools like gotomypc (now gotomysupport), logmein, webex, bomgar and the like used to be considered *evil* apps in many IT groups.  They pretty much allowed strangers to remote control your desktop computers over SSL or other encryption (or obfuscation or clear text) protocols, and there weren't a lot of tools out there to control how they got used.  I can remember talking to my CFO a number of years back, trying to explain why gotomypc (which was new at the time) was not a good alternative for him, that he should use the corporate VPN access.  If you look at what these remote access tools do, it sounds a lot like the ultimate goal of any pen-tester, or of any of the "bad guys" who of course also want to compromise your network security - total control of internal resources without your knowledge.

On the other hand, as these tools have matured we're seeing a large uptake in their use in corporate IT groups, to the point that most IT groups will often have such a solution in place to remotely support their own users.  We also see it routinely if we call for support on server operating systems or network infrastructure problems - almost the first thing most support techs will do is mail you a remote support link so they can see the problem first-hand and work on it themselves (using your computer).

So for all our family remote support needs, there are dozens of free tools out there that do exactly this. For our corporate needs, similarly, there are dozens of tools out there that do exactly this, for a per-seat or per-site license fee.

Even in this new world where we've now "blessed" these remote access tools, people are missing some of the "Security 101" questions around them. Things like:

  • How good is the encryption on this tool?
  • Where exactly does the session data transit? Am I running this through an appliance in my own datacenter, or is it relayed through the provider's infrastructure on the internet (people call this "the cloud" these days, like that makes it safer somehow)?
  • If the session data goes to the remote support tool provider, what country are they in? How does their privacy, search and seizure legislation compare to yours?
  • Does the tool offer a drive map, which might allow file transfer without the user knowing?

The answers to these questions might not matter too much to your Mother-in-Law, but your CEO, CIO and Corporate Counsel should all care.

The "traditional" remote control tools like VNC or MS Terminal Services have been made a lot less effective by firewalls, especially personal firewalls turned on by default in the OS. They can still be deployed (and controlled) in a corporate setting, where you can do things like have Group Policy open workstation firewall ports when at work and close the affected ports when away, but these tools aren't much help when your CEO is trying to VPN in from a hotel behind a firewall and two time zones away.
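As an added example of the Group Policy approach just described (not from the diary), here is the workstation side written as PowerShell driving netsh advfirewall, which exists on Windows 7 where the New-NetFirewallRule cmdlets do not: RDP (TCP 3389) and VNC (TCP 5900) are allowed inbound only while the machine is on the Domain network profile and explicitly blocked on Private and Public, so the same rule set is open in the office and closed in the hotel. The rule names are assumptions. In a real deployment you would push the same rules through Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security rather than run this on each machine; the script is the testable local equivalent.

```powershell
# Added example (not from the diary): profile-scoped inbound firewall rules for
# the "traditional" remote control ports. Run from an elevated prompt; netsh
# advfirewall exists on Windows Vista/7 and later. Rule names are assumptions.

$rules = @(
    @{ Name = 'RemoteControl-RDP'; Port = 3389 },   # Terminal Services / RDP
    @{ Name = 'RemoteControl-VNC'; Port = 5900 }    # VNC
)

foreach ($r in $rules) {
    $allowName = "$($r.Name)-Domain"
    $blockName = "$($r.Name)-OffNetwork"
    $port      = "localport=$($r.Port)"

    # Delete earlier copies so the script can be re-run without stacking rules.
    netsh advfirewall firewall delete rule "name=$allowName" | Out-Null
    netsh advfirewall firewall delete rule "name=$blockName" | Out-Null

    # Allow only while the adapter is on the Domain profile, i.e. Windows can
    # reach a domain controller, which is the "at work" case in the text.
    netsh advfirewall firewall add rule "name=$allowName" dir=in action=allow protocol=TCP $port profile=domain

    # Block on Private and Public. Inbound is already blocked by default there,
    # but an explicit block rule beats any allow rule an installer or user adds later.
    netsh advfirewall firewall add rule "name=$blockName" dir=in action=block protocol=TCP $port profile=private,public
}

# The check: which profile is active right now, and what did we just create?
# Run this from the hotel before assuming the port is closed.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern '^Rule Name:\s+RemoteControl-' -Context 0,4
```

The explicit block rules are the part worth copying: Windows evaluates block rules before allow rules, so a later "Allow VNC" rule that a support tool's installer quietly adds still does nothing off the domain network.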

What tools do you use for remote support? If you run a corporate network, how do you control the use of remote control tools? Does your firewall or IPS control this stuff, do you restrict it at the desktop using Group Policy or browser settings, or have you just resigned yourself to the fact that anyone who can dial one of your end-users' extensions can social engineer themselves into a remote session on your network?
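Before you can restrict these tools at the desktop you need to know which ones are already there. As an added example (not from the diary), the PowerShell script below audits one workstation for the products named in this diary by three routes: the installed-software registry keys, running processes (matched on the binary's company and description strings, not just its file name), and anything listening on the classic RDP and VNC ports. The vendor name pattern and the port list are assumptions to extend for your environment; it targets Windows 7 / PowerShell 2.0, so it parses netstat output rather than using Get-NetTCPConnection.

```powershell
# Added example (not from the diary): read-only audit of one workstation for
# the remote control tools the diary mentions. The vendor pattern and port list
# are assumptions to adapt to your environment. Targets Windows 7 / PowerShell 2.0,
# so it parses netstat rather than relying on Get-NetTCPConnection.

$VendorPattern = 'GoToMyPC|GoToAssist|LogMeIn|WebEx|Bomgar|TeamViewer|VNC'   # assumption
$ListenPorts   = 3389, 5900, 5800   # RDP, VNC, VNC's HTTP viewer (assumption)

function Get-InstalledRemoteTools {
    # Installed-software inventory from the Uninstall keys (64-bit and Wow6432Node)
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $VendorPattern } |
        ForEach-Object { "Installed: {0} {1} ({2})" -f $_.DisplayName, $_.DisplayVersion, $_.Publisher }
}

function Get-RunningRemoteTools {
    # Match on the binary's version metadata as well as its name: agents get
    # renamed, but the Company/Description strings usually survive.
    Get-Process |
        Where-Object { ($_.Name -match $VendorPattern) -or
                       ($_.Company -match $VendorPattern) -or
                       ($_.Description -match $VendorPattern) } |
        ForEach-Object { "Running: {0} (PID {1}) {2}" -f $_.Name, $_.Id, $_.Company }
}

function Get-RemoteListeners {
    # netstat -ano columns: Proto  Local Address  Foreign Address  State  PID
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port  = [int]$matches[1]
            $owner = [int]$matches[2]
            if ($ListenPorts -contains $port) {
                $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
                $name = if ($proc) { $proc.Name } else { 'unknown' }
                "Listening: TCP {0} owned by {1} (PID {2})" -f $port, $name, $owner
            }
        }
    }
}

# @() around each call turns "no output" into an empty array so the count is honest
$findings = @(Get-InstalledRemoteTools) + @(Get-RunningRemoteTools) + @(Get-RemoteListeners)
if ($findings.Count -eq 0) {
    "No remote control tools found on $env:COMPUTERNAME"
} else {
    "Remote control tools on ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it across the fleet from a Group Policy startup script or with Invoke-Command and diff the output against the list of tools you have actually approved; any "Installed:" or "Running:" line that is not on that list is exactly the unmanaged remote session the question above worries about.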

Please use the comment form to discuss - this is a debate that's been around for a while, but it seems like we have new answers every time!

 =============== Rob VandenBrink Metafore  ===============
