What's on your network?
I was looking through my Spam folder this evening to see if there was anything interesting in there. Of course I found some of the "standard" phishing attempts that we have come to accept as "normal". While looking at these I got to thinking about how some of them, just from viewing the email (if it uses HTML, as many do), would serve you content pulled from websites you never clicked on. In essence, unsolicited requests would be leaving your network. This led me to think about software that "phones home", and I realized it had been a while since I had heard about any.
I thought I must be missing something, but sure enough my Google search turned up empty for anything in the last few months. So now the real question comes to my mind: is that because there is nothing "phoning home", or is it because our networks are so large, with so much traffic, that no one knows what is on their network anymore? I subscribe more to the latter. I think the majority of people (and their management) feel there is simply not enough time to figure out what all the traffic really is, and that they have tools to automate things so they don't have to know, because the tools do it all for them.
This really concerns me because software products are being released constantly. How much testing really goes on for them? How much hidden functionality really exists? How do you know if your software is doing what it should do? Egress filtering is more important than ever for securing your network. Too often you find people know enough to get the software up and running, but that is about it.
So I have a couple questions I'd like to get feedback on:
- Is there no software phoning home anymore or are we just missing it?
- What steps do you take to ensure the software on your network is only talking to and doing what it's documented to do?
Comments
Once we achieved this goal, we focused on the applications:
1. What is the business case that justifies their use?
2. What do they do?
3. What privileges do they need to work? What network traffic must be enabled?
While we were on these tasks, we made some amendments to the previous policy on software usage by adding a corporate restriction and an approval workflow for any application or new software (including operating systems).
vmforno
Mar 16th 2009
Mark McDonagh, NetFort Tech
Mark McDonagh
Mar 16th 2009
Here are a few of the things I found:
- People configured GoToMeeting on their PCs because the firm-provided SecurID card was just too heavy for them to carry.
- A printer was contacting the vendor. Someone left the remote diagnostics enabled on a printer.
- One of our air conditioners was contacting the vendor. No one knew until I started asking.
- MS Remote Desktop Protocol is not allowed out. But SSL is, so someone moved RDP to port 443.
- Skype: it likes running on port 443. Nmap is pretty good at identifying the protocol.
So far I have not found any malware using this technique. But plenty of compliance issues. Your mileage will vary.
ArticPuppy
Mar 16th 2009
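The diary asks how you make sure software only talks to what it is documented to talk to, and the comment above shows what turns up when you look: printers and HVAC units calling their vendors, and RDP tunnelled over port 443 because "SSL" is allowed out. The script below is an added example, not code from the diary or from any commenter, of the two checks behind both observations: compare each outbound flow against a per-host list of documented destinations, and compare the client's first bytes against the protocol the destination port is supposed to carry. The inventory (DOCUMENTED), the host names, the RFC 5737 addresses and the flow records are all constructed for the example; the fingerprints only cover the unambiguous preambles (TLS ClientHello, TPKT/X.224 RDP connection request, SSH banner, plaintext HTTP verbs), and everything else is reported as "unknown" rather than guessed.

```python
"""Added example: flag outbound flows that are undocumented for the source host
or that carry a protocol which does not match the destination port.
Inventory, hosts, addresses and flow records are constructed, not real data."""

from dataclasses import dataclass

# Approved outbound destinations per source host, as they would come out of an
# approval workflow (constructed inventory, example only).
DOCUMENTED = {
    "ws-101": {("203.0.113.10", 443)},   # workstation: vendor update service over TLS
    "ws-102": {("203.0.113.10", 443)},
    "printer-3f": set(),                 # printer: no vendor callback was ever approved
    "hvac-roof": set(),                  # building controller: likewise
}

# What the client's first bytes should look like on a given destination port.
EXPECTED_PROTOCOL = {443: "tls", 80: "http", 22: "ssh", 3389: "rdp"}


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def fingerprint(payload: bytes) -> str:
    """Classify a client's first bytes by well-known protocol preambles.

    Only cheap, unambiguous cases are handled; anything else is 'unknown',
    which on an allowed port is itself worth a second look with a fuller tool.
    """
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"      # TLS record type 22 (handshake) whose first message is ClientHello (1)
    if len(payload) >= 6 and payload[:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "rdp"      # TPKT header (version 3) followed by an X.224 Connection Request (0xE0)
    if payload.startswith(b"SSH-"):
        return "ssh"      # SSH identification string
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"):
        return "http"     # plaintext HTTP request line
    return "unknown"


def audit(flows):
    """Return one Finding per policy violation seen in the flow records."""
    findings = []
    for f in flows:
        src, dst, dport, payload = f["src"], f["dst"], f["dport"], f["payload"]
        # Check 1: is this destination documented for this host at all?
        if src not in DOCUMENTED:
            findings.append(Finding(src, dst, dport, "source host not in inventory"))
        elif (dst, dport) not in DOCUMENTED[src]:
            findings.append(Finding(src, dst, dport, "destination not documented for this host"))
        # Check 2: does the traffic look like what the port is supposed to carry?
        proto = fingerprint(payload)
        expected = EXPECTED_PROTOCOL.get(dport)
        if expected is not None and proto != expected:
            findings.append(Finding(src, dst, dport, f"{proto} traffic on port {dport} (expected {expected})"))
    return findings


# Constructed flow records: source host, destination, port, first client bytes.
SAMPLE_FLOWS = [
    # approved update check, genuine TLS ClientHello
    {"src": "ws-101", "dst": "203.0.113.10", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    # RDP to an unapproved host, moved to 443 to get past the firewall
    {"src": "ws-102", "dst": "198.51.100.7", "dport": 443,
     "payload": b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"},
    # printer with remote diagnostics left on, real TLS but never approved
    {"src": "printer-3f", "dst": "203.0.113.44", "dport": 443,
     "payload": b"\x16\x03\x01\x00\x9a\x01\x00\x00\x96\x03\x03"},
    # air conditioner reporting to its vendor over plain HTTP
    {"src": "hvac-roof", "dst": "192.0.2.9", "dport": 80,
     "payload": b"GET /status HTTP/1.1\r\nHost: 192.0.2.9\r\n"},
    # approved destination, but the client is not speaking TLS on 443
    {"src": "ws-101", "dst": "203.0.113.10", "dport": 443,
     "payload": b"\x00\x00\x00\x18\x00\x00\x00\x00"},
    # a box nobody put in the inventory, speaking ordinary SSH
    {"src": "lab-box", "dst": "198.51.100.22", "dport": 22,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(f"{finding.src} -> {finding.dst}:{finding.dport}  {finding.reason}")
```

Run against real data, the flow records would come from a NetFlow/sFlow export or from a sensor that keeps the first few bytes of each session; the allowlist is the part that costs effort, because it forces the "what does it talk to, and why" questions the earlier comment lists to be answered per application before the first alert fires.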