So, you watch for advisories, deploy countermeasures (e.g., change firewall and IDS rules) or shut down vulnerable services, patch applications, restore services. You detect compromises, limit damages, assess the damage, repair, recover, and attempt to prevent them again. Tomorrow you start again, and again, and again. Is it worth it? What difference does it make? Who cares anymore?
If you’re sick of it, you may just be getting fatigued.
If you don’t bother defending anymore because you think there’s no point to this endless threadmill, you may be suffering from learned helplessness. Some people even consider that if you only passively wait for patches to be delivered and applied by software update mechanisms, you’re already in the “learned helplessness category”. On the other hand, tracking every vulnerability in the software you use by reading BugTraq, Full Disclosure, etc…, the moment that they are announced, and running proof of concept code on your systems to test them isn’t for everyone; there are diminishing returns, and one has to balance risk vs energy expenditure, especially when that energy could produce better returns. Of course I believe that using Cassandra is an OK middle ground for many, but I’m biased.
The picture may certainly look bleak, with talk of “perpetual zero-days”. However, there are things you can do (of course, as in all lists not every item applies to everyone):
Use the CIS benchmarks, and if evaluation tools are available for your platform, run them. These tools give you a score, and even as silly as some people may think this score is (reducing the number of holes in a ship from 100 to 10 may still sink the ship!), it gives you positive feedback as you improve the security stance of your computers. It’s encouraging, and may lift the feeling that you are sinking into helplessness. If you are a Purdue employee, you have access to CIS Scoring Tools with specialized features (see this news release). Ask if your organization also has access and if not consider asking for it (note that this is not necessary to use the benchmarks).
Use the NIST security checklists (hardening guides and templates). The NIST’s information technology laboratory site has many other interesting security papers to read as well.
Consider using Thunderbird and the Enigmail plugin for GPG, which make handling signed or encrypted email almost painless. Do turn on SSL or TLS-only options to connect to your server (both SMTP and either IMAP or POP) if it supports it. If not, request these features from your provider. Remember, learned helplessness is not making any requests or any attempts because you believe it’s not ever going to change anything. If you can login to the server, you also have the option of SSH tunneling, but it’s more hassle.
Watch CERIAS security seminars on subjects that interest you.
If you’re a software developer or someone who needs to test software, consider using the ReAssure system as a test facility with configurable network environments and collections of VMware images (disclosure: ReAssure is my baby, with lots of help from other CERIAS people like Ed Cates).
Good luck! Feel free to add more ideas as comments.
*A small rant about privacy, which tends to be another area of learned helplessness: Why do they need to know? I tend to consider all information that people gather about me, that they don’t need to know for tasks I want them to do for me, a (perhaps very minor) violation of my privacy, even if it has no measurable effect on my life that I know about (that’s part of the problem—how do I know what effect it has on me?). I like the “on a need to know basis” principle, because you don’t know which selected (and possibly out of context) or outdated information is going to be used against you later. It’s one of the lessons of life that knowledge about you isn’t always used in legal ways, and even if it’s legal, not everything that’s legal is “Good” or ethical, and not all agents of good or legal causes are ethical and impartial or have integrity. I find the “you’ve got nothing to hide, do you?” argument extremely stupid and irritating—and it’s not something that can be explained in a sentence or two to someone saying that to you. I’m not against volunteering information for a good cause, though, and I have done so in the past, but it’s rude to just take it from me without asking and without any explanation, or to subvert my software and computer to do so.
Well, we’re all pretty beat from this year’s Symposium, but things went off pretty well. Along with lots of running around to make sure posters showed up and stuff, I was able to give a presentation called Web Application Security - The New Battlefront. People must like ridiculous titles like that, because turnout was pretty good. Anyway, I covered the current trend away from OS attacks/vandalism and towards application attacks for financial gain, which includes web apps. We went over the major types of attacks, and I introduced a brief summary of what I feel needs to be done in the education, tool development, and app auditing areas to improve the rather poor state of affairs. I’ll expand on these topics more in the future, but you can see my slides and watch the video for now: