My Thoughts on Zero Day by Mark Russinovich


As a long-time fan of Mark Russinovich – his brilliant Windows Internals series, his life-saving Sysinternals utilities (esp. ProcMon), always intriguing blog, and numerous high-quality technical education videos – it was nice to see him have a go at a novel. I will say this is the first book by Mark I’ve completed in under 3 months (I finished it in 2 days) and without the usual post-reading migraines.

The book is a high-paced thriller in which the Western world comes under a sophisticated, targeted virus attack whose sole purpose is destruction. It may sound far-fetched, but much of what the book highlights is already happening, albeit not on such a large scale. Despite increasing threats from malware written by organized gangs purely for financial gain, there seems to be little progress in stopping these groups from profiting from their work. Many organizations remain lax about security: still using outdated software, out-of-date anti-virus products and poor security practices.

Mark covers the topic in a down-to-earth yet technically accurate style. It is rare to get a book where you can go from a steamy love-making scene to “operating system not found” followed by an IA-32 assembly code listing. The IRC chats throughout the book are written in authentic l33t speak and bring back memories of my teenage days hanging out in IRC chat rooms. It actually almost made me want to log on again and watch some of these hacker conversations ;)

The book also highlights how much reliance we have placed on our computers and the internet. Many organizations and people can barely function without them. (OMG Twitter is over capacity *scream* somebody get me a ventilator.) Manual fallback procedures are often being lost and forgotten, like distant memories of quaint activities our grandparents performed.

Zero Day is a great read. Although it paints a bleak picture of what our world could look like, it’s also nice to know we can do something to prevent something like this occurring, because right now it is just fiction.

Zero Day is available from Amazon here http://www.amazon.com/Zero-Day-Novel-Mark-Russinovich/dp/031261246X

While there is no totally fail-safe way to be secure short of disconnecting your computer from all networks and burying it in 12 feet of concrete, there are certainly things we can do to reduce our risk, both in organizations and at home:

  • Ensure users/family members are trained in secure computing (e.g. caution when opening attachments, downloading .exes, etc.). In the end, 100 security checks in your technical solution can be broken in a second by a careless user.
  • Use the latest wireless encryption method available for your wireless networks (and not WEP, which is broken).
  • Use secure passwords (Welcome1 and P@ssw0rd! are not secure; they appear in every cracking wordlist).
  • Use HTTPS where possible (and make sure the certificates are issued by a trusted certification authority, not self-signed or expired).
  • If you run a website, please don’t leave it open to SQL injection attacks (hint hint hint MySql.com): use parameterized queries rather than building SQL strings from user input.
  • Have up-to-date anti-virus/anti-malware software active on your machines, and KNOW that it is up to date and active on said machines (don’t assume; check it centrally). If you don’t have any existing monitoring software, consider a product like Windows Intune (http://www.microsoft.com/windows/windowsintune/pc-management-how-to-try-and-buy.aspx).
  • If you run Linux or Mac OS, don’t assume you are immune to attacks.
  • Keep your operating system AND the software on it patched and up to date. (Hint: Microsoft, we need a less painful way to update the software part.)
  • Don’t rely solely on corporate perimeter firewalls; attacks can originate and spread from within. Keep host firewalls enabled on machines even on your internal network.
  • Use tools such as Microsoft Security Compliance Manager (http://technet.microsoft.com/en-us/library/cc677002.aspx) and Microsoft Baseline Security Analyzer (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=02BE8AEE-A3B6-4D94-B1C9-4B1989E0900C).
  • Monitor network traffic to identify suspicious trends (e.g. why do I have 10 connections to IP addresses in China when I have no internet applications open?).
  • Disable unnecessary applications/services/drivers on your systems.
  • Limit use of local administrator accounts as much as possible; do day-to-day work as a standard user.
  • If you are on Windows 7, consider using AppLocker in a “whitelist” mode (only approved executables are allowed to run).
  • Know the tools that can help you identify ‘zero day’ viruses: ProcMon, ProcExp, Autoruns, WinDbg, RootkitRevealer, HijackThis, and a WinPE boot disk with offline analysis tools (e.g. DaRT or BartPE).
  • You can use freely available tools such as nmap to identify vulnerable machines on your network, or tools such as Metasploit to test published exploits against your systems and see how they stand up. Just by disabling unnecessary services and local admin access you will find you render a large percentage of them ineffective. (Make sure you have appropriate approvals before running these tools in your environment ;) )
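The SQL injection item above is easiest to appreciate with the vulnerable query next to the fixed one. The following is an added example written for this post, not code from the book or from any site mentioned; it uses an in-memory SQLite table with constructed, clear-text test accounts (real applications store salted hashes, which is a separate issue from injection). `login_vulnerable` pastes user input into the SQL string; `login_parameterized` hands the values to the driver separately, so they can never become SQL syntax.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery staple"), ("bob", "Tr0ub4dor&3")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting: attacker-controlled text becomes SQL syntax."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Passes the values as bound parameters; the driver never interprets them as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Two classic payloads: a tautology that makes the WHERE clause always true
# (AND binds tighter than OR, so the OR '1'='1' wins), and a comment sequence
# that truncates the password check out of the statement entirely.
PAYLOADS = [
    ("alice", "' OR '1'='1"),
    ("alice'--", "wrong-password"),
]


def compare(conn=None):
    """Return {(username, password): (vulnerable_result, parameterized_result)}."""
    conn = conn or make_db()
    results = {}
    for username, password in PAYLOADS:
        results[(username, password)] = (
            login_vulnerable(conn, username, password),
            login_parameterized(conn, username, password),
        )
    return results


if __name__ == "__main__":
    for (user, pw), (vuln, safe) in compare().items():
        print("user=%r password=%r  vulnerable=%s parameterized=%s" % (user, pw, vuln, safe))
```

Both payloads log in as alice through the vulnerable function without knowing her password and are rejected by the parameterized one; the same pattern (placeholders plus a parameter tuple) applies to every mainstream database driver, not just SQLite.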
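The "why do I have 10 connections to foreign addresses with nothing open" check can be scripted rather than eyeballed. The following is an added example, not from the post or from any Microsoft tool; it parses constructed `netstat -ano` output and a constructed PID-to-image map (the kind of data `tasklist` gives you), and flags established TCP sessions that leave the address ranges you own when the owning process is either not on your list of expected internet-facing programs or is talking to an unusually large number of distinct external peers. The process names, addresses and the expected-process list are all assumptions for the demonstration. Geolocating the remote end (the "China" part of the original check) needs a country database, so this version keys on "outside our networks" instead.

```python
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output for the demonstration; not captured from a real host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.10:49200     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:49311     203.0.113.17:443       ESTABLISHED     2044
  TCP    192.168.1.10:49315     203.0.113.88:80        ESTABLISHED     3000
  TCP    192.168.1.10:49320     198.51.100.8:6667      ESTABLISHED     5120
  TCP    192.168.1.10:49321     198.51.100.9:6667      ESTABLISHED     5120
  TCP    192.168.1.10:49322     198.51.100.10:6667     ESTABLISHED     5120
  TCP    192.168.1.10:49323     198.51.100.11:8080     ESTABLISHED     5120
  TCP    192.168.1.10:49400     203.0.113.40:443       ESTABLISHED     5120
  TCP    [::1]:49500            [::1]:3389             ESTABLISHED     1600
  UDP    0.0.0.0:5355           *:*                                    1208
"""

# Constructed PID -> image name map, as `tasklist` would report it (hypothetical processes).
TASKLIST_SAMPLE = {
    4: "System",
    880: "svchost.exe",
    1208: "svchost.exe",
    1600: "mstsc.exe",
    2044: "iexplore.exe",
    3000: "notepad.exe",
    5120: "svcupdate.exe",
}

# Programs expected to talk to the internet on this machine (an assumption for the
# demonstration; build the real list from what is actually installed and in use).
EXPECTED_INTERNET_PROCESSES = {"iexplore.exe", "outlook.exe"}

# Ranges treated as "inside": RFC 1918, loopback, link-local and the IPv6 equivalents.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from `netstat -ano` style text.

    TCP rows carry a state column; UDP rows do not, so the column count differs.
    """
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        yield proto, local, remote, state, int(pid)


def split_endpoint(endpoint):
    """'203.0.113.17:443' -> ('203.0.113.17', '443'); '[::1]:3389' -> ('::1', '3389')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_internal(host):
    """True when the address falls in INTERNAL_NETWORKS (or is the '*' UDP wildcard)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETWORKS)


def external_connections(netstat_text, pid_to_image):
    """Map image name -> set of (remote_ip, remote_port) for established TCP sessions
    whose remote end is outside INTERNAL_NETWORKS."""
    by_image = defaultdict(set)
    for proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        host, port = split_endpoint(remote)
        if is_internal(host):
            continue
        image = pid_to_image.get(pid, "<unknown pid %d>" % pid)
        by_image[image].add((host, int(port)))
    return by_image


def triage(netstat_text, pid_to_image, expected_processes, max_peers=3):
    """Return [(image, reason, sorted_peers)] for processes that deserve a closer look."""
    findings = []
    for image, peers in sorted(external_connections(netstat_text, pid_to_image).items()):
        reasons = []
        if image.lower() not in expected_processes:
            reasons.append("not on the expected-internet list")
        if len(peers) >= max_peers:
            reasons.append("%d distinct external peers" % len(peers))
        if reasons:
            findings.append((image, "; ".join(reasons), sorted(peers)))
    return findings


if __name__ == "__main__":
    for image, reason, peers in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, EXPECTED_INTERNET_PROCESSES):
        print("%-16s %s" % (image, reason))
        for host, port in peers:
            print("    -> %s:%d" % (host, port))
```

On the sample data the browser's single HTTPS session passes, while notepad.exe (which has no business on the network) and the hypothetical svcupdate.exe, fanning out to five external hosts including several on the IRC default port 6667, are reported. In practice you would feed it the real `netstat -ano` and `tasklist` output, then follow up on the flagged PIDs with Process Explorer and Autoruns as the list suggests.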

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Book Review, Security.