SANS ISC InfoSec Forums
Is "Green IT" Defeating Security?

I was reading my morning newspaper one day this past week (a real treat since my cataract surgeries) and I came upon several articles concerning a local municipality that experienced a self-imposed DoS due to a massive malware infection. The CIO explained that "curiously, only those employees who had turned off their computers at night were infected". Now, in security, we understand fully why this happened and it is not curious at all. This statement causes flashbacks to all the times I have experienced many a cost-conscious "green" dept. head, with good intentions, requesting their employees to turn off their computers at night to save money and the planet. Hey, I'm as green as the next guy, but at some point, penny pinching and IT just don't mix.

Maybe we aren't explaining this situation well enough (more likely CIO support for security was non-existent), but it seems to me that the IT security department at this municipality needed to explain to the CIO, and advise city employees, that the majority of security updating is completed during off hours so as not to interfere with production. Yes, we do have ways to kick off updates after the computer is turned on in the morning, but at the same time we have allowed production requirements to interfere with those updates by allowing the users to stop scans or generally override any security setting which may interfere with the goal of production. That said, our main responsibility must be to keep our domains as up-to-date as possible to combat the barrage of morphing attacks. And we realize even that isn't enough, when that one "green guy" opens an infected PDF file or is redirected to a malware-spewing site, a site directing attacks at the third-party software we can't find the budget or time to patch with any regularity.

The recent news of the ZeusBot revelations (not to us) and the whole Google/China mess shows what can happen when employees are not educated about their role in keeping the enterprise secure. Employees must have the "big picture" to be of any help. Counting on updating our AV program is just not a viable methodology any more. While it is imperative that we keep doing our jobs by keeping definitions as updated as possible (and prevent override of security settings), we are still back to the subject of application patching. All the glorious AV definitions in the world will not prevent an employee from making that search that redirects, or opening an attachment that starts the proverbial ball rolling toward weeks of clean-up and bad press via media hype.

Maybe the publicity helps our cause. At one point I did believe that. Do you think we are still making inroads with the non-security folks with continuous media exposure? Or is it just possible that the public and our CIOs have come to accept these violations as a way of life? I'd like to hear your comments.

Mari Nichols

Handler on Duty
I really don't think this incident can be blamed on 'green IT' or the (sensible?) action of turning off a computer when it's not in use. I think an IT department has a responsibility to make sure their systems stay patched. Wake-on-LAN seems a fairly obvious solution, and I'm sure there are good tools that can warn you if a system didn't get patched.

Turning off your computer at night doesn't even fit my idea of 'green IT'. I would use that to describe systems that automatically power down in some way (monitor, disks, CPU speed, peripherals) when not in use; or operate more power-efficiently when actually in use (eg. replacing inefficient hardware, or through platform and/or storage virtualisation).
Steven C.

171 Posts
I essentially agree with Steven. While this article is a good reminder about something that could be easy to overlook, you seem to present the two options as mutually exclusive. They oughtn't be. Client maintenance, as well as power on/off, can be scheduled. Why not patch and scan systems at 6PM after employees have left, and then schedule systems to power down at 8PM, or once daily maintenance and patching is complete? Or, run compliance checks on the system when they first connect to the network in the morning, to check patches and antivirus definitions? What about using Wake-On-Lan or WoWLAN when patches arrive? I see little reason that systems on the average corporate LAN need to be left on 24/7 to facilitate day-to-day maintenance.

Shutting down systems after hours is not simply beneficial to the environment. It also saves companies money - which is critical to those ever-present layers 8 and 9.
hacks4pancakes

48 Posts
How many IT depts have been forced into this though without the other options being in place or even an option? I have experienced being in security and being told that to be "Green" we are going to start powering off PCs at night. The group driving that didn't want to hear that we did not have full Wake-On-Lan working yet with all of our various updating systems. Then the user complaints start rolling in since when they power on their PCs in the morning, they get abused horribly by various patches and other updates. Then there are other applications which don't play nicely with WOL systems (think AV vendors), so trying to get those updates out during non-business hours becomes a difficult task.
hacks4pancakes
1 Posts
It seems like these violations have become so common they're planned for. In some circles it's considered acceptable to lose, say, 20% of the workstations to an infection while the rest remain operational. Or budgeting an extra couple of megabits for a facility's network link to take into account malware traffic.

In other words, it's become easier to account for and accept a certain amount of damage because it's seen as too costly or difficult to operate in a proactive manner.
No Love.

37 Posts
We have a small network, set up with a WSUS server and a standing policy that systems are turned off at night and over the weekend. Through Active Directory our workstations install updates first thing Thursday morning and servers on Sunday evening. The shutdown policy ensures (if people follow it) that the updates that require restarts get applied no later than the end of the work day on which they were pushed out.

Our stuff is off when not in use and patched in a timely manner. Any impact on people's ability to get their work done is negligible if noticed at all.

Obviously, larger networks would have to stagger when updates are applied differently, but the majority of Windows patches are small enough that you don't really have to only do them at night.
No Love.
5 Posts
If the different groups of the firm could work together (and yes I know how next to impossible that really is), there is a solution. Deploy a program to the desktop that will do all the necessary updates and then power down the system. Users are told to run this before going home for the day. The updates would get run, you could combine it with pc backup software, and at the end the system would power off to save money.
Therefore the updates get done while the user is not impacted, and power is saved in the long run. You will want the program to either wait a random time before running, or queue the updates through a central scheduler to avoid congestion when everyone leaves. The only downside are those updates that need to do a reboot and then continue the updates.
Kenneth

11 Posts
All of you have missed one major fail. Even if the PC is on all of the time your patches could still fail. Who will know? The end-user?

In a hospital where the computer may never be turned off, patching may never be completed, and when a patch is half-applied the computer may be at a higher risk of infection than before.

Anti-Virus programs with central-distribution can also fail due to a compromise that takes place on that local workstation. Once compromised the computer may appear to be filtering malware but in reality it may be loading more by the minute.

There is no way to blame green-computing for the failures of a poor budget (no upgrade because there may not be enough memory) or a lazy IT staff (I will get around to it after we test it a year or so and I do it all remotely. I never have to see the computer). Green computing can slow deployment, but in many cases the infection happens months after a patch is available anyway.

Still, the fault is basically on us all, but IT will always get the blame. That can be assured.

-Al
Al of Your Data Center

80 Posts
KDN - you are suggesting to let the users choose to install the updates? That is a recipe for an epic failure. While it seems harsh, remember that these are the same users who ask if the viagra email is legitimate. You want to TRUST those users with choosing WHEN to install the updates? I say that only buys you more problems.

Al - you need something to verify the updates worked. Something has to report on the updates and if the systems are up-to-date. Installing the patches/updates is only part of the problem.

No matter what time you choose, someone will be upset with it. Overnight, the "green" people say we are burning up the planet. Morning and people complain how slow it is when they log on. Over lunch and you are interfering with Ebay, Farmville, or ESPN surfing time. You can only make some of the people happy most of the time and most of the people some of the time. Never all of the people all of the time.

Most admins choose overnight to install the patches because that is the time when the least amount of people would be impacted by any potentially bad patch and hopefully remedy the situation...wait, Microsoft doesn't do that any more. ;)
Al of Your Data Center
1 Posts
No, what I am saying is exactly what you are saying: never trust the user to tell you anything. They only call if the computer doesn't boot, if then. You need to test that an update was applied with network tools, and visually inspect workstations from time to time. Using reporting tools doesn't always give you the whole picture.

On the AV side, Symantec update has a lot of flaws that allow an update to take place but not be used. The report to the server will be the correct version, and that it is working, but even then your end-user may be hijacked 100%.

Just pointing that out. I am sure a lot of other AV vendor programs are just as weak, but this one hits home LOL.

-Al
Al of Your Data Center

80 Posts
JB: If enabling the end users to (a) not have to wait while patches install, (b) follow the firm directive of running the patches, and (c) follow the other firm directive of turning off the systems at night can be done by them just double clicking on an icon, I think at least half the audience will do so. The other half will put up with the pain of waiting for the updates to happen the next time they boot the machine. There will be some who disable the patch on boot process, but that is what you run compliance checks for.

Al: at best reporting tools show you which systems you don't need to check and some of the systems you need to check. The trick is finding the rogue systems that don't show up in the reporting tools. What I used to do is compare inventories from different tools like software update, DHCP, AV and personal firewalls, and see what systems show up in some but not in others.
Kenneth

11 Posts
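One way to do the cross-tool inventory comparison Kenneth describes, as an added example that is not from this thread or any of the tools named in it. The source names and host lists are constructed; in practice each set would come from that tool's export, and the normalization step matters because each tool spells hostnames differently.

```python
# Added example (not from the thread): cross-check host inventories from
# several management tools and flag hosts that some tools know about but
# others do not. Source names and host lists below are constructed.
from collections import defaultdict


def normalize(name: str) -> str:
    """Collapse the naming differences tools introduce: case and DNS suffix.
    'WS-0042.corp.example.com' and 'ws-0042' refer to the same machine."""
    return name.strip().lower().split(".")[0]


def reconcile(inventories: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return {host: [sources that did NOT report it]} for every host that
    is missing from at least one source. Hosts seen everywhere are omitted,
    since those are the ones you don't need to go and check."""
    sources = sorted(inventories)
    seen_by = defaultdict(set)
    for source, hosts in inventories.items():
        for host in hosts:
            seen_by[normalize(host)].add(source)
    gaps = {}
    for host, srcs in seen_by.items():
        missing = [s for s in sources if s not in srcs]
        if missing:
            gaps[host] = missing
    return gaps


def unmanaged_by(inventories: dict[str, set[str]], source: str) -> list[str]:
    """Hosts that are live on the network (seen by some other tool) but absent
    from one management source, e.g. the patch server."""
    return sorted(h for h, miss in reconcile(inventories).items() if source in miss)


# Constructed sample data; a real run would load each tool's export instead.
INVENTORIES = {
    "wsus":     {"WS-0001", "WS-0002", "WS-0003", "SRV-DB01"},
    "dhcp":     {"ws-0001.corp.example.com", "ws-0002.corp.example.com",
                 "ws-0004.corp.example.com", "srv-db01.corp.example.com"},
    "av":       {"WS-0001", "WS-0002", "WS-0003", "WS-0004"},
    "firewall": {"WS-0001", "WS-0002", "WS-0003", "WS-0004", "SRV-DB01"},
}

if __name__ == "__main__":
    # ws-0004 has a DHCP lease and AV but is unknown to WSUS: never patched.
    for host, missing in sorted(reconcile(INVENTORIES).items()):
        print(f"{host}: not reported by {', '.join(missing)}")
```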
