SANS ISC: The off switch - Internet Security | DShield SANS ISC InfoSec Forums
The off switch

The holidays are upon us and that means fixing all the trouble-ridden IT equipment belonging to all those we visit. Family IT security consultancy is a full-time occupation, as those of us who will be providing ad-hoc technical support to friends, family and random neighbours during the holiday break will find out, or know already.
 
Being the interface between them, their online gadgets and the internet means that they miss the fact that protecting online systems is like a full contact sport; well, at least in a digital sense. Anyone who looks at logs or watches packet captures can see the sharp elbow of a bunch of crafted packets, the wickedly aimed knee of drive-by downloads or the full-on head butt of a port scan on all 65353 ports - UDP and TCP!

The average person, like those near and dear to you, isn't going to be aware of this non-stop, unrelenting pitched battle our connected, online devices face from being part of a global network. Sure, they have been told about firewalls, anti-virus and this newfangled thing called patching, which is a bit like encasing them in body armour to ward off the blows, but why not opt for something simpler: a clean, environmentally friendly and cost-saving approach?

I submit that this holiday break we suggest something radical to offer an unparalleled level of protection from online attacks to our less technically aware family, friends and even the crazy neighbour across the road who likes using WEP.

Tell them to:

Switch off your router at night.
 
Then turn off your computer.

Only turn them back on when you need to use them.

I realise this may be an insane statement to make to the multitude out there reading this, those who need no sleep and capture every bit that enters or leaves their systems, but does the rest of humanity really need to be a target while they sleep or are out at the shops? Flipping the off switch, or having a timer kill the power on the IT gadgets before going to bed, is going to give the normal person a base of eight hours of being off the internet, and that equates to eight hours of not being pinged, poked, prodded and outright attacked. The best fights are the ones we avoid [1].
 
We still need to tell people not to click on links, to keep everything patched, to check credit card statements and to keep any anti-malware software up to date, but sometimes applying common sense and offering the simple option is the best option. Turning off the computer and then the home router is something everyone can do, is easy to introduce into the bedtime routine and is a great application of the security principle of reducing the attack surface, without any technical ability required [2].

Remember: this is only aimed at home users. If you decide to turn off your corporate router serving a couple of thousand staff when you go to bed, well, I guess that's one way of reducing the company's attack surface. It will probably also increase your free time, through a sudden ejection from your day job.

 

[1] Mr. Han, Karate Kid (2010) - Mr Miyagi's "Wax on... wax off. Wax on... wax off." just didn't cut it here.

[2] The off switch. It's like a free security gift to all and it's already built in. No extra charge or upgrades required!

Chris Mohan --- Internet Storm Center Handler on Duty

Chris

105 Posts
ISC Handler
Wha? Isn't that like advocating driving without a seatbelt, but only on the 'slow' roads?
Anonymous
I think it's more akin to not driving around at all when you're not going anywhere.
Anonymous
Although this sounds like a good idea, what happens when they turn the devices back on? The devices will start automatically (hopefully) doing the updates that were not done while the device was off. This could mean more work for me when I get the call 'why is my computer so slow'.
Not to mention out-of-date definitions as soon as they start surfing.

Also, now that most service providers have a 'modem/router' that does it all, including wifi, turning off this device could lead to the provider disabling the 'modem/router' because they see it has been offline.

Isn't this just like sticking the poor home user's head in the sand and letting them ignore reality?

All this really does is stop the already infected device from actively participating in email spam or DDoS. Which might not be all that bad.
Anonymous
Might not be a good idea for those whose WiFi is their cost saving for expensive cellular data caps. People with cloud backup apps usually schedule overnight transfer times. Along with all the OS patches/antivirus/podcatcher updates. And a real big one is the new VoIP replacement of analog phone lines. No Internet is no phone service.
PaulOutBox

7 Posts
A couple of good things happen on reboot. One, the computer reloads DLL files that were open during patching. On Windows 7 this happens automatically after a day or so from the update via a forced reboot, but not with XP. Another benefit is that Acrobat Reader checks for updates on reboot, and many other 3rd-party apps check for updates on startup too. Many anti-virus programs also tend to catch something lurking on startup as their behavior is caught too. The best part... lowering your carbon footprint. Happy Holidays to all! -Al
Al of Your Data Center

80 Posts
NAT is pretty common, so most people by default don't have to worry about port scans or sweeps. Also, the majority of attacks that home users fall victim to are ones that rely on the user's action. So turning off their computer when they aren't using it won't help much.
Al of Your Data Center
15 Posts
If your relatives were coaxed into a unified service providing Internet, cable TV, and telephone over the same cable, this may not be an option.
I know my 75 year-old mother-in-law was about to go that route until she found out the coax in her house would all have to be replaced out of her pocket because it was too old. She's not computer literate and never had Internet access. It was just a cost-saving measure for her.
Jasey

93 Posts
Powering off an ADSL router on a regular basis is a bad idea: the exchange end will lose all its adaptive-loss/bandwidth settings that it 'learned' about your line and will therefore start again from the beginning with a low-bandwidth default parameter-set.

Certainly on UK ADSL2+ circuits the link needs to be 'up' without interruption for several days to allow the gear to train itself properly and let you get the full bandwidth the line is capable of delivering.
Jasey
1 Posts
OK, TWO THINGS. FIRST, THERE IS TOMORROW, WHENEVER *THAT* IS.
SO, "TOMORROW", they turn their equipment on and it broadcasts to the world the information the malware authors considered FAR before your "suggestion", as *I* would do, were I a no-good SOB.
Second, it transmits the data I'd need, as a no-good SOB.
No loss.
MORE important, the small/mid business model companies are misguided by your worthless suggestion. THEY would consider themselves safe, meanwhile they're naked against exposure.
Face it, not ALL are professionals in this game, hence a suggestion of protection is viewed as a platinum shield.
Lousy against the current bullets of today.
Sorry, but the blinders on approach is doomed to failure, as I've personally witnessed, to the tune of US tax dollars of a billion and change going into the toilet.
Sorry, but the notion of reset for security is intellectual masturbation. Indeed, the highlight of it!
It's the practice of locking the doors when a suspected criminal is present, but leaving it unlocked when a suspect wasn't.
Even during off hours!
Sorry, but I personally spent a military career taking certain risks. Today, I'm PAID to NOT take risks of that insane sort, but on occasion I take risks of my former occupation's nature.
We'll suffice it to say, I've had ZERO infections on networks I protect, for 7 years of experience, sequentially. ZERO network infections, only "onesies and twosies".
Whilst my equals in our other networks ignored the basics and sought your solution and cost the US taxpayer WELL over a billion dollars.
The notion of "shut it off and you're secure" is equal to encasing your home in concrete, to include all doors and windows. It's secure, but useless.
BUT, the notion of shut off network and you are secure is beyond incompetent, as any malware will PROMPTLY report in before detection, even US DoD detection, initially.
Hence, it's "I have a camera guarding my unlocked door, hence, I'm secure".
Your idea might have worked in 1992, but NO WAY for today.
But, what would *I* know? I'm only securing 7 corporate client organizations.
Wzrd1

8 Posts
"It's the practice of locking the doors when a suspected criminal is present, but leaving it unlocked when a suspect wasn't.
Even during off hours!"

Not really.. it's more like the practice of locking doors and barring windows when asleep, and leaving doors unlocked when awake, even when a suspect may be in the area. That is to say, it's a valid technique. Yes, you are subject to someone walking into your house when awake; worse than that, the burglars are known to possess a cloak of invisibility.

Just turning the device off when not needed reduces the chance of being infected by known and unknown threats.

It is the same principle as hardening a server by turning off unneeded services, and the principle's efficacy is well-proven.

Turn off devices when you don't really need them doing something. If they contain vulnerable software, you reduce the chance that they will be exploited before you can get them patched, OR before the news about the vulnerability reaches you.

Turning devices off doesn't allow you to safely be negligent in other ways, but it provides an additional defensive position -- defense in depth is surely the way to go, and "device not plugged into the network when not needed" reduces attack surface.

If you leave devices on 24/7, you are more subject to zero-day security attacks and new worms that haven't been discovered yet.

If your device is off when unused, you have a greater chance of being able to get the news of the problem, and apply the fix in time, before an attacker is able to get to you in order to exploit it.

Also, the more devices are left on, the faster the rate of worm spread. Witness the change in malware propagation rates after always-on broadband became widespread.
Mysid

146 Posts