Traditionally, all anti-virus programs and IPS systems work using signature-based techniques. However, this doesn't help much to prevent zero-day attacks.
Therefore, what can be done to prevent zero-day attacks?
I think you acknowledge an interesting sys-admin truth there, which is that
This is just a basic truth of maths and probability: for any non-zero probability of an event, the event eventually happens...
So the 2 golden rules for reducing the impact of this "eventually hacked" event are these:
The principle of least privilege
You should configure services to run as a user with the least possible rights necessary to complete the service's tasks. This can contain a hacker even after they break into a machine.
As an example, a hacker breaking into a system using a zero-day exploit of the Apache webserver service is highly likely to be limited to just the system memory and file resources that can be accessed by that process. The hacker would be able to download your HTML and PHP source files, and probably look into your MySQL database, but they should not be able to get root or extend their intrusion beyond apache-accessible files.
Many default Apache webserver installations create the 'apache' user and group by default and you can easily configure the main Apache configuration file (httpd.conf) to run apache using those groups.
The principle of separation of privileges
If your web site only needs read-only access to the database, then create an account that only has read-only permissions, and only to that database.
SELinux is a good choice for creating context for security; AppArmor is another tool. Bastille was a previous choice for hardening.
Reduce the consequence of any attack by separating the power of the service that has been compromised into its own "box".
Silver Rules are also good.
Use the tools available. (It's highly unlikely that you can do as well as the guys who are security experts, so use their talents to protect yourself.)
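The two checks this answer implies (does Apache run as the unprivileged `apache` user, and which services still run as root) can be scripted. The script below is an added example and is not code from the answer; the `httpd.conf` fragment and the `ps` listing it parses are constructed inline so it runs offline, and on a real host you would substitute the real configuration file and `ps -eo user,comm` output.

```shell
#!/bin/sh
# Added example (not from the original answer): audit two least-privilege
# facts about a web host: which user the Apache `User` directive selects,
# and which processes in a `ps` listing run as root. Inputs are constructed
# here so the script runs offline; on a real box feed it the contents of
# httpd.conf and of `ps -eo user,comm`.

# Constructed httpd.conf fragment (hypothetical content).
SAMPLE_HTTPD_CONF='ServerRoot "/etc/httpd"
Listen 80
User apache
Group apache
DocumentRoot "/var/www/html"'

# Constructed `ps -eo user,comm` output (hypothetical processes).
SAMPLE_PS='USER     COMMAND
root     systemd
root     sshd
apache   httpd
apache   httpd
mysql    mysqld
root     ntpd'

# apache_run_user CONF_TEXT -> prints the effective User directive ("" if none).
apache_run_user() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }          # skip comment lines
        $1 == "User" { user = $2 }         # last directive wins, as in Apache
        END { print user }'
}

# check_apache_user CONF_TEXT -> "ok" when Apache runs unprivileged,
# "root" when it runs as root, "missing" when no User directive is set.
check_apache_user() {
    u=$(apache_run_user "$1")
    case "$u" in
        "")    echo missing ;;
        root)  echo root ;;
        *)     echo ok ;;
    esac
}

# root_services PS_TEXT -> space-separated commands running as root,
# excluding the init process, which legitimately runs as root.
root_services() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                   # skip the header line
        $1 == "root" && $2 != "systemd" { printf "%s ", $2 }
        END { print "" }' | sed 's/ *$//'
}

# Stand-alone run: print the findings for the constructed inputs.
echo "Apache User directive: $(check_apache_user "$SAMPLE_HTTPD_CONF")"
echo "Services running as root: $(root_services "$SAMPLE_PS")"
```

Every command that shows up in the root list is a candidate for a dedicated service account, exactly as the answer describes doing for Apache.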
Whitelist, don't blacklist
You're describing a blacklist approach. A whitelist approach would be much safer.
An exclusive club will never try to list everyone who can't come in; they will list everyone who can come in and exclude those not on the list.
Similarly, trying to list everything that shouldn't access a machine is doomed. Restricting access to a short list of programs/IP addresses/users would be more effective.
Of course, like anything else, this involves some trade-offs. Specifically, a whitelist is massively inconvenient and requires constant maintenance.
To go even further in the tradeoff, you can get great security by disconnecting the machine from the network.
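Applied to a host firewall, the whitelist/blacklist distinction is the chain's default policy: a blacklist chain defaults to ACCEPT and enumerates what is denied, a whitelist chain defaults to DROP and enumerates what is allowed. The script below is an added example, not code from the answer; both rulesets are constructed in `iptables-save` format so it runs offline, and on a real host you would pipe in the actual `iptables-save` output.

```shell
#!/bin/sh
# Added example (not from the original answer): tell a blacklist-style
# firewall chain from a whitelist-style one by reading iptables-save output.
# Both rulesets below are constructed so the script runs offline.

# Constructed blacklist-style ruleset: everything gets in unless listed.
BLACKLIST_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -p tcp --dport 23 -j DROP
COMMIT'

# Constructed whitelist-style ruleset: nothing gets in unless listed.
WHITELIST_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 198.51.100.10 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT'

# chain_policy RULES CHAIN -> the chain's default policy (ACCEPT, DROP, ...).
chain_policy() {
    printf '%s\n' "$1" | awk -v chain=":$2" '$1 == chain { print $2 }'
}

# chain_model RULES CHAIN -> "whitelist" when the default is deny,
# "blacklist" when the default is allow, "unknown" if the chain is absent.
chain_model() {
    case "$(chain_policy "$1" "$2")" in
        DROP|REJECT) echo whitelist ;;
        ACCEPT)      echo blacklist ;;
        *)           echo unknown ;;
    esac
}

# accept_rule_count RULES CHAIN -> number of explicit ACCEPT rules in the
# chain, i.e. the size of the allow list that needs maintaining.
accept_rule_count() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain && $NF == "ACCEPT" { n++ }
        END { print n + 0 }'
}

# Stand-alone run over both constructed rulesets.
for name in BLACKLIST_RULES WHITELIST_RULES; do
    eval rules=\$$name
    echo "$name: INPUT is $(chain_model "$rules" INPUT) with $(accept_rule_count "$rules" INPUT) explicit allow rules"
done
```

The allow-rule count is the maintenance burden the answer warns about: every new service or client address means another line in the whitelist chain.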
Detection is Easier (and More Reliable) Than Prevention
By definition you cannot prevent a zero day attack. As others have pointed out, you can do a lot to reduce the impact of a zero day attack, and you should, but that is not the end of the story.
Let me point out that in addition, you should devote resources to detecting when an attack has occurred, what the attacker did, and how the attacker did it. Comprehensive and secure logging of all activities that a hacker might undertake will both make it easier to detect an attack and, more importantly, determine the damage done and remediation required to recover from the attack.
In many financial services contexts, the cost of security in terms of delays and overhead in executing transactions is so high that it makes more sense to focus resources on detecting and reversing fraudulent transactions rather than to take extensive measures designed to prevent them in the first place. The theory is that no amount of measures will be 100% effective, so the detection and reversal mechanisms need to be built anyway. Moreover, this approach has withstood the test of time.
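A minimal version of the detection the answer calls for, run over web server logs, is shown below. It is an added example and not code from the answer; the Apache combined-format log lines are constructed inline so it runs offline, and the IP addresses and paths in them are hypothetical. It first flags sources with an unusual number of 4xx/5xx responses, then reconstructs what a flagged source actually requested, which is the "what did the attacker do" question raised above.

```shell
#!/bin/sh
# Added example (not part of any answer on this page): a small detection pass
# over Apache combined-format access log lines. Log lines are constructed so
# the script runs offline; on a real host feed it the access log instead.

SAMPLE_LOG='203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2010:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "curl/7.19"
203.0.113.7 - - [10/Oct/2010:13:55:38 +0000] "GET /about.php HTTP/1.1" 200 820 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2010:13:55:38 +0000] "GET /setup/ HTTP/1.1" 404 162 "-" "curl/7.19"
198.51.100.4 - - [10/Oct/2010:13:55:39 +0000] "GET /old/ HTTP/1.1" 404 162 "-" "curl/7.19"
203.0.113.7 - - [10/Oct/2010:13:55:40 +0000] "GET /missing.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2010:13:55:41 +0000] "POST /upload.php HTTP/1.1" 500 0 "-" "curl/7.19"'

# error_counts LOG -> "count ip" per source IP, counting only 4xx/5xx
# responses (field 9 in the combined format), highest count first.
error_counts() {
    printf '%s\n' "$1" | awk '
        $9 ~ /^[45][0-9][0-9]$/ { n[$1]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_ips LOG THRESHOLD -> IPs whose 4xx/5xx count is >= THRESHOLD, one per line.
flag_ips() {
    error_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }' | sort
}

# requests_from LOG IP -> "METHOD PATH STATUS" for every request by IP,
# in log order, so the sequence of actions can be reviewed.
requests_from() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == ip { gsub(/"/, "", $6); print $6, $7, $9 }'
}

# Stand-alone run over the constructed log with a threshold of 3.
for ip in $(flag_ips "$SAMPLE_LOG" 3); do
    echo "Suspicious error burst from $ip:"
    requests_from "$SAMPLE_LOG" "$ip" | sed 's/^/  /'
done
```

The threshold is deliberately a parameter: a single 404 is ordinary noise, while a run of them from one source followed by a 500 on a script is the kind of pattern worth a closer look, and the per-source request listing is what you would hand to whoever does the damage assessment.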
Zero-day doesn't mean that the signature is not known. It means that there's no patch available to users of the software that closes the vulnerability. So an IPS is useful to protect against exploitation of zero-day vulnerabilities. But you should not rely only on it. Create and follow a solid security policy, harden your servers, update software, and always have a 'Plan B'.
Grsecurity or SELinux are good at helping to prevent 0-day attacks by hardening the kernel.
Quote from the website: "Only grsecurity provides protection against zero-day and other advanced threats that buys administrators valuable time while vulnerability fixes make their way out to distributions and production testing."
If you are using Apache, modules such as mod_security can help you prevent common attack vectors. With mod_security you can
... and much, much more. Of course, using a complex module like mod_security it's quite possible to also block your actual clients, and on the server side mod_security adds some overhead.
It's also mandatory to keep your server software updated and to make sure you have disabled each and every module & daemon you won't use.
Tight firewall policies are a must and in many cases additional security enhancements such as SELinux or grsecurity might stop the attack.
But, whatever you do, the bad guys are very patient, very creative and very skilled. Have a detailed plan for what to do when you get hacked.
I'd like to add a few bronze rules:
If exposed, do not run what does not need running.
Do not make yourself a target worthy of a dedicated, targeted attack.
Securing against any such targeted attack possible is often uneconomical/impractical anyway. Check who could have a serious interest in breaking what and start there.
Considering "minimizing externally available information" and "going away from well-known defaults" as nothing more than security by obscurity (often misunderstood as "worthless" as opposed to "a layer that in itself is insufficient") and omitting it is dangerous arrogance. A hackable lock on a door will not keep the thief out but probably will keep out the wolf.
A bloated machine with a huge security suite often makes mediocre PCs into dinosaurs and quad cores into ordinary old PCs. I have fixed enough (thousands) to understand that is mostly true. If you understand that nothing is 100% security, the cost in performance drops exponentially with security while the probability of infection only drops in a linear fashion. Most results when I stopped looking at comparisons were 90% max on a real-world test of thousands of risks, meaning 10% of the infections were undetected or too late, while PC latency had increased 200 to 900%. OS X has an ideal situation where it essentially is no better in security, but the risks of attack were smaller due to being smaller targets with only 4% of market share in non-phone/pad products in 2010. That will change, but I won't change my philosophy of keeping my OS clean, lean & mean. I do the same for XP and Win7. I have a huge arsenal of repair tools but only need one app to fix everyone who gets infected, and it only takes 10 to 20 minutes, not hours or days.
My methods that work:
Educate the users: don't click on security warnings unless you really know what they are, as opposed to the hundreds of rogues that are carbon copies of good alerts. Those who can't be trained easily get non-admin accounts and sandboxed browsers with Java and JS disabled. But if I enable it for them, no worry, only 15~20 minutes to restore or repair.
System Restore is good, but has many limitations, one being that items in your Documents folder and User Temp folders are protected, where rogue drivers can get installed and start up and infect you on the next boot.
UAC is useful for many things but such a PITA that I never use it, and I rely on better tools to detect startups and/or new processes, including but not limited to:
Winpatrol.com is still the best investment I made for security, and still free for others. It covers 80% of the issues where startups get added before being executed and can be detected and disabled or deleted by user prompt. However, if you are the anxious sort who cannot make decisions, take a pill or just use Windows Defender. Not the best for coverage but one of the highest for bang/buck ratio: protection / loss of performance or rise in latency ratio.
Mike Lin's startup utility is the lightest interceptor of startups that are stored in over a dozen locations of the registry.
Script Guard is a useful script interceptor for kiddy scripts.
ProcessGuard is an old, defunct program that works like a firewall for any new executable, but nags you for approval; however, it is secure and lean after you accept a trusted source or ignore or block an untrusted source.
A blacklist add-on for your browser is good, like Web of Trust (WOT), but Chrome has part of this included in a similar fashion but to a smaller extent.
A blacklist can get huge for HOSTS files, and if you use this (>1MB is huge when scanned in 4KB chunks every 10 minutes), I highly recommend disabling the DNS caching service to reduce the redundant periodic scans by every app that is active with firewall privileges.
Disable File Indexing if you don't really use it for email and things, because it spawns your AV suite to scan every file accessed every time, again and again... how redundant.
Some may take exception to this partial list off the top of my head, but I save time securing my PC and operating in a lean environment. Regular audits to confirm my security, done at night, prove my worry-free practice is justified. I still have a thousand HJT logs, combofix.txt logs and Runscanner logs to support my opinions of cures and better security/performance balance.
Avoid careless downloading/installing of .exe files or Windows media files which can execute scripts (e.g. .WMA, .WMV), unlike .mp3 or .avi.
Avoid all ads with targeted big buttons to download or update your security, which may distract your attention from the free update on download aggregators like hippo dot com... cnet is not bad. Be very careful. Some sites use 3rd-party ads and have no content control.
All for now.
Tony Stewart, EE since 1975.