Therefore, what can be done to prevent zero-day attacks?
I think you acknowledge an interesting sys-admin truth there, which is that
- unless you can reduce the probability of being hacked to zero then…
- eventually, at some point, you are going to get hacked.
This is just a basic truth of maths and probability: for any non-zero probability of an event, the event eventually happens…
So the 2 golden rules for reducing the impact of this “eventually hacked” event are these:
1). The principle of least privilege
You should configure services to run as a user with the least possible rights necessary to complete the service’s tasks. This can contain a hacker even after they break in to a machine.
As an example, a hacker breaking into a system using a zero-day exploit of the Apache webserver service is highly likely to be limited to just the system memory and file resources that can be accessed by that process. The hacker would be able to download your html and php source files, and probably look into your mysql database, but they should not be able to get root or extend their intrusion beyond apache-accessible files.
Many default Apache webserver installations create the ‘apache’ user and group by default and you can easily configure the main Apache configuration file (httpd.conf) to run apache using those groups.
2). The principle of separation of privileges
If your web site only needs read-only access to the database, then create an account that only has read-only permissions, and only to that database.
Reduce the consequence of any attack, by reducing the power of the service that has been compromised.
Silver Rules are also good.
Use the tools available. (It’s highly unlikely that you can do as well as the guys who are security experts, so use their talents to protect yourself.)
- public key encryption provides excellent security. use it. everywhere.
- users are idiots, enforce password complexity
- understand why you are making exceptions to the rules above. review your exceptions regularly.
- hold someone to account for failure. it keeps you on your toes.
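One way to put the second rule (separation of privileges) into practice for the mysql database the answer mentions, as an added example that is not part of the original answer: MySQL/MariaDB GRANT statements showing the over-privileged account beside restricted ones. The database name `shopdb`, the accounts `webapp_ro`/`webapp_rw`, the `orders` table and the password placeholders are assumptions chosen for the example.

```sql
-- Added example (not from the original answer). Assumed names: database
-- 'shopdb', accounts 'webapp_ro' and 'webapp_rw', table 'orders'; passwords
-- are placeholders to be replaced.

-- WEAK: one all-powerful account used by the web tier. A zero-day in the
-- web service that leaks this password exposes every database on the server,
-- from any host that can reach port 3306.
-- CREATE USER 'webapp'@'%' IDENTIFIED BY '<placeholder-password>';
-- GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%';

-- CORRECTED: one account, one database, read-only, and reachable only from
-- the web server's own host, so a stolen password is useless from elsewhere.
CREATE USER 'webapp_ro'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT SELECT ON shopdb.* TO 'webapp_ro'@'localhost';

-- If part of the site must write to a few tables, give that a separate
-- account with a narrow grant instead of widening the read-only one.
CREATE USER 'webapp_rw'@'localhost' IDENTIFIED BY '<placeholder-password>';
GRANT SELECT ON shopdb.* TO 'webapp_rw'@'localhost';
GRANT INSERT, UPDATE ON shopdb.orders TO 'webapp_rw'@'localhost';

-- Verify: each listing should show only the grants above, never
-- "GRANT ALL PRIVILEGES ON *.*".
SHOW GRANTS FOR 'webapp_ro'@'localhost';
SHOW GRANTS FOR 'webapp_rw'@'localhost';

-- Spot check when connected as webapp_ro: any write must be refused with
-- an error of the form "command denied to user 'webapp_ro'@'localhost'".
-- DELETE FROM shopdb.orders WHERE id = 1;
```

Review the SHOW GRANTS output whenever the application changes, since the exception review the answer recommends applies to database grants as much as to anything else.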