May 23, 2012
tom
No Comments

How to prevent zero day attacks

Question

Traditionally, all anti-virus programs and IPS systems work using signature-based techniques. However, this doesn’t help much to prevent zero-day attacks.

Therefore, what can be done to prevent zero-day attacks?

Asked by honeybadger

Answer

I think you acknowledge an interesting sys-admin truth there, which is that

  1. unless you can reduce the probability of being hacked to zero then…
  2. eventually, at some point, you are going to get hacked.

This is just a basic truth of maths and probability, that for any non-zero probability of an event. The event eventually happens…

So the 2 golden rules for reducing the impact of this “eventually hacked” event are these;

1). The principle of least privilege

You should configure services to run as a user with the least possible rights necessary to complete the service’s tasks. This can contain a hacker even after they break in to a machine.

As an example, a hacker breaking into a system using a zero-day exploit of the Apache webserver service is highly likely to be limited to just the system memory and file resources that can be accessed by that process. The hacker would be able to download your html and php source files, and probably look into your mysql database, but they should not be able to get root or extend their intrusion beyond apache-accessible files.

Many default Apache webserver installations create the ‘apache’ user and group by default and you can easily configure the main Apache configuration file (httpd.conf) to run apache using those groups.

2). The principle of separation of privileges

If your web site only needs read-only access to the database, then create an account that only has read-only permissions, and only to that database.

SElinux is a good choice for creating context for security, app-armor is another tool. Bastille was a previous choice for hardening.

Reduce the consequence of any attack, by reducing the power of the service that has been compromised.

Silver Rules are also good.

Use the tools available. (It’s highly unlikely that you can do as well as the guys who are security experts, so use their talents to protect yourself.)

  1. public key encryption provides excellent security. use it. everywhere.
  2. users are idiots, enforce password complexity
  3. understand why you are making exceptions to the rules above. review your exceptions regularly.
  4. hold someone to account for failure. it keeps you on your toes.
Answered by Tom H

Check more discussion of this question.

Related posts:

  1. How to prevent / detect ARP poison rooting attacks?
  2. Prevent brute force attacks in Microsoft FTP Server (IIS6/7)
  3. How I can prevent by site from attacks [closed]
  4. BZ2 backup files don’t differ in size from day to day
  5. how to combine day of week and day of month in crontab?

Leave a comment