Next up was something more serious, a critical alert regarding Rig Exploit Kit detection. The Rig Exploit Kit has been around for a little over a year and is a highly configurable piece of malware able to deliver various types of attacks, including CryptoLocker, which encrypts data on a PC in a way that can't be undone without paying a ransom. We ran our antivirus client and an independent malware detection tool on the PC in question, but neither came up with anything. Still, though, the firewall was flagging the PC as infected. We couldn't risk it, and we didn't have the time to conduct a deep forensic analysis of the PC, so I had our IT department wipe the PC and reimage it. Naturally, the user was upset about the inconvenience, but after I explained the potential for harm, she understood. Was this another false positive? I don't know, but all in all I'd rather play it safe. And I'm glad we had a tool that could warn us about the problem.
Other events amounted to little more than noise, since they were all things that we really can't do anything about: SQL injection attempts, cross-site scripting, efforts to obtain the /etc/passwd file, port scans, and multiple authentication attempts against applications that we expose to the Internet. Those are things that I consider the cost of doing business on the Internet, where the entire world could be an adversary. We don't really need a new-generation firewall to tell us about them, but I don't object to having the reminders.
But the other alerts, even the false positives, affirm my defense-in-depth strategy and my focus on hardening our outer shell and inner core. I think a new firewall is in my future.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons.