
Is ‘dynamic security’ enough?

By Dale Reagan | May 18, 2011

Dynamic Security – simply defined here as monitoring both perimeter traffic and internal traffic, and reacting based on rules/configuration and perhaps observed behaviour(s). Is this enough?

During the spring of 2011 we have seen quite a number of news stories covering personal privacy and cell phone ‘location data’. So what else about you is being stored/shared/transmitted without your direct knowledge, and by whom?

From a 2010 SANS NewsBites issue (Vol. 12 Num. 44) – A new standard of due care in cyber security NIST 800-37:

“Know the status of every machine on the network at all times, they can reach into every machine for additional data on security, and they can take action to eliminate problems instantly.”

John Kindervag – discussed ZT and HOS during a webinar (December, 2010):

As users, we really have little or no awareness of what data is actually being transmitted as we use network resources. Your cell phone is working with the private network of your carrier – we have little or no real knowledge (awareness) of any data being used/shared during cell phone operation. Based on network theory and operational standards we can guess/speculate about the data that is needed, but most of us simply choose to blindly trust network services and/or providers – we can’t imagine some entity abusing information gathered from our use of a service. Our PCs on wired networks, however, do provide opportunities to see what is actually going on.

Keeping the above in mind, what about those user-helpful features on your PC that reach out in order to report on ‘network status’ – specifically the Microsoft Network Connectivity Status Indicator (NCSI) process:

So, what is wrong with providing a useful service/feature?

In an age of Zero Trust such processes need:

The bad part about this particular process is that it bypasses local DNS and proxy settings – it is configured to use custom DNS resources from Microsoft, a custom web domain target and a custom file to fetch (ncsi.txt). Note that a similar configuration is highly likely for ANY rogue/spy/malicious software on your network – hiding in plain sight, or hiding via more obscured encoding (custom DNS targets, custom domain targets or even hard-wired IP addresses…)

If we want to monitor/block such traffic then a custom filter is needed. If the process used the local proxy/DNS then we could simply create a local DNS entry or a proxy rule/filter to quickly alter such traffic.
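A minimal version of the custom filter described above, added here as an example and not part of the original post: it scans firewall-style flow records for DNS queries that go to any resolver other than the local one and for web egress that does not pass through the local proxy, which is exactly the pattern a process with its own hard-wired DNS/domain targets produces. The log format, the sample lines, and the resolver/proxy addresses are all constructed assumptions for a lab network.

```python
"""Flag flows that bypass the locally configured DNS resolver or web proxy."""
from dataclasses import dataclass

# Assumptions for a lab network (not values from the original post).
LOCAL_RESOLVER = "10.0.0.53"   # the site's internal DNS server
LOCAL_PROXY = "10.0.0.8"       # the site's outbound web proxy
PROXY_PORT = 3128

# Constructed firewall log lines: timestamp src dst proto dport queried-name
SAMPLE_LOG = """\
2011-05-18T09:00:01 10.0.1.25 10.0.0.53 udp 53 www.example.org
2011-05-18T09:00:02 10.0.1.25 10.0.0.8 tcp 3128 -
2011-05-18T09:00:03 10.0.1.25 198.51.100.7 udp 53 dns.vendor-probe.example
2011-05-18T09:00:04 10.0.1.25 203.0.113.10 tcp 80 -
2011-05-18T09:00:05 10.0.1.25 10.0.0.53 udp 53 intranet.corp
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, src, dst, proto, dport, name = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "name": name}


def find_bypasses(log_text: str, resolver: str = LOCAL_RESOLVER,
                  proxy: str = LOCAL_PROXY, proxy_port: int = PROXY_PORT) -> list:
    """Return one Finding per flow that sidesteps the local resolver or proxy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        # Any DNS traffic not aimed at our resolver means a private DNS target.
        if f["dport"] == 53 and f["dst"] != resolver:
            findings.append(Finding(f["src"], f["dst"],
                                    f"DNS query to non-local resolver for {f['name']}"))
        # Direct HTTP/HTTPS egress means the proxy (and its rules) were skipped.
        elif f["dport"] in (80, 443) and not (f["dst"] == proxy and f["dport"] == proxy_port):
            findings.append(Finding(f["src"], f["dst"], "direct web egress, proxy bypassed"))
    return findings


if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG):
        print(f"{hit.src} -> {hit.dst}: {hit.reason}")
```

Only the two flows that go around the local resolver and proxy are reported; traffic to the resolver and to the proxy port is accepted as normal.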

Based on a quick review of the Microsoft TechNet articles, you can disable the feature via a registry key; I did encounter a blog post that suggested you could also edit the NCSI registry network entries (DNS, target domain and the target URL) – I will guess that some future update from Microsoft might create problems for you if you make such changes. I do, however, think that this should be another item under user control via a configuration panel (as ALL network configuration options should be.)

While I generally consider Microsoft documentation to be good, in an era of Zero Trust, or at least during a time of heightened sensitivity to personal privacy, this type of process needs complete transparency instead of being buried in TechNet articles.

It truly would be wonderful if software providers would not assume that anything they can do, or any environment feature available to them, is an acceptable resource to use with potentially personal, private data. Most folks/companies do things simply because they can, not because they should or because it is a good idea… I encourage a bit more thought. 🙂


Topics: Computer Technology, System and Network Security