In order to avoid “boiling the ocean”, most security industry “best practices” inevitably offer the same combination of high-level recommendations for vague IT security problems:
- Improve paper-based IT security policies and guidelines.
- Apply patches to systems.
- Use strong passwords.
- Conduct Security Awareness training.
While these considerations are fundamentally important, these “best practices” alone typically contribute little to the tangible improvement of overall security. Media coverage that dwells on successful attacks rather than on solutions for improving IT security has caused many IT and Security professionals to dangerously accept the situation as “just the way things are”. This is compounded by the media’s tendency to present the latest silver bullet for all of our security problems in the form of product recommendations. Don’t get me wrong, there are many great security technologies and products out there, but simply implementing one or more of these on top of a weak foundation does not provide better security.
All organizations face the dangers of falling behind on patches or being susceptible to zero-day, unpatchable, and sophisticated threats. To build a strong foundation, today’s IT professionals must take a step back and look beyond the failures of their Anti-Virus, IPS, firewalls, and other point solutions. They need to ask what could be done to go above and beyond generic security and technology implementations.
One lesson that I have learned over the years from my instructors in both Tae Kwon Do and Karate is this: if you want to defend yourself well, focus on the basics. A flying Superman punch looks real cool, but can be countered easily with a simple, well-timed snap-kick. Build a solid foundation in the simple movements, and keep practicing them even after you have mastered them.
To effectively protect an organization, always work under the assumption that there will be an attack. Assume that the attack methods used will be unforeseen. Anticipate that an attack may eventually result in a breach. The goal is not to prevent every possible attack, but to build a foundation that is resilient enough to withstand known and common attacks, to detect and identify other attacks as early as possible, and to contain the damage that a breach could cause.
- Configuration Management, in my opinion, offers the cornerstone of this basic foundation. Most organizations don’t realize the security risks that stem from basic configuration shortcomings within an IT environment. If systems are quickly pulled together with no standards or hardening efforts, and are allowed to provision additional services over time, no amount of add-on security will be able to ensure that they are adequately protected. You simply cannot protect what you do not control.
Configuration Management demands that each server placed within the server room have a defined purpose, and that it enable only those services required to meet that purpose. It is considered a best practice to disable any features or subsystems that are not in use. The more services you have running and the more features you have active, the more attack vectors are potentially available to gain initial or further access to a system. In any given environment, simply eliminating unused features and services will mitigate many vulnerabilities. Additionally, Configuration Management suggests that mixed services should be avoided. Don’t use the same server to store critical customer information AND provide FTP services, for instance. A weakness in one application or service could compromise the other.
Configuration Management requires that the purpose and configuration of each system be recorded, monitored and audited in order to validate that it has not changed over time and remains in a steady state. This is not to say that a given configuration cannot be updated; rather, any changes to the config are tested against the established standards, documented, and approved before being rolled out to production. Configuration Management also suggests that the components used to build systems, such as hard drives, memory, CPU types, video cards, applications, etc., should be documented and managed. There are many benefits to doing so, including the ability to quickly stand up a complete replacement if necessary and to provide an inventory for granular vulnerability management.
Configuration Management is an important tool in the IT and Security arsenal. Coupled with Change Management and Change Control, you should have a very solid inventory and understanding of your IT assets, and a good grip on monitoring those assets. For clarity, Change Management is a process for documenting, approving and implementing changes within the environment. Change Control is a tool that provides the means to measure, verify, and validate changes, and audit the state of those networked assets.
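As an added example (not code from the original post), this is what the “record, monitor and audit” step from the two paragraphs above looks like in practice: a recorded baseline of each server’s role, required services and config-file digests is compared against what an audit actually observes. The role allowlist, host name, service names and config contents are constructed for this illustration.

```python
import hashlib

def digest(content: bytes) -> str:
    """SHA-256 of a configuration file's contents, the value the baseline records."""
    return hashlib.sha256(content).hexdigest()

# Constructed data: which services each server role is permitted to run
# (the 'only required services' rule), one recorded baseline, and what an
# audit later observed on that host. All names and contents are made up.
ROLE_ALLOWED_SERVICES = {
    "web": {"sshd", "nginx", "auditd"},
    "db": {"sshd", "postgresql", "auditd"},
}
WEB_CONF_V1 = b"worker_processes 2;\nserver { listen 443 ssl; }\n"
WEB_CONF_V2 = b"worker_processes 2;\nserver { listen 443 ssl; listen 8080; }\n"

BASELINE = {
    "web01": {"role": "web", "services": {"sshd", "nginx", "auditd"},
              "files": {"/etc/nginx/nginx.conf": digest(WEB_CONF_V1)}},
}
# Observed: an FTP daemon appeared (mixed services), auditd stopped, nginx.conf edited.
OBSERVED = {
    "web01": {"services": {"sshd", "nginx", "vsftpd"},
              "files": {"/etc/nginx/nginx.conf": WEB_CONF_V2}},
}

def audit_host(name, baseline, observed):
    """Compare one host's observed state with its recorded baseline.
    Returns (host, finding, item) tuples; an empty list means steady state."""
    findings = []
    allowed = ROLE_ALLOWED_SERVICES[baseline["role"]]
    expected, running = baseline["services"], set(observed["services"])
    for svc in sorted(running - expected):
        # Not in the approved config; worse if the role should never run it at all.
        kind = ("service outside role allowlist" if svc not in allowed
                else "undocumented service enabled")
        findings.append((name, kind, svc))
    for svc in sorted(expected - running):
        findings.append((name, "required service missing", svc))
    for path, recorded in baseline["files"].items():
        current = observed["files"].get(path)
        if current is None or digest(current) != recorded:
            findings.append((name, "config file changed or missing", path))
    return findings
```

Every finding is either an unapproved change to take through Change Management or evidence that the baseline itself is out of date; both are worth knowing.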
- Vulnerability Management is the second basic networking martial arts move I will discuss. Through Configuration Management we learned about what makes up our environment, built an asset management capability, and started moving towards the advanced processes of Change Management and Control. Vulnerability Management now takes a look at what weaknesses are inherent in our assets and configurations, how much risk is presented by those weaknesses, and how we can mitigate the risks that those weaknesses impart.
Vulnerability Management contains several component processes, such as Vulnerability Scanning, Vulnerability Assessment, and Patch Management. Vulnerability Management and Patch Management are often confused. If you are applying patches to Microsoft Windows or Red Hat Linux, you are not necessarily performing Vulnerability Management. It’s like punching an invisible opponent. What about the applications? If you are only patching the Operating System, you are reducing some risk, but you are not reducing it effectively. More and more exploits target common and popular applications. Patch them too! Applying patches is only one method of vulnerability risk mitigation. Disabling unnecessary services and features is another, blocking communication is yet another, and removing redundant applications is still another. There are many options. Use them all appropriately.
- Proxy Servers are another useful weapon, and can go a long way toward improving security; however, few networks actually enforce their use. Require that all network traffic be routed through an authenticated proxy server before being sent to the Internet. Routing all traffic through a proxy server adds an additional step for attackers to take when attempting to communicate out from the network. A fair amount of malware is not “proxy aware”, meaning that after installation it will be unable to perform a “connect back” to the infection source for command & control or data exfiltration.
It is important to note that this only contains the post-infection communication. It does not stop the infection, remove the infection, nor does it prevent the infection from spreading within the network. It does prevent an attacker from knowing that a successful infection was achieved, and from gaining access to at-risk data. It could also make detecting infections easier, as a system could monitor for dropped packets going out to the Internet. This may lead to some false positives, but watching for large numbers of drops from one system could provide a chance to detect and stop an infection before it spreads to other machines within the network, or to identify other technical issues with the affected host.
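As an added example, not part of the original post, here is the detection idea from the paragraph above run over constructed log lines: an egress firewall that drops any Internet-bound traffic not sent via the proxy, and a check that flags an internal host producing a burst of such drops rather than alerting on every single one. The log format, addresses and thresholds are made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style lines from an egress firewall that drops any
# Internet-bound traffic not sent via the proxy (made up; not a real product format).
SAMPLE_LOG = """\
2024-03-04T10:00:01 fw DROP src=10.0.5.23 dst=203.0.113.10 proto=TCP dpt=443
2024-03-04T10:00:02 fw DROP src=10.0.5.23 dst=203.0.113.10 proto=TCP dpt=443
2024-03-04T10:00:03 fw DROP src=10.0.5.23 dst=203.0.113.11 proto=TCP dpt=8080
2024-03-04T10:00:04 fw ACCEPT src=10.0.5.40 dst=10.0.1.5 proto=TCP dpt=3128
2024-03-04T10:00:09 fw DROP src=10.0.5.23 dst=203.0.113.12 proto=TCP dpt=443
2024-03-04T10:00:15 fw DROP src=10.0.5.77 dst=198.51.100.7 proto=UDP dpt=53
2024-03-04T10:00:30 fw DROP src=10.0.5.23 dst=203.0.113.13 proto=TCP dpt=443
2024-03-04T10:12:00 fw DROP src=10.0.5.23 dst=203.0.113.14 proto=TCP dpt=443
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<action>DROP|ACCEPT) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) proto=\S+ dpt=(?P<dpt>\d+)$")

def parse_drops(text):
    """Yield (timestamp, src, dst, dport) for each DROP line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("action") == "DROP":
            yield (datetime.fromisoformat(m.group("ts")), m.group("src"),
                   m.group("dst"), int(m.group("dpt")))

def noisy_hosts(text, threshold=5, window_s=60):
    """Return {src: (drops, distinct_destinations)} for each internal host that
    produced at least `threshold` egress drops within any `window_s` seconds.
    A lone drop is noise; a burst from one host is the pattern worth a look."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in parse_drops(text):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = (end - start + 1, len({d for _, d in events[start:end + 1]}))
                break
    return flagged
```

A host that trips the threshold is a candidate for the follow-up the text describes: either a “connect back” attempt that the proxy requirement contained, or a misconfigured client that never learned about the proxy.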
- Firewalls must be mentioned in any discussion of basic security. Do you need one? Yes, you do. Do you need one at home? Yes, you do. Even if you have a router? Yes, you do. A firewall differs from a router in its most fundamental purpose. A router is intended to connect networks together, ensuring communications get to their intended destinations. A firewall is built as a restrictive tool. It is intended to separate networks from one another. It is true that you can enter rules on a router to filter traffic, and you can have it perform some functions of a firewall, but not all, and not very efficiently.
It is my opinion that every single home should have a hardware firewall in place to protect the network; however, your firewall should extend to the desktop as well. The reason I recommend a personal firewall in addition to a hardware firewall is the ability to control what enters and leaves the workstation as well as the network. A hardware firewall is going to provide a basic test of network traffic against a small set of rules. If a packet is properly addressed, has no obvious errors, and belongs to an established communication stream, it will be allowed past the firewall. A personal firewall on the endpoint is able to inspect the packets much more closely, examine their contents, and in many cases the effects that those contents will have on the endpoint itself.
- Finally, one more weapon for Security Karate basics is Penetration Testing. If you want to really know how vulnerable your network is to attack, and what specific weaknesses need your attention, conduct penetration testing on the environment. Pen-Testing differs from Vulnerability Scanning significantly. When you scan for vulnerabilities, you are looking for specific characteristics, such as Operating System version, application version, service on/off status, registry key settings, etc. Each is either present or not present. The potential attack path and any mitigating controls in the path of the attack are not considered. Reachability of the service is also not always considered or measurable.
Good Vulnerability Scans involve automation. Good Pen-Tests involve people. In a Pen-Test, someone actually tries to identify and exploit (to some extent) the vulnerabilities found or suspected to be present in the network, services and applications. An attack either fails or doesn’t.
These are the basics. Learn them well. Continue to exercise and test them, even after you have mastered them. Notice that the first two and the last one are knowledge-based activities. They seek and provide information and insight into the architecture and pain points of the network and its component assets. Performed diligently and methodically, these items and processes will provide a solid security foundation. Wax on, wax off. Wax on, wax off.