Security+ Certification: Shoring Up Your Defenses
Hardening refers to the process of making changes to a computer or network device in order to make it less vulnerable to intruders. This is important because the computers and networks that an organization uses are expected to continue functioning without interruption; the business information contained in or processed by them is expected to maintain its integrity.
For a number of reasons that are not germane to the topic of Security+ certification, systems do not come from their manufacturers in a completely hardened state. It is up to the organization that uses the systems to perform all hardening procedures that are appropriate for their environment.
The proper hardening of a system boils down to five principles:
- Keep security patches and fixes current. Virtually every hardware and software vendor from time to time releases security patches. It is essential that every organization using the product install the security patch as soon as possible in order to prevent security incidents.
- Disable or remove unnecessary components. If a software component on a system is unused, it is probably unnecessary. Every unnecessary component on a system must either be disabled or, better yet, removed altogether. When a software component is removed from a system, then any vulnerability discovered in that component cannot pose a risk to the system. If the flawed component is not running or is not present, then it cannot be used to break in to a system.
- Disable default access configurations. Systems and network devices may have default accounts and/or passwords that, if unchanged, provide easy access by an intruder. Guest accounts should be disabled or removed; default passwords must be changed; accounts with no passwords must be disabled or passwords assigned.
- Tighten access controls. Too often, access permissions to resources such as programs or files are too lax. In an effort to get a new service up and running, system administrators frequently change access controls to "wide open" and then, in their haste to complete the project, neglect to tighten down access. Later, the "wide open" access can be exploited by an intruder who can steal or damage information.
- Turn on audit logging. Many operating systems and applications, while they contain an event/access/audit logging feature, frequently are shipped with logging turned off or disabled. By using event logging, it may be possible to re-trace some of the steps taken by an intruder.
These universal principles apply in just about every situation regarding computers and network devices. If system and network engineers are diligent and follow these principles, then the majority of potential security incidents will be prevented.
Security flaws and patches
Computers and network devices have at their core one or more software programs that control their operation. Being written, installed, and managed by imperfect humans, sometimes computers and network devices contain flaws that permit unexpected behavior. Once in a while this unexpected behavior results in someone being able to control or alter the system. This is generally known as a security flaw.
Other malfunctions in software result in the system just not running as expected. While they may not take the form of security flaws, they may be irritating nonetheless.
The companies that make and support systems have people whose job it is to create software updates. Depending upon the reason for the creation of the update, it may take many forms:
- Service Release. Also known as a version upgrade or service pack, service releases usually contain many fixes, and even feature enhancements or upgrades. Service releases are generally produced from once to three or four times per year.
- Patch. Also known as a hotfix, a patch is designed to change one specific problem. While the changes in a patch are usually included in a Service Release, generally a patch is produced because there is a heightened urgency. Typically a vendor produces a patch because it believes that its customers should install it immediately instead of waiting for the next service release to address the issue.
Disable unnecessary services
An unused but running application or service can increase the risk to a system. Take, for example, the FTP service. FTP is reliable and adequate security when configured correctly.
Suppose, for instance, that a serious flaw was discovered in FTP. Say, if you provided a certain pattern in the password field, you would be able to control the system. This would jeopardize the integrity of the system. However, if FTP was not used on a given system, then it should be either disabled or removed. This would eliminate the threat caused by the FTP flaw, because if FTP is not running on the system, then it cannot be exploited in order to compromise the system.
Disable default access
In order to facilitate their initial configuration or use, many systems are shipped to the customer with a guest account, and perhaps a default password on one or more administrative accounts. If these accounts are not changed or disabled, then an intruder who knows the factory default passwords or other access methods might be able to control a system.
It is imperative, then, to perform any or all of the following:
- Disable or remove Guest accounts.
- Change any default passwords on accounts.
- Make sure that all accounts have passwords.
Accounts and passwords are a system's first line of defense, so it is important to not make it too easy for an intruder to compromise your system.
Tighten access controls
Access to everything related to computers and networks must be restricted to only those individuals who have a bona fide business reason to access them. Consider the following pointers:
- Resist the temptation to change access permissions to "wide open" (permitting access to anyone and everyone).
- Adopt the principle of "denied unless explicitly permitted". In other words, the default access permission to a resource should be "denied." Then, explicitly permit access to specific groups or individuals as needed. This works better than "permitted unless explicitly denied," which permits new users to access an otherwise closed resource (unless the administrator is 100 percent diligent and always adds every new user to the "denied" list of every managed resource).
- Adopt the principle of "users only have the fewest privileges necessary for them to perform their job." This is known as the principle of "least privilege."
Turn on Audit Logging
Audit Logging is a feature present in most OSes, databases, and larger applications where most (if not all) user and administrative transactions are independently recorded. This provides an audit trail that can be used to piece together routine or unusual events.
Audit logging at a minimum should contain the following items that describe a transaction or event:
- Who performed the transaction. This is generally the userid associated with the transaction.
- When the transaction was performed.
- What was contained in the transaction. Depending upon the nature of the transaction, this may contain "old" and "new" values, or a description of the transaction.
- Where the transaction was performed. This will generally be a terminal ID or an IP address.