Security in Context: The BeyondTrust Blog


In Configuration We [Still] Trust

Posted March 22, 2012    Marc Maiffret

It has been roughly a year since we released our original paper titled “In Configuration We Trust.” The goal of that research was to draw awareness to the fact that a great deal of security improvement can be made simply through how you architect your network and configure your operating systems and applications. These recommendations can help stop not only run-of-the-mill drive-by attacks but also some of the more sophisticated, dare we say APT, attacks. We’ve updated that research, which can be found here, and have also added a new tool into the mix. Why did we do all this? Let’s talk about that.

The larger goal of the paper, though, is to change the conversation in security. We far too often focus on the outcome of some new threat or malware. We analyze every single bit of data about what some new malware does to a system and the fallout from such an attack. We far too often fail to answer the simple questions: How did the malware or attack happen in the first place, and what could have been done to prevent it?

People were rather surprised in our original paper to hear that even such well-covered attacks as Aurora or Stuxnet could have been defeated or crippled through simple security measures such as web proxies and proper file permissions. But these things should not be surprising when you think about how much time and energy our industry spends on reacting vs. preventing.

We suffer from a culture that is similar to the healthcare world in which people are more concerned with finding the next magic pill to improve their life instead of putting in the effort to do the simple and effective things such as eating right and exercising.

Security, just as in life, has no silver bullet. While there is indeed a very clear place for preventative security technologies, these things alone are not enough: there is no appliance you can rack nor single solution you can install that will make you secure. This should come as no surprise, though, when you step back and think about it.

I am often asked at security conferences by people working in IT, “Why is nothing working? Why are my anti-virus and IPS failing me?” The answer really is a play on Dan Geer’s famous monoculture argument, except in this case I am referring to the security monoculture rather than Geer’s original focus on operating systems, namely Microsoft.

The fact is everyone is using one of the two main anti-virus solutions and one of the four main intrusion prevention systems. It becomes easy for attackers to understand exactly what defenses they are up against, and it is only a matter of time until their exploit and malware can overcome those defenses. This is of course something that is happening on a daily basis, and it is why people working in IT have become beyond frustrated in dealing with security.

You must step outside the security monoculture. This does not mean getting rid of your security solutions but rather adding security to your network and operating systems that is unique and tailored to your environment. It comes down to the customization you do around your network architecture and your overall systems attack surface.

So why, then, do we find ourselves in a situation where even some security experts try to talk people out of proper network architecture and system configuration? We certainly do not suggest in our paper, nor believe, that any one configuration change is going to stop all attacks or malware. Rather, the goal of proper architecture and configuration is to raise the bar of what it takes for a system to be compromised.

There will always be cynics in any walk of life, and the security industry is absolutely overflowing with them. You hear them all the time: people willing to say it is good advice to recommend that people not even do the basics of network and system security because those things are not foolproof. It would seem obvious that, of course, nothing is foolproof, but even more obvious to me is that IT people are absolutely tired of people in security telling them everything that does not work instead of ever sharing what is working.

Clearly, proper network architecture and system configuration is something we believe strongly in. When we wrote the first version of our paper we gave just a few simple examples of configuration and network changes that could be made to help increase your organization’s level of security. These are to serve not as the end-all, be-all list of what will improve your security, but as a starting point to hopefully shift the dialogue beyond only talking about what is not working in security.

We are also releasing a free configuration scanning tool that will audit your environment for a handful of the things we discussed, so you can get a quick pass/fail look at how your environment fares. These checks alone will not tell you whether your security is good enough, but if you are failing more than a couple of them you probably have some work to do in reviewing your network architecture and system configuration.
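As an added illustration (not BeyondTrust’s tool or any code from the paper), here is a small pass/fail audit of the kind the post describes, covering two of the measures it names: proper file permissions and forcing web traffic through a proxy. It runs over constructed sample data; the paths, proxy host and the HTTP_PROXY/HTTPS_PROXY environment-variable convention are assumptions.

```python
import stat
from typing import Callable, Dict, List, Tuple

# Constructed sample inputs so the audit runs offline. On a live host these
# would come from os.stat() over a directory tree and from os.environ.
SAMPLE_PERMS: Dict[str, int] = {          # path -> POSIX mode bits (assumed)
    "/opt/app/bin/service": 0o100755,
    "/opt/app/etc/config.ini": 0o100666,  # world-writable config: should fail
    "/opt/app/cache": 0o041777,           # sticky world-writable dir: allowed
}
SAMPLE_ENV: Dict[str, str] = {"HTTPS_PROXY": "http://proxy.example:3128"}

Check = Callable[[], Tuple[bool, str]]

def check_world_writable(perms: Dict[str, int]) -> Tuple[bool, str]:
    """Fail if any file, or any directory without the sticky bit, is
    writable by 'other' (the 'proper file permissions' item)."""
    bad = [p for p, m in perms.items()
           if m & stat.S_IWOTH and not (stat.S_ISDIR(m) and m & stat.S_ISVTX)]
    if bad:
        return False, "world-writable: " + ", ".join(sorted(bad))
    return True, "no world-writable paths"

def check_proxy_enforced(env: Dict[str, str]) -> Tuple[bool, str]:
    """Fail unless both HTTP and HTTPS are pointed at a proxy (the 'web
    proxy' item); a half-configured proxy leaves one channel going direct."""
    missing = [v for v in ("HTTP_PROXY", "HTTPS_PROXY") if not env.get(v)]
    if missing:
        return False, "no proxy for: " + ", ".join(missing)
    return True, "all web traffic routed via proxy"

def run_audit(checks: Dict[str, Check]) -> List[Tuple[str, bool, str]]:
    """Run every named check and return (name, passed, detail) rows."""
    return [(name, *fn()) for name, fn in checks.items()]

def failures(results: List[Tuple[str, bool, str]]) -> int:
    """Number of failing checks; more than a couple means work to do."""
    return sum(1 for _, passed, _ in results if not passed)

def sample_audit() -> List[Tuple[str, bool, str]]:
    return run_audit({
        "file-permissions": lambda: check_world_writable(SAMPLE_PERMS),
        "web-proxy": lambda: check_proxy_enforced(SAMPLE_ENV),
    })

if __name__ == "__main__":
    rows = sample_audit()
    for name, passed, detail in rows:
        print(f"[{'PASS' if passed else 'FAIL'}] {name}: {detail}")
    print(f"{failures(rows)} of {len(rows)} checks failing")
```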

Our hope is to continue to try and push the security conversation to not just be about what the next major threat does but how to prevent it. This tool is simply to create awareness to that end and we look forward to you continuing the conversation with us on real-world ways IT can improve security. You can grab the white paper and tool from here:

