Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

In Configuration We [Still] Trust

Post by Marc Maiffret March 22, 2012

It has been roughly a year since we released our original paper, “In Configuration We Trust.” The goal of that research was to draw attention to the fact that a great deal of security improvement can be had simply through how you architect your network and configure your operating systems and applications. These recommendations help stop not only run-of-the-mill drive-by attacks but also some of the more sophisticated, dare we say APT, attacks. We have updated that research, which can be found here, and have also added a new tool into the mix. Why did we do all this? Let’s talk about that.

The larger goal of the paper, though, is to change the conversation in security. We far too often focus on the outcome of some new threat or piece of malware: we analyze every bit of data about what it does to a system and the fallout from the attack, and we far too often fail to answer the simple questions. How did the malware or attack get in in the first place, and what could have been done to prevent it?

People were rather surprised to read in our original paper that even such well-covered attacks as Aurora or Stuxnet could have been defeated or crippled through simple security measures such as web proxies and proper file permissions. But this should not be surprising when you consider how much time and energy our industry spends on reacting rather than preventing.

We suffer from a culture similar to that of the healthcare world, in which people are more concerned with finding the next magic pill than with putting in the effort to do the simple, effective things such as eating right and exercising.

Security, as in life, has no silver bullet. While there is indeed a clear place for preventative security technologies, they alone are not enough: there is no appliance you can rack and no single product you can install that will make you secure. This should come as no surprise when you step back and think about it.

I am often asked at security conferences by people working in IT, “Why is nothing working? Why are my anti-virus and IPS failing me?” The answer is really a play on Dan Geer’s famous monoculture argument, except that here I am referring to the security monoculture rather than Geer’s original focus on operating systems, namely Microsoft’s.

The fact is that nearly everyone is running one of the same two anti-virus products and one of the same four intrusion prevention systems. That makes it easy for attackers to learn exactly which defenses they are up against, and it is only a matter of time until their exploits and malware are tuned to get past them. This happens on a daily basis, and it is why people working in IT have become beyond frustrated with security.

You must step outside the security monoculture. That does not mean discarding your security products; it means adding defenses to your network and operating systems that are unique to, and tailored for, your environment. It comes down to the customization you do around your network architecture and the overall attack surface of your systems.

So why do we find ourselves in a situation where even some security experts try to talk people out of proper network architecture and system configuration? We certainly do not suggest in our paper, nor believe, that any one configuration change will stop all attacks or malware. The goal of proper architecture and configuration is to raise the bar for what it takes to compromise a system.

There will always be cynics in any walk of life, and the security industry is overflowing with them. You hear them all the time: people willing to argue that it is good advice to tell others not to bother with even the basics of network and system security because those basics are not foolproof. Of course nothing is foolproof. What is even more obvious to me is that IT people are tired of hearing from security people about everything that does not work, while almost never hearing about what does.

Clearly, proper network architecture and system configuration are things we believe in strongly. In the first version of our paper we gave just a few simple examples of configuration and network changes that can raise an organization’s level of security. They are not the end-all, be-all list of what will improve your security, but a starting point to shift the dialogue beyond only talking about what is not working.

We are also releasing a free configuration scanning tool that audits your environment for a handful of the things we discussed, so you can get a quick pass/fail look at how your environment fares. These checks alone will not tell you whether your security is good enough, but if you are failing more than a couple of them you probably have some work to do reviewing your network architecture and system configuration.
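To make the pass/fail idea concrete, here is a small auditor added as an illustration for this post. It is not BeyondTrust’s tool: the check names, the proxy heuristic (treating a set http_proxy/https_proxy as "outbound web traffic goes through a proxy"), the POSIX permission rules and the sample tree are all assumptions of the example. The two checks are modelled on the measures named earlier in the post, a forced web proxy and proper file permissions.

```python
#!/usr/bin/env python3
"""Pass/fail configuration audit skeleton.

Added illustration only; this is NOT BeyondTrust's scanner. It encodes two
checks modelled on the measures the post names, using assumed names:
  proxy            - outbound web traffic must be forced through a proxy; here
                     approximated by http_proxy/https_proxy being set.
  file-permissions - nothing in the audited tree may be world-writable,
                     except directories carrying the sticky bit (POSIX rules;
                     on Windows st_mode is synthetic and this check is weak).
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Tuple


@dataclass
class Result:
    name: str
    passed: bool
    detail: str

    def __str__(self) -> str:
        return f"[{'PASS' if self.passed else 'FAIL'}] {self.name}: {self.detail}"


def check_proxy(env: Mapping[str, str]) -> Result:
    """PASS when both http_proxy and https_proxy (either case) are set and non-empty."""
    missing = [
        var for var in ("http_proxy", "https_proxy")
        if not (env.get(var) or env.get(var.upper()))
    ]
    if missing:
        return Result("proxy", False, "unset: " + ", ".join(missing))
    return Result("proxy", True, "outbound web traffic is pointed at a proxy")


def is_world_writable(mode: int) -> bool:
    """True if the st_mode grants write to 'other'; a sticky directory is tolerated."""
    if not mode & stat.S_IWOTH:
        return False
    if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        return False  # /tmp-style directory: others cannot remove each other's files
    return True


def check_permissions(entries: Iterable[Tuple[str, int]]) -> Result:
    """entries are (path, st_mode) pairs, e.g. from walk_modes() or a constructed fixture."""
    offenders = [path for path, mode in entries if is_world_writable(mode)]
    if offenders:
        return Result("file-permissions", False, "world-writable: " + ", ".join(offenders))
    return Result("file-permissions", True, "no world-writable paths")


def walk_modes(root: str) -> List[Tuple[str, int]]:
    """Collect (path, st_mode) for root and everything below it, without following symlinks."""
    found = [(root, os.lstat(root).st_mode)]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            found.append((full, os.lstat(full).st_mode))
    return found


def run_audit(env: Mapping[str, str], entries: Iterable[Tuple[str, int]]) -> List[Result]:
    """Run every check and return its Result, in a fixed order."""
    return [check_proxy(env), check_permissions(entries)]


def failures(results: Iterable[Result]) -> int:
    """Number of failed checks in a result list."""
    return sum(1 for r in results if not r.passed)


if __name__ == "__main__":
    # Constructed sample: no proxy configured and one world-writable config file.
    sample_env = {"PATH": "/usr/bin"}
    sample_tree = [
        ("/srv/app", 0o040755),
        ("/srv/app/config", 0o040755),
        ("/srv/app/config/db.conf", 0o100666),  # rw-rw-rw-: anyone can edit it
        ("/srv/app/uploads", 0o041777),         # sticky, tolerated
    ]
    results = run_audit(sample_env, sample_tree)
    for r in results:
        print(r)
    print(f"{failures(results)} of {len(results)} checks failed")
    # To audit a real tree on a POSIX host: run_audit(os.environ, walk_modes("/etc"))
```

The point of the structure is that each check returns a named pass/fail with a reason, so adding a third or tenth check is a matter of appending a function to run_audit, and the "failing more than a couple" rule above becomes a one-line threshold on failures().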

Our hope is to keep pushing the security conversation beyond what the next major threat does and toward how to prevent it. This tool exists simply to create awareness to that end, and we look forward to continuing the conversation with you on real-world ways IT can improve security. You can grab the white paper and tool from here:

