Page 43 - CDM Cyber Warnings February 2014
The concept of "hardening" has nice imagery to it. When we use it to describe battle-hardened soldiers who have been tested in combat, a grim, determined image invariably leaps to mind. The same thing happens when we speak of hardened steel that's been repeatedly quenched and tempered, or of hardened fortifications or bunkers.

But what does this state of "being hardened" mean in the context of information systems? What do we mean when we talk about "hardening systems" to repel exploits and withstand intrusions? Much of this is captured in three simple concepts:

1) Ensure a system's security configurations are appropriately set, given the job it needs to do

2) Ensure operating system software, firmware and applications are updated to stay ahead of exploits that attack flaws in the underlying code

3) Ensure this process runs continually, leveraging and employing as much automation as possible

Configuration Hardening

Configurations are, in an almost literal sense, the DNA of modern information systems. "Configuration settings" are the attributes and parameters that tell these systems—from servers to network devices and from databases to desktops and applications—how to act and how to behave.

Unfortunately, these systems are made to "do work" and not to "be secure." In other words, they're shipped infinitely capable but effectively insecure. Modern computer systems have over 1,000 well-known ports with which to get work done. They also have another 40,000 or so "registered" ports, and yet another 20,000 or so "private" ports. These in turn support a vast number of services and processes.

There's a nice analogy that helps us get our arms around this: If we translate a server's "ports and processes and services" to the "doors and gates and windows" in a house, we see information systems as unimaginably large, fundamentally porous houses. Security configuration management becomes the job of determining which of these doors and gates and windows should be open, closed, or locked at any given time.

Of course, this notion of whether something should be "open or closed or locked" is very conditional – it depends on circumstances like "when" or "where." If I'm going away for a week, I double-check that everything in my house is locked down tight. If I'm only going to be gone for an hour I may leave the back door unlocked. And if it's the height of summer I may have an air conditioner in a window that comes right off the front porch. In this case I've knowingly traded an inherent security weakness – I can't lock that window until autumn – for comfort.

To drag this analogy back to the modern computer network, we need to amplify our numbers exponentially. The first thing we note is that the number of "configuration items"—doors and gates and windows that need to be monitored and assessed just to achieve a basic level of security—becomes staggering:

● Network device configurations can have an average of 2000 lines of code for each device
● Each device configuration can contain hundreds of parameters for about 20 different IP protocols and technologies that need to work together
● A Fortune 1000 enterprise can have over 50 million lines of configuration code in its extended network

At the device level, this complexity is apparent in even the simplest of "vendor hardening guideline" documents. These are vendor-provided "How To" guides that show
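The "open, closed, or locked" decision above, and its dependence on circumstances, can be expressed as a role-based port baseline checked against what a host actually has listening. The script below is an added example written for this page, not code from the article or any vendor guide; the roles, port numbers, condition tags and the observed-listener snapshot are all constructed for illustration.

```python
from dataclasses import dataclass

# Baseline per host role (constructed, hypothetical values): "required" ports must be
# listening, "conditional" ports may listen only while the named condition holds, and
# any other listener is an unexpected open door that should be closed or locked.
POLICY = {
    "web": {"required": {22, 443}, "conditional": {80: "https_redirect_only"}},
    "db": {"required": {22, 5432}, "conditional": {}},
}

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    port: int
    severity: str
    message: str


def assess(role, listening, conditions=frozenset()):
    """Compare observed listeners ({port: service}) against the role's baseline.
    `conditions` is the set of condition tags currently satisfied on the host,
    e.g. 'https_redirect_only' when port 80 does nothing but redirect to 443."""
    policy = POLICY[role]
    findings = []
    # A required door that is shut means the system cannot do its job.
    for port in sorted(policy["required"] - set(listening)):
        findings.append(Finding(port, "medium", f"required service on port {port} is not listening"))
    for port, service in sorted(listening.items()):
        if port in policy["required"]:
            continue
        condition = policy["conditional"].get(port)
        if condition is None:
            findings.append(Finding(port, "high", f"unexpected listener {service} on port {port}"))
        elif condition not in conditions:
            findings.append(Finding(port, "medium", f"{service} on port {port} allowed only while {condition}"))
        else:
            findings.append(Finding(port, "info", f"{service} on port {port} open under {condition}"))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'clean' when nothing was flagged."""
    if not findings:
        return "clean"
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    # Constructed snapshot of a web host: one conditional door and one unexpected one.
    observed = {22: "sshd", 80: "nginx", 443: "nginx", 3306: "mysqld"}
    for f in assess("web", observed):
        print(f.severity.upper(), f.port, f.message)
```

Re-running the assessment on a schedule, with the baseline kept in version control, is the "continual, automated" third concept applied to the first.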