|By Brad Doctor||
|April 19, 2004 12:00 AM EDT||
As the state of the art in operating systems (OS) continues to advance, an unnerving trend has emerged: vulnerabilities in tightly integrated operating systems. How do you address this? With an effective combination of educated staff, proper procedures, and technology.
Rather than being a collection of separate utilities and daemons, the modern OS is moving toward a highly integrated system with numerous dependencies. As a result, the core of the OS is more easily exposed to a broader range of vulnerabilities. While Linux still largely a collection of separate components, Microsoft Windows is at the forefront of this design principle and, in fact, is moving to an even more tightly integrated system. The risks can become significant. Whenever a vulnerability is found in one of the core components of a tightly integrated OS, interdependent components are vulnerable as a result. Developing an appropriate approach to protecting systems with tightly integrated OSs is the key to maintaining a secure and safe network environment.
The rationale for a tightly integrated operating system is sound - reduced development costs and effort, a reduction in portability issues, and fewer components to break. The flip side is unprecedented exposure to vulnerabilities. In the past, when a single system component had a vulnerability the impact was isolated to that single component. However, due to the dependencies introduced by extensive integration, that one component may now impact multiple applications. It is this chain of dependencies that presents enormous risk.
A Practical Approach to Isolating the ExposuresA number of approaches exist for isolating - or at least reducing - your exposure in cases such as these. For the purposes of this article, the assumption is that it is impossible to catch every security flaw during development and that organizations will need to take measures to protect themselves until patches or upgrades are available that solve the security flaw.
The simplest approach to dealing with exploits aimed at integrated OSs is to turn off any services not required or restrict access to those services via network firewalls or network intrusion prevention systems (IPSs). Turning off a service entirely is rarely a practical option for Web servers or file servers. In the specific case of a Web server, doing so would certainly solve the problem, but then you wouldn't have a Web server!
A layered approach consisting of the following primary components is the most practical solution:
- Education of your network and system administrators
- A baseline of the current state of your network
- Proper configuration of the host operating system, including current patches and service packs
- Proper configuration of the network service being hosted
- A generic network firewall to allow only specific traffic in and out
- An IPS to cover the bases left open by the network firewall
- An on-board firewall for each device (IPtables in Linux, TCP Filters in Windows)
- In the case of a Linux system, a chrooted environment for each available network service, and optionally physical separation from the internal network
Knowledge is power! Knowing your current exposures and configuration issues should be on your short list, regardless of how far into this process you may go. Rectifying the issues found should be the immediate next step - directly followed by another baseline to once again ascertain any new issues. Automated vulnerability management tools can help make this process straightforward and manageable.
Current shipping distributions of Linux as well as current shipping versions of Windows still contain many services that are not useful or appropriate for a device that will host publicly accessible network services. You should identify and disable these services before the device is ever connected to any network. Linux is able to fully function with far fewer resources than Windows, and you should take advantage of this. If the first step (i.e., a well-educated staff) was successful, your administrators will be able to identify which services to safely disable.
The network service itself, for example a Web server, should also be properly configured. No prepackaged examples or documents should be present anywhere within the document root, nor should any of this data be accessible by anyone over the network. For example, many exploits exist that rely upon these stock examples being installed in a default installation of the Microsoft IIS Web server.
Every network that is to be interconnected with any other network should have a firewall at the gateway. The firewall should be configured to only allow specific traffic both into and out of the network. Nearly every firewall controls inbound traffic, but few are configured to also control outbound traffic. For example, should an internal system ever be infected with a worm (as has happened both with Linux and Windows), the outbound controls will hopefully limit the impact and propagation of the worm.
An intrusion prevention system (IPS) is a great tool to fill in the cracks that a firewall leaves open. As most firewalls do not normally perform any type of content inspection (or very limited if they do), the allowed traffic is by no means assured to be free of malicious content or exploits. This is where an IPS really shines - the ability to inspect all traffic for attacks. Most IPS products also allow the traffic to be blocked, hence the prevention in intrusion prevention system. The value of an IPS is often discounted or misunderstood, yet for those in the know, an IPS represents a 24/7 partner that never stops preventing the malicious traffic from entering your network.
An on-board firewall is a critical component that will shield your organization from the inevitable configuration error. By restricting which types of network traffic may be passed into and out of each endpoint, you greatly reduce your exposure. Windows and Linux have this capability. Most Linux distributions use this out of the box; however, Windows must be configured after the fact to leverage this capability, although Service Pack 2 for Windows XP will change that.
Chrooted environments are an extremely effective means to isolate processes on a Linux system. Linux has native support for chrooted environments and most distributions ship with tools out of the box that will allow you to do this for nearly any network service (or any process for that matter!). Unfortunately, Windows has no good way to implement a chrooted environment. A somewhat feasible option for Windows includes running VMware, but the resources required are often too much, making this impractical. The primary benefit of a chrooted environment is the logical separation: if a process or application is exploited, the damage is limited to the chrooted environment, significantly reducing the impact to the rest of the system. How-to's exist for popular Linux network services and a quick search on Google will find those.
ConclusionThe rate of exploit attempts and network worms is rising and will continue to rise. The attack vectors are continually increasing in their sophistication, and attacks are becoming much more difficult to prevent or even contain. Both Linux and Windows can be made insecure in a network environment - and both can also be made secure enough to be safe. Regardless of your chosen platform, the most important tool available to you is an effective combination of your staff, proper procedures, and technology.
SYS-CON Events announced today that Micron Technology, Inc., a global leader in advanced semiconductor systems, will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Micron’s broad portfolio of high-performance memory technologies – including DRAM, NAND and NOR Flash – is the basis for solid state drives, modules, multichip packages and other system solutions. Backed by more than 35 years of technology leadership, Micron's memory solutions enable the world's most innovative computing, consumer,...
Aug. 31, 2015 11:15 AM EDT Reads: 227
As more intelligent IoT applications shift into gear, they’re merging into the ever-increasing traffic flow of the Internet. It won’t be long before we experience bottlenecks, as IoT traffic peaks during rush hours. Organizations that are unprepared will find themselves by the side of the road unable to cross back into the fast lane. As billions of new devices begin to communicate and exchange data – will your infrastructure be scalable enough to handle this new interconnected world?
Aug. 31, 2015 11:00 AM EDT Reads: 162
Through WebRTC, audio and video communications are being embedded more easily than ever into applications, helping carriers, enterprises and independent software vendors deliver greater functionality to their end users. With today’s business world increasingly focused on outcomes, users’ growing calls for ease of use, and businesses craving smarter, tighter integration, what’s the next step in delivering a richer, more immersive experience? That richer, more fully integrated experience comes about through a Communications Platform as a Service which allows for messaging, screen sharing, video...
Aug. 31, 2015 10:30 AM EDT Reads: 634
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advanced analytics, and DevOps to advance innovation and increase agility. Specializing in designing, imple...
Aug. 31, 2015 10:15 AM EDT Reads: 297
Contrary to mainstream media attention, the multiple possibilities of how consumer IoT will transform our everyday lives aren’t the only angle of this headline-gaining trend. There’s a huge opportunity for “industrial IoT” and “Smart Cities” to impact the world in the same capacity – especially during critical situations. For example, a community water dam that needs to release water can leverage embedded critical communications logic to alert the appropriate individuals, on the right device, as soon as they are needed to take action.
Aug. 31, 2015 09:40 AM EDT
In his session at @ThingsExpo, Lee Williams, a producer of the first smartphones and tablets, will talk about how he is now applying his experience in mobile technology to the design and development of the next generation of Environmental and Sustainability Services at ETwater. He will explain how M2M controllers work through wirelessly connected remote controls; and specifically delve into a retrofit option that reverse-engineers control codes of existing conventional controller systems so they don't have to be replaced and are instantly converted to become smart, connected devices.
Aug. 31, 2015 09:30 AM EDT Reads: 125
SYS-CON Events announced today that IceWarp will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. IceWarp, the leader of cloud and on-premise messaging, delivers secured email, chat, documents, conferencing and collaboration to today's mobile workforce, all in one unified interface
Aug. 31, 2015 04:00 AM EDT Reads: 409
WebRTC has had a real tough three or four years, and so have those working with it. Only a few short years ago, the development world were excited about WebRTC and proclaiming how awesome it was. You might have played with the technology a couple of years ago, only to find the extra infrastructure requirements were painful to implement and poorly documented. This probably left a bitter taste in your mouth, especially when things went wrong.
Aug. 31, 2015 02:00 AM EDT Reads: 453
Too often with compelling new technologies market participants become overly enamored with that attractiveness of the technology and neglect underlying business drivers. This tendency, what some call the “newest shiny object syndrome,” is understandable given that virtually all of us are heavily engaged in technology. But it is also mistaken. Without concrete business cases driving its deployment, IoT, like many other technologies before it, will fade into obscurity.
Aug. 30, 2015 10:00 PM EDT Reads: 351
While many app developers are comfortable building apps for the smartphone, there is a whole new world out there. In his session at @ThingsExpo, Narayan Sainaney, Co-founder and CTO of Mojio, will discuss how the business case for connected car apps is growing and, with open platform companies having already done the heavy lifting, there really is no barrier to entry.
Aug. 30, 2015 05:00 PM EDT Reads: 139
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
Aug. 30, 2015 10:30 AM EDT Reads: 881
Consumer IoT applications provide data about the user that just doesn’t exist in traditional PC or mobile web applications. This rich data, or “context,” enables the highly personalized consumer experiences that characterize many consumer IoT apps. This same data is also providing brands with unprecedented insight into how their connected products are being used, while, at the same time, powering highly targeted engagement and marketing opportunities. In his session at @ThingsExpo, Nathan Treloar, President and COO of Bebaio, will explore examples of brands transforming their businesses by t...
Aug. 30, 2015 10:15 AM EDT Reads: 233
With the proliferation of connected devices underpinning new Internet of Things systems, Brandon Schulz, Director of Luxoft IoT – Retail, will be looking at the transformation of the retail customer experience in brick and mortar stores in his session at @ThingsExpo. Questions he will address include: Will beacons drop to the wayside like QR codes, or be a proximity-based profit driver? How will the customer experience change in stores of all types when everything can be instrumented and analyzed? As an area of investment, how might a retail company move towards an innovation methodolo...
Aug. 30, 2015 09:15 AM EDT Reads: 449
The Internet of Things (IoT) is about the digitization of physical assets including sensors, devices, machines, gateways, and the network. It creates possibilities for significant value creation and new revenue generating business models via data democratization and ubiquitous analytics across IoT networks. The explosion of data in all forms in IoT requires a more robust and broader lens in order to enable smarter timely actions and better outcomes. Business operations become the key driver of IoT applications and projects. Business operations, IT, and data scientists need advanced analytics t...
Aug. 30, 2015 08:30 AM EDT Reads: 402
As more and more data is generated from a variety of connected devices, the need to get insights from this data and predict future behavior and trends is increasingly essential for businesses. Real-time stream processing is needed in a variety of different industries such as Manufacturing, Oil and Gas, Automobile, Finance, Online Retail, Smart Grids, and Healthcare. Azure Stream Analytics is a fully managed distributed stream computation service that provides low latency, scalable processing of streaming data in the cloud with an enterprise grade SLA. It features built-in integration with Azur...
Aug. 28, 2015 07:45 PM EDT Reads: 217
Akana has announced the availability of the new Akana Healthcare Solution. The API-driven solution helps healthcare organizations accelerate their transition to being secure, digitally interoperable businesses. It leverages the Health Level Seven International Fast Healthcare Interoperability Resources (HL7 FHIR) standard to enable broader business use of medical data. Akana developed the Healthcare Solution in response to healthcare businesses that want to increase electronic, multi-device access to health records while reducing operating costs and complying with government regulations.
Aug. 26, 2015 07:00 AM EDT Reads: 136
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner, Product Manager of the Omega DevCloud with KORE Telematics Inc., discussed the evolving requirements for developers as IoT matures and conducted a live demonstration of how quickly application development can happen when the need to comply wit...
Aug. 2, 2015 11:15 AM EDT Reads: 556
The Internet of Everything (IoE) brings together people, process, data and things to make networked connections more relevant and valuable than ever before – transforming information into knowledge and knowledge into wisdom. IoE creates new capabilities, richer experiences, and unprecedented opportunities to improve business and government operations, decision making and mission support capabilities.
Aug. 1, 2015 10:00 AM EDT Reads: 482
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Architect for the Internet of Things and Intelligent Systems, described how to revolutionize your archit...
Jul. 30, 2015 07:30 PM EDT Reads: 1,565
MuleSoft has announced the findings of its 2015 Connectivity Benchmark Report on the adoption and business impact of APIs. The findings suggest traditional businesses are quickly evolving into "composable enterprises" built out of hundreds of connected software services, applications and devices. Most are embracing the Internet of Things (IoT) and microservices technologies like Docker. A majority are integrating wearables, like smart watches, and more than half plan to generate revenue with APIs within the next year.
Jul. 30, 2015 02:30 PM EDT Reads: 282