|By Brad Doctor||
|April 19, 2004 12:00 AM EDT||
As the state of the art in operating systems (OS) continues to advance, an unnerving trend has emerged: vulnerabilities in tightly integrated operating systems. How do you address this? With an effective combination of educated staff, proper procedures, and technology.
Rather than being a collection of separate utilities and daemons, the modern OS is moving toward a highly integrated system with numerous dependencies. As a result, the core of the OS is more easily exposed to a broader range of vulnerabilities. While Linux still largely a collection of separate components, Microsoft Windows is at the forefront of this design principle and, in fact, is moving to an even more tightly integrated system. The risks can become significant. Whenever a vulnerability is found in one of the core components of a tightly integrated OS, interdependent components are vulnerable as a result. Developing an appropriate approach to protecting systems with tightly integrated OSs is the key to maintaining a secure and safe network environment.
The rationale for a tightly integrated operating system is sound - reduced development costs and effort, a reduction in portability issues, and fewer components to break. The flip side is unprecedented exposure to vulnerabilities. In the past, when a single system component had a vulnerability the impact was isolated to that single component. However, due to the dependencies introduced by extensive integration, that one component may now impact multiple applications. It is this chain of dependencies that presents enormous risk.
A Practical Approach to Isolating the ExposuresA number of approaches exist for isolating - or at least reducing - your exposure in cases such as these. For the purposes of this article, the assumption is that it is impossible to catch every security flaw during development and that organizations will need to take measures to protect themselves until patches or upgrades are available that solve the security flaw.
The simplest approach to dealing with exploits aimed at integrated OSs is to turn off any services not required or restrict access to those services via network firewalls or network intrusion prevention systems (IPSs). Turning off a service entirely is rarely a practical option for Web servers or file servers. In the specific case of a Web server, doing so would certainly solve the problem, but then you wouldn't have a Web server!
A layered approach consisting of the following primary components is the most practical solution:
- Education of your network and system administrators
- A baseline of the current state of your network
- Proper configuration of the host operating system, including current patches and service packs
- Proper configuration of the network service being hosted
- A generic network firewall to allow only specific traffic in and out
- An IPS to cover the bases left open by the network firewall
- An on-board firewall for each device (IPtables in Linux, TCP Filters in Windows)
- In the case of a Linux system, a chrooted environment for each available network service, and optionally physical separation from the internal network
Knowledge is power! Knowing your current exposures and configuration issues should be on your short list, regardless of how far into this process you may go. Rectifying the issues found should be the immediate next step - directly followed by another baseline to once again ascertain any new issues. Automated vulnerability management tools can help make this process straightforward and manageable.
Current shipping distributions of Linux as well as current shipping versions of Windows still contain many services that are not useful or appropriate for a device that will host publicly accessible network services. You should identify and disable these services before the device is ever connected to any network. Linux is able to fully function with far fewer resources than Windows, and you should take advantage of this. If the first step (i.e., a well-educated staff) was successful, your administrators will be able to identify which services to safely disable.
The network service itself, for example a Web server, should also be properly configured. No prepackaged examples or documents should be present anywhere within the document root, nor should any of this data be accessible by anyone over the network. For example, many exploits exist that rely upon these stock examples being installed in a default installation of the Microsoft IIS Web server.
Every network that is to be interconnected with any other network should have a firewall at the gateway. The firewall should be configured to only allow specific traffic both into and out of the network. Nearly every firewall controls inbound traffic, but few are configured to also control outbound traffic. For example, should an internal system ever be infected with a worm (as has happened both with Linux and Windows), the outbound controls will hopefully limit the impact and propagation of the worm.
An intrusion prevention system (IPS) is a great tool to fill in the cracks that a firewall leaves open. As most firewalls do not normally perform any type of content inspection (or very limited if they do), the allowed traffic is by no means assured to be free of malicious content or exploits. This is where an IPS really shines - the ability to inspect all traffic for attacks. Most IPS products also allow the traffic to be blocked, hence the prevention in intrusion prevention system. The value of an IPS is often discounted or misunderstood, yet for those in the know, an IPS represents a 24/7 partner that never stops preventing the malicious traffic from entering your network.
An on-board firewall is a critical component that will shield your organization from the inevitable configuration error. By restricting which types of network traffic may be passed into and out of each endpoint, you greatly reduce your exposure. Windows and Linux have this capability. Most Linux distributions use this out of the box; however, Windows must be configured after the fact to leverage this capability, although Service Pack 2 for Windows XP will change that.
Chrooted environments are an extremely effective means to isolate processes on a Linux system. Linux has native support for chrooted environments and most distributions ship with tools out of the box that will allow you to do this for nearly any network service (or any process for that matter!). Unfortunately, Windows has no good way to implement a chrooted environment. A somewhat feasible option for Windows includes running VMware, but the resources required are often too much, making this impractical. The primary benefit of a chrooted environment is the logical separation: if a process or application is exploited, the damage is limited to the chrooted environment, significantly reducing the impact to the rest of the system. How-to's exist for popular Linux network services and a quick search on Google will find those.
ConclusionThe rate of exploit attempts and network worms is rising and will continue to rise. The attack vectors are continually increasing in their sophistication, and attacks are becoming much more difficult to prevent or even contain. Both Linux and Windows can be made insecure in a network environment - and both can also be made secure enough to be safe. Regardless of your chosen platform, the most important tool available to you is an effective combination of your staff, proper procedures, and technology.
Join IBM November 2 at 19th Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA, and learn how to go beyond multi-speed it to bring agility to traditional enterprise applications. Technology innovation is the driving force behind modern business and enterprises must respond by increasing the speed and efficiency of software delivery. The challenge is that existing enterprise applications are expensive to develop and difficult to modernize. This often results in what Gartner calls...
Oct. 28, 2016 07:00 PM EDT Reads: 384
WebRTC sits at the intersection between VoIP and the Web. As such, it poses some interesting challenges for those developing services on top of it, but also for those who need to test and monitor these services. In his session at WebRTC Summit, Tsahi Levent-Levi, co-founder of testRTC, reviewed the various challenges posed by WebRTC when it comes to testing and monitoring and on ways to overcome them.
Oct. 28, 2016 07:00 PM EDT Reads: 4,243
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
Oct. 28, 2016 07:00 PM EDT Reads: 398
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, will discuss the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They will also review two "free infrastruct...
Oct. 28, 2016 06:30 PM EDT Reads: 374
WebRTC defines no default signaling protocol, causing fragmentation between WebRTC silos. SIP and XMPP provide possibilities, but come with considerable complexity and are not designed for use in a web environment. In his session at @ThingsExpo, Matthew Hodgson, technical co-founder of the Matrix.org, discussed how Matrix is a new non-profit Open Source Project that defines both a new HTTP-based standard for VoIP & IM signaling and provides reference implementations.
Oct. 28, 2016 06:15 PM EDT Reads: 2,938
Smart Cities are here to stay, but for their promise to be delivered, the data they produce must not be put in new siloes. In his session at @ThingsExpo, Mathias Herberts, Co-founder and CTO of Cityzen Data, will deep dive into best practices that will ensure a successful smart city journey.
Oct. 28, 2016 05:30 PM EDT Reads: 3,331
Two weeks ago (November 3-5), I attended the Cloud Expo Silicon Valley as a speaker, where I presented on the security and privacy due diligence requirements for cloud solutions. Cloud security is a topical issue for every CIO, CISO, and technology buyer. Decision-makers are always looking for insights on how to mitigate the security risks of implementing and using cloud solutions. Based on the presentation topics covered at the conference, as well as the general discussions heard between sessi...
Oct. 28, 2016 04:30 PM EDT Reads: 5,256
November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Penta Security is a leading vendor for data security solutions, including its encryption solution, D’Amo. By using FPE technology, D’Amo allows for the implementation of encryption technology to sensitive data fields without modification to schema in the database environment. With businesses having their data become increasingly more complicated in their mission-critical applications (such as ERP, CRM, HRM), continued ...
Oct. 28, 2016 04:30 PM EDT Reads: 1,230
In his general session at 18th Cloud Expo, Lee Atchison, Principal Cloud Architect and Advocate at New Relic, discussed cloud as a ‘better data center’ and how it adds new capacity (faster) and improves application availability (redundancy). The cloud is a ‘Dynamic Tool for Dynamic Apps’ and resource allocation is an integral part of your application architecture, so use only the resources you need and allocate /de-allocate resources on the fly.
Oct. 28, 2016 04:00 PM EDT Reads: 3,878
SYS-CON Events announced today that Cloudbric, a leading website security provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Cloudbric is an elite full service website protection solution specifically designed for IT novices, entrepreneurs, and small and medium businesses. First launched in 2015, Cloudbric is based on the enterprise level Web Application Firewall by Penta Security Sys...
Oct. 28, 2016 03:15 PM EDT Reads: 1,384
Virgil consists of an open-source encryption library, which implements Cryptographic Message Syntax (CMS) and Elliptic Curve Integrated Encryption Scheme (ECIES) (including RSA schema), a Key Management API, and a cloud-based Key Management Service (Virgil Keys). The Virgil Keys Service consists of a public key service and a private key escrow service.
Oct. 28, 2016 02:30 PM EDT Reads: 1,250
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, will discuss the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.
Oct. 28, 2016 02:15 PM EDT Reads: 4,030
SYS-CON Events announced today that MathFreeOn will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. MathFreeOn is Software as a Service (SaaS) used in Engineering and Math education. Write scripts and solve math problems online. MathFreeOn provides online courses for beginners or amateurs who have difficulties in writing scripts. In accordance with various mathematical topics, there are more tha...
Oct. 28, 2016 02:00 PM EDT Reads: 1,227
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and ...
Oct. 28, 2016 01:45 PM EDT Reads: 1,728
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
Oct. 28, 2016 01:30 PM EDT Reads: 5,203
@ThingsExpo has been named the Top 5 Most Influential Internet of Things Brand by Onalytica in the ‘The Internet of Things Landscape 2015: Top 100 Individuals and Brands.' Onalytica analyzed Twitter conversations around the #IoT debate to uncover the most influential brands and individuals driving the conversation. Onalytica captured data from 56,224 users. The PageRank based methodology they use to extract influencers on a particular topic (tweets mentioning #InternetofThings or #IoT in this ...
Oct. 28, 2016 01:15 PM EDT Reads: 8,656
There is growing need for data-driven applications and the need for digital platforms to build these apps. In his session at 19th Cloud Expo, Muddu Sudhakar, VP and GM of Security & IoT at Splunk, will cover different PaaS solutions and Big Data platforms that are available to build applications. In addition, AI and machine learning are creating new requirements that developers need in the building of next-gen apps. The next-generation digital platforms have some of the past platform needs a...
Oct. 28, 2016 01:00 PM EDT Reads: 2,430
"We've discovered that after shows 80% if leads that people get, 80% of the conversations end up on the show floor, meaning people forget about it, people forget who they talk to, people forget that there are actual business opportunities to be had here so we try to help out and keep the conversations going," explained Jeff Mesnik, Founder and President of ContentMX, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Oct. 28, 2016 01:00 PM EDT Reads: 3,730
Intelligent machines are here. Robots, self-driving cars, drones, bots and many IoT devices are becoming smarter with Machine Learning. In her session at @ThingsExpo, Sudha Jamthe, CEO of IoTDisruptions.com, will discuss the next wave of business disruption at the junction of IoT and AI, impacting many industries and set to change our lives, work and world as we know it.
Oct. 28, 2016 12:30 PM EDT Reads: 663
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smar...
Oct. 28, 2016 12:15 PM EDT Reads: 1,313