During my recent conversations with industry analysts about evolving security threats, the issue of security settings has become a main topic of discussion. Initially, anti-virus was adequate enough to protect systems from outside threats, but it soon became a service with a continual addition of virus signatures.
Anti-virus software has started to fall short of security expectations, and it is increasingly obvious that an additional layer of protection is needed to prevent vulnerabilities. As a result, numerous security patches and anti-spyware solutions have been released to complement existing anti-virus software and further secure systems from external threats. Yet all of these methods combined have proven deficient in providing complete system security, as none of them addressed the often-overlooked and critical area of security settings.
"Attacks against vulnerabilities that can be repaired by patching represent less than a third of hacking attacks. When the U.S. Department of Defense did studies on the matter, it found that these attacks accounted for only 30 percent of hacking. In contrast, attacks against configurations, essentially poor system hardening, accounted for 70 percent of successful attacks…"
–Ira Winkler, author of "Spies Among Us" and global security strategist with CSC Consultin.
Large organizations have been the first to adapt to this new era of creating, implementing and maintaining security settings policies. Small to medium-sized enterprises (SMEs) are slowly recognizing the importance of these policies on their own, or are being encouraged by large business partners to do so. Depending on the size of your organization, you may already be struggling with this or will soon be tasked with it.
Common security settings can include making changes to systems to restrict or control remote access of a desktop, changing permissions on directories to enable or disable access, or enabling or disabling services such as FTP and remote login. Luckily, there are many guides available from security experts, like NSA, NIST, CIS, CSE and Microsoft, on how to configure and maintain security settings policies. Unfortunately, these recommendations can be extremely lengthy and tedious to review. Organizations, especially SMEs, may not have the time or dedicated resources needed to evaluate and thoroughly understand all of the information to create policies appropriate for their environment and different machines. For example, access to servers should be tightly controlled, whereas workstations may have less strict access policies. Similarly, you may want to have different settings for your laptops to encrypt data despite performance overheads.
Although necessary, creating these tighter security policies can sometimes come at a cost. They may break your existing applications or inconvenience users by changing accustomed usage behavior. To avoid these issues, try running reports against a single expert's recommendations and compare them against the current setting on the computers in your organization. Or, begin by creating a policy with a few required settings you understand and enforce them. I like to suggest the following steps:
1. Create a policy with a few settings configured (perhaps a single setting)
2. Assign the policy to a set of computers
3. Deploy the settings
4. Run reports to verify compliance to the designated policy
5. Assess how the new settings are impacting the users and address individual issues
6. Go back and add a few more settings and repeat the process
Of all these tasks, developing a security policy is the hardest part. There are various tools available in the market to assist you with this process that I encourage you to explore and compare. Review the guides, as they may provide you the information in a more organized form to compare the experts' opinions and recommendations. Whatever tools you employ, remember that going beyond patch management is a critical factor in protecting and hardening your systems.
– Vijay Adusumilli is a senior product manager for St. Bernard Software.