Chapter 18

Plugging Security Holes

In This Chapter

  • Determining which vulnerabilities to address first
  • Patching your systems
  • Looking at security in a new light

After you complete your tests, you want to head down the road to greater security. However, you found some security vulnerabilities — things that need to be addressed. (I hope not too many serious ones, though!) Plugging these security holes before someone exploits them is going to require a little elbow grease. You need to come up with your game plan and decide which security vulnerabilities to address first. A few patches might be in order and possibly even some system hardening. You may need to purchase some new security technologies and might want to reevaluate your network design and security infrastructure as well. I touch on some of the critical areas in this chapter.

Turning Your Reports into Action

It might seem that the security vulnerability to address first would be obvious, but it’s often not very clear. When reviewing the vulnerabilities that you find, consider the following variables:

  • How critical the vulnerable system is
  • What sensitive information or business processes are at stake
  • Whether the vulnerability can be fixed
  • How easy the vulnerability is to fix
  • Whether you can take the system offline to fix the problem
  • What time, money, and effort is involved in purchasing new hardware or software or retooling business processes to plug the holes

In Chapter 17, I cover the basic issues of determining how important and how urgent the security problem is. In fact, I provide real-world examples in Table 17-1. You should also look at security from a time management perspective and address the issues that are both important (high impact) and urgent (high likelihood). You probably don’t want to try to fix the vulnerabilities that are just high impact or just high likelihood. You might have some high impact vulnerabilities that, likely, will never be exploited. Likewise, you probably have some vulnerabilities with a high likelihood of being exploited that, if they are exploited, won’t really make a big difference in your business or your job. This type of human analysis and perspective will help you stand out from the scan-and-run type assessments that many people perform (often in the name of some compliance regulation) and keep you employed for some time to come!

Focus on tasks with the highest payoff first — those that are both high impact and high likelihood. This will likely be the minority of your vulnerabilities. After you plug the most critical security holes, you can go after the less important and less urgent tasks when time and money permit. For example, after you plug such critical holes as SQL injection in web applications and missing patches on important servers, you might want to reconfigure your backups with passwords, if not strong encryption, to keep prying eyes away in case your backups fall into the wrong hands.
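The important-versus-urgent triage described above, written out as a small Python script. This is an added example, not code from the book: the findings, the 1-to-5 scales, the "high" threshold of 4, and the effort weighting are all constructed assumptions chosen to show how the variables listed earlier (system criticality, data at stake, fixability, fix effort) combine into a ranked work plan.

```python
from dataclasses import dataclass

# Constructed sample data (assumption, not from the book). Impact folds together how
# critical the system is and what information or business process is at stake;
# likelihood reflects how reachable and how commonly exploited the weakness is.
@dataclass
class Finding:
    system: str
    title: str
    impact: int            # 1 (cosmetic) .. 5 (business-stopping)
    likelihood: int        # 1 (theoretical) .. 5 (trivially reachable, widely exploited)
    fixable: bool = True   # some holes simply have no fix available
    fix_effort: int = 3    # 1 (quick config change) .. 5 (new hardware / retooled process)
    needs_downtime: bool = False

HIGH = 4  # assumption: a score of 4 or 5 counts as "high" on either axis


def quadrant(f: Finding) -> str:
    """Classify a finding the way the chapter does: important, urgent, both, or neither."""
    hi_impact = f.impact >= HIGH
    hi_likelihood = f.likelihood >= HIGH
    if hi_impact and hi_likelihood:
        return "important-and-urgent"
    if hi_impact:
        return "important-only"
    if hi_likelihood:
        return "urgent-only"
    return "low"


def risk_score(f: Finding) -> float:
    """Impact x likelihood, discounted when the hole cannot be fixed or is expensive to fix."""
    base = f.impact * f.likelihood
    if not f.fixable:
        return base * 0.25          # keep tracking it, but it cannot top the action list
    # cheap fixes float up: effort 1 -> x1.0, effort 5 -> x0.6
    return base * (1.1 - 0.1 * f.fix_effort)


def work_plan(findings):
    """Full list, highest payoff first: (quadrant, system, title, score)."""
    ordered = sorted(findings, key=risk_score, reverse=True)
    return [(quadrant(f), f.system, f.title, round(risk_score(f), 1)) for f in ordered]


def first_wave(findings):
    """Only the minority that is both high impact and high likelihood: plug these first."""
    return [f for f in sorted(findings, key=risk_score, reverse=True)
            if quadrant(f) == "important-and-urgent"]


# Constructed findings modelled on the chapter's own examples.
SAMPLE = [
    Finding("crm-web", "SQL injection in login form", impact=5, likelihood=5, fix_effort=2),
    Finding("file-srv", "Missing OS patches (remote code execution)", impact=5, likelihood=4,
            fix_effort=2, needs_downtime=True),
    Finding("backup-srv", "Backups stored without passwords or encryption", impact=4, likelihood=2),
    Finding("lobby-kiosk", "Directory listing enabled on kiosk web page", impact=2, likelihood=5,
            fix_effort=1),
    Finding("mainframe", "Legacy protocol with no vendor fix available", impact=5, likelihood=2,
            fixable=False),
]

if __name__ == "__main__":
    for row in work_plan(SAMPLE):
        print(row)
```

The score is deliberately simple; what matters is that the ranking is driven by the two axes the chapter names, with fixability and effort only nudging the order. Swap in your own scales once you have a few real assessments to calibrate against.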

Patching for Perfection

Do you ever feel like all you do is patch your systems to fix security vulnerabilities? If your answer is yes to this question, good for you — at least you’re doing it! If you constantly feel pressure to patch your systems the right way but can’t seem to find time — at least it’s on your radar. Many IT professionals and their managers don’t even think about proactively patching their systems until after a breach occurs. Just look at the research in the Verizon Data Breach Investigations Report (among others). Patch management is a huge security failure across organizations in all industries. If you’re reading this book, you’re obviously concerned about security and are hopefully way past that.

Remember: Whatever you do, whatever tool you choose, and whatever procedures work best in your environment, keep your systems patched! This goes for operating systems, web servers, databases, mobile apps, and even firmware on your network firewalls, routers, and switches.

Patching is avoidable but inevitable. The only real solution to eliminating the need for patches is developing secure software in the first place, but that’s not going to happen any time soon, if ever. Software is just too complex for it to be perfect. A large portion of security incidents can be prevented with some good patching practices, so there’s simply no reason not to have a solid patch management process in place.

Patch management

If you can’t keep up with the deluge of security patches for all your systems, don’t despair; you can still get a handle on the problem. Here are my basic tenets for applying patches to keep your systems secure:

  • Make sure all the people and departments that are involved in applying patches on your organization’s systems are on the same page and follow the same procedures.
  • Have formal and documented procedures in place for these critical processes:
    • Obtaining patch alerts from your vendors, including third-party patches for Adobe, Java, and so on, which are often overlooked (and often the most critical)
    • Assessing which patches affect your systems
    • Determining when to apply patches
  • Make it policy and have procedures in place for testing patches before you apply them to your production servers. Testing patches after you apply them isn’t as big a deal on workstations, but servers are a different story. Many patches have “undocumented features” and subsequent unintended side effects — believe me, I’ve experienced this before. An untested patch is an invitation for system termination!
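The three documented procedures above (obtaining alerts, assessing which patches affect your systems, deciding when to apply them) as one Python script. This is an added example, not the book's code or any vendor's tool: the advisory feed, the inventory, the version strings, the deadline-by-severity policy and the test-before-production rule are all constructed assumptions. Real advisories would come from your vendors' notification channels and real inventory from your asset management system.

```python
import re

# Constructed advisory feed (assumption): what a vendor alert boils down to once
# triaged -- which product, which version closes the hole, how bad it is.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "acrobat-reader", "fixed_in": "23.6.20320", "severity": "critical"},
    {"id": "ADV-EXAMPLE-002", "product": "java-runtime",   "fixed_in": "8.0.381",    "severity": "high"},
    {"id": "ADV-EXAMPLE-003", "product": "openssh",        "fixed_in": "9.3",        "severity": "high"},
    {"id": "ADV-EXAMPLE-004", "product": "web-server",     "fixed_in": "2.4.58",     "severity": "medium"},
]

# Constructed inventory (assumption): host -> installed product versions.
INVENTORY = {
    "hr-ws-01":   {"acrobat-reader": "23.3.20201", "java-runtime": "8.0.381"},
    "app-srv-02": {"openssh": "9.1", "web-server": "2.4.58", "java-runtime": "8.0.372"},
    "db-srv-01":  {"openssh": "9.4"},
}

SERVERS = {"app-srv-02", "db-srv-01"}   # assumption: these get the test-first rule

# Assumed policy: days allowed between advisory and production deployment.
DEADLINE_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def parse_version(v: str):
    """Turn '23.6.20320', '2.4.58-1' or '9.3p1' into a tuple of ints for safe comparison.
    Plain string comparison gets '1.10' < '1.9' wrong; tuples of ints do not."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def missing_patches(inventory, advisories):
    """Step 2 of the process: which advisories actually apply to which hosts."""
    result = {}
    for host, installed in inventory.items():
        for adv in advisories:
            ver = installed.get(adv["product"])
            if ver is None:
                continue                      # product not installed: advisory does not apply
            if is_vulnerable(ver, adv["fixed_in"]):
                result.setdefault(host, []).append(adv["id"])
    return result


def rollout_plan(inventory, advisories):
    """Step 3: when and how to apply. Servers go through a test system first;
    the deadline is set by the worst severity outstanding on that host."""
    plan = {}
    by_id = {a["id"]: a for a in advisories}
    for host, adv_ids in missing_patches(inventory, advisories).items():
        worst = min(DEADLINE_DAYS[by_id[i]["severity"]] for i in adv_ids)
        plan[host] = {
            "patches": adv_ids,
            "deadline_days": worst,
            "route": "test-then-production" if host in SERVERS else "direct",
        }
    return plan


if __name__ == "__main__":
    for host, entry in rollout_plan(INVENTORY, ADVISORIES).items():
        print(host, entry)
```

Note that `db-srv-01` drops out of the plan entirely: its OpenSSH is newer than the fixed version, which is exactly the "assess which patches affect your systems" step saving you a pointless server reboot.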

Patch automation

The following sections describe the various patch deployment tools you can use to lower the burden of constantly having to keep up with patches.

Commercial tools

I recommend a robust patch-automation application, especially if these factors are involved:

  • A large network
  • A network with a multitude of operating systems (Windows, Linux, Mac OS X, and so on)
  • A lot of third-party software applications, such as Adobe and Java
  • More than a few dozen computers

Be sure to check out these patch-automation solutions:

Free tools

Use one of these free tools to help with automated patching:

Hardening Your Systems

In addition to patching your systems, you have to make sure your systems are hardened (locked down) from the security vulnerabilities that patches can’t fix. I’ve found that many people stop with patching, thinking their systems are secure, but that’s just not the case. Throughout the years, I’ve seen network administrators ignore recommended hardening practices from such organizations as the National Institute of Standards and Technology (NIST) (http://csrc.nist.gov/publications/PubsSPs.html) and the Center for Internet Security (www.cisecurity.org), leaving many security holes wide open. However, I’m a true believer that hardening systems from malicious attack is not foolproof, either. Because every system and every organization’s needs are different, there is no one-size-fits-all solution, so you have to strike a balance and not rely on any single option too much.

Remember: It’s a good idea to rescan your systems for vulnerabilities once your patches are applied.
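A rescan is only useful if you actually compare it against the previous run, so here is a small Python script that does that comparison. This is an added example, not from the book or any scanner vendor: the two scan result lists are constructed, keyed on (host, check name) as most scanners' exports can be, and the script reports what was fixed, what is still open after the patch window, and what is new since the last scan.

```python
# Constructed scan exports (assumption): (host, check identifier, severity).
SCAN_BEFORE = [
    ("file-srv",   "missing-os-patch-example", "high"),
    ("crm-web",    "sql-injection-login",      "critical"),
    ("backup-srv", "unencrypted-backup-share", "medium"),
    ("hr-ws-01",   "outdated-pdf-reader",      "critical"),
]
SCAN_AFTER = [
    ("backup-srv", "unencrypted-backup-share", "medium"),
    ("crm-web",    "sql-injection-login",      "critical"),
    ("file-srv",   "smb-signing-disabled",     "medium"),   # new: exposed by the rescan
]


def _index(results):
    """Map (host, check) -> severity so set arithmetic works on the keys."""
    return {(host, check): sev for host, check, sev in results}


def compare_scans(before, after):
    """Three lists a practitioner wants after a patch cycle: closed, still open, newly seen."""
    b, a = _index(before), _index(after)
    return {
        "fixed":      sorted(set(b) - set(a)),
        "still_open": sorted(set(b) & set(a)),
        "new":        sorted(set(a) - set(b)),
    }


def still_open_by_severity(before, after):
    """Unfixed findings grouped by severity, so the critical ones are obvious."""
    b = _index(before)
    grouped = {}
    for key in compare_scans(before, after)["still_open"]:
        grouped.setdefault(b[key], []).append(key)
    return grouped


def remediation_rate(before, after) -> float:
    """Share of last cycle's findings that the rescan confirms as gone."""
    if not before:
        return 1.0
    return len(compare_scans(before, after)["fixed"]) / len(_index(before))


if __name__ == "__main__":
    diff = compare_scans(SCAN_BEFORE, SCAN_AFTER)
    for bucket, items in diff.items():
        print(bucket, items)
    print("remediation rate:", remediation_rate(SCAN_BEFORE, SCAN_AFTER))
    print("still open:", still_open_by_severity(SCAN_BEFORE, SCAN_AFTER))
```

In the constructed data the SQL injection survives the patch cycle, which is the point of rescanning: a patch run fixes what patches can fix, and the rescan tells you what still needs hardening or a code change.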

This book presents hardening countermeasures that you can implement for your network, computers, and even physical systems and people. I find these countermeasures work the best for the respective systems.

Implementing at least the basic security practices is critical. Whether installing a firewall on the network or requiring users to have strong passwords via a Windows domain GPO — you must address the basics if you want any modicum of security. Beyond patching, if you follow the countermeasures I document, add the other well-known security practices for network systems (routers, servers, workstations, and so on) that are freely available on the Internet, and perform ongoing security tests, you can rest assured that you’re doing your best to keep your organization’s information secure.

Assessing Your Security Infrastructure

A review of your overall security infrastructure can add oomph to your systems:

  • Look at how your overall network is designed. Consider organizational issues, such as whether policies are in place, maintained, or even taken seriously. Physical issues count as well. Do members of management have buy-in on information security and compliance, or do they simply shrug the measure off as an unnecessary expense or barrier to conducting business?
  • Map your network by using the information you gather from the security tests in this book. Updating existing documentation is a major necessity. Outline IP addresses, running services, and whatever else you discover. Draw your network diagram — network design and overall security issues are a whole lot easier to assess when you can work with them visually. Although I prefer to use a technical drawing program, such as Visio or Cheops-ng (http://cheops-ng.sourceforge.net), to create network diagrams, such a tool isn’t necessary. You can draw out your map on a whiteboard like many people do and that’s just fine.

    Remember: Be sure to update your diagrams when your network changes or at least once every year or so.

  • Think about your approach to correcting vulnerabilities and increasing your organization’s overall security. Are you focusing all your efforts on the perimeter and not on a layered security approach? Think about how most convenience stores and banks are protected. Security cameras focus on the cash registers, teller computers, and surrounding areas — not just on the parking lot or entrances. Look at security from a defense in-depth perspective. Make sure that several layers of security are in place in case one measure fails, so the attacker must go through other barriers to carry out a successful attack.
  • Think about security policies and procedures at an organizational level. Document what security policies and procedures are in place and whether they’re effective. No organization is immune to gaps in this area. Look at the overall security culture within your organization and see what it looks like from an outsider’s perspective. What would customers or business partners think about how your organization treats their sensitive information?

Looking at your security from a high-level and nontechnical perspective gives you a new outlook on security holes. It takes some time and effort at first, but after you establish a baseline of security, it’s much easier to manage new threats and vulnerabilities.
