The Five Fundamentals of Security

Computer security is a complex and ever-changing process. To minimize security risks, companies should pay heed to the "Five Fundamentals of Security":

1. 100% security does not exist

It is impossible to guarantee that all the software running on all of your systems is free from any kind of bug that could be leveraged to break in. There are simply too many people writing too many lines of code with too little verification of their work. This is not solely the fault of software developers. Software development is an extremely complex process, and one incorrect character in a program with millions of lines of code can create a security hole. Also, you cannot accurately predict the interactions of thousands of different programs that might end up on a single network together. It is impossible to cause perfect code to be written, so you must make architectural decisions with this fact in mind.

Security is a trade-off. Business needs must be balanced against security concerns in much the same manner as physical security controls. Security policies must always involve risk assessment and cost/benefit analysis. In the end, the degree of security is always a business decision.

2. Security risks are directly proportional to software complexity

There are two issues here: the complexity of each software program, and the total number of software programs that comprise your web solution. The more code you have, the more bugs you are likely to have. Since all software must be presumed to have bugs, which may be exploited as security holes, companies should only run the software they need to be operational. Companies should eliminate the sample programs, scripts and documentation that are unnecessary for operating a production system, because there is no reason to incur the risk when these programs deliver no operational value. Plus, more software means more security updates.

Don't simply install the default configuration. Most software comes in an insecure configuration, to make it as easy as possible to get it working. To remove unnecessary security risks, you must "lock down" the software or operating system installation. In particular, default and support passwords must be changed, since they are readily available to crackers.

Finally, simpler programs are less likely to have security holes, so use them! This is why proxies are a good way to secure the network border from outside attack. Proxies are simple programs -- they understand the application protocol, but they do not implement the functionality. Therefore, they are more secure than the servers they protect.

3. Implement security in layers

Since all code has bugs, you never want to trust any single piece of code as your only line of defense. If you implement multiple layers of security, the cracker cannot get in as easily, because a weakness in one layer may not represent a total breach of the system. For example, if your web server is running as a privileged user, such as "root" or "LocalSystem", and there is a bug anywhere within that large, complex piece of code, a cracker may well gain total administrative access to your machine. If the web server runs as a non-privileged user, then even if a bug is encountered, the exposure can be controlled.

4. Don't allow a breach to be leveraged elsewhere

Separation of function is critical to security. You need to have separate machines for separate functions, and different networks for machines with different levels of security. For example, a web server communicates with the outside world, whereas a database server should only communicate with the web server. Each machine should be on a separate network. Thus, if you have a break-in, the cracker might have access to your mail server, but not to your database server, which is physically isolated and protected by firewalls, etc.

Keep in mind, security is never about any one thing. Also, security is only as good as the weakest link, something many companies seem to forget. Firewalls are only a piece of the puzzle, and you may well need more than one firewall. For example, many companies use Virtual Private Networks (VPNs) to allow two offices to talk over the Internet "securely". VPNs have one fundamental Achilles heel that could make them undesirable: if you have a home user connected to a corporate network via a VPN, then the entire corporate network is only as secure as the home PC's security. How secure is YOUR home office?

5. You're never done

A big mistake that many companies make is that they set up a firewall, or some other protection, and then they forget about it. Security is an ongoing process. You must continually monitor log files and keep abreast of new security threats. In addition, you must stay current with software patches that fix the latest security holes. Over 90% of all security incidents could be avoided if the system administrator kept up-to-date on software patches.

To stay current, leverage other people's experience. Use resources such as the System Administration, Networking and Security Institute (www.sans.org). Use security experts. Even when I was on the customer side of the business, I outsourced Internet security, because the experts had the resources and the focus to keep up-to-date. This doesn't mean you can't do it in-house, but you'll have to devote significant resources to it if you want to do a reasonable job.

Good security can definitely be achieved, but it takes a dedicated effort. Recognizing that security is a means to an end, and not an end unto itself, will provide the single largest improvement in the overall security of your site.

Printed in New Jersey TechNews, August 2001
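The "Implement security in layers" principle above uses a web server running as a non-privileged user as its example. The following code is an added illustration of that pattern and is not from the original article: a service binds its listening socket while it still has root, then permanently gives root up, so that any bug in the request-handling code runs with the exposure of an ordinary account. The account name "nobody" and the loopback port are assumptions; a production system would use a dedicated service account.

```python
"""Run a network service as a non-privileged user (added example).

The process binds its socket first (ports below 1024 need root), then
drops to an unprivileged account before it handles a single request.
'nobody' is an assumed account name.
"""
import os
import pwd
import socket


def current_ids():
    """The (uid, gid) this process is currently running as."""
    return (os.getuid(), os.getgid())


def is_privileged():
    return os.geteuid() == 0


def drop_privileges(username):
    """Permanently switch from root to `username`; a no-op if not root.

    Returns the (uid, gid) the process runs as afterwards.
    """
    if not is_privileged():
        # Already unprivileged: nothing to drop.
        return current_ids()
    pw = pwd.getpwnam(username)
    # Order matters: supplementary groups and the primary group must be
    # changed before the uid, because only root may change them.
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # Confirm the drop is irreversible: with real, effective and saved
    # uids all changed, regaining root must now fail.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop was not permanent")
    return (pw.pw_uid, pw.pw_gid)


def start_service(port, username="nobody"):
    """Bind while privileged, then drop; returns (socket, uid, gid)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))
    sock.listen(5)
    uid, gid = drop_privileges(username)
    # From here on, every line of request-handling code runs without root;
    # a bug in it cannot hand out administrative access to the machine.
    return sock, uid, gid


if __name__ == "__main__":
    sock, uid, gid = start_service(8080)
    print("listening on", sock.getsockname(), "as uid", uid, "gid", gid)
    sock.close()
```

The verification step after the drop is the part most often omitted: a service that changes only its effective uid can switch back, which defeats the layer. The same ordering rule (groups, then gid, then uid) applies whatever language the server is written in.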
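The "You're never done" principle above says you must continually monitor log files. As an added example, not part of the original article, the following code reads web server log lines in the common (NCSA) log format and flags any host that produces a burst of client errors inside a short window, which is what probing for sample scripts and admin pages typically looks like in a log. The log lines are constructed for the example, and the threshold and window are assumed values to be tuned per site.

```python
"""Flag hosts that generate bursts of 4xx errors in a web log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in common log format: one host probing for sample
# scripts and admin pages, with an ordinary visitor in between.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Aug/2001:10:15:01 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210
10.0.0.7 - - [12/Aug/2001:10:15:02 -0400] "GET /cgi-bin/phf HTTP/1.0" 404 207
192.168.5.20 - - [12/Aug/2001:10:15:02 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [12/Aug/2001:10:15:03 -0400] "GET /samples/ HTTP/1.0" 404 204
10.0.0.7 - - [12/Aug/2001:10:15:04 -0400] "GET /admin/ HTTP/1.0" 403 198
10.0.0.7 - - [12/Aug/2001:10:15:05 -0400] "GET /manual/ HTTP/1.0" 404 205
192.168.5.20 - - [12/Aug/2001:10:15:09 -0400] "GET /about.html HTTP/1.0" 200 877
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one common-log-format line; returns None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None  # a line that does not parse is skipped, never trusted
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "host": m.group("host"),
        "ts": ts,
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def find_error_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: count} for hosts with >= threshold 4xx responses
    within any `window`-long span (sliding window over sorted timestamps)."""
    per_host = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and 400 <= rec["status"] < 500:
            per_host[rec["host"]].append(rec["ts"])
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


if __name__ == "__main__":
    for host, count in find_error_bursts(SAMPLE_LOG).items():
        print(f"{host}: {count} client errors within the window")
```

Run against the sample, the probing host is reported and the ordinary visitor is not. On a real system the same function would be fed the tail of the live log on a schedule, and its output would go to whoever is on duty; the point of the principle is that someone reads it.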