System Security: A Comprehensive Approach


System Security: A Comprehensive Approach
White Paper
June 8, 2005
2004 Altiris Inc. All rights reserved.

ABOUT ALTIRIS

Altiris, Inc. is a pioneer of IT lifecycle management software that allows IT organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogeneous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, server, and asset management solutions natively integrate via a common Web-based console and repository. For more information, visit www.altiris.com.

NOTICE

The content in this document represents the current view of Altiris as of the date of publication. Because Altiris responds continually to changing market conditions, this document should not be interpreted as a commitment on the part of Altiris. Altiris cannot guarantee the accuracy of any information presented after the date of publication.

Copyright 2005, Altiris, Inc. All rights reserved.
Altiris, Inc.
588 West 400 South
Lindon, UT 84042
Phone: (801) 226-8500
Fax: (801) 226-8506

BootWorks U.S. Patent No. 5,764,593. RapiDeploy U.S. Patent No. 6,144,992.

Altiris, BootWorks, Inventory Solution, PC Transplant, RapiDeploy, and RapidInstall are registered trademarks of Altiris, Inc. in the United States. Carbon Copy is a registered trademark licensed to Altiris, Inc. in the United States and a registered trademark of Altiris, Inc. in other countries. Microsoft, Windows, and the Windows logo are trademarks, or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other brands and names are the property of their respective owners.

Information in this document is subject to change without notice. For the latest documentation, visit www.altiris.com.

CONTENTS

Introduction
Potential Problem of Ineffective Security Management
  Damage to Customer Confidence and Competitive Position
  Regulatory Impact
  Loss of Data
  Fraud
  Cost of Recovery
  Unavailable Systems and Diverted Staff
Comprehensive Security Management
  Managing and Maintaining Antivirus Services
  Patching OSs and Applications
  Scanning for Top Vulnerabilities
  Controlling Network Traffic with Personal Firewalls
  Controlling System Security Configuration Settings
  Detecting Unauthorized and Required Software
  Detecting Unauthorized and Required Hardware
Summary


INTRODUCTION

Managers and administrators responsible for securing data and applications on servers, desktops, and notebooks have two broad strategic goals:

- Preventing unauthorized access to IT resources
- Maintaining IT services

The first goal ensures the basic integrity and confidentiality of information. Access controls are an obvious tool for preventing unauthorized access; less obvious practices, such as auditing for unauthorized hardware, are also important. Consider an unauthorized wireless access point in an office transmitting confidential customer information over an unencrypted Wi-Fi network. Anyone with a wireless network card could intercept the traffic, highlighting the fact that all the work that went into defining, implementing, and managing access control policies can be easily circumvented.

Maintaining IT services requires a multifaceted approach as well. Firewalls and intrusion prevention systems (IPSs) immediately come to mind as tools for preventing Denial of Service (DoS) attacks, unauthorized intrusions, and similar attacks. Another important measure is to ensure that operating systems (OSs) are appropriately patched. If an attacker exploits a vulnerability in a DNS server and redirects traffic from a legitimate server to the attacker’s server, a firewall might not filter the traffic and the IPS might never detect an attack pattern. This situation would result in users being unable to work with the attacked application because the malicious code has circumvented the front-line defenses to exploit a vulnerability elsewhere in the IT infrastructure.

Realizing the simultaneous goals of preventing unauthorized access and maintaining service availability requires multiple point systems that address individual security issues. A comprehensive security management framework requires seven critical security areas:

- Managing and maintaining antivirus services
- Patching OSs and applications
- Scanning for top vulnerabilities
- Controlling network traffic with personal firewalls
- Controlling system security configuration settings
- Detecting unauthorized and required software
- Detecting unauthorized and required hardware

Often, each of these critical security areas is managed separately, resulting in disconnected security systems and the possibility of increased vulnerabilities. Maintaining an effective security posture requires security managers to have information about the state of each of these services:

- Are antivirus signatures up to date?
- Has the last OS service pack been installed?
- Is the database patched for a known SQL injection vulnerability?
- Are only required ports open in personal firewalls?
- Are all antivirus products current and running?
- Are all notebooks properly configured for virtual private network (VPN) access?
- Have any unauthorized wireless devices been added to the network?

As these example queries illustrate, if any of the seven critical functions is not operating correctly, systems are vulnerable to breaches. The consequences of such breaches can range from nuisance, such as spyware slowing the performance of desktops, to crippling, like a distributed DoS attack that effectively disables network services.

POTENTIAL PROBLEM OF INEFFECTIVE SECURITY MANAGEMENT

Ineffective security practices result in both business and technical losses. The following sections explore the consequences and their impact.

Damage to Customer Confidence and Competitive Position

From a business perspective, the loss of sensitive data is a serious threat. The loss of confidential customer information, data on business processes and operations, and financial data has always been a risk to business competitiveness. In addition, the public disclosure of a major security breach could diminish customer confidence, and the loss of trade secret information, strategy documents and similar information can weaken a company’s competitive position. Increasing the stakes is the prospect of compliance violations and a negative impact on the valuation of public companies as a result of the loss or disclosure of sensitive data.

Regulatory Impact

To protect individual privacy and to ensure accurate public reporting, governing bodies from state to transnational levels have passed regulations that impact security practices. Some regulations are broad sweeping, such as the European Union privacy directive and the United States’ Sarbanes-Oxley Act. Other regulations target specific industries, such as the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry, Title 21 Code of Federal Regulations (CFR) Part 11 in the pharmaceutical arena, and the Gramm-Leach-Bliley Act for banking and financial services organizations. In the past, an organization could avoid publicly disclosing a breach by not reporting it to law enforcement. Concerns about identity theft and other privacy violations are prompting regulations, such as California Senate Bill 1386, which require disclosure when customer information is exposed to unauthorized access.

Loss of Data

For a typical business user, the loss of a notebook can be debilitating—not because of the cost of the hardware, but because of the loss of data. Road warriors often keep essential documents and databases on their notebooks. Without them, they can’t work. It is easy to replace a notebook compared with the cost and effort required to restore the data. Now imagine the impact on an organization if a server were compromised and data deleted or corrupted.

Sudden catastrophic failures are, in many ways, the easiest from which to recover. If a fire destroys a server, a recent offsite backup can be restored to another server and incremental changes can be made because the backup can be manually restored. Recovering from the loss or corruption of data that results from malicious code is more challenging. If a piece of malware made a few random changes to data blocks in a database, these changes might not be noticed until they cause a problem. By then, backups could include the corruption, and identifying the last valid backup would be a challenge.

Fraud

Fraud, particularly identity theft, is a growing problem with widespread public recognition. When identifying customer information—such as credit card numbers, Social Security numbers, and bank account numbers—is lost in a security breach, customers are put at risk. The cost of remediation can include the costs associated with notifying customers of the breach as well as the cost of fraudulent charges made against customer accounts.

Cost of Recovery

The true cost of remediation is often difficult to quantify. Certainly, one would have to include the cost of IT staff time dedicated to identifying, isolating, and stopping a breach; the cost of restoring lost or damaged data; and the cost of reporting the breach according to appropriate regulations. Softer costs are the damage to brands, the potential for lost revenue in the future as a result of customer concerns, as well as the cost of changing policies and procedures to prevent future incidents.

Unavailable Systems and Diverted Staff

The most immediate technical consequence of a severe breach or attack is the loss of system availability. The old adage that time is money applies equally well to servers as to other business operations. The loss of a key service can have a ripple effect beyond immediate users to other areas as well. For example, an inventory control program that is subjected to a DoS attack could prevent an online ordering application that depends on the inventory control system from verifying the availability of products. To make matters worse, when a public application such as an online ordering system is down, your customers know it.

Getting systems back online after a breach often requires staff to forgo their usual operations and projects to help with remediation. This redirection of efforts from normal operating activities can result in poorer support services for other critical operations as well as delays in development projects. The key to minimizing and ideally avoiding these business and technical impacts is to implement a comprehensive security management practice.

IT departments are valuable assets to organizations, and too often their value is not fully recognized until there is a disruption of service. IT departments and their organizations are better served when systems managers use reporting tools to monitor and analyze trends in IT services. Even marginal increases in availability of IT services can translate into increased business value.

COMPREHENSIVE SECURITY MANAGEMENT

Malware now often combines techniques of viruses, worms, keyboard monitoring, and remote control through chat rooms to gain and maintain access to IT resources. Typically, these blended threats take advantage of a vulnerability somewhere in the complex web of hardware, software, and protocols that comprise the distributed systems of today. By addressing the seven critical security areas, security managers can minimize the threat exposure. This, in turn, supports ongoing IT operations. Systems managers have enough to manage with increasing demands for services ranging from more storage to additional network services. With a comprehensive framework in place, systems managers can operate with a baseline assumption of a secure foundation.

Managing and Maintaining Antivirus Services

Antivirus protection is a first line of defense for most networked systems. E-mail is an essential tool for most organizations, but is also an open door for viruses, worms, spyware, and blended threats. Well-publicized vulnerabilities have been discovered in commonly used e-mail systems. Even when patches and workarounds have been implemented, vulnerabilities are likely to persist as a result of the complexity of these applications and the ability to execute programs within the context of e-mail systems.

Some antivirus vendors are expanding the reach of protection by including anti-spyware features. Other vendors are focusing on content filtering to prevent malicious code from entering the network through Web and various network protocols.

Comprehensive security management requires that antivirus software be kept up to date with the latest virus signatures and upgrades to virus detection engines. It is important to understand that many viruses mutate as they propagate, rendering simple signature-based detection ineffective. Antivirus vendors are using new techniques such as behavior profiling to detect patterns of activity as a program runs to determine whether the code is likely malicious. It is now as important to have the latest virus detection engines as it is to have the latest signature files.

Patching OSs and Applications

Keeping software patched is one of the most important tasks for systems administrators. Software patches often correct vulnerabilities and enhance features to improve the security and stability of the platform. The proliferation of servers and desktops, often with different versions of OSs and applications, throughout an organization increases the challenge of keeping software up to date. Notebooks are even more problematic because they are often disconnected from the corporate network. Push strategies, such as updating all desktops in the middle of the night, can easily miss notebooks that have been taken off site. To ensure that all software is appropriately patched, systems administrators need the ability to identify the patch level of every device connected to the network.

Scanning for Top Vulnerabilities

Even when software is patched, vulnerabilities can still exist within utility programs, network applications, and other commonly used programs. Security researchers, developers, and malicious hackers regularly discover vulnerabilities. It is essential for security managers to keep abreast of the latest vulnerabilities and to identify those most likely to impact their systems. Scanning tools can identify many vulnerabilities; however, as with antivirus programs, scanning tool effectiveness depends upon whether they are up to date with a database of top vulnerabilities.

Controlling Network Traffic with Personal Firewalls

Firewalls were once considered perimeter defenses and located at the boundaries of internal networks, network DMZs, and access points to the Internet. With the advent of blended threats and spyware, personal firewall protection is commonly used to bring network-level protection to the desktop. The configuration of personal firewalls is not always an intuitive process, and users may find that turning off a personal firewall solves problems with desktop applications that might just need a port opened. This response not only leaves the desktop vulnerable but also exposes the corporate network to DoS and other threats that could be easily stopped by a personal firewall. Security managers should know the status of each of the personal firewalls on their networks.

Controlling System Security Configuration Settings

Another critical task in the comprehensive security framework is monitoring basic system security configuration settings, such as access controls and logging parameters. Ideally, only administrators will have privileges to change these settings, but even in those circumstances problems can arise. For example, a systems administrator might change a security setting to provide a workaround for a critical but malfunctioning application with the intention of restoring the setting when a long-term solution is found. This type of change is easily forgotten in the day-to-day operations of systems management. Systems administrators should have access to the security configuration on all devices under their control.

Detecting Unauthorized and Required Software

Unauthorized software can be introduced both intentionally and unintentionally. An occasional game on a road warrior’s notebook may not present a serious security threat, but the practice of user-installed software is generally considered a threat. Fortunately, access controls and system security configurations can eliminate most intentional installations of unauthorized software.

Spyware is a commonly found form of unintentionally installed software. With advanced browser features, such as the ability to execute Java, JavaScript, and .NET components, users can inadvertently download and install spyware applications. Systems administrators should have the ability to identify unauthorized software anywhere on their networks.

Ensuring required software is properly installed is as important as keeping unauthorized software off a system. Remote users, for example, may be required to access the corporate network using a VPN. Without a VPN client, a remote user is effectively locked out of network resources. Similarly, non-security software, such as a CRM client or a contact database, may be required for all sales staff in the field. Although the lack of a contact database is not a security problem, it diminishes users’ ability to work effectively. Fortunately, it is exactly the type of problem that can be solved by tools designed to address security management.

Detecting Unauthorized and Required Hardware

Systems administrators and security managers should know whether unauthorized hardware has been installed on the network. Wireless access points are inexpensive and easy to install. A notebook with a hard-wired connection to the corporate LAN and a wireless card accessing a rogue wireless network can cause numerous problems. Systems administrators and security managers must be able to inventory hardware and identify unauthorized hardware on the network.

They must also ensure required hardware is in place. Some applications, for example, require a USB dongle to operate; without the device, the application is disabled. Controlling installed hardware can also prevent the loss (or at least notify a manager about a loss) of hardware, such as a webcam that is easily removed from its parent device.

By effectively monitoring and maintaining all seven critical security areas, organizations can maintain a secure environment for their servers, desktops and notebooks.
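As an added illustration (not part of the Altiris white paper and not Altiris code), the following Python script evaluates a constructed device inventory against a baseline policy for the seven critical areas and produces the per-area view the paper asks for: which devices fail antivirus currency, patch level, open vulnerabilities, firewall state, configuration, and required or unauthorized software and hardware. The policy values, device records, port numbers and the vulnerability id are hypothetical placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:                     # one inventory record per managed device (constructed)
    name: str; kind: str          # kind is "server", "desktop" or "notebook"
    av_engine: tuple; av_sig_date: date   # detection-engine version, newest signature date
    service_pack: int; open_vulns: set    # vulnerability ids reported by the last scan
    firewall_on: bool; open_ports: set
    audit_logging: bool
    software: set; hardware: set

# Baseline policy for the seven areas; all values are hypothetical, not from any product
POLICY = {
    "av_engine_min": (9, 0), "sig_max_age_days": 7, "service_pack_min": 2,
    "allowed_ports": {"server": {80, 443}, "desktop": set(), "notebook": set()},
    "required_software": {"server": set(), "desktop": set(), "notebook": {"vpn-client"}},
    "banned_software": {"p2p-client"},
    "required_hardware": {"server": {"usb-dongle"}, "desktop": set(), "notebook": set()},
    "banned_hardware": {"wireless-ap"},
}

def check(dev, p, today):
    """Return {area: [problems]} for each of the seven areas the device fails."""
    sig_age = (today - dev.av_sig_date).days
    need_sw, need_hw = p["required_software"][dev.kind], p["required_hardware"][dev.kind]
    rules = {   # (message, failed) pairs per area
        "antivirus": [("engine outdated", dev.av_engine < p["av_engine_min"]),
                      (f"signatures {sig_age} days old", sig_age > p["sig_max_age_days"])],
        "patching": [("service pack below baseline", dev.service_pack < p["service_pack_min"])],
        "vulnerabilities": [(f"open: {sorted(dev.open_vulns)}", bool(dev.open_vulns))],
        "firewall": [("personal firewall disabled", not dev.firewall_on),
                     (f"unexpected ports: {sorted(dev.open_ports - p['allowed_ports'][dev.kind])}",
                      not dev.open_ports <= p["allowed_ports"][dev.kind])],
        "configuration": [("audit logging off", not dev.audit_logging)],
        "software": [(f"missing: {sorted(need_sw - dev.software)}", not need_sw <= dev.software),
                     (f"unauthorized: {sorted(dev.software & p['banned_software'])}",
                      bool(dev.software & p["banned_software"]))],
        "hardware": [(f"missing: {sorted(need_hw - dev.hardware)}", not need_hw <= dev.hardware),
                     (f"unauthorized: {sorted(dev.hardware & p['banned_hardware'])}",
                      bool(dev.hardware & p["banned_hardware"]))],
    }
    return {area: [msg for msg, failed in checks if failed]
            for area, checks in rules.items() if any(failed for _, failed in checks)}

def report(devices, p, today):
    """Per area, the devices failing it: the 'which notebooks are patched?' view."""
    out = {}
    for d in devices:
        for area in check(d, p, today):
            out.setdefault(area, []).append(d.name)
    return out

TODAY = date(2005, 6, 8)   # constructed inventory snapshot with three devices
INVENTORY = [
    Device("srv01", "server", (9, 1), date(2005, 6, 7), 2, set(), True, {80, 443}, True, set(), {"usb-dongle"}),
    Device("nb07", "notebook", (8, 5), date(2005, 5, 1), 1, {"VULN-ID-PLACEHOLDER"}, False, {135}, False, set(), {"wireless-ap"}),
    Device("dt03", "desktop", (9, 0), date(2005, 6, 1), 2, set(), True, set(), True, {"p2p-client"}, set()),
]
```

Running `report(INVENTORY, POLICY, TODAY)` shows the server clean, the off-site notebook failing all seven areas, and the desktop failing only the software area because of the unauthorized client.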

SUMMARY

A comprehensive security framework requires that security managers and systems administrators constantly monitor and maintain all seven critical security areas. No single security application, such as an antivirus program or a personal firewall, will protect an IT infrastructure. Furthermore, if some of the critical areas are well protected but others are not, the effect is the same as if none were well protected—resources can still be vulnerable. Effective security management requires information about all seven critical security areas.

Administrators also need reporting tools that help them find the needle in the haystack through trend analysis: Which notebooks have been patched? Which servers are subject to the latest discovered vulnerability? Answers to these questions can help administrators maintain an effective security posture through a continual process of monitoring and remediation of vulnerabilities to their systems. In addition, reporting and trend analysis enable systems managers and executives to understand baseline conditions and monitor improvements in the comprehensive security framework.

For more information about implementing a comprehensive security framework and to learn about the Altiris solution for a Seven-Area Vulnerability Assessment, .
