Building Securable Infrastructures

Note that the title of this blog post is not “Building Secure Infrastructures” it is “Building Securable Infrastructures” and there is a difference. I was just fortunate enough to be on an industry panel this week at Secure World and as I was thinking about the content of this panel I started to think about a talk delivered this year at Defcon:

Creating an A1 Security Kernel in the 1980s (Using “Stone Knives and Bear Skins”) by Tom Perrine.

The premise of the talk was about an operating system that was always in a “known secure” state. If a malicious person was able to steal the OS code the operating system still could not be exploited. Much of our time in engineering a security solution is trying to stop an intruder from gaining insight about our networks. What if we started using that time to:

1. Pick products that don’t have security holes backed in (read Java and Adobe)
2. If we properly configured those devices so that they were not prone to exploit in the first place
3. Give your application developers training on how to write secure code, the time to write secure code, and finally time in the development life cycle for code review. Wouldn’t this be cheaper and more effective than buying, configuring, and maintaining a WAF?

I’m not an offensive security expert, however, what I am is an infrastructure engineer that seriously cares about security. In that line of thought,what can I do in my environment to make it more secure from the middle out? Talk to your vendors and ask them critical questions like:

• What their management interfaces are written in?
• Do your products require any Adobe for Java plugins to operate properly?
• Do you require the Adobe PDF reader for any reports that are generated from your product?
• What is the least privilege that I can run your software under and still have it work?
• What is your internal process for code review and what is your SDLC like?
• How does your application manage passwords and or encryption keys?
• Does your hardware, software, appliance require access to the Internet to work properly?
• What two-factor solutions does your product integrate with?

Until we start asking our vendors questions like this we will be building insecure infrastructures from the start. Any attempt that we make to secure our infrastructures will be simply cleanup efforts and will fail to protect us from any real targeted threats.

Below is a great article from CSIS, a security research company that did a quantitative analysis of exploited threats in the wild that was published on Sept 28, 2011.

• Register Article: Here
• Original Report: Here

85% of the actual threats exploited in this study came from two vendors: Adobe and Java (Oracle). How much time and money would your company save if they could reduce their attack surface by 85%? These are fundamental questions that we as engineers need to start talking to our vendors about and we need to start demanding better solutions so that we’re not fighting fires when it comes to security. It’s only after we’ve started evaluating security from the inside out that we can have any hope of achieving security of any real measure.

This article was originally published here, 10/4/2012.

About Steven Aiello
Steven Aiello is a Senior Systems Engineer with Online Tech, the Midwest’s premier managed data center operator. His certifications include CISSP (Certified Information System Security Professional),  ISACS CISA, VMware VCP ( VMware Certified Professional),  Cisco CCNA ( Cisco Certified Network Associate),  Comptia Security+,and Certified Incident Responder (New Mexico Tech).