AntiOnline Security Spotlight: The Evils of Default Security
Are 'hardened by default' systems lulling computer users into a false sense of security?
Deploying an OS simply because of the perception that it is more secure out of the box (usually in comparison to Windows) can lead to trouble. And while IT pros are constantly clamoring for more secure operating systems and applications, the truth of the matter is that no amount of clever coding on a developer's part can completely eliminate the burden placed on today's security admins.
AO member catch, after a brief absence, returns with some words to ponder. This week's spotlight thread focuses on how admins ought to take an active approach to securing their systems, not simply rely on what conventional wisdom has deemed to be characteristic of a secure OS.
However resistant to exploits an OS seems to be, there are several ways for admins to unwittingly poke holes in their network's defenses, all within the confines of a secure default configuration.
"Catch up" with AO in the New Year and discover why administrators and budding security gurus should never let their guard down, much less accept anything on blind faith.
Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.
Direct link to this week's spotlight thread:
As 2003 marked its last days, catch dropped in with some words on why admins should be wary of trusting default security measures.
Part 1: The inadequacies of "hardening".
Of course, what would AO be if everyone were in agreement? Nonetheless, chsh makes this observation after picking apart catch's opening post...
Hardening either before or after shipment typically includes but is not limited to the following actions:
- Removing unnecessary packages/applications.
- Removing unnecessary services.
- Stronger default file permissions.
- Locking down administrative accounts.
- Utilizing an intrusion detection system.
Following this checklist results in a very secure system, right?
Nearly all computer attacks stem from the following six issues: stack overflows, access to services, privilege and privileged accounts, networking resources, shared environments, and other bugs in applications and services. Considering this, it should be painfully clear how little hardening does for actually securing systems. Clearly, different architectures and mechanisms are needed to deal with these issues, as hardening alone is simply not viable.
Paranoia is definitely an attribute every good admin I've met has. Usually a lot of it involves constantly keeping tabs on the latest exploits and so forth, being on every security mailing list out there, etc. It is an invaluable tool to be aware of what is going on at large.
While souleman succinctly adds...
I used to believe that security was/is only as good as the admin maintaining it, and in a lot of cases, that's very true. Like all things however, there are caveats to consider such as vendors not supplying patches. An admin can do everything right, but if an organization knows of a vulnerability and is slow to patch software or simply doesn't patch it at all, then said admin is left only with the options of shutting off services, exploring alternatives, or hoping that the patch comes out before he/she gets hit (if applicable).
Any sysadmin who has a feeling of security should be resume building.
Striek sees things differently. Paranoid yet? Or not paranoid enough? Drop your $0.02 here.
What is AntiOnline?
AntiOnline (AO) is home to many of the most popular network security discussion forums online. Here, participants engage in candid, thought-provoking and enlightening exchanges on security hazards and how to protect your systems against them.
We invite you to join the AO community (it's free!), share your wisdom and learn a few things in the process. Stay tuned as Enterprise IT Planet spotlights the discussions and expert participants that have helped make AO the "go to" online resource for network security.