A hardened approach to system security
Hardening software to prevent security breaches is coming back into fashion. And, yes, it's worth the trouble.
Computerworld - Glenn Phillips, president of Pelham, Ala.-based Forté, says that the dedicated Windows workstations his company sells to hospital emergency room administrators must not only be secure, but absolutely tamperproof as well. After all, lives depend on the machines' flawless operation.
Forté's applications show emergency medical technicians the emergency room's current availability status, "so our software must be the program that is always running," Phillips says. "We cannot have anyone closing our program, adding games, changing Windows settings and so on."
Phillips and others who need to create highly secure workstations or servers are turning to hardening to create a virtual steel wall against intruders. The hardening process involves removing nonessential tools and utilities from an operating system or application, any of which could be used to help an attacker gain unauthorized access to system settings or data.
The approach can be used to substitute for or, more commonly, complement other security practices and technologies, such as network firewalls.
Hardening is a technique that's been around since the earliest days of networked computers, but it gradually fell into disuse as software vendors boosted the security of their products and IT managers adopted new security technologies and practices.
Even so, the security improvements haven't made hardening any less practical or useful. "It's still one of the least expensive and most effective ways of protecting yourself or preventing infections or outages," says Chris Rafter, vice president of consulting services at Logicalis Group, a systems integrator in Bloomfield Hills, Mich.
Peter Makohon, a senior security and privacy manager at the New York office of professional services firm Deloitte & Touche, says hardening is coming back into fashion as more enterprises face pressure to patch every possible security hole that could conceivably be exploited as a pathway into a corporate system. Regulatory compliance is another factor that's inspiring many enterprises, particularly those in highly regulated industries, to take another look at hardening.
Just about any enterprise can benefit from hardening, Rafter says. "Operating systems and applications are definitely a lot more secure than they were a long time ago, but there's still logic to turning off unnecessary services and basically only activating and using what you really need," he contends. "Plus, it doesn't require a great deal of effort."
Most vendors long ago dropped any objections to customers hardening their products. Many -- including Microsoft -- actively encourage the practice. "Hardening an operating system is a key step in protecting a system from intrusion," says Chase Carpenter, a manager in Microsoft's Windows Server unit.
Carpenter says enterprise hardening efforts have traditionally covered the client and server operating systems, but with attacks increasingly targeting the application layer, the focus of hardening is shifting to applications. Microsoft views its Security Compliance Manager and Security Baseline products as hardening tools.
Manual or Automatic?
While most user organizations opt to handle the hardening work themselves -- assigning the task to either IT staffers or outside consultants -- some have opted to use commercial software that's designed to automate the process. For example, CellTrust, a mobile applications developer in Scottsdale, Ariz., hardened its servers and its Linux-based network appliances with a product called Security Blanket from Raytheon Trusted Computer Solutions, based in Herndon, Va.