Forging a Virtual Steel Wall

Hardening software to prevent security breaches is coming back into fashion. And, yes, it's worth the trouble.


While Phillips thinks of hardening as a "foolproof" means of securing systems, he adds that the technique shouldn't be used as an excuse to skimp on or ignore traditional security measures. "Hardening needs to be viewed as an 'extra,' not as an 'instead of,' " he says.

Don't Forget Training and Testing

Training is often neglected, but it should be a key part of the hardening process. Why? Because users may work very hard to circumvent hardening-created safeguards that just seem inconvenient; they need to understand why the safeguards are there.

"You still have to train your users in everyday security practices -- what to do and not to do -- because no matter what you've done to lock down [the operating system or application], within a few months there will be something out there that can bypass that. It's a moving target," Phillips says. He notes that a certain amount of rehardening is inevitable over time.

Phillips recalls a security hole that surfaced with the arrival of USB memory sticks. "We had done all this hardening, and then we discovered that you could simply take a USB drive, plug it into the USB slot, and [a window] would pop up asking, 'Do you want to run this?' "

The discovery prompted a fast repair job to modify the operating system's permissions settings. "We think our hardening solution was far more elegant than taking a hot-glue gun and filling up all the USB ports," Phillips says.

The final step in hardening is testing. "Anytime security configuration changes are made, they can have an impact on manageability, usability or application compatibility," Carpenter says.

Makohon agrees. "It's important to test platform configurations not only from a functionality standpoint, but from a performance and availability standpoint after they've been hardened," he says.

All tests need to be conducted under real-world conditions. "If systems have been hardened in a test environment, can they be properly managed and accessed?" Makohon asks. "It's one thing if they can still perform their primary function, but now can you still gain the required information in order to see how they're performing, or to see what types of logs they are writing, or have [the systems] available to help further track the presence of a malicious insider or a cybercriminal?"

Phillips advises managers to do a thorough job and make sure features are removed, not just made inactive. There's a big difference between removing a feature or command and simply locking it. "If something is simply not there, users are less likely to get frustrated, as opposed to seeing a visible option that won't work," Phillips adds. There's also the possibility that an attacker could exploit a dormant feature.

However, Phillips warns managers striving for maximum protection not to harden their software to the extent that it cripples functionality. "You want some things to be restrictive, [but] the tools need to be supportive and flexible to accomplish business goals," he says. "This is something that I see IT mess up over and over again."

Makohon agrees. "Just remember," he says, "the goal is hardening, not making things harder to use."

Edwards is a technology writer in the Phoenix area. You can contact him at jedwards@gojohnedwards.com.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

Copyright © 2011 IDG Communications, Inc.
