Following a recipe, like baking cookies, is one way to ensure consistency in the setup and configuration of your devices and systems, which in turn reduces the possibility of introducing new configuration mistakes that could lead to unwanted vulnerabilities exploitable by an attacker. These recipes are baseline configurations that document in detail the exact settings with which an operating system, application, or device should be configured. Use these well-defined configurations to automate processes that look for variance and configuration drift in a rapid and efficient manner. In this blog, we’ll look at how configuration baselines are an important tool to ensure your applications and devices are set up appropriately.
Configuration baselines are not at all new. Systems engineers and administrators have long relied on these templates to ensure that every system is configured identically. Prescriptive guidance, provided by system manufacturers and other subject matter expert groups, is an important place to start to ensure that your configurations are designed with security in mind.
Configuration baselines define how a specific type of device must be set up and are very detailed, down to each input and variable. For example, configuration baselines define how to configure remote access to a device and which protocols to enable. Leveraging baseline configurations should reduce the overall operational costs of your devices because they ensure homogeneity across your fleet, which in turn facilitates configuration through automation and other time-saving methods. It is expected that if one device works well with a specified configuration, the rest should behave in the same way. Proper configuration baselines improve security as well, because developing them requires a detailed review of every setting and often results in changing a device’s default behavior to a more secure posture for the use case. As a device operator, you can study and review the prescriptive guidance from one source, and then extend this knowledge to create appropriate baselines for similar devices from different manufacturers. This comparison method also highlights differences in capabilities between devices and may even influence which devices you choose based on their security features. Configuration baselines should include how to set up these security features and ensure that the devices and systems are appropriately hardened against attack. Take remote access, for example: many devices support remote access so that system administrators and developers can configure them over the network. It is common for a device to support multiple protocols—e.g., telnet, secure shell, and web browser access—but not all these protocols are equally secure. For the most secure configuration, you would want to favor encrypted protocols that support modern authentication methods and disallow the others.
Ensure your baselines support your organization’s security requirements and obligations by linking them to your security policy and standards. Your security policy is the cornerstone of your information security program and defines at a high-level what behavior is allowed and what is not. A good security policy is broad and covers multiple security domains relevant to your company or organization. Whereas the policy is broader and higher level, the information security standards dive deeper into each policy area. For example, you might include a single paragraph or two in your policy describing appropriate authentication principles but dedicate an entire five to six-page standard that describes in much more detail the approved protocols and permissible use cases and systems supported by your organization for these authentication services. The configuration baselines directly support the policy and standards and include the actual settings for how to set up the devices to use these systems. Lastly, you might choose to document appropriate procedures that complement the standards and baselines that include broader instructions on how to configure more complex systems and devices.
In our previous remote access example, the policy might describe the requirement for all devices and systems to encrypt network communications and require authentication for privileged access. Supporting standards would specify secure shell (SSH, over TCP 22) and Hypertext Transfer Protocol Secure (HTTPS, over TCP 443) as approved remote administration protocols and WS-Federation, Security Assertion Markup Language (SAML 2.0), and OAuth as approved authentication standards. Every type of device and system in your organization would have a unique configuration baseline created for it that defines the device-specific configuration settings that enable the device to support these standards. Configuration baselines can take many forms. The simplest is a table that lists every configuration element of a device and its preferred value. An illustrative baseline might include screenshots of configuration dialog boxes to make it easier to set up manually. To reduce the chance of configuration variance between devices, be sure to explicitly define how each checkbox, radio button, and field should be set. For larger installations, look for opportunities to automate the configuration through Application Programming Interfaces (APIs) or commands exposed by the device. Most enterprise network equipment is configured in this way. You can create a text file or XML document that includes all important configuration commands and settings and load this file into the device to ensure the equipment is configured in exactly the right way.
These configuration baselines are auditable. Many organizations use a redacted configuration file to demonstrate the secure configuration of a device to an auditor. Some vulnerability scanners, such as Qualys or Nessus, can be configured to scan for configuration settings in addition to their vulnerability signatures. As a part of a broader Information Security Management System (ISMS), it is important to demonstrate not only that your devices are configured appropriately but that the configurations align with your security policy and program; configuration baselines do just that.
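The drift check described above, as an added example that is not part of the original post: a baseline expressed as the simple setting-to-value table the post recommends, compared against a device's exported running configuration. The baseline keys, the "key value" export format and the sample device output are all constructed for illustration and do not correspond to any particular vendor.

```python
"""Added example: compare a device's running configuration against a
documented baseline and report configuration drift for an audit.

Assumptions (constructed, not from the original post): the baseline is a
table of setting -> required value, and the device's running config has
been exported as plain "key value" lines.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed baseline for the remote-access example in the post:
# favour encrypted protocols with modern authentication, disallow the rest.
REMOTE_ACCESS_BASELINE: Dict[str, str] = {
    "remote.telnet.enabled": "false",
    "remote.ssh.enabled": "true",
    "remote.ssh.port": "22",
    "remote.ssh.password_auth": "false",
    "remote.http.enabled": "false",
    "remote.https.enabled": "true",
    "remote.https.port": "443",
    "auth.saml.enabled": "true",
}

# Constructed export from a hypothetical device that has drifted.
SAMPLE_RUNNING_CONFIG = """\
# exported running configuration (constructed sample)
remote.telnet.enabled true
remote.ssh.enabled true
remote.ssh.port 22
remote.ssh.password_auth true
remote.http.enabled false
remote.https.enabled true
remote.https.port 8443
"""


@dataclass
class DriftReport:
    # setting -> (expected, actual) for values that differ from the baseline
    mismatched: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # settings the baseline requires but the device export does not mention
    missing: List[str] = field(default_factory=list)
    # settings present on the device that the baseline does not cover
    unexpected: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        """Unexpected settings are reported but do not fail the audit."""
        return not (self.mismatched or self.missing)


def parse_running_config(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; blank lines and '#' comments are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def check_drift(baseline: Dict[str, str], running: Dict[str, str]) -> DriftReport:
    """Compare every baseline setting with the device's value (case-insensitive)."""
    report = DriftReport()
    for key, expected in baseline.items():
        if key not in running:
            report.missing.append(key)
        elif running[key].lower() != expected.lower():
            report.mismatched[key] = (expected, running[key])
    report.unexpected = sorted(k for k in running if k not in baseline)
    return report


def format_report(report: DriftReport) -> str:
    """Render the drift report as the kind of text an auditor would read."""
    lines = ["COMPLIANT" if report.compliant else "DRIFT DETECTED"]
    for key, (expected, actual) in sorted(report.mismatched.items()):
        lines.append(f"  MISMATCH {key}: expected {expected}, found {actual}")
    for key in report.missing:
        lines.append(f"  MISSING  {key}: not present in running config")
    for key in report.unexpected:
        lines.append(f"  EXTRA    {key}: not covered by baseline")
    return "\n".join(lines)


if __name__ == "__main__":
    result = check_drift(REMOTE_ACCESS_BASELINE,
                         parse_running_config(SAMPLE_RUNNING_CONFIG))
    print(format_report(result))
```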
You will likely find more diversity in creating configuration baselines for on-premises infrastructure than for cloud-based services, due simply to the variety of devices and systems offered by multiple manufacturers. Look to the manufacturers of the operating systems and large enterprise applications that you use for configuration best practices. The major cloud service providers expose APIs for their entire configuration, so it becomes much easier to write scripts and programs to quickly deploy a new system configured exactly how you want it and just like your others. Microsoft has published recommended security configuration settings for their current operating systems, which they offer as a download from their website. This zip file includes thousands of recommended settings to secure these systems. The Center for Internet Security offers a free download of recommended security configurations for a wide variety of operating systems and applications, including Microsoft Windows, Linux, iOS, Apache, Docker, Microsoft SQL Server, Oracle, and many others. These resources are free and a great starting point for identifying important security configurations that you can customize to your environment.
Security configuration baselines help ensure that your devices and systems are set up in a secure and repeatable manner. Especially in larger organizations, where multiple people may be responsible for setting up devices, these documents ensure not only that the devices are set up appropriately and securely, but later provide a checkpoint to audit for configuration drift over time. Configuration baselines are a complementary component to security updates in a comprehensive and effective vulnerability management program and an important tool for system administrators and developers alike.
Most small and home networks connect to the internet through an internet service provider (ISP), which provides a broadband modem or router over a digital subscriber line (DSL), cable, or fiber-optic connection. This device’s primary function is to connect your home network to the internet through two components: a modem and a router. The modem’s functions operate at the physical and data link layers; you can’t configure them. The routing components provide networking and security functionality. Although they usually don’t stack up to the features that dedicated security appliances and modern firewalls offer, you can typically upgrade or replace them with more capable options. With the proliferation of Internet of Things (IoT) devices, more connected homes, and increasingly savvy attacks, it’s more important than ever to protect your home network adequately. A quick review of the device that connects you to the internet is a good place to start.
Protecting your home network begins with your ISP broadband modem or router. Your telecommunications provider typically supplies this device, which is the demarcation point between the ISP’s service and the devices on your home network. Over the years, as telecommunications providers have improved their performance and capacity, they have required that subscribers upgrade their equipment. The latest broadband modems and routers have more security functionality than before so that in many cases, simply enabling these features is good enough to protect your home network. However, if you’re running on older equipment, you might want to consider upgrading and looking at alternatives to add modern security protections to your network.
In most cases, your ISP issues you an IP address, a subnet mask, and a default gateway to configure your broadband router to connect to the internet. The router typically has two types of ports: a wide area network (WAN) port configured with your ISP-issued public IP address and local area network ports configured to provide your home devices with dynamic private IP addresses. The router provides Dynamic Host Configuration Protocol (DHCP) and network address translation (NAT) services to make this happen. All this results in a mostly plug-and-play installation process that ISPs try to make as simple as possible so that subscribers (especially less tech-savvy individuals) can connect their devices to the internet in as few steps as possible.
Unfortunately, many of these early broadband routers simply perform basic network filtering and port forwarding; they don’t protect your devices against more sophisticated attacks. Popular options for increasing this security include adding a dedicated security device, enabling security features that might be available on your broadband router but are not turned on by default, or upgrading your device to a more capable one.
The first option, adding another security device, requires a bit more networking experience but also provides the greatest flexibility. This new device typically takes over the routing functionality that your ISP-provided equipment handles. If you can configure your broadband modem or router into bridge mode (which effectively bypasses any router functionality in your device), this can be a good option. Once your ISP device is in bridge mode, you can install a firewall (which acts as a more sophisticated router) behind your ISP device and configure its external WAN port with the public IP address that your ISP provided. All the networking and security functionality, such as traffic routing and inspection, DHCP, and NAT, will be handled by this new security appliance. Recently, a wave of new, lower-cost security devices has combined network firewalling, routing, switching, and services with wireless access point management and threat protection into a single device that you can install behind your broadband modem. Several low-cost open-source firewalls can also be installed to provide commercial-grade protection for your network.
For the second option, enabling security options on an already-installed device, you must have administrative access to your ISP broadband router and an idea of which security capabilities are available. A quick internet search on your broadband router’s make and model typically leads to a device service manual that describes the additional security configurations. In many cases, these features won’t rival those offered by dedicated security equipment, but this option is much easier and less expensive to set up than installing a new inline security device.
Finally, you might replace your entire broadband router or bridge with a different model that has the additional security features you want. For example, the website for the popular cable ISP Xfinity lists compatible devices that work with its service from companies such as Arris, Motorola, and NETGEAR. These products have different security features and prices, but they are all easy to install: You simply replace what you already have.
It is important to remember that many successful security attacks bypass network firewalls altogether. For example, simple firewalls won’t detect phishing attacks that trick users into divulging their credentials or clicking a link to a website that leads to malware. Although more sophisticated security devices that use threat intelligence feeds and real-time blacklists can lower the risk, a firewall solution alone is usually not adequate to fully guard against these kinds of attacks.
These broadband devices play important roles in protecting you against some attacks, but it remains critical that you enable other security protection. Protect your endpoints by patching your computers regularly with security updates and enabling the security features that your operating system provides. Don’t forget that the smart devices that you connect to your home network might have fewer security capabilities than your computer: Isolating those devices into a network separate from your sensitive data can be wise. It’s not always possible to patch these IoT devices, and their built-in security capabilities might be rudimentary at best. That said, upgrading and adding additional network security capabilities to your broadband connection might provide just enough security for these devices.
Connected homes powered by the Internet of Things (IoT) have become commonplace. Doorbells, thermostats, locks, and smart appliances have joined streaming video and audio to monitors and speakers throughout our homes. These wired and wireless devices sit inside your home but often connect continuously to remote cloud services. Attackers see these new devices as possible footholds into your home or business, and endpoint protection techniques such as regularly applying security updates and enabling operating system security features might not always be possible for these new devices. It’s important to be aware of where your sensitive assets and data are stored, and then ensure that the right security controls are in place to protect them.
It’s important to take a step back and think about the data that are most important to you, where they reside, and how you access them. For example, when you think about sensitive data, do you worry about losing photos stored on your computer, or perhaps losing a music collection painstakingly ripped from hundreds of CDs so many years ago? Do you worry about an attacker reading the email you’ve archived on your computer or stored in the cloud? Do you worry about attackers accessing webcams that you installed to monitor your home while you’re away? Each of these assets has a different valuation, and how much you want to invest in protecting these assets will vary. You will likely make different security choices, depending on your situation. For example, if your photos are stored on your laptop, you might choose first to encrypt your hard disk and back your pictures up to an external drive so that they survive if you lose the laptop. If your mail and documents are all stored in the cloud, you might enable two-factor authentication and install malware protection software that includes phishing protection to reduce the risk of an attacker stealing your credentials. Thinking about which assets are most important to you will lead you to the security controls that will most effectively address the risks to these assets. Let’s review these specific security protection technologies.
Home network protection can be divided into two broad categories: endpoint protection and network protection.
Endpoint protection ensures that your devices and computers are hardened against attacks, even if connected to an untrusted network. For example, your laptop should be reasonably protected when connected to the Wi-Fi at a local coffee shop. Examples of essential endpoint protection controls include having the latest security updates installed on your computer or other devices, running modern malware protection, and enabling a host-based firewall. Out of the box, both Windows and macOS provide good security features. Both operating systems include automatic security updates to ensure that your computer is patched. They can automatically lock after a period of nonuse to prevent prying eyes from accessing data on the computer. Security doesn’t have to be difficult anymore. Newer systems support facial recognition, fingerprint touch sensors, or proximity to mobile devices to unlock them; you no longer have to type in complex passwords. Enabling encryption means that even if you lose your laptop, an attacker can’t steal data from it. Built-in firewalls operate at the network and application layers to protect your computer from both inbound and outbound connections. Best of all, most of these features are free and included as a part of the operating system; some need only be enabled for you to use them.
Both Windows and macOS provide all these capabilities built-in, but some IoT devices that run stripped-down versions of Linux might not have adequate protection. In that case, network-level security controls can help. Network-level protection can include the inspection and blocking of network traffic between devices based on static or dynamic rules. For example, the most basic firewalls typically block inbound traffic from the internet to your protected devices but allow outbound connections for surfing the Web. More advanced firewalls can detect the unwanted outbound connection from a compromised device to an attacker’s command and control server by checking communications against a real-time blacklist that looks for and alerts on connections to known malicious sites. In today’s connected homes, it’s important to consider both endpoint and network protection to protect your most sensitive data.
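The two layers just described, as an added example that is not part of the original post: a basic policy that drops unsolicited inbound connections while allowing outbound ones, plus a blocklist check that flags an outbound connection from a home device to a known-bad domain. The home subnet, the flow records and the blocklist entries are constructed for illustration; a real appliance would consume a live threat feed rather than a fixed set.

```python
"""Added example: evaluate home-network connection attempts against a basic
inbound/outbound policy and a blocklist of known-bad domains.

Assumptions (constructed, not from the original post): the home LAN is
192.168.1.0/24, each flow is a new connection attempt described by source
and destination IP, destination port and (if known) destination hostname,
and BLOCKLIST is a small stand-in for a real-time threat feed.
"""
import ipaddress
from typing import List, NamedTuple, Optional

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed blocklist; a real feed is much larger and updated continuously.
BLOCKLIST = {"c2.example.net", "malware-drop.example.org"}


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int
    dst_host: Optional[str] = None  # from DNS or TLS SNI when available


class Verdict(NamedTuple):
    action: str   # "allow", "drop" or "block"
    reason: str


def host_on_blocklist(host: Optional[str]) -> Optional[str]:
    """Return the matching blocklist entry for the host or any parent domain.

    "beacon.c2.example.net" matches the entry "c2.example.net"; a bare TLD is
    never checked, so "example.net" traffic is not caught by "c2.example.net".
    """
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None


def evaluate(flow: Flow) -> Verdict:
    """Apply the basic firewall policy, then the blocklist check."""
    src_inside = ipaddress.ip_address(flow.src_ip) in HOME_LAN
    dst_inside = ipaddress.ip_address(flow.dst_ip) in HOME_LAN
    if not src_inside and dst_inside:
        # Layer 1: unsolicited inbound connections from the internet are dropped.
        return Verdict("drop", "inbound connection from the internet")
    if src_inside and not dst_inside:
        # Layer 2: outbound is normally allowed, but a compromised device
        # calling home to a blocklisted domain is blocked and alerted on.
        hit = host_on_blocklist(flow.dst_host)
        if hit:
            return Verdict("block", f"outbound to blocklisted domain {hit}")
        return Verdict("allow", "outbound connection")
    return Verdict("allow", "local traffic")


def alerts(flows: List[Flow]) -> List[str]:
    """Human-readable alert lines for every blocked outbound connection."""
    out = []
    for f in flows:
        v = evaluate(f)
        if v.action == "block":
            out.append(f"ALERT {f.src_ip} -> {f.dst_host}:{f.dst_port} ({v.reason})")
    return out


# Constructed sample flows: a normal web request, an unsolicited inbound
# telnet attempt, local DNS, and a smart device beaconing to a bad domain.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "203.0.113.80", 443, "www.example.com"),
    Flow("203.0.113.5", "192.168.1.20", 23),
    Flow("192.168.1.20", "192.168.1.1", 53),
    Flow("192.168.1.44", "198.51.100.9", 8443, "beacon.c2.example.net"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, evaluate(f))
    print("\n".join(alerts(SAMPLE_FLOWS)))
```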
Even after taking all these precautions, you might still want to consider a home security appliance to monitor risky internet behavior or discover misconfigured or vulnerable devices on your home network. The technology used in these devices has often trickled down from commercial firewalls but is offered at a fraction of the price and designed specifically for home networks. As such, these devices are generally much easier to install and manage. Devices such as the Trend Micro Home Network Security appliance and the Firewalla security device scan network traffic to identify and block network intrusions. These devices can also look for open ports and misconfigured devices and show useful metrics on device and bandwidth usage. They also include parental controls for restricting access based on time, site, or category. Catering to nontechnical users, the companies that make these devices advertise them as easy to install. In fact, they have just one network connection, which you connect to your existing broadband router. They then use networking techniques to sit logically inline, even though physically they are not.
Mesh Wi-Fi systems are another example of newer technology that often includes more robust security features and capabilities. These systems typically include multiple devices installed around your home to provide better wireless performance and coverage. Because all your wireless devices connect through this system, it provides a natural choke point to inspect all wireless traffic and analyze all network communications to look for risky behavior or signs of an attack or compromised system. As an example, the NETGEAR Orbi Wi-Fi mesh system advertises NETGEAR Armor as a service that integrates BitDefender malware protection to check for malware, open ports, password strength, firmware versions, and other potential security weaknesses.
IoT devices and cloud-based services continue to advance in-home technology. New security gateways and appliances continue to be developed to protect these new devices. As you consider how new devices can fit into your existing home network, make sure you consider which changes might be necessary to avoid putting your most sensitive data at risk.
Applying security updates is one of the most fundamental security controls that you must regularly perform to keep your devices and network safe from attack. Security updates protect your device from attackers and indiscriminate malware that exploit vulnerabilities in your installed software to gain access to or otherwise harm your system or network. While simple in concept, evidence shows that regularly patching computer systems remains difficult. Vulnerability management practices were challenged in the early 2000s by the Code Red and NIMDA worms; yet nearly two decades later these processes still failed in some organizations, as demonstrated by the WannaCry malware outbreak in 2017. All three of these malicious worms that trashed networks of unpatched servers had security updates available months before they spread. In the time between these high-profile attacks, there have been thousands of pieces of malware in the wild that damage and disrupt unpatched servers and devices every day.
In concept, applying a security update is very easy and usually takes just a few minutes. However, this is a software change and should follow a standard and well-documented change control process that includes:
These activities take time to develop and practice. Additionally, this seemingly simple process can be complicated if you do not fully understand the devices that need to be updated. For example, you may be afraid of what might happen if the update fails or the system must reboot. Plus, with the influx of new devices running all sorts of different firmware and operating systems, it can be difficult to stay on top of all the required security updates. These complications can overwhelm immature vulnerability management processes to the point that some systems go for long periods—months or even years—without updates.
Not applying security updates results in very real security problems and risks to these unpatched systems. In 2017 the WannaCry malware exploited a vulnerability in the Windows operating system server message block (SMB) protocol. WannaCry included a replication mechanism that allowed it to scan the network for vulnerable systems, attack those vulnerabilities, and upon a successful attack install malware (in this case, ransomware) and in turn, use that machine to infect others. WannaCry affected hundreds of thousands of systems worldwide. Microsoft knew about this specific vulnerability and released a software update over a month prior, but many organizations did not have an adequate vulnerability management program to ensure the patch was applied in time.
Developing a disciplined vulnerability management program will protect your devices and systems from malware like these. A proactive program may also lower risks to your systems by avoiding the inevitable frenzy of emergency patching activities when malware like this does hit. Put quite simply, a solid vulnerability management program provides a critical foundation of good security hygiene. And if you develop software, it is especially important to put best practices into place to lower the chance of vulnerabilities in your own code and reduce the overall count of bugs that would need future patches.
Software manufacturers release security updates to correct discovered vulnerabilities in their code. These vulnerabilities may be simple software bugs that an attacker can exploit to access the entire device or system. Many software manufacturers follow a formal security development lifecycle (SDL) process to reduce the introduction of vulnerabilities into their code. The SDL may call out specific tools and procedures for reviewing code to find vulnerabilities, including threat modeling, fuzzing for malformed inputs, and processing all source code through specific tools that scan for problems that could result in a vulnerability. In addition, outside security researchers often partner with software manufacturers to find these vulnerabilities before the bad guys do. The open-source and crowdsourcing communities enroll larger audiences and organize bug hunts to find vulnerabilities in software. Once a bug is found, it can be analyzed by the software manufacturer for the best corrective fix, which often comes in the form of a software patch. A software patch is typically downloaded from the manufacturer and applied to the affected system in the form of a security update. Additionally, the manufacturer may recommend mitigating controls that users can put into place until they apply the update. A mitigating control could include blocking a network port at a firewall or disabling a service on the vulnerable device.
Taking the time to understand and document what software and hardware you have as well as the steps for how to update them are important first steps to developing a vulnerability management program. It’s analogous to practicing changing your tire before getting a flat. Knowing where the tools are and generally how the tools work is a lot easier in your garage than the side of the road!
Begin by taking inventory of all the hardware and software running on your network or under your control. Large hardware and software companies like Microsoft and Apple have developed very sophisticated security update notification and installation processes, and they have made inventory collection easier with some of their enterprise management tools. But these tools have limitations and might only recognize certain types of devices and servers. The influx of embedded devices means that there is likely a much more diverse set of devices on your network, and not all of these may be discoverable by your enterprise tools. Because of this, it is not always easy to know whether your device is up to date or even where to go to get security updates for your specific components. Therefore, it is important to take a good inventory (manually if necessary, or for smaller networks) as a basis for collecting subsequent support information. For each of your devices, record its make, model, and function. Visit the manufacturer’s website and look in their technical support or downloads section for evidence of software updates. For embedded devices, these might be in the form of new firmware. Remember also that security updates must be applied to both the operating system and any applications that run on the device—so don’t leave those out. Include the operating system, firmware, and vendor URL for software updates in your inventory database as well.
Once you have a solid inventory, be sure to understand how to install and verify the actual security updates. This process might vary by device or software manufacturer. Windows has specific system settings to manage security updates, and the operating system takes care of most of the internal dependency checking, download, and install process, leaving the user to simply click to install. In most software applications, the developer will include a configuration item to check for and apply new updates. Modern applications often take care of this behind the scenes and will prompt for the installation of new updates on launch or exit of the application. For simpler devices, you might be required to download an update to another device, transfer the update to the vulnerable device via TFTP, HTTP or USB memory stick, and apply it with very specific instructions. Depending on the nature of the software patch, the system might need to be restarted, which requires an understanding of how people use that system and what dependencies other systems have on it. I believe many organizations fear the reboot more than applying the update itself. This fear comes from not fully understanding dependencies and stability of their critical systems. Exercising these processes regularly and applying security updates helps assuage these fears.
Subscribe to distribution lists for when new security updates are available from manufacturers. Sometimes these lists are not public facing, and you might need to ask your manufacturer to be added to the security update announcements for their product. Receiving notification directly from the manufacturer might give you additional time to plan for an update rollout days or weeks ahead of broader announcements.
Develop a process for triaging new security updates and assign deadlines. Many companies incorporate these requirements into their security policy. For example, all severity-1 security updates must be installed within 24 hours, and lower severity updates must be installed within 30 days, with appropriately accelerated procedures for testing and staged rollout. Conditions that could elevate an update to severity 1 include recommendations from the manufacturer, whether an exploit is already in the wild, or simply what an attacker could do with this vulnerability. Document these policies and procedures and make sure your operators and developers understand where to find them and what is expected of them.
Lastly, keep everyone—or at least yourself—accountable. Set aside time monthly to review your security update posture and measure how many updates have been applied. If you are behind, plan how to catch up. Review metrics that show the percentage of vulnerable systems month over month.
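The inventory, triage deadlines and monthly metric from the steps above, as an added example that is not part of the original post: an inventory record carrying the fields the post lists, a deadline calculation using the quoted 24-hour and 30-day targets, and the "percentage of vulnerable systems" figure for a monthly review. The assets, update identifiers, dates and the specific elevation rule (exploit in the wild or a vendor urgency flag promotes an update to severity 1) are constructed for illustration, as one reasonable reading of the post's conditions.

```python
"""Added example: triage pending security updates against policy deadlines
and compute the share of inventoried systems that are still vulnerable.

Assumptions (constructed, not from the original post): the inventory,
update records and review date are sample data; severity 1 must be
installed within 24 hours and anything else within 30 days, and an
exploit in the wild or a vendor urgency flag elevates an update to
severity 1.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set

SEV1_DEADLINE = timedelta(hours=24)
OTHER_DEADLINE = timedelta(days=30)


@dataclass(frozen=True)
class Asset:
    """One inventory row with the fields the post says to record."""
    asset_id: str
    make: str
    model: str
    function: str
    os_or_firmware: str
    vendor_update_url: str


@dataclass
class Update:
    update_id: str
    affected_assets: List[str]          # asset_ids the update applies to
    vendor_severity: int                # 1 = most severe
    released: datetime
    exploit_in_wild: bool = False
    vendor_urgent: bool = False
    applied_to: List[str] = field(default_factory=list)  # already patched


def effective_severity(u: Update) -> int:
    """Elevate to severity 1 on exploit-in-the-wild or a vendor urgency flag."""
    if u.exploit_in_wild or u.vendor_urgent:
        return 1
    return u.vendor_severity


def deadline(u: Update) -> datetime:
    """Policy deadline measured from the vendor release date."""
    window = SEV1_DEADLINE if effective_severity(u) == 1 else OTHER_DEADLINE
    return u.released + window


def outstanding(u: Update) -> List[str]:
    """Assets that still need this update."""
    return [a for a in u.affected_assets if a not in u.applied_to]


def overdue(updates: List[Update], now: datetime) -> Dict[str, List[str]]:
    """update_id -> assets still unpatched after the deadline has passed."""
    return {u.update_id: outstanding(u)
            for u in updates if now > deadline(u) and outstanding(u)}


def percent_vulnerable(inventory: List[Asset], updates: List[Update]) -> float:
    """Monthly metric: share of inventoried assets with any unapplied update."""
    vulnerable: Set[str] = set()
    for u in updates:
        vulnerable.update(outstanding(u))
    known = {a.asset_id for a in inventory}
    if not known:
        return 0.0
    return 100.0 * len(vulnerable & known) / len(known)


# Constructed inventory and update feed (vendor URLs are placeholders).
INVENTORY = [
    Asset("srv-01", "ExampleCo", "FS-200", "file server", "server OS 2022",
          "https://vendor.example/updates"),
    Asset("ws-01", "ExampleCo", "WS-10", "workstation", "desktop OS 11",
          "https://vendor.example/updates"),
    Asset("cam-01", "ExampleCam", "IPC-7", "doorbell camera", "firmware 2.3",
          "https://cam.example/firmware"),
    Asset("sw-01", "ExampleNet", "SW-24", "access switch", "firmware 9.1",
          "https://net.example/support"),
]
REVIEW_DATE = datetime(2024, 3, 1, 12, 0)
UPDATES = [
    # Vendor rated it severity 2, but an exploit is circulating: treat as sev 1.
    Update("UPD-CONSTRUCTED-1", ["srv-01", "ws-01"], 2, datetime(2024, 2, 27),
           exploit_in_wild=True, applied_to=["ws-01"]),
    Update("FW-2.4", ["cam-01"], 3, datetime(2024, 1, 20)),
    Update("FW-9.2", ["sw-01"], 3, datetime(2024, 2, 15)),
]

if __name__ == "__main__":
    for uid, assets in overdue(UPDATES, REVIEW_DATE).items():
        print(f"OVERDUE {uid}: {', '.join(assets)}")
    print(f"{percent_vulnerable(INVENTORY, UPDATES):.1f}% of systems vulnerable")
```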
Applying security updates regularly to all your computing systems is an essential first step in protecting those systems. In addition to fundamentally helping keep the attackers at bay, a comprehensive vulnerability management program pays dividends in improvements to other IT process areas as well—from inventory to dependency management.
While embedded systems tend to lack the processing horsepower of servers or even modern personal computers, the sheer number of devices is making them an increasingly valuable target for bad actors looking to run illegal botnets and cryptocurrency mining operations. One of the first major security-related wake-up calls for embedded system designers was the 2016 Nest thermostat botnet attacks. Given the consumer-facing nature of this particular corner of the Internet of Things (IoT), coupled with an increased sensitivity regarding privacy and security, the Nest botnet caused a huge amount of discussion. Those discussions tended to center on how companies should build security into their low-cost IoT products and how consumers can safely operate the devices in their homes and businesses.
With the growing threat of cyberattacks, it is essential that developers keep security considerations in mind throughout the design process. By following some practical tips and recommendations, developers can guard against a wide range of attack scenarios. Read on for an outline of security measures developers can use in their embedded designs.
While there are numerous chip architectures, operating systems, and communications protocols, many IoT devices tend to be built around Arm®-based architectures, and if they run an OS it tends to be a Linux distribution. This commonality is good in many ways (lower costs and faster development times), but it also comes with quite a few negatives. Attack vectors tend to become “one-size-fits-all”, especially for devices running a Linux-based OS. To mitigate the threats associated with widespread devices that share a common architecture, developers should implement the following “quick win” security design principles:
Physical access to a device tends to be the game-over situation. That doesn’t mean that there aren’t things that can be done to make it harder to physically exploit these types of devices. Entire books have been written on making circuit boards and associated enclosures tamper-resistant, but for a few “quick wins” consider the following physical design rules-of-thumb to harden your device:
Some of the following recommendations might be a bit much for consumer-grade IoT devices. However, as we will elaborate on later, industrial control systems and defense systems would likely benefit from these more robust physical security measures:
It should be noted that there is quite a dichotomy between the paradigms of security and openness. Security values obfuscation. Open hardware values understanding. Regardless, keep in mind the old adage that locks only keep honest people honest, and so too with security-at-large. For more information on how to build secure IoT devices, visit the Open Web Application Security Project (OWASP) IoT Project.
Even if a manufacturer could implement all the best secure design principles in their product, they would be mostly for naught if the end-user does not operate their device in a secure manner.
Consumer-facing IoT products may be plentiful, but their industrial counterparts, collectively referred to as Industrial Control Systems (ICS), manage numerous extremely important and potentially dangerous processes. Everything from energy production to factories uses embedded digital technology (referred to as Operational Technology or OT, in contrast to office-centric Information Technology or IT) to control the facilities and associated machinery responsible for performing the various processes. The ICS environment is sufficiently different from a strict IT environment that special considerations for hardening OT devices and ICS networks are warranted. The most fundamental principle is that ICS should not have a connection to the internet. While this seems like a no-brainer, it is surprising how often this fundamental rule is violated. For more information on how to secure ICS networks and devices, there are two security frameworks you should review: MITRE ATT&CK for ICS and MITRE ATT&CK for Enterprise.
The nature of where ICS systems are typically found (e.g., areas that are environmentally, chemically, or otherwise hazardous) means ICS has been designed to prioritize the availability of the systems over confidentiality. From a positive perspective, this typically means there are redundant systems and those systems are designed to fail safely. However, ICS systems can be left in operation for several decades and may not always be kept up-to-date. In addition, many of the protocols are older and were built with efficiency, not security, in mind. Bottom line, security in the ICS or IIoT space is uniquely challenging and best practices may be difficult to implement. However, embedded developers for such machinery should be cognizant of the need to modernize their design practices and incorporate security into future designs rather than treat it as a bolt-on afterthought.
Building and maintaining an accurate inventory of your systems, devices, and applications is critical to ensuring that your technical security controls operate effectively across your entire organization. This is simply because you need to know what you have before you can begin to secure it adequately. Having an accurate inventory when you develop your security program enables you to know which machines to scan for vulnerabilities and subsequently patch. Also, you will likely query your inventory for which specific devices to include in your security information and event management (SIEM) platform. Without a solid inventory, you might inadvertently exclude devices from your security controls, and those devices could give an attacker a foothold into your network.
The most basic inventory is a list of systems and devices found in your organization or environment. Enhance this list with security-relevant metadata including the make and model of the device and distinguishing characteristics such as:
More sophisticated inventories include additional metadata about a device such as:
Logical assets should include information that makes it easy to find the device or manage it in case of an incident. Examples of when you would use this information include:
The purpose of the inventory metadata is to aid in planning when designing new security controls as well as reduce the response time to discover impacted assets during a security incident.
Make sure your inventory is usable and accessible. For even the smallest inventories, give thought to the data structures used to organize and store the inventory so that you can easily filter and query for specific devices based on their metadata. In some cases, a simple web frontend to your inventory database might be a good solution to shield users from more complicated database schemas.
If you are not yet formally collecting an inventory, start with a simple list—a spreadsheet works fine—and evolve to a more sophisticated inventory management program as your needs expand. You will find there are many commercial and open-source inventory and asset management applications for all sizes of businesses and many offer demonstrations to test drive the features that best suit your purposes. Larger applications require maintenance and upkeep. It is important not to let the complexity of these programs overshadow the accessible and immediately usable benefits that even a simple, effective inventory list can provide. For example, a spreadsheet with data filters and pivots can quickly transform and present data into usable and actionable results without a lot of development. Of course, larger organizations that require multiple teams to regularly access and update inventory information might require a more sophisticated approach.
Consider leveraging inventory repositories already set up by other teams to uplift your own efforts. Finance, datacenter, or facility teams may already manage physical inventory for their own capital asset tracking, and this data may be a great starter to seed the data collection for at least a subset of your own data needs. Through cooperation with these other teams, you may be able to add assets that they might not collect—e.g., virtual machines—and augment their records with security-relevant metadata that enriches the larger repository.
Dynamically subscribing to another inventory repository might net you a treasure trove of inventory data already collected and managed by others. Be careful of one-time data extracts that could go stale over time. As your organization and own program grows, do not forget to scale your inventory processes as well lest they obsolesce. Store your inventory in an extensible and exportable format to facilitate sharing with other programs and systems. Even for smaller efforts, this will become important as your program grows from a simple spreadsheet into a custom database or commercial or open-source inventory application. Where possible, extend and integrate your inventory management processes into your move-add-change and change management processes to allow these programs to update your inventory data in concert with real changes to the environment.
A complete inventory that supports most security controls will represent both the physical and logical systems and devices in your environment. It is important to include cloud assets, as many of the same challenges to securing on-premises hosts also affect infrastructure as a service (IaaS) guests. Capturing cloud assets will require additional steps beyond those used to collect assets on your own managed network because the cloud assets might reside across multiple cloud subscriptions. However, the major cloud providers supply queries and application programming interfaces (APIs) that you can use to create dynamic reports or data extracts of your cloud assets, given the right subscription authorization.
I often think of the inventory count as the denominator for measuring the overall effectiveness and reach of your security controls. Think about your security scorecard. Your security scorecard might include a metric representing the percentage of systems patched for known vulnerabilities. You might feel pretty good thinking you patched 85% of your systems, but you might not feel so good if you later find out that this metric only represents half of your total systems. Showing the denominator for security metrics is essential and helps tell the whole story. Take for example these made-up metrics. If only 134 out of 200 devices connect to the newest logging system, then that might suggest that there is more work to do to enroll the remaining 66 devices. The dashboard on your commercial vulnerability scanner might report that it scanned 3,462 assets for vulnerabilities last week. Is that a good thing? It is tough to tell without the denominator. What if you are responsible for securing 4,000 assets, or possibly 10,000 assets, and the scanner only evaluated 3,462 of them for vulnerabilities? Having a complete inventory provides this denominator and completes the story of the overall effectiveness of the security control. Let's take one of the prior examples a bit further. Regardless of how many vulnerabilities are found on the 3,462 scanned assets, it is also essential to understand how many assets were not scanned and why. For example, was an IP range mistakenly left out, or was it a deliberate financial decision attributed to license costs? Knowing when a control is operating for only a subset of assets, and knowing why it is not operating for all assets, is important. This ensures you do not have any gaps in your security coverage and helps design mitigating controls where necessary.
A good inventory will also help you meet your compliance and audit obligations. For example, in the past, the Payment Card Industry Data Security Standard (PCI-DSS) considered systems that held or processed credit card data as in scope of the PCI-DSS controls and audits. Identifying and tagging the systems in your inventory with PCI-DSS relevant metadata ensures you apply the right security controls for every in-scope system. When requirements are updated, such as when PCI-DSS expanded in-scope systems to include all connected systems, you can update your inventory to reflect these changes and always have confidence that your controls are applied to the right assets.
Lastly, consider taking your inventory management to the next level by recording asset dependencies. For example, you might link a web server asset to the database asset that it relies upon in the inventory database. More advanced inventory management systems help manage these dependencies, and these relationships will help inform your security decisions. For example, patching a database server for a critical security vulnerability might require it to restart. Knowing which web servers this restart will affect enables others to prepare in advance.
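As an added illustration of the three ideas above (the inventory count as the denominator of a control's coverage, compliance tagging, and recorded dependencies), here is a small Python sketch that is not part of the original post. The assets, tags and scanner export are constructed sample data; the tag names and the "no-scan-licence" convention are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Asset:
    name: str
    ip: str
    kind: str                                    # web, db, lb, iot ...
    tags: Set[str] = field(default_factory=set)  # e.g. "pci" marks PCI-DSS scope
    depends_on: List[str] = field(default_factory=list)


# Constructed inventory (sample data, not a real environment).
INVENTORY: Dict[str, Asset] = {a.name: a for a in [
    Asset("lb-01",  "10.0.0.5",  "lb",  {"pci"}, ["web-01", "web-02"]),
    Asset("web-01", "10.0.1.10", "web", {"pci"}, ["db-01"]),
    Asset("web-02", "10.0.1.11", "web", {"pci"}, ["db-01"]),
    Asset("web-03", "10.0.1.12", "web", set(),   ["db-02"]),
    Asset("db-01",  "10.0.2.10", "db",  {"pci"}),
    Asset("db-02",  "10.0.2.11", "db"),
    Asset("cam-07", "10.0.9.7",  "iot", {"no-scan-licence"}),  # consciously excluded
]}

# Constructed scanner export: what the vulnerability scanner says it evaluated.
SCANNED: Set[str] = {"lb-01", "web-01", "web-02", "db-01", "db-02", "10.0.3.44"}


def coverage(scanned: Set[str], inventory: Dict[str, Asset]) -> dict:
    """Scanned-over-total for the control, plus the two lists that complete the
    story: inventory assets the scanner missed (with the recorded reason, if any)
    and scanner hits the inventory does not know about."""
    hit = [n for n in inventory if n in scanned]
    gaps = {n: ("excluded by licence" if "no-scan-licence" in a.tags else "unexplained")
            for n, a in inventory.items() if n not in scanned}
    unknown = sorted(scanned - set(inventory))
    return {"scanned": len(hit), "total": len(inventory),
            "pct": round(100 * len(hit) / len(inventory), 1),
            "gaps": gaps, "unknown_to_inventory": unknown}


def in_scope(tag: str, inventory: Dict[str, Asset]) -> List[str]:
    """Assets carrying a compliance tag, e.g. every PCI-DSS in-scope system."""
    return [n for n, a in inventory.items() if tag in a.tags]


def impacted_by(name: str, inventory: Dict[str, Asset]) -> Set[str]:
    """Everything that transitively depends on `name`: who to warn before a restart."""
    reverse: Dict[str, List[str]] = {}
    for n, a in inventory.items():
        for dep in a.depends_on:
            reverse.setdefault(dep, []).append(n)
    seen, todo = set(), [name]
    while todo:
        for n in reverse.get(todo.pop(), []):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen


if __name__ == "__main__":
    print(coverage(SCANNED, INVENTORY))
    print("PCI scope:", in_scope("pci", INVENTORY))
    print("Restart of db-01 affects:", sorted(impacted_by("db-01", INVENTORY)))
```

The "unexplained" gap (web-03) and the host the scanner saw but the inventory lacks (10.0.3.44) are the two findings a coverage dashboard without a denominator would never surface.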
Building and managing a complete inventory of all your physical and logical systems and devices will prove useful to your day-to-day security and operations. With an up-to-date inventory, you will have fewer blind spots and more confidence that your security controls are appropriately scoped and deployed to just the right assets.
Engineers working on mission-critical applications in mil/aerospace and other segments have for years followed some fundamental principles of security intended to reasonably protect their applications, systems, and networks. Traditionally, physical compartmentalization has been a key factor in ensuring security in security-sensitive applications, and entry to a secure area has required positive identification and authorized access by individuals. Enterprise security policies defined the rules of identification, authorization, and access privileges, and those were enforced by security officers who were expected to adopt a certain attitude of distrust in dealing with individuals. In today’s environment of interconnected devices and services, these fundamental principles remain vital to security, forming the foundation of zero trust security.
Zero trust distills the essence of security down to three principles:
With the emergence of bring your own device (BYOD) practices, companies have managed to overcome difficulties in defining policies and enforcing measures consistent with these principles in the conventional information technology (IT) domain. In IoT networks, and more generally operational technology (OT) networks, the idea of implementing zero trust across the hundreds or thousands of devices in an enterprise-level IoT application can seem daunting indeed. Nevertheless, achieving zero trust in the IoT environment can be made more accessible by focusing on three key security enablers:
The first enabler—hardware-based security mechanisms—provides the critical foundation for IoT security. IoT developers can choose from a wide range of security-enabled devices including security-enabled processors, secure elements, secure memory, cryptographic devices, and other devices able to support secure authentication and secure communications using trusted credentials. The availability of processors that enable hardware-based root of trust allows developers to dramatically minimize the possibility that IoT endpoint and edge devices themselves could be compromised, enabling hackers to co-opt a seemingly “trusted” device to penetrate deeper into the enterprise. The trust established at the very periphery of the IoT must be maintained at each higher layer of an IoT application. As companies build out large-scale IoT applications, however, legacy devices built with little or no security will complicate this sort of ideal greenfield security implementation, but even these devices can be isolated within subnetworks managed by highly secure edge devices.
The next enabler—defined security policies—might be the toughest for fast-growing high-tech companies, especially those who’ve established their success on quick action and reaction. Conversely, established enterprises with solid IT security policies might face some challenges in adapting those policies to the IoT domain. It’s not a trivial task to establish practical security policies that define the characteristics of authorized access across each layer and compartment in a complex IoT application. Developers can’t assume that any device or service already connected to the network can be trusted with privileged access to deeper areas of the application. Defining policies with broad brush strokes will likely provide hackers with a set of wide-open doors to sensitive information, critical services, or enterprise resources. It might not be easy to define all the required rules, but doing so is essential. Fortunately, IoT platforms from the major cloud providers offer a solid foundation of services built specifically to simplify implementation of the security rules associated with each resource and communications channel in IoT applications of any size and complexity.
The final enabler—security health monitoring—emphasizes the need to remain vigilant for new sources of potential threats and actual attacks. Not every new threat requires urgent action, but it should at least initiate an analysis of the risk (in all its facets) associated with the threat. On the other hand, an attack that successfully penetrates security measures should quickly initiate an appropriate response—whether it’s disabling the entry point used for the attack, uploading new security credentials, shutting down the affected endpoints or subnetwork, or more. Cloud providers and a growing number of third-party software vendors offer security monitoring software that monitors vulnerability databases for new threats, identifies potential attack surfaces, detects attacks, and generally provides developers and users with greater visibility into the security posture of their devices, networks, systems, and software.
It’s not that hard to find processors that enable building trusted operating environments on a hardware root of trust. It’s also not hard to find services able to support end-to-end security: If you look at zero trust support from leading IoT cloud providers like Amazon and Microsoft, you find largely the same architectural diagrams that they use to highlight their broader range of services. The real missing piece in implementing zero trust in IoT—the piece that you can’t buy off-the-shelf—is taking the time to define your security policies and having the will to ensure end-to-end enforcement in IoT applications.
Copyright ©2024 Mouser Electronics, Inc.