Vulnerability Management - Proactive Approaches

By Jamie Herman posted 05-13-2014 15:52


We’ve had some recent fire drills around zero-days and major encryption vulnerabilities, and hopefully we’ve taken steps not only to better understand how the seemingly simplest of vulnerabilities can become a significant incident, but also to become better at responding to and handling the treatment of these risks.

If you don’t currently have a formal vulnerability management program in place, then you rely more heavily on the announcement of Heartbleed-type vulnerabilities and take a reactive approach to mitigating these risks as they exist in your environment. Of course nothing is a sure thing with security, and as many have said, an attacker has to be right only one time out of 100 to be successful, while security tools are 99% effective, so we are in quite the predicament. There are some things we can and should be doing to deal with these risks, which should put everyone in a slightly less uncomfortable position for when the next big remote code execution or privilege escalation vulnerability comes to light.

  1. Privileged accounts - Stop IT admins and others (if there are others) from using an account with elevated permissions when logging in to their standard computer. This will be a huge help against the many vulnerabilities that rely on privilege escalation to cause significant disruption and gain deeper access to your environment. You can create a separate account for each admin-type role required, but these should not be used as standard logins…full stop!
  2. Identify your critical assets and the systems that house them - Ensure these systems are patched and kept up to date, keeping in mind compatibility with other business-critical applications and one-off custom software packages that coexist on the network.
  3. Collaboration - Engage other system owners early and often in discussions around best practice and the use of their systems. Identifying a point of contact in your incident response plan for each system will help minimize the scrambling when something happens or when a vulnerability needs immediate remediation. Leverage the expertise around you, as others often think of details you might otherwise miss from your own perspective.
  4. Production systems - Just because a user isn’t hitting a system to do their daily work doesn’t mean it’s not production, and more importantly, doesn’t mean it isn’t vulnerable. Document and communicate your process for scanning and patching servers in all situations (e.g., proof-of-concept systems), so the entire group can develop good habits around not plugging any system into the network that increases the firm’s risk. The last thing you want is a system that someone “thought” was harmless introducing an entry point into your network or increased risk to the firm. As Joe Daw mentioned in an earlier blog post, get a handle on your assets and maintain an asset management system of some kind. If you don't know what's in your environment, how can you know whether it needs to be updated?

All of these are cost effective (free, minus the soft cost for resources) ways to deal with the continually evolving landscape of exploits, vulnerabilities, and rapidly changing systems converging across the enterprise.

There are researchers and other groups working tirelessly to identify what many software manufacturers do not know, or simply do not share with the general public, and unlike what the dentist told you (“ignore your teeth and they will go away”), vulnerabilities are not like teeth! They will not just go away, and you cannot simply ignore them and keep your fingers crossed whenever a vulnerability that poses significant impact to your environment is announced. So while it certainly feels like a hamster wheel at times, staying ahead of the risks to your environment is a little bit easier when you take a more proactive approach.

#RiskManagement #LegalSEC #InformationGovernanceorCompliance #ServerOperationsandSecurity