In Configuration We [Still] Trust

Marc Maiffret, March 22nd, 2012

It has been roughly a year since we released our original paper titled “In Configuration We Trust.” The goal of that research was to try to draw awareness to the fact that a lot of security improvement can be made simply by how you architect your network and configure your operating systems and applications. These recommendations can not only help stop the run-of-the-mill drive-by attacks but also even some of the more sophisticated, dare we say APT, attacks. We’ve updated that research, which can be found here, and have also added a new tool into the mix. Why did we do all this? Let’s talk about that.

The larger goal of the paper though is to work towards trying to change the conversation in security. We far too often focus on the outcome of some new threat or malware. We analyze every single bit of data about what some new malware does to a system and the fallout from such an attack. We far too often fail to ever answer the simple questions: How did the malware or attack happen in the first place and what could have been done to prevent it?

People were rather surprised in our original paper to hear that even such well-covered attacks as Aurora or Stuxnet could have been defeated or crippled through simple security measures such as web proxies and proper file permissions. But these things should not be surprising when you think about how much time and energy our industry spends on reacting vs. preventing.

We suffer from a culture that is similar to the healthcare world in which people are more concerned with finding the next magic pill to improve their life instead of putting in the effort to do the simple and effective things such as eating right and exercising.

Security, just as in life, has no silver bullet, and while there is indeed a very clear place for preventative security technologies, these things alone are not enough, and there is no appliance you can rack nor single solution you can install that will make you secure. This should come as no surprise, though, when you step back and think about it.

I am often asked at security conferences by people working in IT, “Why is nothing working? Why is my Anti-Virus and IPS failing me?” and the answer really is a play on Dan Geer’s famous monoculture argument, except in this case I am referring to the Security Monoculture rather than Geer’s original focus on Operating Systems, namely Microsoft.

The fact is everyone is using one of the main two anti-virus solutions and one of the four main intrusion prevention systems. It becomes easy for attackers to understand exactly what defenses they are up against and it is only a matter of time until their exploit and malware can overcome those defenses. This is of course something that is happening on a daily basis and why people working in IT have become beyond frustrated in dealing with security.

You must step outside the security monoculture. This does not mean getting rid of your security solutions but rather adding security to your network and operating systems that is unique and tailored to your environment. It comes down to the customization you do around your network architecture and your overall systems attack surface.

So why then do we find ourselves in a situation where even some security experts try to talk people out of proper network architecture and system configuration? Surely we do not suggest in our paper nor believe that any one configuration change is going to stop all attacks or malware. Rather the goal of proper architecture and configuration is to raise the bar of what it takes for a system to be compromised.

There will always be cynics in any walk of life, and the security industry is absolutely overflowing with them. You hear them all the time, people willing to say it is good advice to recommend that people do not even do the basics of network and system security because those things are not foolproof. It would seem obvious that of course nothing is foolproof, but even more obvious to me is that IT people are absolutely tired of people in security telling them everything that does not work instead of trying to ever share what is working.

Clearly, proper network architecture and system configuration is something we believe strongly in. When we wrote the first version of our paper we gave just a few simple examples of some configuration and network changes that could be made to help increase your organization’s level of security. These are to serve not as the end-all, be-all list of what will improve your security, but as a starting point to hopefully shift the dialogue to move beyond only talking about what is not working in security.

We are also releasing a free configuration scanning tool that will audit your environment for a handful of the things we discussed so you can get a quick pass/fail look at how your environment fares. These checks alone will not tell you if your security is good enough or not, but if you are failing more than a couple, you probably have some work to do in reviewing your network architecture and system configuration.

Our hope is to continue to try and push the security conversation to not just be about what the next major threat does but how to prevent it. This tool is simply to create awareness to that end and we look forward to you continuing the conversation with us on real-world ways IT can improve security. You can grab the white paper and tool from here: