Wednesday, November 25, 2009

Software installation

Blog Has Moved

Link to the same post in the new blog: Software installation

One of the most important rules of server hardening is limiting the exposure surface.

I guess it's OK to install a product (from the operating system to office applications) on a developer's or user's desktop using the default installation method (which in many cases means a full product installation, since most of us don't bother to read what it means and just click Next to continue).

However, on a production environment, every additional component means additional exposure surface, additional disk space and additional CPU and memory usage, all of which are critical on production systems.
It is time to read the product documentation and understand what each and every component does on the system.
A custom or minimal installation is the best practice in this case.
We don't need any sample pages, product documentation or help files, or even demo scripts, web applications or databases.

Another best practice is to limit anonymous, guest or any other non-authenticated access to sensitive areas of our application, such as the administrative sections of web applications.
The best practice is to configure authentication for administrative sections using the application's built-in capabilities: strong passwords, dedicated accounts with privileges limited to certain parts of the application, certificate authentication or, if nothing else is possible, the file system permissions of the hosting operating system.

Another crucial part, for applications that start their own service to listen for outside requests, is to use the least-privilege security model: load the service under a non-administrative (non-root) account, restricted to running that specific application and holding the least amount of privileges on the operating system.
The reason is that if, for example, I am using an application that depends on Java, and there is a flaw in the Java runtime that allows an attacker to break the Java security mechanism, your server might be vulnerable as well, and the damage is bounded by the privileges of the account running the service.

Another point to think about is software upgrades. You may do a good job during application installation and configuration, but the next product upgrade or security hotfix might bring back sample applications or change the file system privileges.
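A practical way to catch exactly that regression is to snapshot the hardened install and re-audit it after every upgrade. The script below is an added example, not code from the original post: it records permission bits and owner for every path, then flags re-appeared sample content, changed modes or owners, and world-writable files. The marker names and the temporary directory tree it builds are constructed for illustration.

```python
import os
import stat
import tempfile

# Illustrative markers of content a minimal install should not carry (assumption, not exhaustive).
UNWANTED = ("sample", "samples", "demo", "docs", "help")

def snapshot(root):
    """Map each path under root to its (permission bits, owner uid)."""
    seen = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            seen[os.path.relpath(full, root)] = (stat.S_IMODE(st.st_mode), st.st_uid)
    return seen

def audit(baseline, current):
    """Compare a post-upgrade snapshot with the hardened baseline; return findings."""
    findings = []
    for rel, (mode, uid) in sorted(current.items()):
        if rel not in baseline:
            kind = "sample_content_returned" if any(
                p in UNWANTED for p in rel.lower().split(os.sep)) else "new_path"
            findings.append((kind, rel))
            continue
        old_mode, old_uid = baseline[rel]
        if mode != old_mode:
            findings.append(("mode_changed", rel, oct(old_mode), oct(mode)))
        if uid != old_uid:
            findings.append(("owner_changed", rel))
        if mode & stat.S_IWOTH:
            findings.append(("world_writable", rel))
    return findings

def demo():
    # Constructed scenario: harden, snapshot, simulate an upgrade, re-audit.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "conf"), 0o750)
    conf = os.path.join(root, "conf", "app.conf")
    with open(conf, "w") as fh:
        fh.write("placeholder")
    os.chmod(conf, 0o640)                      # hardened: no world access
    baseline = snapshot(root)
    # Simulated vendor upgrade: sample pages return and the config becomes world-writable.
    os.mkdir(os.path.join(root, "samples"))
    with open(os.path.join(root, "samples", "demo.jsp"), "w") as fh:
        fh.write("<%-- sample page --%>")
    os.chmod(conf, 0o666)
    return audit(baseline, snapshot(root))
```

Run the baseline snapshot right after hardening, store it outside the application tree, and compare against it as part of every upgrade or hotfix procedure.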

Tuesday, November 24, 2009

Information leakage


Information is all around us. We don't even realize how much information we share with everyone, and I have two examples to think about.

Business cards
We tend to give away our business cards to colleagues and potential customers without realizing how much people can learn about us.
We put our mobile phone number on it, so now people can reach us 24/7.
We put our office phone number, something such as 917-999-6666, and now a potential attacker knows that most of our company's phone extensions (and maybe our fax and modem lines) begin with 917-999-xxxx and that our extension is probably 6666 (I wonder whom I will reach by trying 6665 or 6667...).
We put our fax number, which can be used by spammers and advertisers we once met at a trade fair.
We put our email address, something such as johnd@somecompany.com (in most cases, our username for the internal company assets will be something such as Johnd).

Voicemail / out-of-the-office message
We tend to leave a message on our voice mail or on our company mailbox, information such as:
"Hi, you've reached John Doe, from the sales department. I will be out of the office between July 28th and August 2nd. In case of emergency, you may contact Linda Smith, at 5435742, ext. 2"
If I were a potential hacker, I would now know that John will be out of the office, his department name, the dates he will not be available, who replaces him while he is out of the office, and how to reach her.
Instead of giving away all this information, why not use something polite and simple, such as:
"Hi, I will be out of the office. You may send me emails and I will get back to you as soon as I return to the office."

Think about it the next time you share information, and don't forget that everyone on the internet can see it: the next time you share photos from your wonderful vacation on Facebook, or post what a great day you had on Twitter, just after you told your boss you are not coming to the office today because you are not feeling well.

Introduction


Andy Grove, the former Intel CEO, used to say "Only the paranoid survive".

As an information security professional with more than 7 years in the field, I can tell you that even though I don't consider myself paranoid, people expect me to think outside the box, and the only way I see to do that, to see the world through the eyes of a potential attacker, is to be paranoid.

I have opened this blog in order to share with you my point of view and my experience in the security and technology field, looking at the world from a holistic and vendor-neutral point of view as much as possible.