This section covers the vulnerabilities found across the many technologies in an environment. You should feel comfortable reviewing an IT environment, spotting its vulnerabilities and proposing solutions to mitigate them. To do this, you need to understand the types of vulnerabilities often present in an environment and be familiar with the mitigation options.
- Client-based systems. Client computers are the most attacked entry point. An attacker tries to gain access to a client computer, often through a phishing attack. Once a client computer is compromised, the attacker can launch attacks from the client computer, where detection is more difficult compared to attacks originating from the internet. Productivity software (word processors, spreadsheet applications) and browsers are constant sources of vulnerabilities. Even fully patched client computers are at risk due to phishing and social engineering attacks. To mitigate client-based issues, you should run a full suite of security software on each client computer, including antivirus, anti-malware, anti-spyware and a host-based firewall.
- Server-based systems. While attackers often target client computers initially, their goal is often gaining access to a server, from which they can gain access to large amounts of data and potentially every other device on the network. To mitigate the risk of server-based attacks (whether attacking a server or attacking from a server), you should patch servers regularly, within days of new patches being released, and even sooner for patches for remote code execution vulnerabilities. In addition, you should use a hardened operating system image for all server builds. Last, you should use a host-based firewall to watch for suspicious traffic going to or from servers.
- Database systems. Databases often store a company’s most important and sensitive data, such as credit card transactions, employees’ personally identifiable information, customer lists, and confidential supplier and pricing information. Attackers, even those with low-level access to a database, might try to use inference and aggregation to obtain confidential information. Attackers might also use valid database transactions to work through data using data mining and data analytics.
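As an added example that is not part of the original text, the following Python script shows the aggregation and inference problem described above on a small constructed HR table, together with the classic query-set-size control used to mitigate it: an aggregate is answered only when both the group it describes and that group's complement contain at least k people. The table, the salary values, the policy constant MIN_GROUP_SIZE and every function name are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample data for this example (not from the page): individual salaries are
# confidential, but department-level statistics are allowed to be reported.
EMPLOYEES = [
    ("alice", "engineering", 120000),
    ("bob", "engineering", 110000),
    ("carol", "engineering", 130000),
    ("dave", "finance", 95000),
    ("erin", "finance", 105000),
    ("frank", "legal", 150000),  # sole member of "legal": any legal-only statistic is his salary
]

# Assumed policy value: a statistic may not describe fewer than k individuals.
MIN_GROUP_SIZE = 3


def build_db():
    """Load the constructed data into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def _query_set(conn, dept, exclude):
    """Count and salary sum of the rows in dept (exclude=False) or outside it (exclude=True).
    The operator is chosen internally; dept itself is always passed as a bound parameter."""
    op = "!=" if exclude else "="
    sql = f"SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM employees WHERE dept {op} ?"
    return conn.execute(sql, (dept,)).fetchone()


def grand_total(conn):
    """Company-wide headcount and payroll, assumed to be public (e.g. in an annual report)."""
    return conn.execute("SELECT COUNT(*), SUM(salary) FROM employees").fetchone()


def total_unrestricted(conn, dept, exclude=False):
    """Naive reporting interface: answers every aggregate, regardless of group size."""
    return _query_set(conn, dept, exclude)[1]


def total_guarded(conn, dept, exclude=False, k=MIN_GROUP_SIZE):
    """Query-set-size control: refuse unless both the query set and its complement
    contain at least k rows. The complement check is what blocks the subtraction
    trick modelled in infer_single_salary."""
    n_all = grand_total(conn)[0]
    count, total = _query_set(conn, dept, exclude)
    if count < k or n_all - count < k:
        return None
    return total


def infer_single_salary(conn, dept, total_fn):
    """Aggregation problem as an auditor would model it: subtract the 'everyone except
    dept' total from the public grand total. Returns None if the interface refuses."""
    other = total_fn(conn, dept, exclude=True)
    if other is None:
        return None
    return grand_total(conn)[1] - other


if __name__ == "__main__":
    db = build_db()
    print("direct query, naive:   ", total_unrestricted(db, "legal"))                       # 150000
    print("subtraction, naive:    ", infer_single_salary(db, "legal", total_unrestricted))  # 150000
    print("direct query, guarded: ", total_guarded(db, "legal"))                            # None
    print("subtraction, guarded:  ", infer_single_salary(db, "legal", total_guarded))       # None
    print("engineering, guarded:  ", total_guarded(db, "engineering"))                      # 360000
```

Query-set-size control is a first layer, not a complete defence: several overlapping queries that each pass the size check can still be combined to isolate one record, so production reporting systems add query auditing or add noise to results (differential privacy) on top of it.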
- Cryptographic systems. The goal of a well-implemented cryptographic system is to make a compromise too time-consuming (such as 5,000 years) or too expensive (such as millions of dollars). Each component has vulnerabilities:
- Software. Software is used to encrypt and decrypt data. It can be a standalone application with a graphical interface, or software built into the operating system or other software. As with any software, there are sometimes bugs or other issues, so regular patching is important.
- Keys. A key dictates how encryption is applied through an algorithm. A key should remain secret; otherwise, the security of the encrypted data is at risk. Key length is an important consideration. To defend against quick brute-force attacks, you need a long key. Today, a 256-bit key is typically the minimum recommended for symmetric encryption, and a 2048-bit key is typically the minimum recommended for asymmetric encryption. However, the length should be based on your requirements and the sensitivity of the data being handled.
- Algorithms. There are many algorithms (or ciphers) to choose from. It is a good practice to use an algorithm with a large key space (a key space represents all possible permutations of a key) and a large random key value (a key value is a random value used by an algorithm for the encryption process). Algorithms are not secret, but instead well known.
- Protocols. There are different protocols for performing cryptographic functions. Transport Layer Security (TLS) is a very popular protocol used across the internet, such as for banking sites or sites that require encryption. Today, most sites (even Google) use encryption. Other protocols include Kerberos and IPsec.
- Industrial Control Systems (ICS). Supervisory control and data acquisition (SCADA) systems are used to control physical devices such as those found in an electrical power plant or factory. SCADA systems are well suited for distributed environments, such as those spread out across continents. Some SCADA systems still rely on legacy or proprietary communications. These communications are at risk, especially as attackers are gaining knowledge of such systems and their vulnerabilities.
- Cloud-based systems. Unlike systems on-premises, cloud-based systems are mainly controlled by cloud vendors. You often will not have access to or control of the hardware, software or supporting systems. When working with cloud-based systems, you need to focus your efforts on areas that you can control, such as the network entry and exit points (use firewalls and similar security solutions), encryption (use for all network communication and data at rest), and access control (use a centralized identity and access management system with multi-factor authentication). You should also gather diagnostic and security data from the cloud-based systems and store that information in your security information and event management system. With some cloud vendors, you might be able to configure aspects of the service, such as networking or access. In such scenarios, ensure that your cloud configuration matches or exceeds your on-premises security requirements. In high-security environments, your organization should have a dedicated cloud approach. Last, don’t forget to look at the cloud vendors and understand their security strategy and tactics. You should be comfortable with the vendor’s approach before you use their cloud services.
- Distributed systems. Distributed systems are systems that work together to perform a common task, such as storing and sharing data, computing, or providing a web service. Often, there isn’t centralized management (especially with peer-to-peer implementations). In distributed systems, integrity is sometimes a concern because data and software are spread across various systems, often in different locations. To add to the trouble, replication often duplicates data across many systems.
- Internet of Things (IoT). Like cloud-based systems, you will have limited control over IoT devices. Mostly, you will control only the configuration and updating, and you should spend extra time understanding both. Keeping IoT devices up to date on software patches is critically important. Without the latest updates, devices are often vulnerable to remote attacks from the internet. This is riskier than for internal-only devices. On the configuration side, you should disable remote management and enable secure communication only (such as over HTTPS), at a minimum. As with cloud-based systems, review the IoT vendor to understand their history with reported vulnerabilities, response time to vulnerabilities and overall approach to security. Not all IoT devices are suitable for enterprise networks.