Security Through Obscurity vs. Configuration Management
One of the bedrock principles of the information technology (IT) security field for the past generation has been that strict hardware and software configuration management is the path to reducing security vulnerabilities. In light of some recent changes on the network intrusion front, I am beginning to question the value of this principle… or at least wonder if it is high time that we re-evaluate its balance.
Configuration Management is the process by which you minimize the number of variants of hardware, operating system, and software that you have fielded simultaneously on your enterprise network. The ideal case would be to have only one desktop system, one server model, one operating system for each, and the exact same applications on all of them. The reality is that user requirements differ, not every operating system and application runs on the same hardware, and modernization, refresh, and replacement always increase the variance found. A realistic finding is that all of the computers come from one hardware manufacturer, span two to three generations, and are all running one company’s OS, differing only by version and server/client edition.
The problem is that today, the offense is getting much better, faster, and more effective at covering their tracks. If you have a homogeneous network, then while you have minimized your total number of vulnerabilities by definition, you have also ensured that the exact same hardware and software weaknesses exist on every single machine. If the bad guys do get a foothold, they will quickly be able to gain the keys to the kingdom. If the threat is malware that is attempting to set up a botnet and co-opt your network into conducting clandestine operations, then your configuration management security blanket is actually greasing the skids! You could be one good attack away from total shutdown.
So is there an alternative? The idea, which is as old as Internet time, is a take-off of “security through obscurity”. The basic idea is that by intentionally creating a mix of hardware, operating systems, patch states, and application versions you may actually decrease your chances of one silver bullet taking the entire thing down. Would having a mix of Macs, PCs, and Linux boxes with a corresponding operating system palette actually be more effective at maintaining capability through a dedicated attack?
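To put numbers on the trade-off described above, here is a small risk model added for this post (it is not from the original article). It assumes a fleet split across platforms, where each platform independently has a working exploit available to the attacker with probability `p` and one exploit takes every host on that platform; the platform shares and the value of `p` are constructed illustrations, not measured data.

```python
"""Monoculture vs. diversity: the blast radius of one working exploit.

Assumed model (constructed for this example):
  * the fleet is split across platforms; shares[i] is the fraction of
    hosts on platform i (shares sum to 1.0);
  * each platform independently has an exploitable weakness with
    probability p;
  * one working exploit compromises every host on its platform.
"""
from itertools import product


def compromise_distribution(shares, p):
    """Return {fraction_of_fleet_compromised: probability} by enumerating
    every combination of 'platform i is exploitable / is not'."""
    dist = {}
    for hit in product((False, True), repeat=len(shares)):
        prob, frac = 1.0, 0.0
        for share, exploitable in zip(shares, hit):
            prob *= p if exploitable else (1.0 - p)
            frac += share if exploitable else 0.0
        frac = round(frac, 6)            # avoid float keys such as 0.30000000000000004
        dist[frac] = dist.get(frac, 0.0) + prob
    return dist


def summarize(shares, p):
    """P(any host falls), P(whole fleet falls), expected fraction lost."""
    dist = compromise_distribution(shares, p)
    return {
        "p_any": 1.0 - dist.get(0.0, 0.0),
        "p_all": dist.get(1.0, 0.0),
        "expected_fraction": sum(f * q for f, q in dist.items()),
    }


def prob_outage_at_least(shares, p, threshold):
    """P(at least `threshold` of the fleet is down): a 'capability lost' test."""
    dist = compromise_distribution(shares, p)
    return sum(q for f, q in dist.items() if f >= threshold)


if __name__ == "__main__":
    P_EXPLOIT = 0.2                       # constructed per-platform exploit probability
    for label, shares in (("monoculture", [1.0]),
                          ("two platforms 50/50", [0.5, 0.5]),
                          ("three platforms 60/30/10", [0.6, 0.3, 0.1])):
        s = summarize(shares, P_EXPLOIT)
        half_down = prob_outage_at_least(shares, P_EXPLOIT, 0.5)
        print(f"{label:26s} p_any={s['p_any']:.3f} p_all={s['p_all']:.3f} "
              f"E[lost]={s['expected_fraction']:.3f} P(>=50% down)={half_down:.3f}")
```

Under this model diversity does not change the expected fraction of hosts lost (it stays at `p`); it trades a higher chance that *something* is hit for a much lower chance of the “total shutdown” the post worries about, and the 60/30/10 case shows that an uneven mix with one dominant platform recovers little of that benefit.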
Here is how Wikipedia introduces the idea of “security through obscurity”:
“Security through obscurity (sometimes called security by obscurity) is a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security…
A system may use security through obscurity as a defense in depth measure; while all known security vulnerabilities would be mitigated through other measures, public disclosure of products and versions in use makes them early targets for newly discovered vulnerabilities.”
For additional reading on this very interesting polarity management case, consider these links:
- Slashdot.org – Why Security-Through-Obscurity Won’t Work
- Wikipedia – Kerckhoffs’ principle
- Techrepublic.com – The value of accidental security through obscurity
- The Free Encyclopedia – security through obscurity
Obviously there are pros and cons to both approaches, and there is some stable point where the balance board between the two produces the optimal state of modern network security. The real question is whether it is time to actually question the paradigm of rigorous configuration management. Maybe we need to think in terms of configuration optimization vice minimization. I think that it is time to think this through again.
Does your organization have any experience with this topic? Does anyone have any lessons learned or case studies on it? How about any anecdotes of success or failure? Please comment.
That is my Information Technology Thought of the Day for September 3, 2009.
image credit: City of Haverville
This entry was posted by Scott Coughlin on September 3, 2009 at 4:03 am, and is filed under Business of IT, Hardware, Information Assurance, Information Technology, Operating Systems, Security. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Amazing! It is not clear to me how often you update your http://www.itthoughtoftheday.com.