Top 10 Network Security Mistakes - #2: Dude, Where's My Ware?
I can admit that I’m a flawed human in many ways. I work too much. I get distracted easily. I snore. The list goes on and on. One of my most vexing traits is a tendency to overlook the basics in favor of complicated details. It is deceptively easy to overlook dated *wares.
This is a massive problem because wares underpin all your other efforts. A flawless firewall or IPS design is useless if there is a known vulnerability in the SSH daemon on the device.
Add to that an ever-expanding matrix of wares to keep track of, and you’ve got a mess to manage: Hardwares, Firmwares and Softwares, oh my! Some solutions may even have more than one type of ware. So, how do we ensure that we don’t overlook something so potentially critical?
Generally speaking, one can’t really patch hardware. But, when you buy a physical appliance, there will come a day when it is no longer supported. That means new firmware and/or software updates will eventually cease to work correctly, which means that eventually, that device will be on dated wares.
Many organizations adopt the “if it ain’t broke, don’t fix it” mantra. That’s understandable from a pursuit-of-many-nines standpoint, but organizations often miss that they are mortgaging their long-term stability. What happens when you can’t fix a known bug because the proper version won’t run on your hardware? What if the vendor can’t RMA your old box because they don’t have them anymore? It’s going to be a long, sweaty explanation to some very unhappy people.
Push your luck at the blackjack table, not in the datacenter.
Back in my day, a lot of infrastructure devices were purpose-built (and we liked it!). Those devices had firmware that was essentially a hybrid OS and a collection of low-level device drivers.
More and more, appliances are merely commodity servers running a standard OS in a pretty box. This means fewer firmware issues (exceptions include RAID cards, NICs and other specialized components), but it’s a good idea to keep tabs on what every device has under the hood. If you’re not sure, ask your vendor.
If you want to have some fun, force your sales guy to answer that question without involving his sales engineer before you sign any purchase orders.
Devices with firmware must be tracked and kept current. Outdated firmware can leave system devices and services exposed. This is a very sneaky and easily overlooked component to the overall architecture.
You can’t really avoid software.
Okay sure, you could abandon society and live off the grid while you dance your soul free at drug-ridden music festivals, but if that were the case, this blog would be the last thing on your mind (right below contributing to society and paying back your parents).
For the rest of us, hopefully not much needs to be said about keeping software up to date. This is especially true for systems with a web management interface, which is pretty much everything these days (a trend with which I disagree strongly, but I’ll curb my digression here), so beware. Updates, patches and upgrades are extremely important to avoid vulnerabilities in components that may be used to construct exposed services.
Sadly, there is a balancing act in many situations. “Latest and greatest” are two words that are said together much more frequently than they should be. Latest releases may have new features and new problems. Greatest, in many cases, is a revision that is several versions back from Latest. I know many organizations that stay just ahead of the end-of-support versions. Those are typically the most stable versions.
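As an added illustration (not code from the original post), here is a small Python inventory check that does the bookkeeping the last few sections ask for: every device is listed with each of its wares, and the script flags hardware that is past its support date, firmware or software whose end-of-support is inside the next maintenance-planning window, anything whose support status nobody has asked the vendor about, and versions that have fallen behind the oldest release the vendor still supports. The device names, versions, dates and vendor minimums are constructed sample data, not real products.

```python
"""Flag dated *wares in a device inventory (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ware:
    device: str                      # appliance or host name
    kind: str                        # "hardware", "firmware" or "software"
    component: str                   # chassis, RAID controller, NIC, management UI ...
    version: Optional[str]           # None for hardware, which you can't patch anyway
    end_of_support: Optional[date]   # vendor-published date; None if nobody has asked


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.10.2' into (4, 10, 2) so versions compare numerically, not as strings
    (a string compare would wrongly rank '4.8.1' above '4.10.0')."""
    return tuple(int(part) for part in text.split("."))


def assess(ware: Ware, today: date, minimums: Dict[str, str],
           warn_days: int = 90) -> List[str]:
    """Return the findings for one ware; an empty list means nothing to do."""
    findings = []
    if ware.end_of_support is None:
        findings.append("support status unknown: ask the vendor")
    elif ware.end_of_support < today:
        findings.append("past end of support since %s" % ware.end_of_support)
    elif ware.end_of_support - today <= timedelta(days=warn_days):
        days = (ware.end_of_support - today).days
        findings.append("end of support in %d days: schedule a maintenance window" % days)
    # Version check only applies where there is a version and a vendor baseline.
    minimum = minimums.get(ware.component)
    if ware.version is not None and minimum is not None:
        if parse_version(ware.version) < parse_version(minimum):
            findings.append("version %s is below supported minimum %s"
                            % (ware.version, minimum))
    return findings


def dated_wares(inventory: List[Ware], today: date, minimums: Dict[str, str],
                warn_days: int = 90) -> Dict[Tuple[str, str], List[str]]:
    """Map (device, component) -> findings for every ware that needs attention."""
    report = {}
    for ware in inventory:
        findings = assess(ware, today, minimums, warn_days)
        if findings:
            report[(ware.device, ware.component)] = findings
    return report


# Constructed sample inventory: hypothetical devices, versions and dates.
INVENTORY = [
    Ware("fw-edge-1", "hardware", "chassis", None, date(2019, 6, 30)),
    Ware("fw-edge-1", "software", "firewall OS", "4.8.1", date(2021, 3, 31)),
    Ware("fw-edge-1", "firmware", "SSH daemon image", "2.1", None),
    Ware("vpn-gw-1", "hardware", "chassis", None, date(2024, 12, 31)),
    Ware("vpn-gw-1", "firmware", "RAID controller", "3.4.0", date(2020, 12, 15)),
    Ware("vpn-gw-1", "software", "management UI", "6.2.0", date(2024, 12, 31)),
]

# Constructed vendor baseline: oldest release still supported per component.
SUPPORTED_MINIMUM = {
    "firewall OS": "4.10.0",
    "RAID controller": "3.2.0",
    "management UI": "6.2.0",
}

AS_OF = date(2020, 10, 1)   # the day the check is run (fixed so results are repeatable)


def sample_report() -> Dict[Tuple[str, str], List[str]]:
    """Run the check over the constructed inventory."""
    return dated_wares(INVENTORY, AS_OF, SUPPORTED_MINIMUM)


if __name__ == "__main__":
    for (device, component), findings in sorted(sample_report().items()):
        for finding in findings:
            print("%s / %s: %s" % (device, component, finding))
```

Run as-is it lists the expired chassis, the firewall OS that is two minor releases behind, the firmware image nobody has a support date for, and the RAID controller due for end of support inside the 90-day window; the two wares that are current and in support produce no output. The `warn_days` window is the lever to tie this to your maintenance-window cadence.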
Keep up on current news.
I know - you’re already information overloaded. I can’t keep up, and frankly, I don’t know how anyone does. But, don’t roll over and give up. Check Reddit, follow smart insomniacs on social media, set up special Google News sections, use IFTTT to build rules that make what you care about flash your IoT lights, something, anything to keep up! Just try, okay?
Sign up on vendor mailing lists.
This is an easy win. Ask your solution vendors how to keep current. Most have mailing lists, Twitter feeds or smoke signals you can keep an eye on.
Engage pro services or service providers.
If you’re already oversubscribed, reach out to your vendors or VARs and engage some resources on a regular basis to help assess your environment and maybe even do the upgrades. Sure, this isn’t free, but they will spend much less time than you will to get results, so it generally works out in the end. Plus, now when the upgrade goes sideways, you can blame someone else. Goats are nice.
Proactively set up maintenance windows and manage expectations for the organization.
Don’t let your organization put you in a box on maintenance windows. The best response to “We can’t afford downtime” is “Would you rather plan for an interruption or be surprised by one?” Because, those are pretty much the options. Plan, execute, repeat.
For those of you keeping track, this concludes installment 9 of 10 in this series. While you anxiously await #1 like an obsessive Apple fanboy, consider getting your wily wares wrangled.
- #10 - Incorrectly Deployed DMZ Networks
- #9 - Bad Password Hygiene
- #8 - Insecure Admin Access
- #7 - Permissive Access Controls
- #6 - Insufficient Logging & Monitoring
- #5 - Lack of Segmentation
- #4 - Interior Malign
- #3 - Belief in Perimeter Security
- #1 - Not Looking Beyond Layer 7