Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/26/2018
10:30 AM
Tom Thomassen
Tom Thomassen
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Secure by Default Is Not What You Think

The traditional view of secure by default - which has largely been secure out of the box - is too narrow. To broaden your view, consider these three parameters.

Secure by default is not a new issue, but it is an ever-increasing challenge. That’s because enterprise environments continue to become more complex as IT capabilities increase and the sheer volume of data grows exponentially. Technology stacks have many moving parts, with a lot of unique dependencies and requirements.

In this world, the traditional view of secure by default — which has largely been secure out of the box — is too narrow. Instead, secure by default today is no less than an entire ecosystem of moving parts aligned to the same goal. In fact, it is not really possible to build a product that’s secure out of the box. For secure by default to truly reach its potential, customers who use that product must be able to securely develop and deploy solutions for it.

To broaden a view of secure by default, consider these three parameters:

1. How you build it: Products and applications need to be built with security in mind — from the beginning. This means best practices and rigorous processes need to be followed. For instance, penetration testing can mimic real-world attacks that circumvent security controls. Threat modeling can model IT systems and software to understand potential threats, categorize possible impact, and then mitigate vulnerabilities. Code reviews ensure use of current versions of standard libraries and appropriate cryptography. Developers need to understand secure coding and adhere to coding best practices.

2. How and what you do when you install it: Once a product is built to be secure by default, it still needs to remain that way once deployed in its environment, which is increasingly complex and interconnected. That’s why the first responder — the person installing the product, application, or database — is evermore important. To keep the organization and users safe, the first responder needs to apply general principles, such as configuring controls to be secure as possible, enabling encryption at rest and SSL/TLS secure communication channels, restricting access to applications or data only to those people who need it, and requiring authentication that relies on trusted identity sources. Certificate or key-based authentication also are considerations.

General principles can guide administrators, yet one size does not fit all. Administrators also have to tailor approaches to specific environments. What banks need from their databases, applications, and other technologies, for instance, is different from what oil companies or intelligence agencies need. Whatever the industry, someone needs to watch the whole picture. For instance, a database sits between an application above it and an operating system below it. A network brings them all together. Each one of those layers has to do something appropriate for that layer in terms of security. But if one layer is not secure, there’s potential for a failure of the weakest link to compromise the entire system.

Another test of secure by default at the installation level is whether the end user needs specific technical understanding to securely use an application or database. If he does, the administrator has more work to do.

3. What policies and governance are set up: Data management policies need to be continually enforced to protect an enterprise’s most valuable asset: its data. These policies govern data and validate data provenance, where the data came from, as well as when, how, and if it was changed, and by whom. Data policies also need to follow the data, no matter where it goes. This will ensure that safeguards such as encryption and access controls remain in place.

Separation of duties is also key. The system administrator, who controls the server, should not have access to the database, while the database person should not have access to security controls, and vice versa. By having a separation of duties, no one role can compromise the system.

Throughout the Enterprise
Secure by default still means having the best security possible without users even knowing that it is there. But the pace of data breaches continues to indicate that enterprises have a long way to go to achieve secure by default throughout their ecosystems of technologies.

By broadening the view of what secure by default entails, enterprises will be more likely to build systems that are secure top to bottom. This requires involving humans even more in the oversight and administration to make sure that secure by default extends throughout the enterprise.

After all, when it comes to security, the old adage is really true: You are only as strong as your weakest link.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Tom Thomassen is a senior staff engineer of security at MarkLogic. He is responsible for helping identify and implement secure development practices into the company engineering process, educating the team on security best practices, monitoring and responding to changes in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.