Note that the title of this blog post is not “Building Secure Infrastructures” it is “Building Securable Infrastructures” and there is a difference. I was just fortunate enough to be on an industry panel this week at Secure World and as I was thinking about the content of this panel I started to think about a talk delivered this year at Defcon:
Creating an A1 Security Kernel in the 1980s (Using “Stone Knives and Bear Skins”) by Tom Perrine.
The premise of the talk was about an operating system that was always in a “known secure” state. If a malicious person was able to steal the OS code the operating system still could not be exploited. Much of our time in engineering a security solution is trying to stop an intruder from gaining insight about our networks. What if we started using that time to:
I’m not an offensive security expert, however, what I am is an infrastructure engineer that seriously cares about security. In that line of thought,what can I do in my environment to make it more secure from the middle out? Talk to your vendors and ask them critical questions like:
Until we start asking our vendors questions like this we will be building insecure infrastructures from the start. Any attempt that we make to secure our infrastructures will be simply cleanup efforts and will fail to protect us from any real targeted threats.
Below is a great article from CSIS, a security research company that did a quantitative analysis of exploited threats in the wild that was published on Sept 28, 2011.
85% of the actual threats exploited in this study came from two vendors: Adobe and Java (Oracle). How much time and money would your company save if they could reduce their attack surface by 85%? These are fundamental questions that we as engineers need to start talking to our vendors about and we need to start demanding better solutions so that we’re not fighting fires when it comes to security. It’s only after we’ve started evaluating security from the inside out that we can have any hope of achieving security of any real measure.
This article was originally published here, 10/4/2012.
About Steven Aiello
Steven Aiello is a Senior Systems Engineer with Online Tech, the Midwest’s premier managed data center operator. His certifications include CISSP (Certified Information System Security Professional), ISACS CISA, VMware VCP ( VMware Certified Professional), Cisco CCNA ( Cisco Certified Network Associate), Comptia Security+,and Certified Incident Responder (New Mexico Tech).
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.