Posted by: adelvecchio
host security, network security, patch management
This is part three of a four-part series of posts where we look at perimeter security, network security, host security, and finally administrative security as distinct elements in an overall information security architecture and the best way to evaluate the current state of each.
A standard question we ask when working with clients is how they go about assessing their organization’s information security architecture. Previously, I examined perimeter and network security. As part of that evaluation, I covered how to address perimeter security in an ever-changing technical environment and how to use tools and technology to provide mitigating controls that secure access to networked assets. The third element — working our way from the outside of the network to the inside — is host security. Host security is a term we will apply equally to any and all endpoints on the network regardless of their purpose or nature (e.g. servers, workstations, network devices, printers, mobile devices, etc.). We do this because every endpoint on the network represents a potential attack vector. Host security started gaining a larger spotlight with the introduction of laptops and portable computers. It is now entrenched as a central part of the overall architecture assessment methodology due to the flood of mobile devices in today’s environment.
Likely the most prominent element of host security is a process information security professionals call “hardening.” It is performed on network endpoints to make them more resistant and less vulnerable to attack, and it is accomplished by turning off unnecessary services and ensuring that security controls are enabled on the services the business needs in order to function. It is a simple process and, if applied in a disciplined manner, it provides a firm base of host security on which enterprises can build.
The biggest piece of advice I can offer is that configuration and deployment checklists be developed for every platform, operating system, appliance and application deployed within the business environment. A standard checklist ensures that every newly deployed endpoint is built uniformly with the overall security of the device in mind. The logical follow-up step is to keep endpoints properly patched and updated. While the process might vary slightly from platform to platform — depending on the importance of the endpoint or other factors — there is no denying that routine patch management is a critical element of host security, and a formal, documented process should support it. Coupling these two items with periodic vulnerability testing gives a technical point of verification and validation for the efficacy of the overall security process.
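As an added example (not code from the original post), here is a small Python audit that turns part of such a checklist into something a host can actually be tested against: it flags listening services outside an allowlist, sshd settings that differ from the baseline, and packages below the minimum patched version. The baseline, the `ss -ltn` output, the sshd_config excerpt and the package inventory are all constructed sample values, and the version comparison is deliberately simplified.

```python
"""Baseline checklist audit for one host.

Added example, not code from the original post. It checks three things a
build checklist and patch process typically cover: which services listen on
the network (parsed from `ss -ltn` style output), sshd settings, and installed
package versions against a minimum patch level. All inputs are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Baseline:
    allowed_ports: set[int]          # ports permitted to listen on non-loopback addresses
    sshd_required: dict[str, str]    # sshd_config keyword -> value the checklist requires
    min_versions: dict[str, str]     # package -> minimum acceptable (patched) version


# Hypothetical baseline for a web/ssh server role.
BASELINE = Baseline(
    allowed_ports={22, 443},
    sshd_required={"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    min_versions={"openssl": "3.0.7", "sudo": "1.9.5", "auditd": "3.0"},
)

# Constructed `ss -ltn` output: port 80 and CUPS (631) were not in the build.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
LISTEN  0       511     *:80                *:*
LISTEN  0       128     [::]:22             [::]:*
"""

# Constructed sshd_config excerpt.
SSHD_CONFIG = """\
# managed by the build checklist
Port 22
PermitRootLogin yes
PasswordAuthentication no
"""

# Constructed package inventory (dotted numeric versions only).
INSTALLED = {"openssl": "3.0.2", "openssh-server": "8.9", "sudo": "1.9.5"}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listening(ss_text: str) -> list[tuple[str, int]]:
    """Return (local address, port) for each LISTEN line of `ss -ltn` output."""
    sockets = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header and anything that is not a listener
        addr, port = fields[3].rsplit(":", 1)
        sockets.append((addr, int(port)))
    return sockets


def parse_sshd_config(text: str) -> dict[str, str]:
    """Map sshd_config keywords to values, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def version_tuple(version: str) -> tuple[int, ...]:
    """Simplified comparison key; real distributions need their own version rules."""
    return tuple(int(part) for part in version.split("."))


def audit_host(ss_text, sshd_text, installed, baseline) -> list[tuple[str, str]]:
    """Return (severity, message) findings where the host deviates from the baseline."""
    findings = []
    for addr, port in parse_listening(ss_text):
        if addr in LOOPBACK:
            continue  # loopback-only listeners are not reachable from the network
        if port not in baseline.allowed_ports:
            findings.append(("HIGH", f"unexpected service listening on {addr}:{port}"))
    settings = parse_sshd_config(sshd_text)
    for key, wanted in baseline.sshd_required.items():
        actual = settings.get(key)
        if actual != wanted:
            findings.append(("HIGH", f"sshd {key} is {actual!r}, baseline requires {wanted!r}"))
    for pkg, minimum in baseline.min_versions.items():
        have = installed.get(pkg)
        if have is None:
            findings.append(("MEDIUM", f"package {pkg} not installed (baseline expects >= {minimum})"))
        elif version_tuple(have) < version_tuple(minimum):
            findings.append(("HIGH", f"package {pkg} {have} is below minimum {minimum}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_host(SS_OUTPUT, SSHD_CONFIG, INSTALLED, BASELINE):
        print(f"[{severity}] {message}")
```

Run against the constructed inputs it reports four deviations: an unexpected listener on port 80, root login permitted over ssh, an openssl below the patched minimum, and auditd missing. Feeding the real `ss -ltn` output, sshd_config and package list of a host into the same functions is the verification step the checklist itself cannot provide.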
Once the foundation of host security is established with a robust endpoint build process, patch management, and periodic vulnerability testing, there is no shortage of technical controls that can also be deployed to help secure endpoints on the network. These technical policy enforcement tools include host-based firewalls, encryption of data on the endpoints, host intrusion detection, file system integrity monitoring, endpoint data loss prevention and, of course, the venerable AAA (authentication, authorization, and auditing) feeding into a log management application and potentially an event correlation engine (security information and event management).
As with other mitigating controls, host security controls should be evaluated as augmenting the existing complement of perimeter and network security controls, with particular attention given to mobile platforms, which often operate outside those additional protections.