The idea of “ubiquitous computing” most people dream about doesn’t usually include the trouble of patching all those devices every week. It doesn’t even mention that there would be new bugs found daily and that most of the fixes would be available weeks if not months after they were discovered.
Windows XP has been in the news recently because Microsoft has finally pulled support for this aging OS. 30% of all active desktops are still on XP, and now we know of a new security bug that will never be fixed for these users.
XP may eventually become the epitome of unpatched buggy software because of the visibility this issue got, but I feel this may just be the tip of the iceberg. For every XP out there, I bet there is one or more unpatched networking devices just waiting for someone to exploit them, and this number is growing very fast. Some of these bugs are just that… bugs, but I suspect most of them are due to less than reputable code/design quality. It’s a wild, wild west out there and this has to stop.
The other problem with ubiquitous computing is that the number of devices per household is growing rapidly, and doing manual updates to every single one is getting close to impossible. We need to get to a place where users won’t have to worry about manually updating their devices. The industry as a whole needs to do a better job of promoting the kind of automation and testing that makes this possible, which requires significantly higher levels of investment in resources by manufacturers. Apple with its iOS update infrastructure and Google with its Chrome updates have shown that it’s possible to do it at scale.
So what can we as users do? For a start, we may have an obligation to ask about auto-updates when we buy new devices. For connected devices at least, shipping updates shouldn’t be “optional”. Vote for the right manufacturer with your wallet.
Networking devices on the edges have become smarter over time. So have the firewalls and switches used internally within the networks. Whether we like it or not, web applications over time have grown to depend on them.
It’s impossible to build a flawless product, which is why it’s standard practice to disable all unused services on a server. Most organizations today try to follow the n-tier approach to create different logical security zones, with the core asset inside the most secure zone. The objective is to make it difficult for an attacker to get to the core asset without breaching multiple sets of firewalls.
Doing frequent system patches, auditing file system permissions and setting up intrusion detection (host or network based) are some of the other mundane ways of keeping web applications safe from attacks.
Though the cloud has made deployment of on-demand infrastructure simpler, it’s hard to build a walled garden around a customer’s cluster of servers on the cloud in an efficient way anymore. And the absence of such walled gardens and logical security zones means there are more points of entry into the infrastructure which could be exploited. If you replace 10 powerful internal servers with 100 small servers on the cloud, all of a sudden you might have to worry about protecting 100 individual servers instead of protecting a couple of edge devices. In a worst-case scenario, one weak server in the cluster could expose the entire cluster to an attacker. Here are a few other things to think about…
- Host-based firewalls should allow only traffic that is required/expected
- Non-essential services should be shut off on the server
- Some kind of intrusion detection might be important to have
- Keys/passwords should be changed periodically
- System patches (update OS image) need to be applied periodically
- Authenticate/Authorize all inter-server communication
- Maintain audit trail for all changes to images/servers if possible
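
The first two items in the list can be checked on every server in a cluster by comparing its listening sockets against what its role is expected to expose. The following is an added example, not part of the original post; the role names, the port allowlist and the sample `ss -tlnH` output are constructed for illustration.

```python
# Constructed allowlist (assumption): ports each server role should expose.
ALLOWED_PORTS = {"web": {22, 443}, "db": {22, 5432}}
LOOPBACK = ("127.", "[::1]")

# Constructed sample of `ss -tlnH` output (listening TCP sockets, no header).
SAMPLE_SS = """\
LISTEN 0 128      0.0.0.0:22       0.0.0.0:*
LISTEN 0 511      0.0.0.0:443      0.0.0.0:*
LISTEN 0 511         [::]:443         [::]:*
LISTEN 0 1024   127.0.0.1:6379     0.0.0.0:*
LISTEN 0 1024     0.0.0.0:11211    0.0.0.0:*
LISTEN 0 100        [::1]:25          [::]:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line; skip anything malformed."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition splits on the last colon, so "[::]:443" parses correctly.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield addr, int(port)

def audit(ss_output, role):
    """Split listeners into exposed-and-unexpected vs. loopback-only ports."""
    allowed = ALLOWED_PORTS.get(role, set())  # unknown role: nothing allowed
    unexpected, local_only = set(), set()
    for addr, port in parse_listeners(ss_output):
        if addr.startswith(LOOPBACK):
            local_only.add(port)   # not reachable from other hosts
        elif port not in allowed:
            unexpected.add(port)   # candidate to shut off or block at the host firewall
    return {"unexpected": sorted(unexpected), "local_only": sorted(local_only)}

if __name__ == "__main__":
    print(audit(SAMPLE_SS, "web"))
```

Run across all servers in the cluster, the `unexpected` list is the set of services to shut off or block at the host firewall, while `local_only` ports are bound to loopback and are not reachable from other machines.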
An organization which is completely on the cloud may not have an IT department in its current form, but it might still have an operations team which makes the security policies, updates OS images, manages billing, monitors system health (and IDS) and trains developers to do things the right way.
If your infrastructure is on the cloud, do write back with a note about what you do to protect your applications.
Image source: AMagill