The Farce of Hardening Guides

2012-11-05 07:37:35 by chort

Today I was directed to a blog post from VMware that discloses a leak of ESX source code. What struck me wasn't the leak itself, but the mention of security hardening guides. This isn't unique to VMware. Just about every enterprise IT vendor has hardening guides or knowledge base articles for how to take the default configuration, apply a bunch of changes, and make it more secure. This prompted me to muse about some ideal future where vendors instead post "softening guides" for the rare customer who wants to downgrade the default, highly-secure configuration.

Isn't that just wishful thinking on my part? Isn't it a good thing that vendors make the effort to create and publish hardening guides? I'll tell you why I think hardening guides are fundamentally dishonest and customers should demand better.

For background, prior to doing full-time SecOps, I was a professional services engineer and then sales engineer for several security vendors. I knew first-hand just how many configuration changes had to be made when installing products to give them some semblance of security or sanity. I often bitterly complained in product design meetings about bad default settings. To my dismay, I was often out-voted by other sales engineers who insisted some customer, at some time, in some special corner-case might want that feature and they "shouldn't have to go to all the effort to turn it on." The "someone might use that some day" defense was used more times than I can count (at multiple companies), and as a result a large number of mostly irrelevant features that added attack surface were left on by default.

It didn't stop at just the presence of features, either. Because false-positives are the worst thing a sales person can imagine happening during the evaluation of their product, nearly every feature is in it's most permissive state by default. That ensures a low probability of hiccups during crucial proof-of-concept phases of deployment. When I, or someone else, would point out these insecure settings, the response was always "the customer will tighten those up later." Show of hands, who honestly believes that those settings are ever changed after the initial pilot? No one can actually look in a mirror and say "the configuration will be hardened later," but it's a convenient excuse to be lazy and not feel guilty about it.

Some people will argue that purchasing professional services along with the product will ensure it's configured securely. The truth is, the standard proserv install package (generally one day for security appliances) is barely enough time to do a minimum functional install. Bigger companies might buy up to 3 days of installation services, which is enough time to do the minimum install and actually test it with real load. I've only seen a handful of times in over a decade where a customer bought more than 3 days of installation services, and those were the very biggest, multi-million dollar sales. The same ratio applies to more complex products (where a minimum install might take a week).

So how do hardening guides even get created in the first place? Not out of the goodness of the vendors' hearts, I can tell you that. Let's be optimistic and assume most of them are at the request of demanding customers, not due to pressure after breaches caused by their products. In my experience it generally is requirements from very big customers, either the US federal government, or Fortune 100 companies with very mature security programs. Rather than create a secure set of defaults in the product, or a template to apply, the vendors will push product marketing to write a quickie white-paper that covers perhaps 60% of what you really need to know.

So the vendor releases a hardening guide, now what? Nothing, that's what. The vendor no longer feels any pressure to improve the default configuration of their products. Any time someone hassles them about it, they will point to the hardening guides and totally dismiss the issue. No one will ever read the hardening guides, much less implement them. I really doubt even the government agencies ever follow these guides. Just look at how many government sites have been defaced, and how abysmal the agency security grades are according to federal auditors. Perhaps at best the NSA and DIA implement the vendor hardening suggestions, but then again the NSA writes their own hardening guides because vendors leave so much to be desired. Have you ever read one of the NSA guides? They are long!. The length of those should alert you to just how many settings are in bad shape by default.

So how do we fix the situation? Don't accept hardening guides as "good enough." Demand that the vendor ships their product in a secure configuration by default. At the very least, there should be an alternate configuration, accessed through the normal interface (i.e. not some hidden config file or obscure command line) that will set the device to a secure configuration. Don't buy that EAL/Common Criteria setting smoke-screen either. It's the worst kept secret in the security industry that any vendor going through Common Criteria certification will submit the absolute minimum features for evaluation. Some times it's just enough functionality for the device to power-on and run the management interface. You should require the advertised functionality of the device/product works in the secure configuration.

So what if the vendor won't change for you? There are a couple of options. Number one, try to write it into your contract as a provision. Require the vendor to implement a secure configuration within 90 days of your purchase, with a right to cancel. Also require that they maintain the secure configuration with new versions for the length of your contract. I've seen customers have success with this method, which in turn benefits all the other customers of the same product. It's a great way to immunize the herd. If the vendor won't agree to contract provisions, find another vendor. Seriously. I've been in this business long enough to know that the difference between products is often not significant, in the grand scheme of things. You're better off with a slightly inferior product from a vendor you can work with, then a slightly more capable product from a vendor who treats you like a piggy bank.

It's time we stop the farce known as "hardening guides." The default, out of the box configuration should be secure. Remember you control the purchase order--wield that power wisely. Don't be afraid to walk away.

Add a comment:




max length 1000 chars