Hardened operating systems should be an organization’s standard build. Hardening means disabling unnecessary services and features and changing insecure default settings. Hardened builds are easier to support and troubleshoot, and they shrink the organization’s attack surface.
Locking systems down before they are deployed into production leaves less opportunity for exploits; a system that is exposed first and hardened later may already have been compromised. The Center for Internet Security publishes free or low-cost benchmarks and tools for securing the major operating systems.
Despite the protection at the network perimeter, a company cannot be certain that it will stop every attack at the perimeter unless it blocks all traffic. Since that is not generally an option, each system should also have its own host firewall and IPS agent, as well as antivirus software.
Applications, which are the focus of many attacks, represent the third layer for protecting information. Two complementary ways to increase application security are source code scans and application vulnerability scans.
Source code scans occur during application development. They examine vulnerability-prone constructs, such as fixed-size buffers and other memory handling, for defects like unbounded copies and missing length checks. There are several commercial products from Ounce Labs, Fortify Software, and others for this task.
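As an added example (not from the original article, nor from any vendor named in it), here is the kind of buffer defect a source code scanner flags, an unbounded strcpy into a fixed-size field, beside a hardened version that checks the length before copying and refuses input that does not fit. The struct, function names and the 32-byte field size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32  /* assumed field size for this example */

/* Assumed record layout: the field after the buffer is what an
 * overflow of name would be likely to overwrite. */
struct login_record {
    char name[NAME_LEN];
    int  is_admin;
};

/* VULNERABLE: strcpy copies until the NUL in src; nothing bounds it to
 * NAME_LEN. A source scanner flags this call because the destination size
 * is never checked. Calling it with src longer than NAME_LEN-1 is undefined
 * behaviour (memory corruption), so this program never does. */
void set_name_unsafe(struct login_record *rec, const char *src)
{
    strcpy(rec->name, src);
}

/* HARDENED: compare the input length against the destination first.
 * Returns 0 on success, -1 if src does not fit; the record is left
 * unchanged on failure. Rejecting is preferable to silent truncation,
 * which can turn one name into a different, valid-looking one. */
int set_name_safe(struct login_record *rec, const char *src)
{
    size_t n = strlen(src);
    if (n >= NAME_LEN)
        return -1;
    memcpy(rec->name, src, n + 1);  /* n + 1 also copies the terminating NUL */
    return 0;
}

/* The same check applied to input from a stream: fgets bounds the read,
 * the line ending is stripped, and the checked setter does the copy. */
int read_name(struct login_record *rec, FILE *in)
{
    char line[256];
    if (fgets(line, sizeof line, in) == NULL)
        return -1;
    line[strcspn(line, "\r\n")] = '\0';
    return set_name_safe(rec, line);
}

int main(void)
{
    struct login_record rec = { "", 0 };
    int rc;

    rc = set_name_safe(&rec, "alice");
    printf("safe(\"alice\")    -> %d, name=%s, is_admin=%d\n", rc, rec.name, rec.is_admin);

    /* constructed oversized input: 40 'A's, more than NAME_LEN-1 */
    rc = set_name_safe(&rec, "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA");
    printf("safe(40 x 'A')   -> %d, name=%s, is_admin=%d\n", rc, rec.name, rec.is_admin);
    return 0;
}
```

The point a scanner makes is mechanical: the unsafe function has no relation between the size of its destination and the data written into it. The hardened version makes that relation explicit and testable, which is also why the over-long input leaves both the name and the adjacent flag untouched.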
If the organization is not developing the software itself, it should ask the software vendor to confirm that a source scan has been performed and that the findings were fixed. The Open Web Application Security Project (OWASP) and the SANS (SysAdmin, Audit, Network, Security) Institute have Web sites that are good application security resources.
Second is application scanning, which tests the running application and examines how it and its supporting services are configured. It should be conducted during the testing phases and again after production deployment, since configurations drift. While network vulnerability scanners can detect some application vulnerabilities, it is best to use a dedicated application security scanner such as WebInspect from SPI Dynamics or AppScan from IBM (acquired with Watchfire). The security of an application, like that of an operating system, directly affects the protection of the information flowing through it.
Application and database firewall solutions are starting to emerge as additional protection against application-focused attacks. The Payment Card Industry (PCI) security standard strongly recommends these firewalls for businesses processing credit card transactions, and in mid-2008 an application firewall becomes one of the accepted ways to meet PCI’s application protection requirement. Many businesses not covered by PCI also stand to benefit from this protection, especially for their Web applications, though a firewall in front of an application supplements secure coding and scanning rather than replacing them.