Andrea Danti - Fotolia
How hardening options help handle unpatchable vulnerabilities
Using multiple hardening options to endure unpatchable vulnerabilities is explored in a recent NIST report. Learn how entropy sources can be an additional option with Judith Myerson.
A group of researchers recently published a report named "Surviving unpatchable vulnerabilities through heterogeneous network hardening options." In this tip, we'll take a look at those options and consider how adding additional entropy sources may be an effective way to harden networks against unpatchable vulnerabilities.
While most existing network hardening approaches rely on a single hardening option, such as disabling unnecessary services, this may not be enough when defending systems with unknown or other vulnerabilities that cannot be fixed.
To increase the effectiveness of the network's defense against unpatchable vulnerabilities, the authors of the report propose the unification of multiple hardening options, such as service diversification; firewall rule modification; and adding, removing and relocating network and access control. An optimal solution for heterogeneous hardening would be an automatic approach rather than manual efforts, which are often error-prone.
As part of the proposal, the authors provide a hypothetical cloud network for a typical data center based on the OpenStack architecture. Here, a firewall stands between the outer network and inner network, and there are three additional layers of protection: a security/authentication layer, a virtual machine that protects the application layer, and a storage layer that is separate and protected by another firewall.
The report outlines four steps for building a model based on the cost-effectiveness of the heterogeneous approach -- companies should not consider any approaches that exceed the budget. The four steps include:
- identifying the hardening options in one model;
- applying security metrics to evaluate network defense against unknown and unpatchable vulnerabilities;
- deriving optimal solutions to maximize security under given cost constraints; and
- evaluating the effectiveness of proposed solutions against unpatchable vulnerabilities using simulations.
Each step should provide feedback on the previous step, continuing in a loop and adjusting each hardening approach until an optimal solution is found.
The report identifies several examples of unpatchable vulnerabilities, including vulnerabilities that can be remotely exploited at the time of attack due to patch unavailability. One example is the vulnerability classified as CVE-2016-4502, which covers a flaw in Environmental Systems Corporation 8832 Data Controllers that could not be patched because the device has no code space for any security patches.
Other instances of unpatchable vulnerabilities can occur when a system has reached its end-of-life or end-of-system support. Such flaws can result in unacceptable service disruptions that may be triggered by a patch and could result in resource exhaustion and malicious rebooting. The final example of unpatchable vulnerabilities covered in the report is security vulnerabilities that were fixed previously, but which can be reintroduced by new patches.
The report emphasizes cost-effectiveness and cost estimations, which are provided in the authors' model to show why automation is more efficient than using employees.
The authors compare Gartner's total cost of ownership with the costs of hardening options in three categories: planning, indirect costs and direct costs. Within each category, the costs of the hardening options are grouped into diversifying services, adding a new service, removing an existing service, relocating a service, connectivity-based firewall rules, service-based firewall rules and access-control firewall rules.
In the direct costs category, changes in upgrade costs, production control costs and some support costs are applied to all the hardening options. The upgrade costs include the costs of managing assets, conducting production evaluation and upgrading user administration. The indirect costs include downtime costs, both planned and unplanned, for all the hardening options.
Cost planning can limit the costs of application acquisition to service diversification; adding, removing and relocating network services; the use of security; management; failure control costs that limit LAN/WAN troubleshooting; and repair costs to service diversification and firewall rules. The costs of security and virus protection, disaster recovery planning, hardware maintenance and insurance are not covered in the report.
Entropy sources as hardening option
Adding an entropy source as a hardening option can help increase a company's resilience against attacks that exploit unpatchable vulnerabilities. Because entropy sources must be tested and validated before they can be used to generate certificates for HTTPS, using them as a hardening option can affect planning costs, indirect costs and direct costs.
Budgets for such a program should cover the costs associated with planning, as well as the costs of installing new entropy sources in an enterprise. Another consideration is indirect costs, like planned and unplanned downtimes due to insufficient entropy on a large scale.
Other direct costs that should be considered include support for entropy management, asset management of the devices that generate entropy sources, and entropy source evaluation and testing. There are also more possible direct costs, such as security management and entropy-based hardware maintenance fees.
Resources must also be available when failures occur, such as insufficient entropy in the hardware, inadequate disaster recovery planning, and recovery from entropy-starved components of the system. Finally, the budget should cover event management for scenarios such as when entropy becomes insufficient due to hardware malfunctions or other issues.
Overall, maintaining entropy source hardening is an additional way to defend against the exploitation of unpatchable vulnerabilities. It can also help to improve resilience against unpatchable vulnerabilities. While some existing hardening options may become less cost-effective when entropy sources are insufficient for a resource to function properly, the testing and validation of entropy sources to ensure entropy works properly cannot be overlooked.