The biggest challenges that the typical enterprise faces in terms of operational security are:
If the site has in-house developed applications, an additional concern can be:
Each of the challenges listed above gives a security tester a corresponding method to try when assessing a given site, because the same gaps that burden the network administrator are what an attacker looks for first.
Software Patch Vulnerability - If an attacker chooses to break into the network and escalate privileges, a good place to start is by searching for missing patches. Many freely available tools scan for specific, already-published vulnerabilities, and once an unpatched hole is found, gaining administrative privileges on that host is often straightforward because a working exploit usually already exists.
Password Selection Vulnerability - Another method of testing security is to look for default accounts (vendor-set credentials that were never changed or disabled) and for users who have chosen poor passwords. Common choices include the user's first name, a date such as a birthday, the word "password", or the user ID itself; a password that contains the account name or a name part is still weak however long it is.
Default Content Vulnerability - Many web applications come with sample code and documentation. Microsoft Internet Information Services, for instance, installs a multitude of default Active Server Pages, ISAPI extension mappings, virtual directories, and documentation. Some of this code has been found to contain vulnerabilities ranging from information disclosure to remote command execution, and because none of it is needed to serve the site's own application, it should be removed or disabled rather than merely patched.
Vendor Host Vulnerability - In many cases, even if the corporate assets are relatively well secured, a host supplied and configured by a vendor presents an attractive target. These hosts are typically not kept up-to-date because the vendor claims a "certification" of the delivered configuration, either to satisfy regulatory constraints or because the current configuration is the only one under which the vendor will support the application.
In-House Application Vulnerability - As mentioned above, applications developed in-house frequently do not undergo adequate input validation testing and end up being susceptible to buffer overflows or SQL injection attacks - either of which can be a gift to the hacker.
The two biggest and most common issues in operational security are addressed if a well-crafted information security policy is implemented - a policy that provides for an effective strategy for patching host operating systems and applications as well as enforcement of complex passwords. Add to this a best practice host configuration checklist for servers and the exposure is again significantly reduced.
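The poor password choices listed earlier (first name, a date, the word "password", the user ID) and the complex-password enforcement called for here can be checked with the same rule set. The script below is an added example for this article, not code from the author or from ACP; it models the check on the Windows complexity rule (password must not contain the user ID or any name part longer than two characters, and must use at least three of four character classes), adds a length floor, a small common-word list and date-pattern detection, and runs it over a constructed list of sample accounts. The account names, passwords and the 8-character minimum are all assumptions for the illustration.

```python
import re

# Constructed sample accounts for the demonstration: (user_id, full_name, password).
# These are not real accounts; each one illustrates a weak choice named in the text.
SAMPLE_ACCOUNTS = [
    ("jsmith", "John Smith",    "john"),         # first name
    ("mjones", "Mary Jones",    "password"),     # the word "password"
    ("rlee",   "Robert Lee",    "rlee"),         # the user ID itself
    ("akhan",  "Aisha Khan",    "19750423"),     # a date
    ("bwu",    "Brian Wu",      "Tr0ub4dor&3"),  # passes the policy
    ("admin",  "Administrator", ""),             # default account, blank password
]

# Assumed deny-list; a real deployment would use a much larger breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin", "changeme"}

# Numeric strings that look like dates (YYYYMMDD, DDMMYY, DD/MM/YYYY and similar).
DATE_PATTERNS = [
    re.compile(r"^\d{8}$"),
    re.compile(r"^\d{6}$"),
    re.compile(r"^\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}$"),
]


def name_tokens(user_id, full_name):
    """Tokens a password must not contain: the user ID plus every name part
    longer than two characters (the threshold the Windows complexity rule uses)."""
    tokens = {user_id.lower()}
    for part in re.split(r"[\s,.\-_]+", full_name):
        if len(part) > 2:
            tokens.add(part.lower())
    return tokens


def check_password(user_id, full_name, password, min_length=8):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for token in sorted(name_tokens(user_id, full_name)):
        if token in lowered:
            problems.append(f"contains name/ID token '{token}'")
    if lowered in COMMON_WORDS:
        problems.append("is a common word")
    if any(p.match(password) for p in DATE_PATTERNS):
        problems.append("looks like a date")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("uses fewer than 3 of 4 character classes")
    return problems


def audit(accounts):
    """Map each failing user ID to its violations; passing accounts are omitted."""
    findings = {}
    for user_id, full_name, password in accounts:
        problems = check_password(user_id, full_name, password)
        if problems:
            findings[user_id] = problems
    return findings


if __name__ == "__main__":
    for user_id, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user_id}: " + "; ".join(problems))
```

Run against a real account list, the audit flags default accounts with blank or unchanged passwords alongside the weak user choices, which is the combination a tester goes after first; the same `check_password` function can sit behind a password-change hook so the policy is enforced rather than merely audited.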
A Thin Client environment provides an opportunity to easily capitalize on just such a strategy. When considering the three cornerstones of data security (Confidentiality, Integrity, and Availability) there are several ways that moving to a Thin Client system can serve to tighten operational security:
First, Thin Clients run few, if any, listening services, so they are very difficult to attack from the network; all of the operating system complexity and functionality lives on the terminal server. Confidentiality is improved because no confidential data resides on the workstations; it all exists on the server, and network credentials must be supplied to access it. If a good password policy is enforced (or multi-factor authentication is in use), there is high confidence that an authenticated user is who they claim to be, every change to the data is attributable to that user, and data integrity is improved as a result. Availability now depends on the network and the terminal server: data only has to be backed up at the server because none is stored locally on the client, and the dependence on a single server can be mitigated through terminal server clustering.
Secondly, terminal sessions are encrypted by default, so an attacker cannot simply capture the traffic the way they can with Telnet or an unencrypted web application. That protection has a limit that must be understood: under the older Standard RDP Security layer, the server's public key is signed with a vendor key whose private half is publicly known, so an attacker who can place themselves between client and server can impersonate the server and decrypt the session. Configure the terminal servers to require the TLS security layer with a certificate the clients validate, require Network Level Authentication, and set the encryption level to High (or FIPS where mandated). With that done, eavesdropping requires an active man-in-the-middle that defeats a certificate check rather than passive capture, which provides for additional data confidentiality.
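Whether a terminal server still accepts the legacy security layer can be checked from the network. The script below is an added example for this article, not code from the author or from ACP: it builds the X.224 Connection Request that an RDP client sends first and parses the server's Connection Confirm, using the rdpNegReq, rdpNegRsp and rdpNegFailure structures and the failure codes documented in Microsoft's MS-RDPBCGR specification. Requesting no protocols (requestedProtocols = 0) asks for Standard RDP Security only; a server that answers with a negotiation response selecting it, or with a confirm that carries no negotiation structure at all, can be downgraded as described above, while a hardened server answers with SSL_REQUIRED_BY_SERVER or HYBRID_REQUIRED_BY_SERVER. The three sample replies are constructed byte strings; `probe()` sends the same request to a live server and is an assumed helper.

```python
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR rdpNegReq, rdpNegRsp).
PROTOCOL_RDP = 0x00000000     # Standard RDP Security: RC4 with a vendor-signed server key
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP (Network Level Authentication) over TLS

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

LAYER_NAMES = {
    PROTOCOL_RDP: "Standard RDP Security",
    PROTOCOL_SSL: "TLS",
    PROTOCOL_HYBRID: "TLS + CredSSP (NLA)",
}


def build_connection_request(requested_protocols):
    """TPKT + X.224 Connection Request carrying an rdpNegReq (no routing cookie)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: code 0xE0, DST-REF (2), SRC-REF (2), class option (1), then rdpNegReq.
    x224 = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + neg_req
    x224 = bytes([len(x224)]) + x224                     # length indicator
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Interpret the server's X.224 Connection Confirm.
    Returns {'selected': flag, 'layer': name} or {'failure': code_name}."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    length_indicator = data[4]
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    # A confirm with no rdpNegRsp comes from a server that predates protocol
    # negotiation: only Standard RDP Security is on offer.
    if length_indicator == 6 or tpkt_len <= 11:
        return {"selected": PROTOCOL_RDP,
                "layer": "Standard RDP Security (no negotiation)"}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"failure": FAILURE_CODES.get(value, f"unknown({value})")}
    if neg_type != TYPE_RDP_NEG_RSP:
        raise ValueError(f"unexpected negotiation structure type {neg_type:#x}")
    return {"selected": value, "layer": LAYER_NAMES.get(value, f"other({value:#x})")}


def accepts_legacy_security(reply):
    """True when the server agreed to Standard RDP Security for a legacy-only request."""
    return reply.get("selected") == PROTOCOL_RDP


def probe(host, port=3389, requested_protocols=PROTOCOL_RDP, timeout=5):
    """Assumed helper: send the request to a live server and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested_protocols))
        return parse_connection_confirm(sock.recv(1024))


# Constructed replies, not captures from a real server:
CC_LEGACY = bytes.fromhex("0300000b06d00000123400")                   # no rdpNegRsp at all
CC_NLA = bytes.fromhex("030000130ed00000123400" "0200080002000000")  # selected = HYBRID
CC_REFUSED = bytes.fromhex("030000130ed00000123400" "0300080005000000")  # HYBRID_REQUIRED

if __name__ == "__main__":
    for label, reply in (("legacy", CC_LEGACY), ("nla", CC_NLA), ("refused", CC_REFUSED)):
        parsed = parse_connection_confirm(reply)
        print(f"{label}: {parsed} downgradable={accepts_legacy_security(parsed)}")
```

Against a live server, `probe("terminal-server")` with the default legacy-only request tells you directly whether the downgrade is possible; repeat it with `PROTOCOL_SSL | PROTOCOL_HYBRID` to see which layer the server prefers when offered the choice.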
Operational Security is also improved because the Thin Client gives users far fewer ways to introduce malware or viruses. With no CD-ROM or floppy drives (and with any USB storage disabled in the terminal's configuration), clients cannot be infected by media brought from home, and users cannot install software except from the network. Controlling what users can do and access through their profile on the server limits that threat further: users can be given permission profiles that allow access only to the things they require to perform their job. This protects both data integrity and availability.
More powerful servers are usually required with a Thin Client model, but since the administrators have many fewer machines to administer, patch and monitor, security and efficiency should increase. The fact that Thin Clients are significantly cheaper and easier to support also serves to offset the additional cost associated with bigger servers. Better patching and configuration implies better access control and better stability which affect both data confidentiality, and availability.
A centralized environment also centralizes security, and reduces the overall complexity of the network. Critical information assets are easy to identify and easier to protect using a reasonable defense-in-depth or multi-tiered security strategy. A risk assessment on this model would be much easier to conduct than a decentralized architecture. And the scope of user activity, malicious and otherwise, is restricted to the server, making proactive monitoring easier and overcoming the common problem of aggregating activity logging.
Carric Dooley has been a network security consultant for the past 8 years and has provided consulting services to a wide range of industries. He has performed network security assessments, security architecture reviews, penetration tests, and firewall remediation, and has acted as the resident subject matter expert for several Fortune 100 companies, for organizations ranging in size from 50 to 300,000+ users.
For more information on ACP Industrial Thin Client computers, please visit our web site at http://www.thinmanager.com