This section is about making your design process a secure process. When designing an application there are several things to consider, such as reducing the attack surface. That basically means you have only as much as is necessary to carry out the required tasks. So, when designing modules, include only what is needed and no more. When more is installed than is necessary, the attack surface is greater and there are more places where a threat could materialize. So, part of what we think about in the design process is prevention against threats, as part of what we are designing. Threat modelling helps reduce your attack surface, and it is like a what-if type of game.
For instance, what would happen if a threat materializes, how would it happen, and would your system be able to prevent or overcome that potential threat? As an example, when we look at Microsoft operating systems, historically there have been tons of purchases of this particular OS compared to others that are in some cases better for certain functions. Most people are intimidated by others such as Linux, Fedora, and the rest out there. Microsoft made it easy because it’s all there: you turn it on, hit the switch, and everything you need is there. The Windows 2000 version especially had DNS running, had ASP, had the web service, and had ILS; consider that this would be the same product I’d use to build the domain controller. Every machine had ILS automatically installed and running, connected to the web server, and the purpose of a web server is to share; however, there is information on the domain controller that I may not want to share. So, the fact that they included this software installed, up and running, is super silly from a security standpoint. It left the user and the organization wide open to attack. So, it had a huge attack surface.
It was simply really easy to use, and from that standpoint users were ready to make these purchases. The problem is that this kind of huge open attack surface is, well, wide open to attack. Home users who purchase based on ease of use are just like business owners in this respect. So, we had a lot of businesses where it was easy for others to get into their systems. Later versions of Windows, for example Windows 2008 and then Windows Server 2012, had increasingly smaller attack surfaces. In other words, they didn’t necessarily install everything possible. Instead, the philosophy changed to having the users be the driving force in installing the tools they need. We now have a more bare-bones OS installed, and as users need other modules they can add those, along with other pieces of functionality. So, in the marketplace, we went from a huge attack surface to a much smaller, tighter attack surface and planning for better security. In later versions of their network operating systems, Microsoft added an installation option known as Server Core.
Server Core looks like DOS and is a strictly command-line based operating system. Since it takes more code to build a point-and-click system, which means a greater attack surface, going back to the command-line style removed quite a bit of code. This reduced the vulnerability of the OS; with Server Core there is an even further reduction in attack surface. Another way to reduce the attack surface is to reduce the potential for the user to cause problems when inputting information. For example, putting a limit on the number of user input fields is one way to reduce user input. Another is forcing the user into checkboxes, dropdown boxes, basically anything preformatted. This limits the potential damage by the user by limiting the input fields.
There are a number of elements we can look at and decide whether we actually need them or not, for example protocols, interfaces and configurations; configuration management will be discussed in a later section. If there is more than one interface and you really only need the one, why not get rid of the others? You don’t actually need the extra.
Back in 2000, there were a variety of protocols on the network. There may have been IPX/SPX for Novell, we might have had TCP/IP, and there may have been AppleTalk to communicate with Apple-based systems. So, there were several different protocols. Most of us today, however, use only the one, TCP/IP. Specifically, if other protocols are installed and not really being used, the idea behind reducing the attack surface is to get rid of those additional protocols, to reduce the potential for someone attacking your system, thus decreasing its vulnerability and increasing its security. The idea is to remove unnecessary elements or services from the system.
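As an added example (not part of the original lecture), here is a small audit script that applies the idea from the last few paragraphs: it takes what a server exposes (listening services derived from constructed netstat-style lines, plus a constructed list of installed protocols), compares it with what the server's single role actually requires, and produces a removal list together with a before/after count of exposed elements. The port-to-service table, the sample lines and the assumed role (a domain controller needing only DNS and LDAP) are all constructed for illustration.

```python
import re

# Constructed sample lines in the style of `netstat -an` listener output;
# hypothetical, not captured from a real host.
LISTENERS = """\
TCP    0.0.0.0:21      0.0.0.0:0   LISTENING
TCP    0.0.0.0:23      0.0.0.0:0   LISTENING
TCP    0.0.0.0:25      0.0.0.0:0   LISTENING
TCP    0.0.0.0:53      0.0.0.0:0   LISTENING
TCP    0.0.0.0:80      0.0.0.0:0   LISTENING
TCP    0.0.0.0:389     0.0.0.0:0   LISTENING
UDP    0.0.0.0:53      *:*
"""

# Well-known port numbers mapped to the service they usually indicate.
PORT_NAMES = {21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP (IIS)", 389: "LDAP"}

# Constructed list of protocols installed on the box, as in the 2000-era example.
INSTALLED_PROTOCOLS = {"TCP/IP", "IPX/SPX", "AppleTalk", "NetBEUI"}

# Assumed role: a domain controller that only needs DNS and LDAP over TCP/IP.
REQUIRED = {"services": {"DNS", "LDAP"}, "protocols": {"TCP/IP"}}

def listening_services(netstat_text):
    """Return the set of services behind the listening ports in the sample (unknown ports keep their number)."""
    services = set()
    for line in netstat_text.splitlines():
        m = re.match(r"^(TCP|UDP)\s+\S+:(\d+)\s", line)
        if not m:
            continue
        port = int(m.group(2))
        services.add(PORT_NAMES.get(port, f"port {port}"))
    return services

def reduction_plan(netstat_text, protocols, required):
    """List what to remove (exposed but not required), what is required but absent, and the element counts."""
    inventory = {"services": listening_services(netstat_text), "protocols": set(protocols)}
    remove = {cat: sorted(inventory[cat] - required[cat]) for cat in inventory}
    missing = {cat: sorted(required[cat] - inventory[cat]) for cat in inventory}
    before = sum(len(v) for v in inventory.values())
    after = before - sum(len(v) for v in remove.values())
    return {"remove": remove, "missing": missing, "before": before, "after": after}

if __name__ == "__main__":
    plan = reduction_plan(LISTENERS, INSTALLED_PROTOCOLS, REQUIRED)
    for cat, items in plan["remove"].items():
        print(f"{cat}: remove {items}")
    print(f"exposed elements: {plan['before']} -> {plan['after']}")
```

The "missing" list is the safety check: it makes sure that trimming the box never removes something the role depends on.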