Configuration: the forgotten side of security
I was interviewed for an article, Configuration: the forgotten side of security, about proactive security. I am a big believer in proactive security. However, I do not discount the need for reactive security. In the email interview I stated the following:
I define proactive security as a method of protecting information and resources through proper design and implementation to reduce the need for reactive security measures. In contrast, reactive security is a method of remediation and correction used when your proactive security measures fail. The two are interdependent.
I was specifically asked for best practices on setting up UNIX/Linux systems. My response was to provide some generic goals for configuring systems, which surprisingly made it into the article. I avoided listing specific tasks or steps because those change over time and vary based on the systems used. I have written a security configuration guide or two in my time, so I know how quickly they become out of date. Here are the goals again:
The five basic goals of system configuration:
- Build for a specific purpose and only include the bare minimum needed to accomplish the task.
- Protect the availability and integrity of data at rest.
- Protect the confidentiality and integrity of data in motion.
- Disable all unnecessary resources.
- Limit and record access to necessary resources.
In all, the most exciting aspect is that I was quoted in an article alongside Prof. Saltzer. That’s good company to have.