Failing Securely

You may have noticed that most of the examples of security issues I provided in this chapter involved devices or applications that failed in one way or another. Hackers commonly use exploits that cause services to fail when confronted with unexpected events. Most exploits are simple scripts that crash a service and, in doing so, open a security hole. The worst examples are services that run as administrator and, when successfully attacked, give up control and allow the attacker to become the administrator.

Many times, the failure of an application, networking service, or operating system can be handled gracefully. When dealing with critical DB servers, for example, failures usually trigger events that attempt to leave the data in a usable state. Similarly, a firewall that detects a failure will often shut down its access services rather than risk allowing unauthorized access from outside entities. This is what is called failing securely.

Everything is subject to failure, no matter how robust or expensive it is. Such failures often lead to lost productivity and potential security issues. As such, potential failure scenarios should be considered before any new implementation. When programming an application, a failure should lock down security rather than relax it. When a network architecture is designed, a failure should not result in security being bypassed, as commonly happens. If a power outage occurs, services, applications, and devices should re-apply their security controls during the reboot process. Consider failures in all devices and services, walk through the contingency plan, and consider the security implications therein. This is especially essential for major failure plans such as disaster recovery policies.
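The following is an added illustration, not code from the book, of what "failures should lock down security" looks like inside an application. It models a constructed policy service that an application consults before granting access and shows three designs: a fail-open check that treats a backend error as "no objection", a fail-secure check that denies on any error, and a gate that latches into lockdown after a failure and stays closed until an operator resets it. The `PolicyService`, `PolicyServiceError` and `FailSecureGate` names are assumptions made for this example.

```python
"""Fail-open versus fail-secure authorization checks (added example)."""
from __future__ import annotations

import logging
from dataclasses import dataclass, field

logger = logging.getLogger(__name__)


class PolicyServiceError(Exception):
    """Raised when the (simulated) policy backend is unavailable."""


@dataclass
class PolicyService:
    """Constructed stand-in for a remote authorization/policy service.

    `allowed` maps a user to the set of actions they may perform; flipping
    `available` to False simulates the backend crashing or being unreachable.
    """
    allowed: dict[str, set[str]] = field(default_factory=dict)
    available: bool = True

    def is_allowed(self, user: str, action: str) -> bool:
        if not self.available:
            raise PolicyServiceError("policy backend unreachable")
        return action in self.allowed.get(user, set())


def authorize_fail_open(service: PolicyService, user: str, action: str) -> bool:
    """Anti-pattern: an error in the check is treated as permission.

    A crashed or unreachable policy service widens access instead of
    narrowing it, which is exactly the condition an attacker who can
    knock the service over is waiting for.
    """
    try:
        return service.is_allowed(user, action)
    except PolicyServiceError:
        logger.warning("policy check failed; allowing %s to %s", user, action)
        return True


def authorize_fail_secure(service: PolicyService, user: str, action: str) -> bool:
    """Deny by default: any error in the check denies the request."""
    try:
        return service.is_allowed(user, action)
    except PolicyServiceError:
        logger.error("policy check failed; denying %s to %s", user, action)
        return False


class FailSecureGate:
    """Wraps the policy check and latches into lockdown on backend failure.

    Once locked down, every request is denied even after the backend
    recovers, until an operator explicitly calls reset(). The latch makes
    the failure visible and reviewable instead of silently self-healing.
    """

    def __init__(self, service: PolicyService) -> None:
        self._service = service
        self.locked_down = False

    def authorize(self, user: str, action: str) -> bool:
        if self.locked_down:
            return False
        try:
            return self._service.is_allowed(user, action)
        except PolicyServiceError:
            self.locked_down = True
            logger.error("policy backend failure; gate locked down")
            return False

    def reset(self) -> None:
        """Operator action after the failure has been reviewed."""
        self.locked_down = False


def demo() -> dict[str, bool]:
    """Run all three designs against a healthy and then a failed backend."""
    service = PolicyService(allowed={"alice": {"read"}})
    gate = FailSecureGate(service)
    results = {
        "open_healthy_alice": authorize_fail_open(service, "alice", "read"),
        "open_healthy_bob": authorize_fail_open(service, "bob", "read"),
        "gate_healthy_alice": gate.authorize("alice", "read"),
    }
    service.available = False  # simulate the backend crashing
    results["open_failed_bob"] = authorize_fail_open(service, "bob", "read")
    results["secure_failed_alice"] = authorize_fail_secure(service, "alice", "read")
    results["gate_failed_alice"] = gate.authorize("alice", "read")
    service.available = True  # backend recovers, gate stays latched
    results["gate_recovered_alice"] = gate.authorize("alice", "read")
    gate.reset()
    results["gate_after_reset_alice"] = gate.authorize("alice", "read")
    return results


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

The telling case is `open_failed_bob`: with the fail-open check, a user who is never in the policy gets access the moment the backend is down, so an attacker who can crash the policy service has effectively authorized themselves. The fail-secure check denies the same request, and the gate additionally refuses to resume on its own once the backend comes back, which is the reboot-time behaviour the paragraph asks for.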

I have had many clients implement an expensive firewall and intrusion detection architecture to protect their Internet connections and remote vendors. Knowing that a router or firewall may fail, however, they implement an inexpensive ISDN or DSL connection to act as a backup. This backup hooks directly into the network, bypassing the firewall and security. Many attacks are designed to disable a firewall or network devices, wait for an insecure failover to take place, and then take advantage of the unlimited access.

Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day