What Are the Weakest Links?

Security is like a chainit is only as strong as its weakest link. The concept of building and achieving end-to-end security encompasses all IT systems' infrastructure components such as hosts, applications, users, network devices, client applications, communications, and so on. From a security standpoint, every resource in an IT system's infrastructure is vulnerable to security breaches and malicious activities. The overall security architecture of an IT system's infrastructure relies on three fundamental IT infrastructure components: the network services, the host operating system, and the target application. Any security loophole or flaw in any one of these three components can be exploited. In the worst case, a hacker can compromise the entire IT infrastructure. These three components could be the weakest links in the chain that secures an IT system's infrastructure end-to-end.

The Network Services

A network is a group of computers or information devices and associated peripherals connected by a communications channel capable of sharing information and resources between computers, applications, users, and other networks. A typical network uses routers, switches, and firewalls. Contributors to the security of a network include network firewalls, Intrusion Detection Systems (IDS), Router Access Control Lists (ACL), Virtual Private Networks (VPN), and SSL/Cryptographic accelerator appliances. These devices enforce access control by examining and filtering the inbound and outbound traffic routed between the networks. The network-level security is limited to protecting the network resources from IP connection attacks and to packet filtering for unauthorized ports, protocols, and services. Because of this limitation, resources are still publicly accessible and vulnerable to attacks via the network communication channels that are open for inbound and outbound traffic to support, for example, Web servers that use the HTTP protocol and mail servers that use the SMTP protocol. For example, in Web services communications, the XML traffic tunnels through using the HTTP and HTTP/SSL ports of a firewall. Such access allows hackers and criminals to abuse the network by attacking content-level vulnerabilities with malicious code injection, virus attachments, buffer overflow, content-based denial-of-service, and so on.

The Host Operating System (OS)

The OS plays a vital role in running, managing, and controlling hardware and software applications and in interacting with other hosts and with network-enabled applications. An OS consists of surplus functionalities and services such as tools and utilities that support administration, application deployment, and end users. The typical out-of-the-box OS provides for an insecure configuration that uses a default security policy. Such a configuration leaves the OS open to exploitation and attack by hackers. Information theft, spreading viruses, trojan horses, software buffer overflows, password cracking, and so on are all invited by the default configuration. Applying OS Hardening and minimization techniques reduces the risks by establishing an OS-level security policy, eliminating non-essential utilities and tools, disabling unused services and ports, updating the environment with security-specific patches and upgrades, and so on. The end result of OS hardening and minimization is a bastion hosta host with improved resistance that provides safeguards against all known threats. Without implementing an OS hardening and minimization process or adopting a trusted OS environment, a network-connected host will always be vulnerable to security threats.

The Application or Service

An application or service is a software program composed of one or more components that act as executable business functions, processes, or user presentation interfaces running within one or more hosts in a network. An application is vulnerable to security breaches if it is not protected against all known threats to functions, deployments, and operations. A risk or a flaw can be exploited by a hacker if it exists in any low-level area: code, data, input/output validation, exception handling, sign-on, access control, library linking, configuration management, session handling, connection, communication, or program execution.