Making Products Secure, By Default
By Arjun Narayanan, Product Security Engineer
SECURE PRODUCTS WITH OS HARDENING:
The path to a more secure cyber world starts with designing, engineering and manufacturing products with cyber security best practices. In short, to make products “Secure by default”.
Connected Systems – High Risk:
Industry today, is focused on enhancing productivity by digitalization, automation and optimization of processes. To achieve this digitalization and automation, many intelligent devices and systems are interconnected and deployed. This phenomenal transformation in industries has impacted various stages of the supply chain, including design, prototyping, development, testing, processing, production, sales, service and maintenance.
The interconnected systems infrastructure, in any industry, has raised the stakes in terms of security risks. Connected systems is the new trend to faster time to market, but security risks like Denial of Service (DoS), ransomware, unauthorized access, data breach, device tampering, etc., have often been uncovered. Also, with the advent of wide range of desktop and mobile applications that are used together today to control, send/receive instructions, store information, etc., a poorly secured/hardened product deployed in an organization can become a Honeypot for attackers to gain access to data or to control devices remotely.
INTRODUCTION TO PRODUCT SECURITY AND HARDENING:
There are various aspects of security, including network security, data security, software security, etc. Product security has become an addition to that list, with a prime focus on securing devices, systems, instruments, etc. The process is like a health check-up. We scan our body, find illness and treat them, or we take medications to prevent common illnesses before they occur. In product security, we perform a vulnerability assessment, find known vulnerabilities in our devices and fix them before shipment. We also perform hardening on product operating systems (OS) to protect it from security flaws. For more information on our product security program please refer to our previous blog post.
Product OS Hardening is a process of securing the operating system of the products against attacks, by minimizing the attack surfaces. An unhardened OS may be susceptible to security flaws like,
- Outdated software – that may lead data privacy risks. Recently, a tele-conferencing software provider faced complaints from the users regarding security flaws in their software that allow an attacker to gain access to the user’s PC remotely.
- Unused ports – an unprotected telnet port has a risk of being hacked into to gain access to the system
- Outdated services – the WannaCry ransomware attack is a classic example of showing the risk of using an outdated service like Server Message Block (SMB).
- Poor encryption of sensitive data
- Poor user account management – leading to unauthenticated/unauthorized system access
The above diagram is sample snapshot of how to secure an environment.
Product OS Hardening @ Keysight:
Securing a system should be a bottom up approach. We start with a simple principle – “Secure by default” - which leads to the individual aspects of hardening that address the security flaws discussed earlier. Data protection is one of our major concerns in Keysight instruments. Sensitive data not only includes user account information but also covers various signal and sensor information depending upon the type of product. The diagram below shows a high-level overview of the Product OS hardening process in Keysight’s product lifecycle.
Is OS hardening all that is needed to protect our products/systems? The answer is no, but it is one of the effective, important and widely used methods to protect interconnected systems. Let’s refer back to our analogy that securing products/systems is like a health check-up. Hardening is like being vaccinated to improve our immune system and prevent us from being vulnerable to common infections/illnesses.
To learn more about Keysight’s hardening process, kindly reach out to us through our contact channels.
Benefits of hardening:
So now that we understand what hardening is and how it is adopted at Keysight, let’s review “why” it is important as part of product security.
- Eliminates access points1 – unsecure entry/exit points are eliminated by imposing stricter access control measures and strong password policies
- Reduces attack surface – exposure to vulnerable space is reduced by removal of untrusted protocols, services and closing unused/untrusted ports
- Secures infrastructure – if every product/system in an IoT infrastructure uses a secure, hardened OS, the landscape will be more secure at multiple levels, thereby minimizing attraction for attackers
- Stricter password rules make it difficult for attackers to perform brute force attacks to crack password and gain access
- Eliminates risks due to known vulnerabilities – a hardening baseline is defined with knowledge of known vulnerabilities captured by a vulnerability assessment process
- Secures data – secure hardening emphasizes use of established cryptographic methods in protecting sensitive data
The product security team at Keysight is dedicated to work on programs that ensure Keysight products are secure and safe.
Security is always an unfinished business. We need to be watchful of the latest threats, attacks, data breaches and make security a continuing process, or even a habit.
References:
1 https://www.g6com.com/benefits-of-operating-system-hardening/