As companies create their security management plans for the coming year, they are outlining specific areas within their IT environment that would be ideal for technology and security upgrades. This is especially important for small and midsize firms trying to figure out what technology upgrades they need to make a top priority for the best security.
When setting your business security priorities, the first thing to consider is your overall environment and landscape in terms of software (operating systems, applications, middleware and databases) and hardware (PC's, server, appliances and network).
To begin, here are the key questions organizations need to ask when planning for technology upgrades:
- What technology within your environment do you consider mission-critical or business-critical?
- When was the last time you upgraded key software and hardware in your critical areas?
- Will upgrading cause forced outages? If so, for how long?
- What technology within your environment is either nearing or at the end of life, where the manufacturers will no longer provide support?
- Are there any areas where you are running into performance issues as a result of obsolescence?
- Are there any significant security issues that can be eliminated by upgrading to new software or hardware?
Lastly, one of the main considerations for organizations right now is determining what role virtualization and
When creating or updating your security management plan, there are a number of key areas you should consider. First and foremost, determine your needs vs. your wants. An upgrade that is a "need," for example, is any situation where you are running an application, operating system or appliance that is no longer supported by its manufacturer. In this case, you need to have a plan to upgrade. On the other hand, if you are running Windows XP on your PC environment and are considering moving to Windows 7, you are not in a situation where you have to upgrade.
Here are a few technology upgrades you should consider in 2011:
Red Hat Enterprise Linux 5 Server
The fifth update from Red Hat, Enterprise Linux 5 includes enhancements to hardware, virtualization and interoperability. Enterprise Linux 5 includes four major innovations that protect systems against attack, particularly in the area of buffer overflow and other memory-based attacks. Customers can increase the level of security used for authentication with Enterprise Linux 5 systems from a one-factor, password-based authentication scheme, to a two-factor, smart card-based authentication.
Enterprise Linux 5 is the first operating system from Red Hat to ship with support for the functionality necessary to meet Common Criteria for Trusted Operating Systems. This includes all functionality to enable EAL 4+ certification under the following protection profiles: CAPP (Controlled Access Protection Profile), RBAC (Role Based Access Control) and LSPP (Labeled Security Protection Profile).
Adobe Flash Player 10.1
Adobe Flash Player (formerly Macromedia Flash Player) lets the user view animation and entertainment on the Web. It displays Web application front-ends, high-impact website user interfaces, interactive online advertising and short-form to long-form animation. In its latest version, it has improved security features using industry-standard cryptography. Adobe Flash Access 2 and Flash Player 10.1 provide an environment to protect content so it remains safe from tampering or capture throughout its lifecycle, thus improving the security of Adobe applications. While prior versions of this product have had appropriate security controls and Adobe has been quick to respond to known vulnerabilities, upgrading to 10.1 is one way of removing the vulnerabilities that existed in prior versions of Adobe Flash Player. Further, an upgrade allows organizations to utilize all the new Flash Player benefits, including support for mobile devices and mobile-ready features, in addition to providing improved support for live events.
While upgrading to Windows 7 isn't a "need" right now, it is a significant improvement over Vista and is for the most part the major upgrade made by organizations in 2010. Where Vista had poor performance, compatibility issues and lack of compelling features, many organizations regret upgrading and others refuse to leave Windows XP. While Windows 7 is far from flawless, it appears to be the worthy successor to Windows XP that Vista never was.
For Windows security, Windows 7 gives you control over User Account Control (UAC) in the form of a slider containing four security settings. You can accept the full-blown UAC or elect to disable certain features. You can also tell UAC to notify you only when software changes Windows' settings, not when you're tweaking them yourself.
Internet Explorer 8, Windows 7's default browser, includes many security-related enhancements, including a new SmartScreen Filter (which blocks dangerous websites) and InPrivate Browsing (which permits the user to use IE without leaving traces of where they have been or what they have done). Internet Explorer version 8 is equally at home in XP and Vista -- and it's free -- so by itself IE 8 doesn't make the case to upgrade to Windows 7.
If the specs of the PCs in your organization qualify to run Vista, get Windows 7. If they do not, avoid the upgrade. However, this may be a signal that it is time to upgrade your hardware. If that's the case, for an incremental investment, you can upgrade your hardware and OS at the same time.
As always, keeping the Internet browsers on your organization's PCs up to date is key, and organizations have several options available, including Google Chrome, Microsoft IE8, Mozilla Firefox and Apple's Safari. Keeping browsers updated is an important element for managing and reducing security exploitations.
Ensuring your security controls are updated/upgraded will be key going into a new year, so ensure your antivirus, malware, firewalls (security-based appliances, IDS/IPS, etc.) are all up to date with the latest versions and patches in place.
About the Author:
Robbie Higgins is Vice President of Security Services at GlassHouse Technologies.
This was first published in November 2010