With attacks continuing to be launched in ever-increasing number, its easy to say IT systems are more threatened than ever. But the fact is, defensive weapons have multiplied as well—if only we will use them. Indeed, there are new enhancements to operating system security that should become important parts of every IT managers arsenal.
Much of todays security focuses on keeping the hacking armies outside the gates, yet phishing, e-mail viruses and social hacking have all proved to be successful ways for interlopers to gain entry. A different mindset is needed: IT managers must assume that intruders will get past perimeter defenses at times. Thus, IT pros should implement technology that prevents damage from spreading.
Trusted operating systems, and the compartmentalization they provide, are built on the assumption that attackers may find a way into an operating system function but that any damage they do can be limited to that function and prevented from spreading to other functions.
General-purpose operating systems have strengthened their reliance on this principle by fine-tuning the privileges of applications and users. For example, Solaris 10 has new process rights management that limits an applications rights to the bare minimum required for it to run. In this system, even if an application is compromised by a buffer overflow or an unpatched vulnerability, an attacker cannot increase his or her privileges on a machine. In the Linux world, Exec Shield and Pax are each vying to become the preferred technology for protecting the memories of Linux servers by limiting the damage compromised applications can do.
Because most major attacks target Microsofts operating systems, we encourage IT managers to investigate and implement the new DEP (Data Execution Prevention) functionality that arrived with Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.
As of today, hardware support for NX (No Execute) functionality, which helps prevent infected programs from taking over a machine, is limited to AMD Athlon 64 and Sempron processors and Intels Pentium 4600 processor family. Without being enabled for specific hardware, the Windows systems can run a limited, software-only version of DEP.
Microsoft should develop technologies for buffer overflow prevention on additional processors and improve the NX technology on chips it already supports. We believe IT managers who use Microsoft technology are entitled to secure systems without having to adopt the controversial DRM (digital rights management) capabilities of NGSCB (Next-Generation Secure Computing Base), formerly called Palladium.
Setting up trusted operating systems requires commitment and skills from IT, but doing so can prevent serious security breaches. Attacks on IT systems arent likely to abate any time soon. IT pros who have not yet investigated trusted operating systems should do so. Now.
Tell us what you think at [email protected].