WelcomeEnterpriseSmall BusinessHome & Home OfficePartnersAbout Symantec

80-20 Rule of Information Security
Removing Unneeded Services, Patch Maintenance, and Enforcing Strong Passwords

While at times the practice of managing information security may seem complex and costly, not all security controls are equally difficult to implement or effective. In fact there are three easy to understand controls that if implemented successfully will dramatically reduce your risk of a successful compromise against your information resources. These three controls are embodied in the notion of the information security 80-20 rule. This rule states that 80% of security risk is effectively managed by implementing the most important 20% of available technical security controls, which are removing unneeded services, keeping service patches current, and enforcing strong passwords.

Every security control implemented within an organization costs money and in sound economic terms the 80-20 rules helps an organization spend their security dollars wisely. By focusing the attention of security officers and IT staff on the most important 20%, a large and seemingly unbounded security problem can be successfully managed, and at a reduced cost. These three controls remove the most common avenues of attack and significantly raise the attacker's cost of successfully penetrating and exploiting information resources.

At any given time, there is a set of vulnerabilities that are considered "fashionable" and popular among attackers. These vulnerabilities are used as entry points for the vast majority of attacks primarily because they are pervasive and available. In 2001 there was a significant increase in the sophistication and destructive power of automated exploit code such as Code Red and Nimda. In the case of both of these attacks, the underlying vulnerabilities were well understood and patches had been available for several months before the tools were released.

The economic bar must be raised to the point that it is very costly on the part of the attacker, in time, skill, and money, to successfully compromise an organization. The use of the 80-20 rule will raise the attacker cost to the point that script kiddies and automated exploit code are ineffective, and will turn away all but the most determined "uber hacker".

I. Removing Unneeded Services

The modern operating system is a sophisticated and complex set of programs and components. Because of this complexity there exists in many components security weaknesses, some of which can be exploited over the network. For any given service such as ftp, web server, network file sharing, smtp, etc., there are known as well as undiscovered vulnerabilities. It stands to reason that the best way to gain control and simplify the security problem domain is to remove the number of components, programs, or services from your information systems until only the minimum "business needed" services remain. These actions should be taken:

  1. Define the role of the information system. Avoid using systems in more than one role, e.g., a web server should not also be the ftp server. A single role system makes it easier to define which services should be running and which services should not.
  2. Determine which services are needed on the system (legitimate business need) and remove all others. If it is a public facing web server then obviously some web server components should be running, but the vast majority of other services installed by default should not. To discover services that handle network connections use netstat to view open ports and then systematically eliminate all services which are not legitimately needed for the system's purpose.
  3. Determine which features within the service should be enabled. In many instances it is important to disable features within a service when there is no legitimate need such as ISAPI extension mapping in IIS. Also there are many sample script files that are installed by default by enterprise applications in many instances these samples do not undergo the same level of quality assurance and can be used to compromise the service. Remove sample scripts.
  4. Public facing systems such as web servers, DNS, email servers, etc., should have priority in this first step. Internal servers should then have next priority when defining role and removing unneeded services.

Symantec's Enterprise Security Manager has pre-configured security policies for specific platform/server roles. This tool identifies systems that are running services that are unnecessary for its specific role and will also alert whenever a compliant system has new services added to it.

Removing unneeded services is critical to reducing the number and quality of avenues of attack and in reducing the security problem scope for security staff to manage. Removing unneeded services also makes the next step manageable, keeping patch levels current.

II. Keeping Patch Levels Current

There is no question that this is the most difficult of the three controls to successfully implement, nevertheless keeping patches up-to-date on services that must remain operational is critical to closing well known holes that attackers and automated tools use to compromise an information resource. It is easy to understand why removing services and turning off features is key to successfully managing patch maintenance. Each time a service is permanently removed the need to provide regular patch maintenance on that service is gone as well.

OS and application vendors provide patches to their products periodically. The use of patch tools to discover which systems are missing patches is highly recommended. In addition procedures and automation should be used to its fullest extent possible so that the more mundane and easily overlooked tasks such as patch discovery and download are accomplished regularly. The key to a successful patch maintenance program is for staff to focus on testing and deployment of patches rather than discovering what patches are available and which systems needs them. This is where patch tools and automation can provide great benefit over time. These steps should be taken:

  1. Identify available patches from vendor sites. This should be automated if at all possible or a patch tool should be used.
  2. Identify systems that are not running the latest patch. A patch tool can identify systems without current patch levels.
  3. Download and test patches on test systems. Vendors run patches through QA but the release cycle is often much shorter than the long regression testing employed during a regular release cycle.
  4. Deploy patches to systems. Public and internal servers receive first priority.
  5. Monitor systems. Determine if the service behavior has changed.

Symantec's Enterprise Security Manager releases patch policies regularly which identify systems that do not have the latest patches installed. This removes the burden of monitoring vendor sites for patches and discovery of patch levels on systems.

There may be times when it is more appropriate to make a configuration change to the service rather than patch the service, especially in the case where patch testing reveals some behavior change in the service. It is not too uncommon for a vulnerability to be closed either through the application of a patch or to turn off the vulnerable feature. Again if the feature is not needed it is best to turn it off altogether.

Patch maintenance is usually the most difficult of the 80-20 controls to implement. Special care should be given both in the use of written manual procedures and automated procedures to make sure that this important task is successfully supported and completed regularly.

III. Enforce Strong Passwords

For many information systems the account and password logon is the first and only layer of defense, particularly within the organization. While worthwhile security money is spent on protecting information assets from the outside attacker coming into the organization, many times the "fifth" column attacks or attack from within are the most devastating. Brute force password attacks are the least sophisticated of attacks but nonetheless are very effective.

The most challenging part of password enforcement is for employees to choose and regularly update strong passwords. In too many cases passwords can be easily guessed. In particular there is a tendency for people to choose poor passwords from the entertainment media. Password cracker programs that use word dictionaries from entertainment and literature such as sports names, Star Wars, Star Trek, Monty Python, Disney, and J.R.R. Tolkien etc., invariably discover weak passwords at large organizations. Also default passwords or empty passwords that are found in devices and application software are an easy avenue to exploit.

It is important to educate employees as to what makes a strong password. Many of the recent versions of operating systems employ password complexity filters such as passfilt or npasswd that will reject passwords that are weak when users attempt to set or change them. The use of these filters is highly recommended. One important consideration in developing a password policy is how often users are forced to change passwords (max and min password age) and what password history should be used. If users are forced to change passwords too frequently then there is a tendency to write passwords down and prominently display them on Post-It notes. Also if a history is kept too short and the min password age is not long enough users will quickly cycle back to their original password. Enforce at a minimum these password settings:

  1. Minimum password length should be 8. Administrator passwords should be fifteen characters or greater.
  2. Use a password max age or 60 or 90 days. Any less may cause users to write down passwords.
  3. Use a password min age of not less than 14 days. Do not want users to cycle back to their "favorite" password.
  4. Keep password history at least 10.
  5. Use a password filter so that users are forced to use a combination of alphanumeric and non-alphanumeric characters.
  6. Audit for empty and weak passwords using a password strength analysis tool. Tool should use password dictionaries from the world of sports, Star Wars, Star Trek, Disney, J.R.R. Tolkien, Monty Python, etc.
  7. Remove all default accounts from applications and devices.
  8. Rename well known account names such as administrator, sys, system, if possible.
  9. Remove inactive accounts.

Symantec's Enterprise Security Manager has a comprehensive password strength auditing capability that makes password analysis across all your systems a single click event. Over sixteen settings such as min and max length, password = user name, empty password, password = password dictionary, default passwords, discover inactive accounts, are supported.

Keep in mind employee education. Many strong password principles are easily understood. Training employees in how to create a strong password, e.g., encode a phrase or sentence with upper and lower case letters and punctuation, can make the process of changing passwords much less frustrating to users. Password strength enforcement is probably the easiest of the three 80-20 principles since many of the password controls described here are built into modern operating systems.

IV. Summary

Preventative information security does not have to be an overwhelming problem. By using the principles of 80-20 presented here, namely, removing unneeded services, keeping patches current, and enforcing strong passwords, the organization's information security domain is greatly simplified and reduced while at the same time significantly increasing each system's security level. These steps do not all have to be accomplished at once. An organization should first apply these principles to the most critical information assets, particularly public facing servers such as web servers, DNS, email, and ftp servers, and then apply them to second and third line assets. Organizations that use these controls will enjoy a high degree of protection against many types attacks particularly "script kiddie" attacks and "blended threat" worms such as Code Red and Nimda, and will raise the economic opportunity bar so that attackers will simply move on to an easier target.