Secure by Default
Author(s): Dr. Glen E. Newton, Posted on April 24th, 2014
Let’s look at the concept of “secure by default” to set the context for the secure by default features in ClearPath OS 2200 Release 15.
Intuitively, “secure by default” means that the object being discussed – a computer system, for our purposes – is protected against attacks without the administrator having to take any action. In practice it is a bit more complicated than that.
If we apply the technique of reductio ad absurdum to the practice of securing a computer system, we could say that every computer system ever delivered to a customer was secure by default. Why? Because it was powered off! (Cue the rim shot and cymbal crash.)
Customers expect a computer system to be accessible and usable in addition to being secure, and that leads to the tradeoffs that every business must make. As a starting point, you have to turn the system on; then there are the connections and features that are restricted by default but are needed for a particular business application and thus must be changed from their default values.
Security is one of the strengths of OS 2200 systems, and a wealth of configuration options let you configure the system, applications, and users to a level of security that matches your risk tolerance. Thus you might ask, “After over 30 years, why change defaults now?”
Part of the answer is that some of the defaults that were acceptable when they were chosen are no longer aligned with the security practices that have since become standard in the industry. The Release 15 secure by default features address those practices, including requirements from the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS), a standard that is respected even by businesses that do not process credit cards.
The other part of the answer is that attackers have evolved too. Specialized password-cracking tools and the steady growth in raw processing power available for attacking systems mean that a password length once considered adequate can now be searched exhaustively. Passwords that were previously considered long enough to be secure are no longer safe.
One of the new Release 15 defaults addresses that particular point. In Release 15, the previous defaults for allowable password length (a minimum of 1 character and a maximum of 6) have been updated to a minimum of 8 and a maximum of 18. Note that the old maximum mattered as much as the old minimum: a 6-character ceiling capped the strength of every password on the system, no matter how careful the user was. The new defaults are in line with today’s best practices for password length.
This simple example also illustrates the migration considerations involved in changing defaults. A new OS 2200 partition booted from a standard release tape gets the new defaults. An existing partition that already has explicit values in its configuration keeps them when the system moves to Release 15, but a partition that was relying on the released defaults, rather than specifying a minimum and maximum password length, will pick up the new minimum of 8 and maximum of 18. The change does not invalidate any user’s existing short password; the new limits are enforced when the user next changes the password, and the new password must comply with them. An administrator who wants every account to meet the new floor therefore has to require existing users to change their passwords rather than waiting for it to happen on its own.
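The following is an added example, not code from the article or from OS 2200, that models the migration behaviour just described: an explicitly configured value survives the upgrade, an unset value picks up the new released default, the length rule is applied only when a password is changed, and accounts whose password predates the cutover are listed so an administrator can require a change. The parameter names, the sample partitions, the account list and the cutover date are all constructed for the example and are not OS 2200 configuration names.

```python
from datetime import date

# Constructed defaults modeled on the change the article describes
# (old released default 1..6, new released default 8..18).
OLD_DEFAULTS = {"min_password_length": 1, "max_password_length": 6}
NEW_DEFAULTS = {"min_password_length": 8, "max_password_length": 18}

# Hypothetical partition configurations. None means "use the released default".
PARTITION_EXPLICIT = {"min_password_length": 6, "max_password_length": 12}
PARTITION_RELIES_ON_DEFAULTS = {"min_password_length": None, "max_password_length": None}

# Constructed account list: user -> date the password was last changed.
SAMPLE_ACCOUNTS = {
    "ops1": date(2013, 11, 2),
    "ops2": date(2014, 7, 15),
    "batch": date(2012, 6, 30),
}
# Hypothetical date on which the upgraded partition started enforcing the new limits.
CUTOVER = date(2014, 6, 1)


def effective_policy(explicit_config, release_defaults):
    """Resolve the policy actually in force on a partition.

    An explicitly configured value always wins; a parameter left unset takes
    the default shipped with the release being booted. This is exactly why an
    upgrade changes some partitions and leaves others alone.
    """
    policy = dict(release_defaults)
    for key, value in explicit_config.items():
        if value is not None:
            policy[key] = value
    return policy


def password_change_allowed(new_password, policy):
    """Length limits are checked only when a password is being set.

    Authentication with a password already on file is deliberately not routed
    through this check, which is why an upgrade does not lock anyone out.
    """
    length = len(new_password)
    return policy["min_password_length"] <= length <= policy["max_password_length"]


def accounts_to_force_change(accounts, cutover):
    """List users whose password was set before the new limits took effect.

    Those passwords were never validated against the new floor, so they are
    the ones an administrator must force to be changed.
    """
    return sorted(user for user, changed in accounts.items() if changed < cutover)


def simulate_upgrade(explicit_config, candidate_password):
    """Show a partition's policy before and after the release change and
    whether a given new password would be accepted afterwards."""
    before = effective_policy(explicit_config, OLD_DEFAULTS)
    after = effective_policy(explicit_config, NEW_DEFAULTS)
    return {
        "before": before,
        "after": after,
        "accepted_after_upgrade": password_change_allowed(candidate_password, after),
    }


if __name__ == "__main__":
    for name, cfg in (("explicit", PARTITION_EXPLICIT),
                      ("released defaults", PARTITION_RELIES_ON_DEFAULTS)):
        print(name, simulate_upgrade(cfg, "abc123"))
    print("force change:", accounts_to_force_change(SAMPLE_ACCOUNTS, CUTOVER))
```

Running the block shows the partition with explicit 6/12 limits unchanged by the upgrade, while the partition relying on released defaults moves from 1/6 to 8/18 and rejects a 6-character password at the next change. The audit by last-change date is the practical step the article implies but does not spell out: the policy only guarantees compliance for passwords set after the cutover.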
The concept of “secure by default” applies to all OS 2200 security levels, from Fundamental Security through Security Level 3. The choice of configuration parameters is ultimately yours, based on your risk tolerance and security policies, but our goal with these changes is to make a secure configuration the easy path and an insecure one the harder path.