4. Securing Hosts and Data

  • OS and Application Hardening
    • Disabling Unnecessary Services
      • If you don’t use FTP or RDP, kick them to the curb
      • This Improves Overall Security
      • Reduces Open Port Risks
      • Reduces Attack Surface
    • Eliminate Unneeded Applications
      • Base OS installations have a lot of apps that may be unnecessary or unused in your company. If a major vulnerability goes around for those apps, and your security definitions aren’t up to date, you’re fucked.
    • Disable default and unused accounts
      • Pay special attention to backdoor accounts that bypass security
    • Protect Management Interfaces
  • Establish Baselines
    • Set up standards for all computers so that it’s easier to prepare them for use
    • Set up monitors that check against the baseline to ensure computers remain secure
    • Set up NAC and a quarantine server for when things go wrong
    • Security Baselines
      • Might have requirements like FTP disabled, all antivirus up to date, and a host-based firewall installed
      • Most organizations will have different baselines for different hosts
      • Imaging is cool, ’cause you configure one computer and take a “snapshot” of its settings that is spread to other computers
        • Symantec Ghost and Windows Server 2012 offer this feature
        • Could be worth taking weeks or months to develop and test the source image
        • This greatly reduces cost and time of deploying new systems, and allows administrators to focus their efforts
        • You can check actual settings on live computers against the image for easy remediation
      • Group Policy
        • Forces certain configuration on all devices in a group
        • Account Settings
        • Password and Lockout Settings
        • Audit Policies – logs certain events such as log on/off or file access
        • User Rights – such as remote desktop usage or power off privileges
        • System Services – disable services like FTP
        • Software Restrictions – what software can be installed and/or run
      • Configuration Baselines
        • Printer config, app settings, TCP/IP settings, etc
        • If something stops working, you can check against the baseline to identify the issue
        • Configuration baselines must be kept up to date with new changes in policy
        • USGCB – US Government Configuration Baseline
          • Covers the most common security issues and is easy to deploy
          • Good for agencies with limited resources
          • These images are compatible with SCAP – Security Content Automation Protocol, which verifies that security settings are preventing known vulnerabilities
      • Host Software Baselines
        • What software is installed and allowed. Includes the ability to scan systems
      • Application Configuration
        • Settings within an application
      • Performance Baseline
        • Identifies resource utilization and overall performance to check against future status
      • Trusted OS
        • Meets security guidelines and doesn’t allow things to run which shouldn’t
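As an added example (not from the original notes), here is a small Python baseline monitor of the kind described above: it compares a host’s configuration snapshot with a security baseline (FTP disabled, host firewall on, AV definitions current, default/backdoor accounts off) and makes the NAC allow/quarantine decision. The baseline values, host names and snapshot format are constructed assumptions.

```python
"""Check a host configuration snapshot against a security baseline.

Added example, not from the original notes; the baseline and the host
snapshots below are constructed sample data.
"""

# Constructed baseline reflecting the requirements the notes list.
BASELINE = {
    "disabled_services": {"ftp", "telnet", "rdp"},        # must not be running
    "required_services": {"host_firewall"},               # must be running
    "max_av_definition_age_days": 7,                      # AV definitions this fresh
    "forbidden_accounts": {"guest", "support_backdoor"},  # must stay disabled
}

def check_host(host: dict, baseline: dict = BASELINE) -> list:
    """Return the list of deviations; an empty list means the host matches."""
    findings = []
    running = set(host.get("running_services", []))
    for svc in sorted(baseline["disabled_services"] & running):
        findings.append(f"service '{svc}' is running but must be disabled")
    for svc in sorted(baseline["required_services"] - running):
        findings.append(f"required service '{svc}' is not running")
    age = host.get("av_definition_age_days")
    if age is None or age > baseline["max_av_definition_age_days"]:
        findings.append("antivirus definitions are missing or out of date")
    enabled = set(host.get("enabled_accounts", []))
    for acct in sorted(baseline["forbidden_accounts"] & enabled):
        findings.append(f"default/backdoor account '{acct}' is still enabled")
    return findings

def nac_decision(host: dict) -> str:
    """NAC-style decision: any deviation sends the host to the quarantine VLAN."""
    return "quarantine" if check_host(host) else "allow"

# Constructed snapshots of two hosts, as a baseline monitor might collect them.
HOSTS = {
    "web01": {"running_services": ["http", "host_firewall"],
              "av_definition_age_days": 2, "enabled_accounts": ["admin"]},
    "file02": {"running_services": ["smb", "ftp"],
               "av_definition_age_days": 30,
               "enabled_accounts": ["admin", "guest"]},
}

if __name__ == "__main__":
    for name, host in HOSTS.items():
        print(name, nac_decision(host), check_host(host))
```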

Virtualization

  • Virtual Machines or Networks running on a single physical platform
  • Hypervisor
    • Software that creates and runs the virtual machine
    • VMware, Microsoft Hyper-V, Windows Virtual PC, Oracle VM VirtualBox
  • Host
    • Physical server
    • Lots of processors, tons of memory, shit ton of everything
    • Smaller and cheaper than multiple physical machines
  • Guests
    • Operating Systems running on the host
  • Patch Compatibility
    • VMs need to be patched
    • If it works on a physical machine, it’ll work on the virtual one
  • Host Availability/Elasticity
    • The ability to redirect resources to the VM guest that needs it
  • Sandboxing
    • Creating an isolated testing area that does not affect the physical machine or other VM machines
    • You can test virus, antivirus, patches, software, etc
  • VM Files
    • VHD Files
      • Contains the content of Virtual Hard Disk (VHD)
    • XML Files
      • Contain configuration of VM as well as snapshots
    • AVHD Files
      • Differencing disks – contain the differences between the current VHD and snapshots
    • VSV Files
      • Similar to hibernate for VM
    • BIN Files
      • Memory for systems in a save state
    • Because VMs are just files, it’s easy to move a VM from one server to the next, or to back up whole servers
  • Virtual Network Connectivity
    • Virtual NICs, Virtual switches, and virtual networks
    • You can configure full VLANs on VM servers to segment traffic
    • This also helps when testing malware because you can see how it will operate across a network, though some malware can detect when it’s in a virtual environment and change its behavior
  • VM Risks
    • VM Escape
      • A very serious threat where a malware program tries to get access to the hypervisor from within the virtual machine.
      • Hypervisor runs with elevated admin privileges, so gaining access to hypervisor allows it to take control of the physical system and all the virtual hosts
    • Loss of Confidentiality
      • Because VMs are just files, whole systems can be fairly easy to steal
      • Encrypt every’tang

Patches

  • Patches keep software secure, kinda
  • Auto-deployment of patches works sometimes, but if a conflict occurs, it can be a serious issue
  • Patch Tuesday is the big day when Microsoft releases patches, so Wednesdays are dangerous
  • Also, if a patch crashes one system, it can crash a thousand. Test patches on systems very similar to the deployed systems


Security in Static Environments

  • System Examples
    • Supervisory Control and Data Acquisition Systems (SCADA) – Industrial control systems within power plants and water treatment facilities. These are typically disconnected from the internet
    • Embedded Systems – Computing components in printers, HVAC, etc. Not usually connected to the internet so unlikely attack vectors, but dangerous if someone figures out how to control them. (Haywire HVAC is lethal)
    • Mobile Systems – Smart Phones and such, but becoming much less static.
    • Mainframes – High powered systems specific to an organization. Might be contained on isolated networks, but often connected to the primary network so personnel can access it.
    • Game Consoles
    • In-Vehicle computing systems – Cars can be hacked now, cool
  • Stuxnet
    • Stuxnet was a worm designed to attack a specific embedded system in an Iranian Nuclear Facility
    • It made all the centrifuges spin fast enough to tear themselves apart
    • Methodology:
      • Infection – Hidden on a flashdrive
      • Search – Worm located the target systems
      • Update – Downloaded updated version of the worm
      • Compromise – Takes advantage of zero-day vulnerabilities
      • Control – Makes the system go nuts
      • Deceive and Destroy – Sends false data to engineers
  • Protecting Static Systems
    • Redundancy – Like RAID, make sure there are backups for failure. This means firewalls from different vendors, SCADA backup controls, etc.
    • Network Segmentation – An extreme form keeps systems off the primary network entirely, e.g. SCADA devices talk to each other, but only to each other.
    • Security Layers – Firewall, NIPS, etc
    • Application Firewalls – Can identify specific commands in a protocol; good for services that don’t use many protocols
    • Manual Updates – Only install verified updates
    • Firmware Version Control – Keep firmware up to date
    • Wrappers – Like TCP Wrappers; use these to filter traffic
  • Securing Mobile Devices
    • Encryption
    • Authentication and Device Access Control – Username/Password
    • Locator Services – Lost Mode
    • GPS can be used to track you
    • Removable Storage Risks – If you don’t encrypt your data, removable storage is easily lost or easily taken
    • Storage Segmentation – Keep low-security data separate from secure data
    • Screen Locks
    • Lockout – Limited password attempts or Lost Mode
    • Remote Wiping
    • Disabling Unused Features
    • Asset Tracking – Where is the thing
    • Inventory Control – RFID tracking
  • BYOD Concerns
    • Are the devices secure enough? Are users taking data out?
    • Acceptable Use Policy – User responsibilities in return for privileges
    • Privacy – Not everything is private on company time
    • User Acceptance – User must agree to the rules and the privacy restrictions
    • Data Ownership – Org owns everything done internally, including emails
    • Support Ownership – Does IT have to help with BYOD?
    • Architecture/Infrastructure – What access do users have? What VLAN segmentation do they have?
    • Forensics – Can you see in depth what users are doing?
    • Legal Concerns – If a company doesn’t set policy clearly, trouble.
    • On-Boarding/Off-Boarding – Employees must read BYOD policies and there must be rules for adding or removing devices
    • On-board camera/video – Should there be restrictions for security?
  • Mobile Device Management
    • Many configuration managers like Microsoft ConfigMgr 2012 support mobile devices
    • Patch Management
    • Antivirus Management
    • Application Control
    • If devices don’t meet regulations, they cannot connect.
    • Application Security
      • Many apps have credential managers and caches, which are risky
      • Many cameras have geo-tagging features, which are also risky

Protecting Data

  • Data Categories
    • Data at Rest – Any data stored on disk, be that a flash drive, backups, or a mobile phone
    • Data in Transit – Any data traveling over a network. Data Loss Prevention (DLP) tools analyze and detect sensitive data on the network, and you can also encrypt data using IPsec, SSH, or SFTP
    • Data in Use – Data in temporary memory, typically protected by the application using it
  • Protecting Data with Confidentiality
    • ENCRYPT
    • Be careful to encrypt stored data, and keep it encrypted when it’s transmitted.
    • Other tools besides encryption are less secure, such as NTFS ACL permissions. If someone takes your NTFS hard drive and puts it in another computer, they can give themselves access.
    • Software Based Encryption
      • Slower than hardware encryption, but secure with strong algorithms
      • File-Level Encryption
        • Linux uses GNU Privacy Guard (GPG), a command line tool used to encrypt and decrypt files with a password.
        • NTFS includes Encrypting File System (EFS), available from Windows Explorer.
        • File/folder encryption lets you add one more layer of security, even against admin privileges
          • One risk is that if you copy to a file system that doesn’t support NTFS encryption, it may decrypt the files before copying.
      • Full Disk Encryption
        • TrueCrypt is available to do this on Linux and many other OSes
        • Requires a password and encrypts/decrypts the drive on the fly
      • Encrypting Database Content
        • Oracle, Microsoft SQL Server and others allow you to encrypt specific elements, or the entire database.
        • You could, for example, leave customer first names unencrypted and encrypt only their credit card and security code info. This saves processing power
    • Hardware Based Encryption
      • You can use a Trusted Platform Module or other hardware security module for higher performance encryption.
      • TPM
        • Chip on the motherboard
        • Full disk encryption
        • Performs platform authentication (ensures the drive has not been moved)
        • Includes three keys
          • Endorsement key (burned into the chip)
          • The endorsement key is an RSA (Rivest, Shamir, Adleman) key
          • Storage Root Key generates and protects other keys
          • Application Keys – derived from the Storage Root Key
        • To activate the TPM, you often use an application like BitLocker.
        • Without access to the TPM chip and authenticated credentials, the data remains secure
      • Hardware Security Module
        • A security device that can be added to a machine to manage, generate, and securely store keys.
        • High-performance HSMs are connected to a network with TCP/IP
        • Smaller HSMs are merely expansion cards plugged into a server
        • An HSM performs very similarly to a TPM, but it is removable
  • Data Leakage
    • Data Exfiltration – When data is transferred outside of an organization
    • Data Loss Prevention (DLP)
      • Examines data looking for unauthorized leaks
      • Can examine stored data, moving data, and data in use
      • Data in Motion
        • UTM devices include DLP to scan emails and files
        • A lot of data is labeled as classified, confidential, private, or sensitive.
        • Once data is labelled, it can be inspected in transit and blocked if necessary
      • Endpoint Protection
        • Can include preventing flash drive usage or printing
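As an added example (not from the original notes), a minimal DLP inspection in Python for data in motion: it looks for classification labels and clear-text card numbers (checked with Luhn so ordinary digit runs are not flagged) in outbound messages, and blocks labelled or sensitive content that is leaving the internal domain. The label markers, the example.com domain and the sample messages are constructed assumptions.

```python
"""Inspect outbound messages for labelled or sensitive content (DLP).

Added example, not from the original notes. The label markers, the
internal domain and the sample messages are constructed.
"""
import re

LABELS = ("classified", "confidential", "private", "sensitive")
INTERNAL_DOMAIN = "example.com"             # constructed
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps random digit runs from being flagged as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:              # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found

def inspect(message: dict) -> tuple:
    """Decide ('block' or 'allow', reasons) for one message leaving the network."""
    external = not message["to"].endswith("@" + INTERNAL_DOMAIN)
    body = message["body"].lower()
    reasons = []
    labels = [l for l in LABELS if f"[{l}]" in body or f"classification: {l}" in body]
    if external and labels:
        reasons.append("labelled " + "/".join(labels) + " but addressed externally")
    cards = find_card_numbers(body)
    if external and cards:
        reasons.append(f"{len(cards)} card number(s) in clear text")
    return ("block" if reasons else "allow"), reasons

# Constructed sample messages: internal labelled mail, external labelled mail,
# a clear-text test card number, and an order id that merely looks numeric.
MESSAGES = [
    {"to": "bob@example.com", "body": "Classification: Confidential\nQ3 numbers attached"},
    {"to": "partner@other.example", "body": "[CONFIDENTIAL] Here is the deck"},
    {"to": "shop@other.example", "body": "Card 4111 1111 1111 1111 exp 12/29"},
    {"to": "shop@other.example", "body": "Order id 1234567890123456"},
]
```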

Understanding SANs (Storage Area Networks)

  • Might include hard drives, disks, tape, and optical media
  • Often configured in fault-tolerant arrays for high performance
  • Robotic devices often assist in loading/unloading optical jukeboxes or tape libraries
  • SANs often rely on high speed internal transfers
  • Virtual SANs are a newer tech
  • Fibre Channel
    • Speeds of up to 16 gigabits per second
    • Require special hardware and cabling
    • Expensive, albeit efficient
    • Some support copper, not just fiber
  • iSCSI – Internet Small Computer System Interface
    • Transfers SCSI commands over IP
    • Utilize existing network infrastructure
    • Allows SAN without specialized hardware
  • FCoE – Fibre Channel over Ethernet
    • Uses FC commands, but transmits them over Ethernet networks
    • FCoE encapsulates the commands within standard protocols
    • Allows an Ethernet LAN to act like Fibre Channel without the cost
  • Handling Big Data
    • Data sets, like Amazon’s, that are too large for traditional tools to analyze
    • Use many of the same tools, plus some special ones

Understanding Cloud Computing

  • For example, Gmail is a SaaS (software as a service) cloud application
  • Amazon’s Elastic Compute Cloud (EC2) service provides elastic, on-demand servers to companies with variable traffic demands
  • Software as a Service (SaaS)
    • Gmail, GDocs, etc
    • Management as a Service (MaaS)
      • Third party helps run IT resources, monitoring logs, etc
    • Multi-Tenancy Architecture
      • Like running multiple tabs in a web browser: one application instance for multiple users
      • GDocs
    • Single Tenancy Architecture
      • Individual app instance for each user
  • Platform as a Service (PaaS)
    • Preconfigured computing platform for customers
    • Also known as a Managed Hardware Solution
    • Buying servers as web hosts
    • Can include OS, antivirus, spam protection, security, etc
      • Often includes up-to-date patches
    • You manage the software you need for your uses, and let the rest of the server be handled by the provider
  • Infrastructure as a Service (IaaS)
    • The IaaS provider owns the equipment and the data center and performs hardware maintenance, but the customer rents access to the equipment’s functionality
    • Also known as a Self-Managed Solution
    • Customer must configure the OS, software, etc
    • This means less hardware per company, so it saves money on equipment, power, HVAC, and personnel
  • Public vs Private Cloud
    • Public is like Box Sync or Google Drive
    • Private is specific to a corporation
    • Hybrid clouds exist
  • Cloud Computing Risks
    • You lose physical control of the data
    • You don’t always even know where the data is
    • You don’t control the security for your data, and cloud employees can be thieves themselves

“Only data you should put on a cloud is data you’re willing to give away”
