Mitigation And Deterrence: Hardening


Table of Contents
System Hardening ........................ 2
Scanners ................................ 5
Anti-Malware ............................ 7
Software Security ....................... 8
Secure Coding Practices ................. 10
Security Baselines ...................... 11
Common Criteria (CC) .................... 13
Internal Security Baselines ............. 14
Hardening OS and NOS .................... 16
Keep Systems Patched .................... 18
Hardening Host Systems – Updates ........ 20
Install Only Necessary Software ......... 21
What Services Are Necessary? ............ 22
Secure Necessary Services ............... 24
Notices ................................. 25

Page 1 of 25

System Hardening (slide 130)
- Change default passwords
- Install an anti-virus client
- Routinely update applications, drivers and operating systems
- Turn off unnecessary services, processes and ports
- Use encrypted management protocols like SSH, HTTPS or SCP
- Remove unnecessary user accounts
- Limit the creation of privileged accounts

When we talk about system hardening we want to look at this both from a single system and from an environmental standpoint. First, what is the password policy for this organization? How many characters should it be? How long should it remain intact? How often should we change it? Should we force somebody to log off? How are we installing our antivirus clients? Do we allow that agent to step up and turn on?

One of the key tools that I've seen before with a couple of companies is this posturing, where what happens is

a host plugs into the network and says "Hi, I'm here. Give me Internet connectivity." And what those tools do, like NAC and NAP and other posturing tools, is they say "You know what? Do you have antivirus running? I don't see any virus there. We're not going to let you connect to our network. You can go out to the Internet." "But I want to connect." "Okay, install antivirus and then come back and check back in with us." "I've got my antivirus on." "Okay, so now I see your antivirus. When's the last time you did a database definition update? Where did you get that from and who were you using? Did you get it from us? Did you get it from somebody else? Tell me all that stuff about yourself before I allow you to connect."

We get a profile or a posture of that particular machine to know that it has been updated with the latest patches, that it has done it within the prescribed time, and that it doesn't have any malware on it from the reporting. Now we'll let you on to our network and you can get to a subset of our resources.

In system hardening we also do things like shut down. We actively seek out a way to provide least privilege. Just enough to do the job. Do you need an FTP server on your machine? No. Turn it off. Do you need Internet Information Services? No, I'm not a web server. Do you

need web printing enabled in order to be able to share your local printer? No, I don't. Turn it off. And every single time you look at these things, go and say, do I need it? No? Turn it off.

Now, here's the problem. This vendor, that vendor, and that vendor over there are all going to be saying "But I need." And you go "Hey look, there's got to be a way around this." Now if your organization is big enough, you can say "We've got 'X' number of licenses and we want you to- we're going to demand this particular requirement for your organization. Can you help us out or not? If not, we're going to go to somebody else that can actually provide that."

Hopefully they are not the only vendor on the planet that does that particular activity for you, or they are not unique in the market. Go back to them and say "We'd like you to trim this down." The classic example of this is all agent-based systems that are querying the local box, and what kind of privilege they need.

In all these cases, what we're doing in system hardening is we're saying, what is the least amount of services we need to get the job done? And if you need something else, please tell us so that we can review it.

Scanners (slide 131)
A myriad of anti-virus, anti-spyware, and general anti-malware programs are available, both free and commercial. Most use the following in identifying malcode:
- Signature - an algorithm or hash that uniquely identifies a specific virus, worm or variant of malicious code
- Heuristics - detection based on patterns of behavior of previously known malcode, designed to detect new or previously unseen malware
- Integrity checkers - calculate hashes for known good files and validate the hashes against the last known good hashes for the specific files

Next thing we'd like to do is we'd like to have some scanners in our shop that can actually tell us what's going on. We have that local antivirus, but maybe we scan the box in another way. Maybe we look for malicious code with another tool. Maybe we use integrity checkers to make sure that files haven't changed. My favorite integrity checker out there is Tripwire. We don't use this on all machines. We use this on some machines. It says to us, the file integrity checker says, let's find the executables on this machine that are the most important to this machine, that could cause us problems if they

changed. We'll take each one of those files and we'll run an MD5 hash against that file and we'll get the value from that file. We will do that for every single one of those critical files. We will pull all those hashes up and we'll put them into a database not on that machine.

At regular intervals, whatever that interval is, we'll go back and we'll query that machine again, rehash those files, and compare those two hashes. If the hashes match, that file on that machine has not changed. If they do not match, at that moment in time what we will say is "This is an alert. Hey, that file has changed."

Now if we couple this with our change control process, in our change control we said, well, we have updated the machine, and these are the things that we updated on that machine. So what we should see in Tripwire is in fact that those particular, well, if we're tracking them, those particular executables and DLLs have changed. We should match that up in our report and say yes, the things that we said were going to change, Tripwire has told us that they are changed, if we have that definition in our Tripwire database for hashing those particular files.

If you say "I want to hash the temp files on that machine every single time it's going to be changed," is that a critical file? No. Okay, so then don't do that. Does that change that often? Yes. Okay, then don't check that.

Scanners don't have to be antivirus. They can be

antivirus, spyware, anti-malware. There are a whole bunch of scanners out there that you can use. Some are free. Some cost money.

Anti-Malware (slide 132)
Anti-Virus, more specifically, any single product can't catch everything. Products like:
- Spybot - Search and Destroy
- Malwarebytes
- Super Anti-Spyware Scanner
- Ad-Aware SE
help protect against other forms of Spyware, Adware, and Scareware that AV doesn't always check for. Usually run as a manual scan, with some products providing Real-time Registry Protection.

Anti-malware. A lot of the operating systems are actually creating anti-malware scanners. Microsoft has done one now that they usually roll out every single month with their Super Tuesday patches. But there are other ones out there, like Spybot and Malwarebytes and SuperAntiSpyware scanner, and Ad-Aware SE. By the way, Ad-Aware SE also happens to have a plugin that works with a couple of different

browsers out there. I like these tools because they make the user aware of what's going on. Now you can run these as manual scanners if you want to, but I think that some sort of automation in place, and reporting that you review on a regular basis, is a good idea.

Software Security (slide 133)
- Code Signing provides assurances to the end-user that the digitally signed executables and scripts were developed by the trusted software author, and provides guarantees that the code has not been altered or corrupted since being signed, by use of a cryptographic hash.
- Use or require secure coding practices during software development
- Test and audit each program used by your organization
- Keep authorized applications up to date with regard to patches and updates

Software that we produce or we purchase from others, other than the operating system, needs to have proof that this is correct and consistent software. One of the ways that we do that is, for smaller applications, we actually take that executable if we are the developers,

and we actually sign that code. We use public key infrastructure to write to this file a unique fingerprint or signature against that particular file. Once we hash that file and use our private key to generate a signature here, the way that we can unlock this is with the public key that's freely available.

This security of software tells the people that are downloading this software that it came from us, if they verify it. Another way to do this, that might be a little bit easier for other organizations that can't do the code signing themselves, is, when they post up their software, to actually run the MD5 hash or SHA, it could be SHA-1 or SHA-256 at this point, the hashing algorithm, against that software and to get a unique string that is associated with that piece of software.

They could post the string to the site where the download is, or they could post this in another location and ask people to request it via email so that they could send it out of band. What this would do is this would stop evildoers from attacking that website, pulling that software off, and putting new software in that could be a Trojan. Because now what happens is, that Trojan, when we run the MD5 hash against it or the SHA-1 hash against it, it's not going to match that value that was sent to us on an email or posted to their website.
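The Tripwire-style integrity check from the Scanners section and the out-of-band digest check just described, as one added example (not the lecture's code, nor Tripwire's). It uses SHA-256 instead of the MD5 the lecture mentions, keeps the baseline as a JSON document that would be stored off the monitored host, and reconciles changed files against a change-control list; every file and digest is constructed in a temporary directory.

```python
"""Added example: a Tripwire-style integrity baseline plus an out-of-band
digest check. Not the lecture's or Tripwire's code; SHA-256 replaces the MD5
the lecture mentions. Every file and digest below is constructed in a temp dir."""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, critical: list[str]) -> dict[str, str]:
    """Hash only the files declared critical; churning temp files are excluded."""
    return {rel: file_digest(root / rel) for rel in critical}


def compare_to_baseline(root: Path, baseline: dict[str, str],
                        approved: set[str]) -> dict[str, list[str]]:
    """Re-hash the baselined files and classify each one.

    'approved' holds paths the change-control record says were updated this
    cycle; a changed file outside that set is an alert, as is a missing one."""
    report = {"unchanged": [], "approved": [], "alert": [], "missing": []}
    for rel, expected in baseline.items():
        path = root / rel
        if not path.exists():
            report["missing"].append(rel)
        elif hmac.compare_digest(file_digest(path), expected):
            report["unchanged"].append(rel)
        elif rel in approved:
            report["approved"].append(rel)
        else:
            report["alert"].append(rel)
    return report


def verify_download(path: Path, published_digest: str) -> bool:
    """Check a downloaded artifact against a digest obtained out of band (e.g.
    e-mailed), so a file swapped on the web server fails to verify."""
    return hmac.compare_digest(file_digest(path), published_digest.strip().lower())


def demo() -> dict:
    """Run one baseline / patch / re-check cycle and one download check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        critical = ["bin/sshd", "lib/libc.so", "etc/passwd", "etc/hosts"]
        for rel in critical:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"original " + rel.encode())
        # The baseline would live in a database off the host; a JSON
        # round-trip stands in for storing and reloading it.
        stored = json.loads(json.dumps(build_baseline(root, critical)))
        # Next cycle: libc patched through change control, sshd replaced
        # without a change record, hosts file deleted.
        (root / "lib/libc.so").write_bytes(b"patched libc")
        (root / "bin/sshd").write_bytes(b"replaced sshd")
        (root / "etc/hosts").unlink()
        report = compare_to_baseline(root, stored, approved={"lib/libc.so"})
        # Vendor download: digest published out of band, then the file is swapped.
        pkg = root / "installer.bin"
        pkg.write_bytes(b"vendor installer")
        published = file_digest(pkg)
        ok_before = verify_download(pkg, published)
        pkg.write_bytes(b"vendor installer plus unwanted extra")
        ok_after = verify_download(pkg, published)
    return {"report": report, "ok_before": ok_before, "ok_after": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```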

Secure Coding Practices (slide 134)
- Input Validation
- Error Handling and Logging
- Output Encoding
- Data Protection
- Authentication and Password Management
- Communication Security
- Session Management
- Access Control
- Cryptographic Practices
- System Configuration
- Database Security
- File Management
- Memory Management
Source: The Open Web Application Security Project (OWASP), OWASP Secure Coding Practices Quick Reference Guide, http://www.owasp.org

When we talk about secure coding, when we are the programmer and we're doing this, we have to go beyond just "oh, I write good code." We have to do the smart things for ourselves like input validation, output encoding, and we're going to look at each one of these.

Security Baselines (slide 135)
- Establish the security needs of your organization
- Drive design, implementation, and administration decisions as they relate to networks and systems
- Baseline example: Common Criteria

Security baselines. You've got to reach out there, read this, pay attention to this and say these settings, they will work in our environment and those settings won't work in our environment, and you have to establish your own baseline that is acceptable for your business practices and the way you run your shop. Some applications that you have won't tolerate those settings and you'll break those applications. So be very careful and do lots and lots of testing before you inflict your security baseline on the general population.

Now what we could do instead of doing baselines for ourselves on the settings is we could look to others to do third party validation of the tools that we are choosing. That's the Common Criteria. We could say "When we purchase any kind of security device, we're going to expect a level of rigor of third party validation on that that is EAL 4, for argument's sake." That works well for commercial entities. For those who have been around a really long time, Common Criteria is an upgrade to the Orange Book, if you will.

So we go to a third party and we say, hey, we want to use these firewalls here. Are they on your list? And we can go literally to the Common Criteria website and get a list of all the products that are actually validated by all the different labs that are out there. What's really nice about this is, when we talk about EAL version 4 and below, that can be done internationally. So a product that is made in Israel and a product that's made in Canada and a product that's made in the U.S. that are EAL 4 and make these statements, we know that those are relatively equal at this point in their assertions, because all the labs have to play the game the same way. So now what we have is international competition, international companies competing for our dollars, and that is going to keep the price at a reasonable level for these security tools.

Common Criteria (CC) (slide 136)
- An international standard for evaluation criteria of security of networks and systems
- Seven ‘levels’ within the CC, known as Evaluation Assurance Levels (EAL), determine posture
  - EAL 1 - no security requirements
  - EAL 2 - product developers must use good design
  - EAL 3 - product development to moderate security
  - EAL 4 - positive security engineering (commercial std.)
  - EAL 5 - security engineered in product from early stages
  - EAL 6 - high levels of specialized security engineering
  - EAL 7 - extremely high levels of security engineering

When we look at the Common Criteria, unless you actually dig down into these documents and pay attention to these different EAL levels and know what they mean, it's better that we just step back from it and say "Hey, these seven levels mean that there is an ever increasing set of requirements as we move up the list here." So everything that's done in EAL 4 means that there's some extra thing done here, and then all the previous states are actually included. Notice that EAL 1 has no security requirements at all, so we can kind of wash that one away. Remember this is only on security products. This is not on every single product in the market.

Sometimes what we'll have to do, if we can't find something here, is we can go look to other organizations for what they call a security bake-off, or a contest to see what the throughput is. You probably don't want to rely on what the vendors say about their product because they are going to say "Hey, I'm great. This is the best firewall in the entire world." I'm sure you think so. "I'm the greatest teacher in the entire world." I'm sure I think so, but that doesn't mean that it's true. Go ask others. Go talk to other people that are using these products.

Internal Security Baselines (slide 137)
- What's normal? Behavior patterns can be learned so abnormal activity is identified.
- Once internal baseline is determined:
  - Harden the OS
  - Harden the Network
  - Harden the Application

Internal security baselines

respect the fact that your organization is different from everybody else's organization. You want to tighten it down to that point just before it squeaks. You want to harden the O.S. the way that works for your business. You want to remove the services that are unneeded for your business. You want to make the network only have this particular type of traffic, and you want to deny that other type of traffic.

Let's talk about hardening the network. We could harden the network device, but what we can also do, through our intrusion detection and intrusion prevention systems, is we can say these protocols are unacceptable. These websites are unacceptable. Now, here's the good thing about that. If we limit the traffic that's flowing, now we have more bandwidth, more availability for the real resources of business.

Hardening OS and NOS (slide 138)
- Minimize and isolate!
  - Figure out what is minimum essential and remove the rest
  - Separate services wherever possible
  - Uninstall all unnecessary software apps and services
- Disable guest accounts/access
- Patch and update!
- Use access controls and authentication (including add-ons like TCP Wrappers)

Hardening the operating system. The rules are minimize and isolate. So figure out exactly what you need and rip all the other stuff out. Now this is not as easy in a Microsoft operating system as it is with a Linux operating system, because you have these core utilities that are required in Microsoft, and you can't strip it down nearly as much as you want to. With Linux we can make a single-purpose device that says these are the only things that we need, and rip everything else out. We can actually build up our own kernel as a monolithic kernel, we can

build it up and add things in that work just for what we're doing here. We can put in access control and authentication that make it so tight that it doesn't do anything else. So tight that it could break. One of the things that we can do in OS hardening is we can convert over to a mandatory access control system. Now today in Windows we have a discretionary access control system, which allows us at our discretion to do certain activities. We can limit that by saying to an end user "You're not allowed to install software." But someone is allowed to install software.

On a Linux machine, if we do something like SELinux, what we can do is we can say we have mapped every single executable to a particular action and a level of authentication. Every single activity on the system has been mapped and approved. And anything that's not on this list of mapped and approved will not run. So when we install, even if we have the right to install new software, that software won't run because it's not in this profile. Now if you have a relatively stable machine, this is not a bad way to go. Do you have that many changes going on? It might be inappropriate to use mandatory access control lists. There are other tools that you could use for hardening the OS, but this is the most draconian, the most brutal way to do it. And if your whole business relies

on that particular thing, then that's what you're going to do.

Keep Systems Patched (slide 139)
of intrusions result from exploitation of known vulnerabilities or configuration errors where countermeasures were available.

I love patching. I think patching is a great thing to do, and I think it's the hardest thing to keep up with, not because the operating system doesn't patch itself, but because we have to control the patching that works for our environment and do all of the investigation that is required of us to say "This will work for our system. This won't work for our system. Our business is the same, our business is different."

Maybe you don't patch until Wednesday morning, and you look at Tuesday and you see, oh my God, there's 100 people that are saying "This patch is horrible." And by the way, there's a lot more than 100 people on that list. What's great is, probably by about the end of Tuesday or the beginning of Wednesday, somebody has figured out what's broken and they can tell you how to either not do that thing or how to fix it. If you keep systems patched, the likelihood of being attacked goes down by at least an order of magnitude.

Hardening Host Systems – Updates (slide 140)
- Hotfixes - used to repair system in normal operation
- Patches - temporary repair to keep the application operating until there is an updated release
- Service Packs (aka Support Packs) - set of repairs packaged together into one set

Hardening host systems and updates. So patching also comes in other flavors. It could be little tiny pieces, like a hotfix that does this one thing. A whole bunch of hotfixes are rolled up into either a set of patches, or it can be even rolled up into something really big called a service pack. And service packs are regression tested against each other. They make sure that all these patches don't hurt each other and don't go backwards in time.

Install Only Necessary Software (slide 141)
- Computer system must have a designed goal.
- All installed software supports that goal.
- Some OSes are packaged better for only necessary software.
  - LINUX
    - Packaged in many small packages
    - Easier to select only what is needed and nothing more

If we don't have that software on the machine, we don't have to patch that software. If we don't have that utility there, we don't have to patch it. So what you can do is you can reduce the amount of software that's there. You can't do that completely with Windows systems, but you can get really, really fine-tuned and accurate with the LINUX systems that are out there.

What Services Are Necessary? (slide 142)
What services are offered?
- Host perspective
  - netstat
  - lsof
- Network perspective
  - nmap
- Kernel perspective
  - Usually only ICMP
  - Disable and test

So what services are necessary? I think the best way to handle this is to use some other tools. I think the best way to handle this is to do something like use Wireshark and listen on your network for the protocols that are there, and then map those protocols that are being used back to a particular service on the network. And for all the things that don't fit, really start digging down deep inside of that. You could also, if you wanted to, use something like NMAP, that's Network Mapper. And Network Mapper also has an interface for a graphical user interface, but Network Mapper will look at all the hosts that are on your

network and look at all the ports that they are talking, and tell you exactly what operating system is running there in most cases. Now when you pull all of that data off of that machine, you are going to have to take the time to work through it and pick through it. If you are doing something locally from a host perspective, like Netstat or LSOF, if the machine is already compromised it could be that the rootkit will lie to you about what's running and what ports are open, so you always need to do this from another perspective.
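The two-perspective check the lecture recommends, as an added example that is not the lecture's own code: it parses a constructed netstat listing (host view) and a constructed nmap port table (network view) for the same host and flags every port that only one side sees, which is where a hooked netstat or lsof would show up.

```python
"""Added example: reconcile a host's own list of listening sockets (netstat)
with what nmap sees from the network. Not the lecture's material; both
outputs below are constructed samples, not captures."""
from __future__ import annotations

import re

# Constructed `netstat -tuln` style output (host perspective).
HOST_VIEW = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Constructed nmap port table for the same host (network perspective).
NETWORK_VIEW = """\
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
123/udp  open  ntp
3306/tcp open  mysql
4444/tcp open  unknown
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_netstat(text: str) -> dict[tuple[str, int], str]:
    """Map (proto, port) -> bind address for each listening socket.
    UDP has no LISTEN state, so every UDP line counts as a listener."""
    listeners = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        proto = fields[0].rstrip("6")          # tcp6/udp6 -> tcp/udp
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        addr, _, port = fields[3].rpartition(":")  # handles ':::8080' too
        listeners[(proto, int(port))] = addr
    return listeners


def parse_nmap(text: str) -> set[tuple[str, int]]:
    """Collect (proto, port) for every port nmap reports as open."""
    pattern = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.MULTILINE)
    return {(m.group(2), int(m.group(1))) for m in pattern.finditer(text)}


def reconcile(host: dict[tuple[str, int], str],
              net: set[tuple[str, int]]) -> dict[str, list[str]]:
    """Classify ports by which perspective sees them.

    exposed  - listening on all interfaces and reachable: review necessity
    filtered - listening but unreachable: a firewall sits in between
    leaked   - bound to loopback yet reachable: the host is misreporting
    hidden   - reachable but absent from the host list: what a rootkit
               hooking netstat/lsof would look like"""
    report = {"exposed": [], "filtered": [], "leaked": [], "hidden": []}
    for (proto, port), addr in sorted(host.items()):
        name = f"{port}/{proto}"
        if (proto, port) in net:
            report["leaked" if addr in LOOPBACK else "exposed"].append(name)
        elif addr not in LOOPBACK:
            report["filtered"].append(name)
    for proto, port in sorted(net - set(host)):
        report["hidden"].append(f"{port}/{proto}")
    return report


def demo() -> dict[str, list[str]]:
    return reconcile(parse_netstat(HOST_VIEW), parse_nmap(NETWORK_VIEW))


if __name__ == "__main__":
    for category, ports in demo().items():
        print(f"{category:9s}{', '.join(ports) or '-'}")
```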

Secure Necessary Services (slide 143)
Two choices:
- Disable
  - OS differences
  - System startup or super server (inetd-like)
- Configure/constrain
  - TCP wrappers
  - Application-specific
  - May not be possible

When we talk about services, do you need it? If the answer is no, turn it off. If the answer is yes, then how do we constrain it and make sure that it's only doing one thing? Well, we might use something like TCP wrappers so that it only talks about that one protocol. We can be very, very application specific in some instances, but some two-tiered, three-tiered processes that are out there won't allow us to be that specific and we'll start breaking things very fast. Always look to the vendors that have released the software to give you the information about what has been broken in the past. They may not tell you, but at least they can tell you

about the possible problems that you run into.

Notices
