Essentials of Security
Steve Lamb
Technical Security Advisor
http://blogs.msdn.com/steve_lamb
[email protected]

Session Prerequisites
- Hands-on experience installing, configuring, administering, and planning the deployment of Windows 2000 Server or Windows Server 2003
- Knowledge of Active Directory and Group Policy concepts
Level 200

Business Case
- Business Case
- Security Risk Management Discipline
- Defense in Depth
- Security Incident Response
- Best Practices
- 10 Immutable Laws of Security

Impact of Security Breaches
- Loss of Revenue
- Damage to Reputation
- Loss or Compromise of Data
- Damage to Investor Confidence
- Legal Consequences
- Interruption of Business Processes
- Damage to Customer Confidence
The cost of implementing security measures is not trivial; however, it is a fraction of the cost of mitigating security compromises.

Benefits of Investing in Security
- Reduced downtime and costs associated with non-availability of systems and applications
- Reduced labor costs associated with inefficient security update deployment
- Reduced data loss due to viruses or information security breaches
- Increased protection of intellectual property

Security Risk Management Discipline

Security Risk Management Discipline (SRMD) Processes
Assessment:
- Assess and valuate assets
- Identify security risks and threats
- Analyze and prioritize security risks
- Security risk tracking, planning, and scheduling
Development and Implementation:
- Develop security remediation
- Test security remediation
- Capture security knowledge
Operation:
- Reassess assets and security risks
- Stabilize and deploy new or changed countermeasures

Assessment: Assess and Valuate Assets
Asset Priorities (Scale of 1 to 10) – Example*
* For example purposes only – not prescriptive guidance
[Example asset-priority table not reproduced in this extraction]

Assessment: Identify Security Risks and Threats – STRIDE

Type of threat               Examples
S  Spoofing                  Forge e-mail messages; replay authentication packets
T  Tampering                 Alter data during transmission; change data in files
R  Repudiation               Delete a critical file and deny it; purchase a product and later deny it
I  Information disclosure    Expose information in error messages; expose code on Web sites
D  Denial of service         Flood a network with SYN packets; flood a network with forged ICMP packets
E  Elevation of privilege    Exploit buffer overruns to gain system privileges; obtain administrator privileges illegitimately

Assessment: Analyze and Prioritize Security Risks – DREAD
- Damage
- Reproducibility
- Exploitability
- Affected Users
- Discoverability
Risk Exposure = Asset Priority x Threat Rank
Example Worksheet [not reproduced in this extraction]

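As an added example (not part of the original deck), the worksheet below scores threats taken from the STRIDE table with the five DREAD categories and applies the deck's formula Risk Exposure = Asset Priority x Threat Rank. The deck gives the formula and the category names only; the 1-to-10 scale per DREAD category, the use of the mean of the five scores as the Threat Rank, and the sample assets and scores are all assumptions made for illustration.

```python
"""DREAD threat ranking and risk-exposure worksheet (added example, not from the deck).

Assumptions (not stated in the deck): each DREAD category is scored 1..10,
the Threat Rank is the mean of the five scores, and Asset Priority uses the
deck's 1..10 asset scale.  The assets and scores below are constructed
sample data.
"""
from dataclasses import dataclass, field

DREAD_CATEGORIES = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")


@dataclass
class Threat:
    name: str         # threat description, here taken from the STRIDE examples
    asset: str        # asset the threat acts on
    stride: str       # STRIDE letter: S, T, R, I, D or E
    scores: dict = field(default_factory=dict)   # DREAD category -> score 1..10


def dread_rank(scores):
    """Threat Rank: mean of the five DREAD scores (assumed 1..10 each)."""
    missing = set(DREAD_CATEGORIES) - set(scores)
    if missing:
        raise ValueError(f"missing DREAD scores: {sorted(missing)}")
    for cat in DREAD_CATEGORIES:
        if not 1 <= scores[cat] <= 10:
            raise ValueError(f"{cat} score {scores[cat]} outside 1..10")
    return sum(scores[c] for c in DREAD_CATEGORIES) / len(DREAD_CATEGORIES)


def risk_exposure(asset_priority, threat_rank):
    """Risk Exposure = Asset Priority x Threat Rank (the deck's formula)."""
    if not 1 <= asset_priority <= 10:
        raise ValueError(f"asset priority {asset_priority} outside 1..10")
    return asset_priority * threat_rank


def prioritize(asset_priorities, threats):
    """Return (exposure, rank, threat) tuples, highest exposure first."""
    rows = []
    for t in threats:
        rank = dread_rank(t.scores)
        rows.append((risk_exposure(asset_priorities[t.asset], rank), rank, t))
    rows.sort(key=lambda row: row[0], reverse=True)
    return rows


# Constructed sample data: asset priorities on the deck's 1..10 scale.
SAMPLE_ASSETS = {"customer database": 9, "public web server": 6, "print server": 2}

# Constructed sample threats; the descriptions come from the deck's STRIDE examples.
SAMPLE_THREATS = [
    Threat("Expose information in error messages", "customer database", "I",
           dict(zip(DREAD_CATEGORIES, (9, 8, 7, 9, 7)))),
    Threat("Alter data during transmission", "public web server", "T",
           dict(zip(DREAD_CATEGORIES, (5, 7, 6, 8, 9)))),
    Threat("Flood a network with SYN packets", "print server", "D",
           dict(zip(DREAD_CATEGORIES, (3, 9, 8, 4, 6)))),
]

if __name__ == "__main__":
    for exposure, rank, t in prioritize(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{exposure:5.1f}  rank {rank:.1f}  [{t.stride}] {t.name} ({t.asset})")
```

Sorting by exposure rather than by DREAD rank alone is the point of the formula: the SYN flood scores a respectable rank on its own, but against a low-priority asset it drops to the bottom of the list, while a lower-ranked threat against the customer database stays on top.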
Assessment: Security Risk Tracking, Planning, and Scheduling
[Slide repeats the STRIDE threat table above]
Detailed Security Action Plans
Example Worksheets

Development and Implementation
Detailed Security Action Plans:
- Configuration management
- Patch management
- System monitoring
- System auditing
- Operational policies
- Operational procedures
Slide diagram (not reproduced): Security Remediation Strategy -> Testing Lab -> Production Environment, with Knowledge Documented for Future Use

Operation: Reassess Assets and Security Risks
- Reassess risks when there is a significant change in assets, operation, or structure
- Assess risks continually
Slide diagram (not reproduced): New Web Site and Internet Services added to the Production Environment; Testing Lab; Documented Knowledge

Operation: Stabilize and Deploy New or Changed Countermeasures
Slide diagram (not reproduced): the System Administration, Network Administration, and Security Administration teams deploy New or Changed Countermeasures into the Production Environment

Defense in Depth

The Defense-in-Depth Model
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success
Layers and example controls:
- Policies, Procedures, & Awareness: security documents, user education
- Physical Security: guards, locks, tracking devices
- Perimeter: firewalls, Network Access Quarantine Control
- Internal Network: network segments, IPSec, NIDS
- Host: OS hardening, authentication, patch management, HIDS
- Application: application hardening, antivirus
- Data: ACLs, encryption, EFS

Description of the Policies, Procedures, and Awareness Layer
User remarks illustrated on the slide:
- "I think I will use my first name as a password."
- "Hey, I need to configure a firewall. Which ports should I block?"
- "I think I will wedge the computer room door open. Much easier."
- "They have blocked my favorite Web site. Lucky I have a modem."

Policies, Procedures, and Awareness Layer Compromise
Social-engineering remarks illustrated on the slide:
- "Say, I run a network too. How do you configure your firewalls?"
- "I can never think of a good password. What do you use?"
- "Hi, do you know where the computer room is?"
- "Hey, nice modem. What's the number of that line?"

Policies, Procedures, and Awareness Layer Protection
- Firewall Configuration Procedure
- Physical Access Security Policy
- User Information Secrecy Policy
- Device Request Procedure
Employee security training helps users support the security policy.

Description of the Physical Security Layer
All of the assets within an organization's IT infrastructure must be physically secured.

Physical Security Layer Compromise
- Install Malicious Code
- Damage Hardware
- View, Change, or Remove Files
- Remove Hardware

Physical Security Layer Protection
- Lock doors and install alarms
- Employ security personnel
- Enforce access procedures
- Monitor access
- Limit data input devices
- Use remote access tools to enhance security

Description of the Perimeter Layer
Network perimeters can include connections to:
- The Internet
- Branch offices
- Business partners
- Remote users
- Wireless networks
- Internet applications
Slide diagram (not reproduced): Main Office LAN connected through the Internet to a Business Partner LAN, a Branch Office LAN with a Wireless Network, Internet Services, and a Remote User

Perimeter Layer Compromise
Network perimeter compromise may result in a successful:
- Attack on corporate network
- Attack on remote users
- Attack from business partners
- Attack from a branch office
- Attack on Internet services
- Attack from the Internet

Perimeter Layer Protection
Network perimeter protection includes:
- Firewalls
- Blocking communication ports
- Port and IP address translation
- Virtual private networks (VPNs)
- Tunneling protocols
- VPN quarantine

Description of the Internal Network Layer
Slide diagram (not reproduced): internal network segments for Sales, Marketing, Finance, and Human Resources, plus a Wireless Network

Internal Network Layer Compromise
- Unauthorized Access to Systems
- Access All Network Traffic
- Unauthorized Access to Wireless Networks
- Unexpected Communication Ports
- Sniff Packets from the Network

Internal Network Layer Protection
- Require mutual authentication
- Segment the network
- Encrypt network communications
- Restrict traffic even when it is segmented
- Sign network packets
- Implement IPSec port filters to restrict traffic to servers

Description of the Host Layer
- Contains individual computer systems on the network
- Hosts often have specific roles or functions
- The term "host" is used to refer to both clients and servers

Host Layer Compromise
- Exploit Unsecured Operating System Configuration
- Exploit Operating System Weakness
- Unmonitored Access
- Distribute Viruses

Host Layer Protection
- Harden client and server operating systems
- Disable unnecessary services
- Keep security patches and service packs up to date
- Monitor and audit access and attempted access
- Install and maintain antivirus software
- Use firewalls

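The host-layer protections above (disable unnecessary services, keep patches up to date, maintain antivirus) are only checkable if they are written down as a baseline. The following is an added example, not part of the deck or of any Microsoft tool: it compares a constructed snapshot of a host with a constructed baseline and reports every point of drift. The service names are real Windows service short names used only as labels; the patch identifiers are placeholders; how the snapshot is collected from a real host is outside the example.

```python
"""Host-layer baseline audit (added example, not from the deck).

Compares an observed host snapshot with a hardening baseline covering three
of the host-layer protections listed above: unnecessary services disabled,
security updates installed, antivirus kept current.  All data below is
constructed sample input; the patch identifiers are placeholders.
"""

# Constructed baseline. Service names are real Windows service short names,
# used here only as labels for the example.
BASELINE = {
    "required_services": {"EventLog", "Dnscache", "wuauserv"},        # must be running
    "forbidden_services": {"TlntSvr", "Messenger", "RemoteRegistry"},  # must not run
    "required_patches": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"},      # placeholder ids
    "max_signature_age_days": 7,
}

# Constructed snapshot of a drifted host: Telnet running, Automatic Updates
# stopped, an unlisted service (Spooler) running, one patch missing, old signatures.
DRIFTED_HOST = {
    "running_services": {"EventLog", "Dnscache", "TlntSvr", "Spooler"},
    "installed_patches": {"KB-PLACEHOLDER-1"},
    "signature_age_days": 12,
}

# Constructed snapshot of a host that matches the baseline exactly.
COMPLIANT_HOST = {
    "running_services": {"EventLog", "Dnscache", "wuauserv"},
    "installed_patches": {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"},
    "signature_age_days": 1,
}


def audit_host(observed, baseline):
    """Return (control, detail) findings where the host deviates from the baseline."""
    findings = []
    running = observed["running_services"]
    known = baseline["required_services"] | baseline["forbidden_services"]

    # "Disable unnecessary services": required ones stopped, forbidden ones
    # running, and anything the baseline never decided on gets flagged for review.
    for svc in sorted(baseline["required_services"] - running):
        findings.append(("required service not running", svc))
    for svc in sorted(baseline["forbidden_services"] & running):
        findings.append(("unnecessary service running", svc))
    for svc in sorted(running - known):
        findings.append(("service not covered by baseline", svc))

    # "Keep security patches and service packs up to date".
    for patch in sorted(baseline["required_patches"] - observed["installed_patches"]):
        findings.append(("security update missing", patch))

    # "Install and maintain antivirus software": signatures must be fresh.
    age = observed["signature_age_days"]
    if age > baseline["max_signature_age_days"]:
        findings.append(("antivirus signatures stale", f"{age} days old"))
    return findings


def is_compliant(observed, baseline):
    """True when the audit produces no findings at all."""
    return not audit_host(observed, baseline)


if __name__ == "__main__":
    for control, detail in audit_host(DRIFTED_HOST, BASELINE):
        print(f"{control}: {detail}")
    print("compliant host:", is_compliant(COMPLIANT_HOST, BASELINE))
```

The third service check matters in practice: a baseline that only lists what must run and what must not run silently accepts any service it never considered, so unknown services are reported separately rather than ignored.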
Windows XP SP2 Advanced Security Technologies
- Network protection
- Memory protection
- Safer e-mail handling
- More secure browsing
- Improved computer maintenance
Get more information on Windows XP Service Pack 2 at http://www.microsoft.com/sp2preview

Description of the Application Layer
- Layer includes both client and server network applications
- Functionality must be maintained
Client Applications, examples: Microsoft Outlook, Microsoft Office Suite
Server Applications, examples: Web Servers, Exchange Server, SQL Server

Application Layer Compromise
- Loss of application functionality
- Execution of malicious code
- Extreme use of application – DoS attack
- Undesirable use of application

Application Layer Protection
- Enable only required services and functionality
- Secure internally developed applications
- Install security updates for all applications
- Install and update antivirus software
- Run applications with the least privilege necessary
- Use the latest security practices when developing new applications

Description of the Data Layer
- Documents
- Directory Files
- Application Files

Data Layer Compromise
- Documents: View, Change, or Remove Information
- Directory Files: Interrogate Directory Files
- Application Files: Replace or Modify Application Files

Data Layer Protection
- Encrypt files with EFS
- Use a combination of access control lists and encryption
- Move files from the default location
- Perform regular backups of data
- Protect documents and e-mail with Windows Rights Management Services
- Use NTFS for file- and folder-level security

Security Incident Response

Incident-Response Checklist
- Identify the attack
- Communicate the attack
- Contain the attack
- Implement preventive measures
- Document the attack
Recognize that an attack is under way

Containing the Effects of the Attack
- Shut down affected servers
- Remove affected computers from the network
- Block inbound and outbound network traffic
- Take precautionary measures to protect computers not yet compromised
- Preserve the evidence

Best Practices

Security Best Practices
- Follow the defense-in-depth model
- Strive for systems that are secure by design
- Apply the principle of least privilege
- Learn from experience
- Use monitoring and auditing
- Train users to be aware of security issues
- Develop and test incident-response plans and procedures

Security Checklist
- Create security policy and procedure documents
- Subscribe to security alert e-mails
- Keep up to date with patch management
- Maintain regular backup and restore procedures
- Think like an attacker

10 Immutable Laws of Security

The 10 Immutable Laws of Security, Part 1
1. If an attacker can persuade you to run his program on your computer, it is not your computer anymore
2. If an attacker can alter the operating system on your computer, it is not your computer anymore
3. If an attacker has unrestricted physical access to your computer, it is not your computer anymore
4. If you allow an attacker to upload programs to your Web site, it is not your Web site anymore
5. Weak passwords prevail over strong security

The 10 Immutable Laws of Security, Part 2
6. A computer is only as secure as the administrator is trustworthy
7. Encrypted data is only as secure as the decryption key
8. Out-of-date antivirus software is only marginally better than no antivirus software at all
9. Absolute anonymity is not practical in real life nor on the Web
10. Technology is not a panacea
http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp

Session Summary
- Business Case
- Security Risk Management Discipline
- Defense in Depth
- Security Incident Response
- Best Practices
- 10 Immutable Laws of Security

Next Steps
- Find additional security training events: http://www.microsoft.com/seminar/events/security.mspx
- Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx
- Get additional security tools and content: http://www.microsoft.com/security/guidance

Event Information: What's Next?
Technical Roadshow Post Event Website: www.microsoft.com/uk/techroadshow/postevents
Available from Monday 18th April
Please complete your Evaluation Form!

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
http://www.microsoft.com/TwC