Part 1: What is it and Why do we need it
Platform Hardening
CONTACTS
Michael Gough – CISSP, CISA
Senior Risk Analyst - Comptroller of Public Accounts
Author – ‘Skype Me!’ and ‘Video Conferencing over IP’ by Syngress Press
Contributor to the Center for Internet Security Benchmarks.
AGENDA
Part 1 – What is Platform Hardening and Why do we have to do it
Part 2 – What do we need to do and How do we need to prepare to Harden systems
Part 3 – How to Harden (Win, *NIX, Cisco, Handhelds)
WHAT is Platform Hardening?
WHAT IS A PLATFORM?
A Platform consists of all components that are a part of, and can be configured on, any type of, or group of, Information Systems, including but not limited to the following components:
BIOS
Hardware included in or on the system
The booting or Base Operating System (BOS)
Any Virtual Operating System (VOS)
Any Guest operating system
Any applications
Any middleware
Any databases
Any storage device
Network that connects it all (firewalls, routers, switches, VoIP)
Any security applications installed on the completed system
And of course…ALL configuration settings (auditing, options, etc.)
PLATFORMS
TYPICAL NETWORK
WHAT IS HARDENING?
Bret Hartman, CTO at RSA, says it is “appropriate (security) settings and removing unused code.”
Hardening is the goal of deploying a system in the most secure state possible while maintaining functionality and reducing as many threat vectors as possible.
WHAT IS HARDENING?
Hardening is the process of securely deploying systems.
Hardening is the practice of ‘least privilege’.
Hardening is not just the operating system.
Hardening includes:
Understanding what you actually need to run on the system
!!! DOCUMENTATION !!! (Policy, Standards & Guidelines)
Operating systems
Virtual servers
Coding
Application settings
Database setup & configuration
Network devices
Portable devices
Etc., etc., etc…
WHAT IS PLATFORM HARDENING?
Platforms are depended upon to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained.
One of the required steps to attain this assurance is to ensure that the platforms are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.
* From UT Medical Branch
DEFINITIONS
Hardened System
(H) Is the final state we are trying to achieve
Baseline OS Hardening
(BOS) Is the Baseline Operating System hardening: CIS Benchmark ‘Baseline’ settings.
Application / System Function Hardening
(AF) Is any hardening of applications that may reside on top of the operating system, such as Apache, IIS, Oracle, or of specific functions, such as File/Print, DNS/DHCP, etc.
DEFINITIONS
Base Hardening
(B) Is Baseline Operating System hardening plus Application or System Function hardening
(B) = (BOS) + (AF)
Custom Hardening
(C) Is any additional hardening applied to the system, such as ‘Specialized Security Limited Functionality’ settings, DMZ settings, additional system service settings (Kiosk, Bastion Host, etc.), and custom OS-specific security controls (TCP Wrappers, Bastille, etc.)
DEFINITIONS
Virtual System (Needs Host OS)
(V) Is the Virtual Machine hardening
Virtual OS Hardening (Bare Metal OS)
(VOS) Is the Virtual Server hardening - VMware ESXi
HARDENING FORMULA
Putting System Hardening into a mathematical formula:
H = Hardened System
B = Base Hardening
C = Custom Hardening
So…
H = B + C
HARDENING FORMULA
Also stated:
[Diagram: Hardened System or Secure Deployment = Custom Hardening layered on top of Baseline OS Hardening and Application / Function Hardening]
HARDENING FORMULA
Also stated as layered security:
[Diagram: Hardened System or Secure Deployment = Custom Hardening, over Baseline OS Hardening and Application / Function Hardening, over Virtual Server Hardening, over Baseline OS Hardening of the host]
HARDENING VIRTUAL SYSTEMS
For a Virtual Operating System:
H = Hardened System
VOS = Virtual OS Hardening
B = Base Hardening
C = Custom Hardening
So…
H = VOS + B + C
HARDENING FORMULA
Also stated as layered security:
[Diagram: Hardened System or Secure Deployment = Custom Hardening, over Baseline OS Hardening and Application / Function Hardening, over Virtual OS Hardening]
WHY do we need to harden?
WHY DO WE NEED TO HARDEN?
Any Information System that is visible to the public, such as a web server or mail server, must be "hardened" to minimize the risk of successful attacks against it.
Hardening is the process of preparing an operating system for use as a firewall or other public server by removing as many vulnerabilities as possible (1).
The following areas need careful attention when hardening an operating system:
File System Security
User Account Security
Logging and Auditing
Removing Unnecessary Services
Running Essential Services with Unprivileged Accounts
Physical Security
Network Protocol Vulnerabilities
Other related security settings and configuration
(1) Technology Training Limited (UK)
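The areas listed above are only useful if you can measure a system against them. The script below is an added example, not code from the original slide deck: it runs the user-account, unnecessary-service, unprivileged-account and file-system checks over a constructed snapshot of a *NIX host (passwd and shadow lines, a process table and a file listing built inline). The service allowlists and the mode limits are assumptions standing in for an organisation's own standard, not a published benchmark.

```python
"""Baseline hardening audit run over constructed host snapshots.

Added example, not code from the original slide deck. Every input below is a
constructed sample, and the allowlists are assumptions chosen to illustrate the
checks, not a published benchmark.
"""
import stat
from dataclasses import dataclass
from typing import List, Tuple

# --- constructed snapshot of one *NIX host ---------------------------------
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""
SHADOW_SAMPLE = """root:$6$constructedhash$:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$constructedhash2$:19000:0:99999:7:::
"""
# (process name, uid it runs as, listening port): a constructed process table
PROCESS_SAMPLE: List[Tuple[str, int, int]] = [
    ("sshd", 0, 22), ("nginx", 33, 80), ("telnetd", 0, 23), ("app-api", 0, 8080),
]
# (path, mode bits as octal): a constructed file listing
FILE_SAMPLE: List[Tuple[str, int]] = [
    ("/etc/passwd", 0o644), ("/etc/shadow", 0o640),
    ("/opt/app/config.yml", 0o666), ("/tmp", 0o1777),
]

# --- policy: assumptions standing in for the organisation's own standard ---
ALLOWED_SERVICES = {"sshd", "nginx", "app-api"}   # anything else is unnecessary
MAY_RUN_AS_ROOT = {"sshd"}                         # essential services that need uid 0
MAX_MODE = {"/etc/shadow": 0o640, "/etc/passwd": 0o644}  # most permissive mode allowed


@dataclass
class Finding:
    area: str     # which area of the hardening checklist the finding belongs to
    detail: str


def audit_accounts(passwd: str, shadow: str) -> List[Finding]:
    """User account security: extra UID-0 accounts and empty password fields."""
    findings = []
    for line in passwd.splitlines():
        name, _pw, uid = line.split(":")[:3]
        if uid == "0" and name != "root":
            findings.append(Finding("user accounts", f"{name} has UID 0"))
    for line in shadow.splitlines():
        name, hashfield = line.split(":")[:2]
        if hashfield == "":          # no hash at all: login with no password
            findings.append(Finding("user accounts", f"{name} has an empty password field"))
    return findings


def audit_services(processes: List[Tuple[str, int, int]]) -> List[Finding]:
    """Unnecessary services, and essential services not running unprivileged."""
    findings = []
    for name, uid, port in processes:
        if name not in ALLOWED_SERVICES:
            findings.append(Finding("unnecessary services",
                                    f"{name} listening on port {port} is not on the allowlist"))
        elif uid == 0 and name not in MAY_RUN_AS_ROOT:
            findings.append(Finding("unprivileged accounts",
                                    f"{name} runs as root but is not on the root allowlist"))
    return findings


def audit_files(files: List[Tuple[str, int]]) -> List[Finding]:
    """File system security: world-writable paths and over-permissive modes."""
    findings = []
    for path, mode in files:
        sticky = bool(mode & stat.S_ISVTX)   # /tmp-style sticky dirs are world-writable by design
        if mode & stat.S_IWOTH and not sticky:
            findings.append(Finding("file system", f"{path} is world-writable ({oct(mode)})"))
        limit = MAX_MODE.get(path)
        if limit is not None and (mode & 0o777) & ~limit:
            findings.append(Finding("file system", f"{path} is {oct(mode)}, limit is {oct(limit)}"))
    return findings


def run_audit() -> List[Finding]:
    """Run every check over the constructed snapshot and return all findings."""
    return (audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE)
            + audit_services(PROCESS_SAMPLE)
            + audit_files(FILE_SAMPLE))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.area}] {f.detail}")
```

On the constructed snapshot the audit reports five findings: the second UID-0 account, the account with an empty password field, the telnet daemon that is not on the allowlist, the application API running as root without needing to, and the world-writable configuration file. Sticky directories such as /tmp are deliberately excluded from the world-writable check because that is their intended mode.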
TIME BASED SECURITY
In Winn Schwartau’s words the concept is this:
Pt > Dt + Rt
Protection (Pt), Detection (Dt) and Reaction (Rt).
“The amount of time offered by the Protection device or system ‘P-sub-t’ must be greater than the amount of time it takes to detect the attack ‘D-sub-t’, plus the amount of time it takes to react to the detection, ‘R-sub-t’.”
MOBIUS DEFENSE?
Pete Herzog
Defense-in-Depth is the delaying versus the prevention of the advance of an attacker
Isn’t this just Time Based Security?
HARDENING & TIME BASED SECURITY
Platform Hardening falls under the Protection (Pt) category.
The goal of Platform Hardening is to improve the protection of our assets to provide more time to detect and react to a security incident.
A good hardening process improves the ability to audit our systems and the platforms they reside on.
WHY SHOULD WE CARE?
Our own Policies, Standards & Guidelines
Audits
SANS Top 20
CSI / FBI Security Survey
PCI
TAC / TGC
FISMA - NIST
IRS 1075
Best Practice…
Minimize attack vectors
WHY SHOULD WE CARE?
We have and use more and more complex applications and features.
More and more coding and more and more systems and applications facing the Internet:
.NET, Java, PHP
Windows services
*NIX daemons
All those security settings and configuration
SANS TOP 20 VULNERABILITIES:
S2 – Windows Services
RPC, Services, Registry
S3 – UNIX Services
Brute-force attacks against remote services such as SSH, FTP, and telnet are still the most common form of attack to compromise servers facing the Internet
H1.b Excessive User Rights and Unauthorized Software
Local Admin, root, sa, etc…
H3. Unencrypted Laptops and Removable Media
USB ports still active – really???
SANS TOP 20 CRITICAL SECURITY CONTROLS:
CAG: Critical Control 3:
Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
CAG: Critical Control 4:
Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CAG: Critical Control 7:
Application Software Security
CSI/FBI SECURITY SURVEY 2008:
The Exploits…
Many of these could be prevented or detected by Hardening
CSI/FBI SECURITY SURVEY 2008:
These are all Products…
Where is the Process ?
Where is the Practice of Least Privilege?
CSI/FBI SECURITY SURVEY 2008:
Where is “Improved Internal Processes”?
CSI/FBI SECURITY SURVEY 2008:
BENEFITS OF PLATFORM HARDENING
More secure deployments of information systems.
Improve Configuration Management for security-related settings
Compliance and Regulatory requirements
Ability to implement Security Configuration toolslike Tripwire
Easier ability to Audit our systems… we now have something to measure against… assuming we have implemented a hardening process
THE END
Part 2 – What do we need to do and How do we need to prepare to Harden systems
Thank you !
Contact me at: [email protected]
Security is not a goal, it is a process. Security is not a product, it is a mindset. Security is a never ending task. If you think you are secure... just wait a few minutes until the next sploit is released.
Security is like breathing - If you stop, you die... (Pezzo - May 2001)