1 / 83

Ch 5: Securing Hosts and Data

Ch 5: Securing Hosts and Data. CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide Darril Gibson. Implementing Host Security. Hardening Systems. A host is any device with an IP address; such as servers, workstations, printers, etc.

pstubbs
Download Presentation

Ch 5: Securing Hosts and Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ch 5: Securing Hosts and Data CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide Darril Gibson

  2. Implementing Host Security

  3. Hardening Systems • A host is any device with an IP address; such as servers, workstations, printers, etc. • Hardening is the practice of making the system more secure than a default installation • Disabling unnecessary services • Disabling unneeded applications • Protecting management interfaces and applications

  4. Disabling Unnecessary Services • Improves overall security posture • Less susceptible to attacks • Reduces the attack surface • Prevents both known and 0day attacks against the disabled services • Reduces risks from open ports • Ports won’t be open when scanned

  5. Other Hardening Steps • Uninstall Unneeded Applications • For best protection • Disable unnecessary accounts • Watch for default and backdoor accounts • Protect management interfaces and applications • Change default passwords • Disallow administration from WAN, or limit it to specific source IP addresses

  6. Using Baselines • Security baseline • Configuration baseline • Host software baseline • Application configuration baseline • Performance baseline

  7. Security Baseline • Starting point for OS or application • Deployed by • Group policy • Group Policy Objects (GPOs) • On Windows domains • Security templates • Imaging

  8. Security Templates • Preconfigured settings for various common computer types • Domain Controller • Email server • Web server • etc.

  9. Security Templates • Image from css-security.com

  10. Security Templates • Security Templates contain • Account polices (like disabling Guest) • Password and lockout settings • Audit policies • User rights • System services • Software restrictions

  11. Understanding Imaging

  12. Capturing and Deploying Images • Prepare a reference computer with everything installed and configured properly • Capture an image of the reference computer • Deploy the image to many computers

  13. Image Deployment Tools • Norton Ghost • Acronis TrueImage • Microsoft Windows Image Backup • Windows Automated Installation Kit • Windows Deployment Services • Many others

  14. Imaging Benefits • Secure starting point • Reduced costs • Maintenance is much simpler • Laptops are often sold with built-in images, to restore factory default settings • Reduces Total Cost of Ownership

  15. Virtualization and Images • Images can be deployed to virtual or physical computers • Physical machines can be converted to virtual machines, and vice versa

  16. Configuration Baseline • A record of all the settings on a system, including non-security settings and security settings • The security baseline contains only the security settings • Every time a system is changed, the configuration baseline must be updated • Change management

  17. US Gov't Configuration Baseline(USGCB) • First: Standard Desktop Core Configuration (SDCC) in the Air Force • Then: Federal Desktop Core Configuration (FDCC) • Mandated by the Office of Management and Budget (OMB) for all federal agencies • Current version is the USGCB, also mandated by the OMB

  18. Link Ch 4b

  19. Link Ch 4c

  20. Link Ch 4d

  21. Host Software Baseline • Lists all software installed on a system • Lists all approved software • Also called Application baseline • Can be compared with a scan that finds all installed software • Unauthorized software is not maintained and often vulnerable

  22. Application Configuration Baselines • Proper settings for applications • Makes it easier to audit servers to ensure compliance

  23. Performance Baselines • Documents the overall performance of a system at a point in time • Useful for reference later when performance changes

  24. Performance Monitor

  25. Baseline Reporting • The process of comparing systems to a baseline to identify discrepancies or anomalies • Can be used to identify abnormal activity • Similar to anomaly-based IDS baselines

  26. Whitelisting v. Blacklisting Applications • Whitelist • A list of approved applications • Blacklist • A list of applications to block • Both can be implemented with Microsoft's Software Restriction Policies • Kaspersky maintains a whitelist database

  27. Trusted OS (Operating System) • Meets predetermined requirements, which emphasize authentication and authorization • Prevents modifications or movement of data by unauthorized entities • Common Criteria includes requirements for a Trusted OS • Intended for Gov't systems

  28. Understanding Virtualization

  29. Virtualization Terms • Hypervisor • Software that creates, runs, and manages Virtual Machines (VMs) • Host • The physical server on which the hypervisor runs • Typically requires multiple processors, lots of RAM, fast and abundant storage, and one or more fast network cards

  30. Virtualization Terms • Guest • A virtual machine running in a hypervisor • Patch compatibility • VMs require patches, just like physical machines • Host availability/elasticity • Elasticity is the ability to resize computing capacity based on the load • Meets demand and lowers cost

  31. Snapshots • A copy of a VM at a moment in time • Useful as a backup • You can revert a VM back to the snapshot • Typically, administrators take a snapshot before any risky operation • Applying patches or updates • Installing new applications

  32. Sandboxing and Security Control Testing • VMs can run in an isolated environment called a sandbox • Prevents the VM from interacting with other VMs, the host, or other devices on the network • Can test antivirus against malware in the sandbox, or test patches

  33. VMs as Files • A VM is just a set of files • VHD files: virtual hard disk • XML files: configuration derails • AVHD files: Automatic VHDs—hold difference between the current disk and a snapshot • VSV files: Saved state for VM that was not shut down, like hibernation • BIN files: memory for VMs in a saved state

  34. Virtual Networks • NAT mode: puts the VM behind a virtual router • Bridged: connects directly to host's NIC • Host-only: networks only with the host • Isolated: no network connection at all

  35. Virtualization Technologies • VMware • VMware Workstation • VMware Player (free) • VMware Server (free) • VMware ESXi (Enterprise solution) • Microsoft's Hyper-V • Also Virtual PC • Sun's VirtualBox (free)

  36. Virtualization Risks • VM Escape • An attack that starts in a VM and accesses the host system

  37. Loss of Confidentiality • Each VM may have confidential company data • So there are more copies of the data that could be lot or stolen • Encrypt VMs as well as physical machines

  38. Implementing Patch Management

  39. Importance of Updates • Every software product has bugs and vulnerabilities • Patches must be deployed promptly to reduce vulnerabilities

  40. Deploying Patches • Automatic Updates on workstations • Appropriate for home or very small business networks • Not all machines will always be patched to the same level

  41. Deploying Patches • Patch management server • Company controls patch distribution • All machines are updated at once • Only approved patches are used (test them first)

  42. Testing Patches • Some patches create problems • All patches must be tested before deployment onto a large company network • Test them in an environment that mirrors the production network • Regression testing • Administrators run a series of known tests on a system • Compare results to tests run before patching

  43. Scheduling Patches • Patch Tuesday • Microsoft issues patches on 2nd Tues of month • Exploit Wednesday • Attackers reverse-engineer the patches and attack systems the next day • This is why Microsoft keeps vulnerabilities secret and doesn't patch them till there are attacks in the wild

  44. Mitigating Risk in Static Environments • Some systems don't change much • Supervisory Control and Data Acquisition Systems (SCADA) • Embedded systems • Mobile systems (Android and iOS) • Mainframes • Game consoles • In-vehicle computing systems

  45. Protecting Static Systems • Redundancy and diversity controls • Ensure that system continues to operate even when one component fails • Network segmentation • Makes it harder for an attacker to find and attack the protected system • Security layers • Firewall, NIPS, etc.

  46. Protecting Static Systems • Application firewalls • Manual updates • Firmware version control • Wrappers • TCP Wrappers filter traffic, like a host-based firewall • Only allow connections from specified source IP addresses

  47. Supervisory Control and Data Acquisition Systems (SCADA) • Industrial control systems • Such as power plants or water treatment facilities • Should be in isolated LANs, not connected to the Internet

  48. Embedded Systems • Inside printers, smart TVs, HVAC • Point of Sale (PoS) systems

  49. Link Ch 4t

  50. Understanding Stuxnet • Infect Windows systems through infected USB drives • Search through network to find target • Update the worm if the target is found • Compromise target • Control target • Deceive and destroy target systems

More Related