Security for Broadcast IT Systems
William Dixon, V6 Security, Inc.
PBS ACE Security Lead
April 14, 2005

Agenda
> Changes in Broadcast IT environment
> Security Risk Assessment
> Threat Modeling
> Sources of Security Guidance
> Recommendations for Broadcast IT vendors
> Recommendations for PBS Stations
> Note: Content Microsoft focused, but generally applicable

Changes in New Broadcast IT Environment
> Newer technology offers more functionality for same or less cost
  > Digital media, electronic files
  > Using general purpose computers
  > Client-server models for computing
  > Software-based integration of systems
  > TCP/IP network component communication
  > Internet connected
  > Lights-out remote management & operation
> Still use physical security for facility and equipment
> Still trust your people

Microsoft Recommended Practice for Security Risk Assessment
> Microsoft Security Risk Management Process – 15oct04
  > http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
> New MS Press Book: Threat Modeling
  > http://www.microsoft.com/mspress/books/6892.asp
> Threat Modeling for Developers
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp

Microsoft Recommended Practice: Threat Modeling
> Analyze and document architecture
  > Objects: Assets, Applications, Data, People
> Document Security Profile
  > Trust boundaries
  > Data Flow & communications
  > Entry points
  > Privileged operations

Document Security Profile
> Input Validation
> Authentication
> Authorization
> Configuration Management
> Sensitive Data
> Session Management
> Cryptography
> Parameter manipulation
> Exception management
> Auditing and Logging

Microsoft Recommended Practice: Threat Modeling
> Identify & rank threats with S.T.R.I.D.E.(S) analysis
  > Spoofing
  > Tampering
  > Repudiation
  > Information Disclosure
  > Denial of Service
  > Elevation of Privilege
  > (S)ocial Engineering
> Example: Denial of Service possible due to blank admin passwords
Microsoft Recommended Practice: Threat Modeling
> Use attack trees to identify how a top-level attack goal is composed of more detailed goals
> Use attack patterns to help identify techniques for the detailed goals

Attack Tree Example
5.3. Gain privileged access to ACME Web server
AND
  1. Identify ACME domain name
  2. Identify ACME firewall IP address
     OR
       1. Interrogate domain name server
       2. Scan for firewall identification
       3. Trace route through firewall to Web server
  3. Determine ACME firewall access control (* see attack pattern)
     OR
       1. Search for specific default listening ports
       2. Scan ports broadly for any listening port
  4. Identify ACME Web server operating system and type
     OR
       1. Scan OS services’ banners for OS identification
       2. Probe TCP/IP stack for OS characteristic information
  5. Exploit ACME Web server vulnerabilities
     OR
       1. Access sensitive shared intranet resources directly
       2. Access sensitive data from privileged account
> Source: Moore et al. http://www.cert.org/archive/pdf/01tn001.pdf

Attack Pattern Example
Goal: Identify firewall access controls
Precondition: Attacker knows firewall IP address
Attack Techniques:
OR
  1. Search for specific default listening ports
  2. Scan ports broadly for any listening ports
  3. Scan ports stealthily for listening ports
     OR
       1. Randomize target of scan
       2. Randomize source of scan
       3. Scan without touching target host
Postcondition: Attacker knows firewall access controls
Source: Moore et al. http://www.cert.org/archive/pdf/01tn001.pdf

Attack Pattern Example
Attack goals: Command or code execution
Required conditions:
  > Weak input validation
  > Code from the attacker has sufficient privileges on the server
Attack techniques:
  1. Identify program on target system with an input validation vulnerability
  2. Create code to inject and run using the security context of the target application.
  3. Construct input value to insert code into the address space of the target application and force a stack corruption that causes application execution to jump to the injected code.
Attack results: Code from the attacker runs and performs malicious action
Source: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp

Microsoft Recommended Practice: Threat Modeling
> Evaluate Risk with D.R.E.A.D.
  > Damage Potential ($$ cost estimate)
  > Reproducibility (% probability as 1-10)
  > Exploitability (% probability as 1-10)
  > Affected Users (% users as 1-10)
  > Discoverability (% probability 1-10)
> Rank Risks = Probability * Damage Potential
> Risk Rating scheme: High, Medium, Low

Document Threats
> Threat Description
  > Attacker obtains authentication credentials by monitoring the network
> Threat target
  > Web application user authentication process
> Risk rating
  > High (based on DREAD ranking)
> Attack techniques
  > Use of commonly available network monitoring software
> Countermeasures
  > Use SSL, IPsec end-to-end, or VPN to provide stronger authentication, or an encrypted channel through which weaker authentication methods are used (e.g. HTTP Basic, Digest)

Conduct Decision Support
> Define Functional Requirements
> Identify Control Solutions
> Review Solution Against Requirements
> Estimate Risk Reduction
> Estimate Solution Cost
> Select Risk Mitigation Strategy

Free Microsoft Security Training
> https://www.microsoftelearning.com/security/
> Free Security Courses - Updates for XP SP2 and Win2k3 SP1 soon.
> Login w/ .NET Passport ID, provide email address
> Click on link provided in email
> 180-day subscription activated
  > Clinic 2801: Microsoft® Security Guidance Training I
  > Clinic 2802: Microsoft® Security Guidance Training II
  > Clinic 2806: Microsoft® Security Guidance Training for Developers
  > Hands-On Lab 2811: Applying Microsoft® Security Guidance Training
> Choose Content tab.
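As an added worked example (not from the deck and not from Moore et al.), the ACME attack tree above encoded as AND/OR nodes so that the minimal attack scenarios can be enumerated and the effect of a countermeasure on them checked, together with a DREAD rating of the documented network-sniffing threat in the deck's "Probability * Damage Potential" form. The leaf names, the scores, the rating thresholds and the way Probability and Damage Potential are derived from the five DREAD values are assumptions.

```python
from itertools import product

# Added example (not from the deck): an AND/OR attack tree after Moore et al.,
# reduced to the nodes on the "Gain privileged access to ACME Web server" slide.
# A node is either a leaf step (str) or (kind, children) with kind "AND"/"OR".
ACME_WEB_SERVER = ("AND", [
    "identify domain name",
    ("OR", ["interrogate DNS", "scan for firewall id", "traceroute to web server"]),
    ("OR", ["search default ports", "scan ports broadly"]),
    ("OR", ["scan service banners", "probe TCP/IP stack"]),
    ("OR", ["access shared intranet resources", "access data via privileged account"]),
])

def scenarios(node):
    """Minimal attack scenarios (sets of leaf steps) that achieve `node`."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    per_child = [scenarios(c) for c in children]
    if kind == "OR":                       # any one child suffices
        return [s for alts in per_child for s in alts]
    # AND: pick one scenario per child and union them
    return [frozenset().union(*combo) for combo in product(*per_child)]

def surviving(node, mitigated):
    """Scenarios left once countermeasures remove the `mitigated` leaf steps."""
    return [s for s in scenarios(node) if not (s & frozenset(mitigated))]

def dread(damage, reproducibility, exploitability, affected, discoverability):
    """DREAD on the deck's 1-10 scales. Assumed (not stated in the deck):
    probability = mean of R, E, Di over 10; damage potential = mean of D and A;
    High if risk >= 6, Medium if >= 3, else Low."""
    probability = (reproducibility + exploitability + discoverability) / 30
    damage_potential = (damage + affected) / 2
    risk = round(probability * damage_potential, 2)
    rating = "High" if risk >= 6 else "Medium" if risk >= 3 else "Low"
    return risk, rating

if __name__ == "__main__":
    print(len(scenarios(ACME_WEB_SERVER)), "attack scenarios in the full tree")
    # A firewall that defeats both port-scan leaves cuts the AND at step 3: nothing survives.
    print(len(surviving(ACME_WEB_SERVER, ["search default ports", "scan ports broadly"])))
    # Deck's documented threat: credentials sniffed off the network, before/after SSL.
    print(dread(8, 10, 9, 10, 8))   # constructed scores for the unprotected channel
    print(dread(8, 2, 2, 10, 8))    # same threat once the channel is encrypted
```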
> Watch each section, or download offline player and course for offline viewing

Microsoft Security Guidance
> Microsoft.com/security - guidance for Home, Small Business, IT Pro, Developer
> Technet Security Centers for many products
  > http://www.microsoft.com/technet/Security/prodtech/default.mspx
> Microsoft Security Guides for Win2k, XP and Server 2003
  > Expect problems if applying “high security” templates
  > Enterprise client template should not cause too many problems
> Threats and Countermeasures Guide
  > Details on threats and each security setting

Microsoft Security Guidance
> KB 885409 “Security configuration guidance support” - 9nov04
  > Discusses problems with particular settings that break applications or Windows services
  > If you use 3rd party templates, contact them for support
> KB 891597 “How to apply more restrictive security settings on a Windows Server 2003-based cluster server” – 18feb05
  > Provides discussion & new security template tested for clusters

FCC Security Guidance
> FCC Media Security And Reliability Council
  > http://www.mediasecurity.org/msrcmeetings/index.html
  > Note: Communications Infrastructure Security, Access and Restoration Committee
  > Best Practice Recommendations
> FCC Network Reliability and Interop Council
  > http://www.nric.org/fg/index.html
  > Note: Homeland Security Cybersecurity focus group
  > Best Practice Recommendations

IT Best Practices: NIST
> US Government Natl Institute of Standards & Technology (NIST)
> Cybersecurity R&D Act directed NIST to develop checklists and Security Technical Implementation Guides (STIG)
> Operates Computer Security Resource Center (CSRC) http://csrc.nist.gov/itsec/
> NOTE: Windows XP Security Guide 800-68 published Jun04
  > Important because it is a collaboration of NIST, Microsoft, CIS, DISA and NSA

Recent NIST CSRC Guides: DISA
Guide                                                   Source  Date
Application Security Checklist                          DISA    2/17/05
Desktop Application STIG                                DISA    2/14/05
Desktop Application Security Checklist v1r1.7           DISA    2/17/05
Macintosh OS-X STIG v1r1                                DISA    11/24/04
UNIX Security Checklist                                 DISA    2/17/05
Web Server Security Checklist Version 4, Release 1.4    DISA    2/17/05
Windows 2000 Security Checklist                         DISA    2/17/05
Windows NT Security Checklist                           DISA    2/17/05
Windows XP Security Checklist                           DISA    2/17/05
Windows 2003 Addendum Version 4, Release 0.0            DISA    2/17/05

IT Best Practices: NSA
> OS Security guides for Windows 2000, Windows XP
> None for Windows Server 2003 – Use Microsoft’s: “The "High" security settings in Microsoft's "Windows Server 2003 Security Guide" track closely with the security level historically represented in the NSA guidelines. It is our belief that this guide establishes the latest best practices for securing the product and recommend that traditional customers of our security recommendations use the Microsoft guide when securing Windows Server 2003”
> Microsoft .NET Framework Security Guide (Oct 04)
> Microsoft Office XP/2003 Executable Content Security Risks and Countermeasures Guide (Oct 04)
> Apple Mac OS Security Configuration Guide
> Linux Security Configuration Guide
> Solaris Security Configuration Guide
> Online at: http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1

Call to Action for Broadcast IT Vendors
> Use current, commercially supported platforms
  > Red Hat Enterprise Linux 3.0
  > Windows XP Pro or Embedded version
  > Windows Server 2003 or Embedded version
> Plan on testing patch updates within 7 days of patch availability
> Plan to test on beta or release candidates of service packs
> Write applications as a background process/service, not a user application

Call to Action for Broadcast IT Vendors
> Review & improve security of products
  > Analyze security – attack surface, threat model for your product
  > Document security profile for customers
> Practice secure design & implementation
  > Writing Secure Code 2nd Edition, Michael Howard, David LeBlanc
> Require authentication for all network access
  > Strong protection for passwords in network traffic
> Evaluate/adopt a baseline
  security for standard product release
  > Apply OS hardening, minimize services
  > Use system security vulnerability assessment tools (e.g. MBSA)
> Use secure remote administration connections
  > Admin level access protected to higher degree
  > Every packet signed & encrypted
  > 2-factor auth capable protocols where possible
  > Use SSL/TLS, SSH, PPTP/L2TP/IPsec VPN, Windows Terminal Services
> Change embedded passwords during installation/setup, at least per site

Call to Action for PBS Member Stations
> Understand that internal systems might be infected via TCP/IP network connections
  > Must secure internal, external clients and servers
> Secure external communications
  > IPsec or VPN tunnel for all access into secure area
> Use strong passwords!
> Protect passwords from theft!
> Prevent laptops from directly connecting inside secure area
> Very careful & trained configuration and change control of core security devices (e.g. firewall, VPN server)
> Request security information from vendors
> Try Microsoft Security Risk Management Process
> Designate someone to learn security administration
> Train users & operators for security awareness

Backup & Details

Windows Client Security Summary
> Member of an Active Directory domain - for better management through Group Policy
> User not administrator if possible, uses strong password
> Automatic updates enabled - either through Windows Update, Update Services or Systems Management Server (SMS)
> Anti-virus - set for autoupdate of definitions daily and periodic full scans
> Anti-spyware - set for autoupdate of definitions and periodic full scans
> Windows Firewall on - exceptions disabled by default
> Enterprise client security template applied for hardening (update with new XP SP2 settings)
  > Additional settings & administrative template settings should be developed
  > Software restriction policies should be configured
> NTFS and Encrypting File System used to protect confidential data after theft
> Centralized monitoring with MACS, MOM, SMS, Systems Center or 3rd party
> System backup - Automatic System Restore enabled in XP, full disk remote backup, remote backups daily for user data
> Domain startup script run to check status of these daily or weekly
> http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

Additional Microsoft Security Help
> Technet IT Pro Security Community Page
  > http://www.microsoft.com/technet/community/en-us/security/default.mspx
  > Lots of news groups
> MS IT Security Papers
  > http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA
> PSS Support Webcasts
  > TCP/IP port and process auditing: Tuesday, December 14, 2004
  > TechNet Support WebCast: How to isolate servers and applications, March 22 2005 10am Pacific
  > See http://support.microsoft.com/pwebcasts

Windows Server SP1 Released
> Top reasons to use SP1:
  > Reduced attack surface – higher default security for RPCs and DCOM
  > New Security Configuration Wizard (SCW) - whitepapers coming soon
  > More secure new installations by Post-Setup Security Update to block incoming traffic while and until latest patches are installed
  > Windows Firewall replaces Internet Connection Firewall
  > Group policy for Windows Firewall added in Active Directory
  > RRAS VPN Server Quarantine capabilities, see http://www.microsoft.com/vpn
  > IIS 6.0 auditing for XML configuration metabase
  > Additional IE hardening
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/default.mspx

Technet webcast for Security Configuration Wizard available
> “Join this session as we walk you through the Wizard end-to-end, focusing on role-based server configuration, security configuration template design and development, and security configuration deployment.
  We will demonstrate the technologies as well as go in depth on customization of SCW and how to customize the database to support non-Microsoft applications”
> http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032268013&EventCategory=5&culture=en-US&CountryCode=US

Active Directory Security Links
> AD Security Center:
  > http://www.microsoft.com/technet/security/prodtech/ActiveDirectory.mspx
> Best Practice Guides for Securing Active Directory
  > Windows Server 2003 Best Practice Guide for Securing Windows Server Active Directory Installations (Jan 8 2004)
    http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx
  > Windows 2000 Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations (Feb 28 2004)
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/default.mspx
> Active Directory in Segmented Networks
  > http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
  > Provides detail for how to use IPsec to secure all traffic between AD servers
> Securing DNS Zone transfers in Windows Server 2003
  > http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbd_dns_wzwd.asp

TCP/IP Exploits and Countermeasures
> http://www.microsoft.com/technet/security/prodtech/windows2000/secmod150.mspx

Windows tools for investigating problems with hardening
> Full System Backup with ASR Diskette/CD
> System Restore – could try checkpoint prior to hardening. Not sure if it can undo everything…
> Many changes can not be undone by SCE or SCW rollback, such as registry and file ACLs
> Backup Windows event logs to baseline behaviors prior to hardening. Make logs bigger.
> Network Sniffers
  > Windows Netmon – light version in Win2k or Win2k3 as optional install networking component. Full version in Systems Management Server
  > Ethereal – open source http://www.ethereal.com/
> Dependency Walker (depends.exe, XP or Win2k3 Resource Kit)
> Portqry.exe v2.0 – port scanning tool - see KB 832919
> Port Reporter – installs as service to monitor app port usage - see KB 837243
> If Windows Firewall or IPsec filters are blocking UDP ports, watch out for false “port open” messages from remote port scanning tools. Some scan tools expect an ICMP destination port unreachable packet in response. Sniff to confirm what the tool reports
> Group Policy Resultant Set of Policy (RSoP) MMC snap-in – shows where a setting is being defined
> Set auditing for failure on registry keys – look for errors in Security Log
> Tlist.exe – process viewer (DDK debugging tools)
> File Monitor (sysinternals.com)
> Registry Monitor (sysinternals.com)
> Process Explorer (sysinternals.com)

Developer References
> “Creating a simple Win32 service in C++”
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndllpro/html/msdn_ntservic.asp
> MSDN “About Services” development help
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/about_services.asp
> “Example of installing an application as a service”
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/exchserv/html/example_0001.asp
> Microsoft Security Risk Management Process – 15oct04
  > http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
> New MS Press Book: Threat Modeling
  > http://www.microsoft.com/mspress/books/6892.asp
> Threat Modeling for Developers
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp