Security fundamentals
Topic 2: Establishing and maintaining baseline security

Agenda
• Trusted computing base
• Evaluation and certification
• Security baselines
• Security templates and scripts
• Maintaining a baseline

Trusted computing base
• Represents the most secure computing environment that the organisation can provide
• Includes all the protection mechanisms used to secure computing devices and infrastructure
• Contains security baselines for specific computer systems
• A baseline is the initial configuration that security is built on
• Monitor the differences between your initial baseline and the current configuration, and investigate their causes

Trusted computing base goals
• Ensures that only authorised people have access
• Ensures that they use systems in the manner intended
• Ensures that data remains confidential

Trusted computing base components
Includes all elements of the computing environment:
• Hardware – computers, peripherals and network devices
• Firmware – BIOS chips
• Software – operating system, application and custom software
• Procedures – administrative regulations, access control, backup schedules, training requirements

Creating a trusted computing base
• Inventory all elements of computer security
• Document all elements of computer security
• Monitor and account for changes
• Change and configuration management
• Protect against new threats

Threats to a trusted computing base
External threats:
• Originate from outside the trusted computing base (not necessarily outside the organisation)
• Attackers, natural disasters, insufficient enforcement
Internal threats:
• Problems within the trusted computing base itself
• Inadequate monitoring (for changes and deviations)
• Non-compliance with procedures
• Poor design
• Failure to update the trusted computing base

Evaluation and certification
Compliance with formal standards for security:
• TCSEC – Trusted Computer System Evaluation Criteria
  – The "Orange Book" set of standards for commercial operating systems
  – Several levels of security
  – C2 is the highest level for commercial systems
• ITSEC – Information Technology Security Evaluation Criteria
  – Similar standards to TCSEC

Evaluation and certification
Compliance with formal standards for security:
• Common Criteria – CCITSE, Common Criteria for Information Technology Security Evaluation
  – ISO standard
  – Set of processes for evaluating security features and capabilities
  – The security rating of a product evaluated in one country is recognised in other countries
• ISO 17799 – information security standard
  – Generic security policy that describes general security settings but not system-specific configurations

Security baselines
• A detailed description of how to configure and administer a device or system so that it provides the best possible security:
  – What hardware to use and which BIOS settings
  – Procedures for physically securing a computer
  – Media to use for installing an OS or service, installation options and post-installation configuration
  – Rules regarding content to be used
  – Procedures for reviewing the installation, monitoring it and making changes to the configuration
  – Rules for who can access a server and the authentication methods implemented
  – Documentation and record-keeping requirements

Security baseline guidelines
Guidelines for file systems
• Use NTFS, not FAT, and use permission assignments for access control
• Principle of least privilege: grant only the minimal permissions required to perform a specific task
• Avoid Full Control and the Everyone group
• Put users into groups and assign permissions to the group
• Use permission inheritance: general permissions at a higher level and exceptions at a lower level
• Assign permissions for both local and network access
• Encrypt files that must be kept private

Security baseline guidelines
Guidelines for services/daemons
• Every running service is a potential entry point
• Enable only services that are required
• Default configurations are not the most secure
• Restrict the actions that can be performed by the service by running it under a custom user account, not as administrator or root
• Consider which services start automatically
• Apply security updates
• Secure the files and configurations used by the service/daemon

Security baseline guidelines
Guidelines for critical applications
• Only use critical business applications
• Typically email, database and accounting
• Apply security updates
• Secure the files and configurations used by the application
• Install only required components
• Grant appropriate access levels

Security baseline guidelines
Guidelines for other applications
• Remove all unnecessary applications – reduce the attack surface
• Use ps or Task Manager to list running processes
• Ensure users don't install unauthorised programs (standard user accounts)
• Prevent users from accessing system and program files on the hard drive

Security baseline guidelines
Guidelines for network communications
• Disable unnecessary protocols
• Network access:
  – Restrict open ports
  – Enable packet filters
  – Require authentication to access the network or network resources
  – Use IPSec to secure communications and require that computers authenticate with each other
• Encrypt network traffic:
  – IPSec to encrypt for privacy
  – SSH (Secure Shell)
  – SSL (Secure Sockets Layer)

Security templates
System security settings fall into the following categories:
• Account policies: user accounts – password requirements, account lockouts, who can perform tasks
• Local policies: how the system is audited, who can access logs, user rights assignment, and other settings
• Event log: who can access event logs, how event logs are sorted and retained
• Restricted groups: which users are members of which groups
• System services: specify start-up behaviour and permissions for services
• Registry: sets permissions to access the registry
• File systems: set permissions to access specific files and folders

Scripts
• Automated alternative to using security templates:
  – Windows Scripting Host (WSH)
  – Shell scripts
  – Perl scripts
  – C scripts

Maintaining a security baseline
• Existing security benchmarks: http://www.cisecurity.com
• Remain informed about current threats and vulnerabilities:
  – CERT/CC advisories
  – Mailing lists (e.g. SecurityFocus™, Bugtraq)
  – Hardware/software vendor websites
• Update security baselines to reflect newly emerging security requirements

Securing against known vulnerabilities
Apply security updates:
• Hotfixes: fast release for one or more issues, perhaps with less testing of the hotfix
• Security Rollup Packages: several critical hotfixes with more testing
• Service Packs: all fixes available, including those in previous service packs – extensive testing

Securing against known vulnerabilities
Acquiring security updates:
• Verify the authenticity of the update – is it really from the vendor?
• Check digital certificates – guarantees it is from the author and that it hasn't been modified
• Checksums: MD5 hash computation to check integrity
• Cryptographically sign the hash (e.g. with Pretty Good Privacy (PGP))

Summary
• What a trusted computing base is
• Security evaluation and certification criteria available
• What security baselines are
• Security templates and scripts that help automate security application
• Practices for maintaining our baselines
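The "Trusted computing base" and "Maintaining a security baseline" slides both rest on one mechanism: record the initial configuration, re-measure it later, and investigate every difference. The following is an added example of that mechanism, not code from the slide deck; it hashes files with SHA-256, stores the result as the baseline, and reports added, removed and modified files. The file paths and contents in the sample are constructed.

```python
"""Baseline drift check: hash every file in a baseline, re-hash later, report differences.

Added example; not code from the slide deck. File paths and contents below are constructed.
"""
import hashlib
import json
import os
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root: str) -> dict[str, str]:
    """Map each file under root (as a relative, '/'-separated path) to the SHA-256 of its content."""
    snap: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                snap[rel] = sha256_hex(fh.read())
    return snap


def save_baseline(path: str, snap: dict[str, str]) -> None:
    # The baseline is itself part of the TCB: store it where the monitored host cannot rewrite it.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


@dataclass
class Drift:
    added: list[str] = field(default_factory=list)     # present now, absent from the baseline
    removed: list[str] = field(default_factory=list)   # in the baseline, gone now
    modified: list[str] = field(default_factory=list)  # hash differs

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare(baseline: dict[str, str], current: dict[str, str]) -> Drift:
    """Every difference is a candidate for investigation: an approved change or an incident."""
    drift = Drift()
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            drift.removed.append(path)
        elif path not in baseline:
            drift.added.append(path)
        elif baseline[path] != current[path]:
            drift.modified.append(path)
    return drift


# Constructed sample data standing in for two snapshots of the same host.
BASELINE_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
    "usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/etc.tgz /etc\n",
}
CURRENT_FILES = {
    "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # setting relaxed
    "etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
    "usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/etc.tgz /etc\n",
    "usr/local/bin/helper": b"\x7fELF\x02\x01\x01",  # binary nobody documented
}


def demo_drift() -> Drift:
    baseline = {p: sha256_hex(c) for p, c in BASELINE_FILES.items()}
    current = {p: sha256_hex(c) for p, c in CURRENT_FILES.items()}
    return compare(baseline, current)


if __name__ == "__main__":
    result = demo_drift()
    for kind in ("added", "removed", "modified"):
        for path in getattr(result, kind):
            print(f"{kind:8s} {path}")
```

In practice the baseline is taken right after the documented installation and post-installation configuration, saved with `save_baseline`, and `snapshot_dir` plus `compare` run on a schedule; a clean result is the expected case, and anything else is either matched to an approved change record or treated as a deviation from the baseline.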
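The guideline slides (file systems, services, network access) and the "Security templates" slide describe baseline rules by category; the "Scripts" slide notes that scripts can apply such settings instead of templates. The block below is an added example of the checking side of that work, not code from the slide deck: it audits a host snapshot against a baseline covering account policies, system services, open ports and file ACLs. The baseline values, setting names, service names and the sample host are all constructed to mirror the slides' categories, and the snapshot is passed in as a plain dict so the collection step (registry, `sc`, `netstat`, `icacls`, `ps`, whatever the platform offers) stays separate from the rules.

```python
"""Audit a host's settings against a security baseline.

Added example; not code from the slide deck. The baseline values, setting names and the
sample host below are constructed to mirror the template categories on the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # which template category the deviation falls under
    item: str       # the setting, service, port or path concerned
    detail: str


# Constructed baseline: the minimum the organisation has decided to require.
BASELINE = {
    "min_password_length": 12,
    "lockout_threshold": 5,              # failed attempts before lockout; 0 would mean "never"
    "required_services": {"EventLog", "sshd"},
    "forbidden_services": {"Telnet", "ftpd"},
    "privileged_accounts": {"SYSTEM", "root", "Administrator"},
    "may_run_privileged": {"EventLog"},  # services allowed to keep a built-in privileged account
    "allowed_ports": {22, 443},
    "forbidden_aces": {("Everyone", "FullControl")},
}


def audit(host: dict, baseline: dict = BASELINE) -> list[Finding]:
    findings: list[Finding] = []

    # Account policies: password length and lockout
    if host["min_password_length"] < baseline["min_password_length"]:
        findings.append(Finding("account_policies", "min_password_length",
                                f"{host['min_password_length']} < required {baseline['min_password_length']}"))
    if host["lockout_threshold"] == 0 or host["lockout_threshold"] > baseline["lockout_threshold"]:
        findings.append(Finding("account_policies", "lockout_threshold",
                                f"{host['lockout_threshold']} (required <= {baseline['lockout_threshold']}, not 0)"))

    # System services: required ones running, forbidden ones absent, least-privileged accounts
    running = set(host["services"])
    for svc in sorted(baseline["required_services"] - running):
        findings.append(Finding("system_services", svc, "required service not running"))
    for svc in sorted(running & baseline["forbidden_services"]):
        findings.append(Finding("system_services", svc, "forbidden service running"))
    for svc, account in sorted(host["services"].items()):
        if account in baseline["privileged_accounts"] and svc not in baseline["may_run_privileged"]:
            findings.append(Finding("system_services", svc, f"runs as {account}; use a custom service account"))

    # Network access: only the ports the baseline opens
    for port in sorted(set(host["listening_ports"]) - baseline["allowed_ports"]):
        findings.append(Finding("network", str(port), "listening port not in baseline"))

    # File systems: no Full Control for Everyone, anywhere
    for path, aces in sorted(host["acls"].items()):
        for principal, right in aces:
            if (principal, right) in baseline["forbidden_aces"]:
                findings.append(Finding("file_systems", path, f"{principal} has {right}"))
    return findings


# Constructed host snapshot with several deviations.
SAMPLE_HOST = {
    "min_password_length": 8,
    "lockout_threshold": 0,
    "services": {"EventLog": "SYSTEM", "sshd": "sshd", "Telnet": "SYSTEM", "backupd": "root"},
    "listening_ports": [22, 23, 443],
    "acls": {
        "C:/Payroll": [("Everyone", "FullControl"), ("Payroll-Admins", "Modify")],
        "C:/Public": [("Everyone", "Read")],
    },
}


def demo_audit() -> list[Finding]:
    return audit(SAMPLE_HOST)


if __name__ == "__main__":
    for f in demo_audit():
        print(f"[{f.category}] {f.item}: {f.detail}")
```

Each finding names the template category it belongs to, so the report maps directly onto the slide's categories and onto whichever template or script is responsible for correcting it.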
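The "Acquiring security updates" slide lists checksums as an integrity check. The block below is an added example of that step, not code from the slide deck: it parses a vendor-style checksum list, hashes the downloaded package and compares in constant time. The slide names MD5; the example defaults to SHA-256 because MD5 collisions have been practical since 2004, while MD5 is still accepted as a parameter for older lists. The package bytes, checksum list and the file name `hotfix-EXAMPLE.exe` are constructed placeholders. A checksum on its own only detects corruption or tampering if the checksum list came over an authenticated channel; the slide's digital-certificate and signed-hash steps are what provide that, and they are not implemented here.

```python
"""Verify a downloaded update against a vendor-published checksum list.

Added example; not code from the slide deck. The package bytes and checksum list below are
constructed; 'hotfix-EXAMPLE.exe' is a placeholder name.
"""
import hashlib
import hmac


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


def digest_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large service packs don't have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            h.update(block)
    return h.hexdigest()


def parse_checksum_list(text: str) -> dict[str, str]:
    """Parse 'sha256sum'/'md5sum' style output: '<hexdigest>  <filename>' per line."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        hexdigest, name = parts
        table[name.lstrip("*")] = hexdigest.lower()   # '*' marks binary mode in GNU tools
    return table


def verify(data: bytes, published: str, algo: str = "sha256") -> bool:
    # Constant-time compare: the cost is negligible and it removes a class of mistakes.
    return hmac.compare_digest(digest_bytes(data, algo), published.lower())


# Constructed sample: the genuine package, the list the vendor published for it, and a tampered copy.
GENUINE = b"MZ\x90\x00 constructed hotfix payload v1.0\n"
TAMPERED = b"MZ\x90\x00 constructed hotfix payload v1.0 + injected\n"
CHECKSUM_LIST = (
    "# SHA-256\n"
    f"{digest_bytes(GENUINE)}  hotfix-EXAMPLE.exe\n"
    f"{digest_bytes(b'other constructed file')}  *readme.txt\n"
)


def demo_verify() -> tuple[bool, bool]:
    """Return (genuine package verifies, tampered package verifies)."""
    published = parse_checksum_list(CHECKSUM_LIST)["hotfix-EXAMPLE.exe"]
    return verify(GENUINE, published), verify(TAMPERED, published)


if __name__ == "__main__":
    ok_genuine, ok_tampered = demo_verify()
    print("genuine package matches:", ok_genuine)
    print("tampered package matches:", ok_tampered)
```

For a real download, `digest_file(path)` replaces `digest_bytes(GENUINE)` and the checksum list comes from the vendor's published file; a mismatch means the package is not installed, regardless of how urgent the hotfix is.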