Establishing and maintaining baseline security

Security fundamentals
Topic 2
Establishing and maintaining baseline security
Agenda
• Trusted computing base
• Evaluation and certification
• Security baselines
• Security templates and scripts
• Maintaining a baseline
Trusted computing base
• The set of protection mechanisms (hardware, firmware, software and procedures) that together enforce the organisation's security policy; it represents the most secure computing environment the organisation can provide
• Includes all the protection mechanisms used to secure computing devices and infrastructure
• Contains security baselines for specific computer systems
• A baseline is the initial, known-good configuration that security is built on
• Monitor the differences between the baseline and the current configuration and investigate the cause of every deviation: unexplained drift is either an error in change control or a sign of compromise
Trusted computing base goals
• Ensure that only authorised people have access
• Ensure they use systems in the manner intended
• Ensure data remains confidential
Trusted computing base components
Includes all elements of the computing environment:
• Hardware – computers, peripherals and network devices
• Firmware – BIOS/UEFI and other device firmware
• Software – operating system, applications and custom code
• Procedures – administrative regulations, access control, backup schedules, training requirements
Creating a trusted computing base
• Inventory all elements of computer security
• Document all elements of computer security
• Monitor and account for changes
• Make changes only through configuration management
• Protect against new threats
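The inventory, document and monitor steps above, and the "compare the baseline with the current configuration" point from the previous slide, as an added example that is not code from the original slides: a standard-library Python script that records a baseline of a file tree (mode, owner, size and SHA-256 of every file) as JSON and then reports what has been added, removed or changed. The tree and the three deviations built by demo_drift() are constructed for the example; the root path and the location of the baseline file are the caller's choice.

```python
"""Inventory, document and monitor a configuration baseline for a file tree.

Added example for these slides, not code from the original deck. It uses only the
Python standard library; the tree to walk and the JSON file the baseline is kept
in are whatever the caller passes. The small config tree built by demo_drift()
is constructed here purely for illustration.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, List

Snapshot = Dict[str, Dict[str, object]]


def _describe(path: str) -> Dict[str, object]:
    """Record the attributes that matter for drift: mode, owner, size, content hash."""
    st = os.lstat(path)
    entry: Dict[str, object] = {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)  # a redirected symlink is drift too
    return entry


def take_snapshot(root: str) -> Snapshot:
    """Inventory every file under root, keyed by path relative to root."""
    snap: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order keeps the JSON itself diffable
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = _describe(full)
    return snap


def save_baseline(snap: Snapshot, path: str) -> None:
    """Document the baseline. Keep this file (or a signed hash of it) off the monitored host."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Snapshot:
    with open(path) as f:
        return json.load(f)


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, object]:
    """Report what appeared, disappeared or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed: Dict[str, List[str]] = {}
    for rel in sorted(set(baseline) & set(current)):
        before, after = baseline[rel], current[rel]
        fields = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
        if fields:
            changed[rel] = fields  # which attributes moved, so the investigation starts informed
    return {"added": added, "removed": removed, "changed": changed}


def demo_drift() -> Dict[str, object]:
    """Constructed scenario: baseline a tiny config tree, then introduce three deviations."""
    root = tempfile.mkdtemp(prefix="tcb-demo-")
    with open(os.path.join(root, "sshd_config"), "w") as f:
        f.write("PermitRootLogin no\n")
    with open(os.path.join(root, "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    baseline_path = os.path.join(tempfile.mkdtemp(prefix="tcb-store-"), "baseline.json")
    save_baseline(take_snapshot(root), baseline_path)

    # Drift: a weakened setting, a new start-up file, and a deleted file.
    with open(os.path.join(root, "sshd_config"), "w") as f:
        f.write("PermitRootLogin yes\n")
    with open(os.path.join(root, "rc.local"), "w") as f:
        f.write("nc -l -p 4444 -e /bin/sh\n")
    os.remove(os.path.join(root, "hosts"))
    return diff_snapshots(load_baseline(baseline_path), take_snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo_drift(), indent=2))
```

Run take_snapshot against a directory such as /etc or a Windows system directory once the build has been signed off, file the JSON with the baseline documentation, and re-run on a schedule. Every entry in the report is something that must be explained, either by a change record in configuration management or by an incident investigation.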
Threats to a trusted computing base
External threats:
• Originate from outside the trusted computing base (not necessarily outside the organisation)
• Attackers, natural disasters, insufficient enforcement of policy
Internal threats (problems with the trusted computing base itself):
• Inadequate monitoring (for changes and deviations)
• Noncompliance with procedures
• Poor design
• Failure to update the trusted computing base
Evaluation and certification
Compliance with formal standards for security
• TCSEC – Trusted Computer System Evaluation Criteria
– The US Department of Defense "Orange Book" (1985), applied to commercial operating systems as well as military ones
– Several levels of security: divisions D (minimal protection) through C1, C2, B1, B2 and B3 up to A1 (verified design)
– C2 (controlled access protection: discretionary access control, object reuse, auditing) is the class most general-purpose commercial operating systems were evaluated at; it is not the highest level available
• ITSEC – Information Technology Security Evaluation Criteria
– European counterpart to TCSEC; rates functionality and assurance (E0 to E6) separately
Evaluation and certification
Compliance with formal standards for security
• Common Criteria
– CCITSE, Common Criteria for Information Technology Security Evaluation
– Published as ISO/IEC 15408
– Set of processes for evaluating security features (functional requirements) and the confidence that they work (Evaluation Assurance Levels EAL1 to EAL7)
– Under the Common Criteria Recognition Arrangement a rating awarded in one member country is recognised in the others (at the lower assurance levels; higher EALs are not automatically recognised)
• ISO 17799
– Information security standard: a code of practice for security controls (renumbered ISO/IEC 27002 in 2007)
– Describes general security policy and controls but not system-specific configurations
Security baselines
• A detailed description of how to configure and administer a device or system so that it provides the best possible security
– What hardware to use and which BIOS settings
– Procedures for physically securing a computer
– Media to use for installing an OS or service, installation options and post-installation configuration
– Rules regarding the content the system may hold or serve
– Procedures for reviewing the installation, monitoring it and making changes to the configuration
– Rules for who can access a server and the authentication methods implemented
– Documentation and record-keeping requirements
Security baseline guidelines
Guidelines for file systems
• Use NTFS, not FAT, and use permission assignments for access control (FAT has no permissions at all)
• Principle of least privilege: grant only the minimal permissions required to perform a specific task
• Avoid Full Control and the Everyone group; Full Control lets the holder change permissions and take ownership
• Put users into groups and assign permissions to the group, not to individual accounts
• Use permission inheritance: general permissions at a higher level and exceptions at a lower level
• Assign permissions for both local (NTFS) and network (share) access; the effective permission is the more restrictive of the two
• Encrypt files that must be kept private (eg with EFS on NTFS)
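The file-system guidelines above, turned into a check, as an added example that is not code from the original slides: a Python audit of `icacls` output that flags Full Control granted outside the administrative principals, anything beyond read access for Everyone, and explicit (non-inherited) entries that should be reviewed as exceptions. The output format assumed is that of `icacls <path>` for a single path; the sample listing for C:\Data\Finance is constructed for the example.

```python
"""Audit NTFS permissions from `icacls` output against the file-system guidelines above.

Added example, not from the original slides. It assumes the plain-text output of
`icacls <path>` for a single path: the path and first ACE on the first line, one
ACE per following line, inheritance flags such as (OI)(CI)(I) printed in the same
parentheses style as the rights. The sample output below is constructed.
"""
import re
from typing import List, Set, Tuple

# Principals for which Full Control is expected rather than suspicious.
ADMIN_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "CREATOR OWNER"}
# Tokens icacls prints alongside rights: inheritance/propagation flags and DENY.
FLAG_TOKENS = {"OI", "CI", "IO", "NP", "I", "DENY"}
# Rights that do not let the holder change or destroy data.
READ_ONLY_RIGHTS = {"R", "RX", "N"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<tokens>(?:\([^)]*\))+)$")
Ace = Tuple[str, Set[str], Set[str]]  # (principal, flags, rights)


def parse_icacls(path: str, output: str) -> List[Ace]:
    """Parse `icacls <path>` output into (principal, flags, rights) triples."""
    aces: List[Ace] = []
    first = True
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if first:
            if not line.startswith(path + " "):
                raise ValueError("first line does not start with the queried path")
            line = line[len(path):].strip()
            first = False
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE line: {raw!r}")
        tokens = re.findall(r"\(([^)]*)\)", m.group("tokens"))
        flags = {t for t in tokens if t in FLAG_TOKENS}
        rights: Set[str] = set()
        for t in tokens:
            if t not in FLAG_TOKENS:
                rights.update(t.split(","))  # specific rights are listed as (RD,WD,AD)
        aces.append((m.group("principal"), flags, rights))
    return aces


def audit_acl(aces: List[Ace]) -> List[Tuple[str, str, str]]:
    """Return (severity, principal, reason) findings for ACEs that break the guidelines."""
    findings = []
    for principal, flags, rights in aces:
        if "DENY" in flags:
            continue  # deny entries restrict rather than grant
        if principal.lower() == "everyone" and not rights <= READ_ONLY_RIGHTS:
            findings.append(("high", principal, "Everyone granted " + ",".join(sorted(rights))))
        elif "F" in rights and principal not in ADMIN_PRINCIPALS:
            findings.append(("high", principal, "Full Control outside the administrative principals"))
        if "I" not in flags and principal not in ADMIN_PRINCIPALS:
            findings.append(("review", principal,
                             "explicit (non-inherited) ACE: confirm it is an intended exception"))
    return findings


# Constructed sample: what `icacls C:\Data\Finance` might print on a badly secured folder.
SAMPLE_PATH = r"C:\Data\Finance"
SAMPLE_OUTPUT = r"""C:\Data\Finance NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                BUILTIN\Administrators:(I)(OI)(CI)(F)
                CORP\Finance-Users:(OI)(CI)(M)
                Everyone:(OI)(CI)(F)
                CORP\jsmith:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for severity, who, why in audit_acl(parse_icacls(SAMPLE_PATH, SAMPLE_OUTPUT)):
        print(f"{severity:6} {who:30} {why}")
```

Feed it the output of `icacls <folder>` for each folder named in the baseline. The "review" findings are deliberately noisy at the top of a share, where every entry is explicit; further down the tree they point at exactly the exceptions the inheritance guideline says should be rare and documented.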
Security baseline guidelines
Guidelines for services/daemons
• Every running service is a potential entry point
• Enable only services that are required
• Default configurations are not the most secure
• Restrict the actions a service can perform by running it under a dedicated, unprivileged user account rather than as administrator, SYSTEM or root
• Consider which services start automatically
• Apply security updates
• Secure the files and configurations used by the service/daemon
Security baseline guidelines
Guidelines for critical applications
• Install only the applications the business actually needs; typically email, database and accounting
• Apply security updates
• Secure the files and configurations used by the application
• Install only required components
• Grant appropriate (least-privilege) access levels
Security baseline guidelines
Guidelines for other applications
• Remove all unnecessary applications – reduces the attack surface
• Use ps (Unix) or Task Manager (Windows) to list running processes
• Ensure users cannot install unauthorised programs (give them standard, non-administrative user accounts)
• Prevent users from modifying (and, where not needed, reading) system and program files on the disk
Security baseline guidelines
Guidelines for network communications
• Disable unnecessary protocols
• Network access
– Restrict open ports
– Enable packet filters
– Require authentication to access the network or network resources
– Use IPsec to secure communications and require computers to authenticate to each other
• Encrypt network traffic
– IPsec to encrypt for privacy
– SSH (Secure Shell)
– SSL (Secure Sockets Layer), now superseded by TLS; every SSL version is deprecated and should be disabled
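The services/daemons guidelines and the "restrict open ports" guideline above, as one added example that is not code from the original slides: a Python audit that parses `ps -eo user,pid,comm` and `ss -ltnp` output from a Linux host and flags daemons missing from the baseline, daemons running under an account the baseline does not allow, and listeners reachable from the network on ports outside the allowlist. The two command outputs and the baseline allowlists are constructed for the example; a real baseline would be the documented service list for that class of host.

```python
"""Audit running services and listening ports against a baseline allowlist.

Added example covering the service/daemon and network-access guidelines above; it
is not code from the original slides. It assumes the Linux output formats of
`ps -eo user,pid,comm` and `ss -ltnp`. The command outputs and the baseline below
are constructed for this example.
"""
import re
from typing import Dict, List, Set, Tuple

# Baseline: which daemons this host class should run, and under which accounts.
EXPECTED_SERVICES: Dict[str, Set[str]] = {
    "systemd": {"root"},
    "sshd": {"root"},
    "postgres": {"postgres"},
    "nginx": {"root", "www-data"},  # master binds port 80 as root, workers drop to www-data
}
# Ports that may be reachable from the network; the packet filter should enforce the same set.
ALLOWED_EXTERNAL_PORTS = {22, 80}
LOOPBACK = ("127.", "[::1]")

Finding = Tuple[str, object, str]  # (kind, subject, detail)


def parse_ps(text: str) -> List[Tuple[str, int, str]]:
    """Parse `ps -eo user,pid,comm` into (user, pid, command) triples, skipping the header."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].isdigit():
            procs.append((parts[0], int(parts[1]), parts[2]))
    return procs


def parse_ss(text: str) -> List[Tuple[str, int, List[str]]]:
    """Parse `ss -ltnp` into (local address, port, [process names]) per listening socket."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        names = re.findall(r'\("([^"]+)",pid=\d+', " ".join(parts[5:]))
        listeners.append((addr, int(port), names))
    return listeners


def audit_services(procs, expected=EXPECTED_SERVICES) -> List[Finding]:
    """Flag daemons outside the baseline and daemons running under the wrong account."""
    findings: List[Finding] = []
    for user, pid, comm in procs:
        if comm not in expected:
            findings.append(("unexpected-service", comm, f"pid {pid} running as {user}; not in baseline"))
        elif user not in expected[comm]:
            findings.append(("wrong-account", comm,
                             f"pid {pid} runs as {user}; baseline allows {sorted(expected[comm])}"))
    return findings


def audit_listeners(listeners, allowed=ALLOWED_EXTERNAL_PORTS) -> List[Finding]:
    """Flag sockets reachable from the network on ports the baseline does not allow."""
    findings: List[Finding] = []
    for addr, port, names in listeners:
        if addr.startswith(LOOPBACK):
            continue  # local-only listeners are not exposed to the network
        if port not in allowed:
            findings.append(("exposed-port", port, f"{addr}:{port} open by {names or ['unknown']}"))
    return findings


# Constructed sample output; postgres running as root, a print daemon and telnetd
# are the deliberate deviations from the baseline.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 systemd
root       812 sshd
root       901 postgres
root       955 cupsd
root      1203 nginx
www-data  1204 nginx
root      1320 telnetd
"""

SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=901,fd=5))
LISTEN  0       128     0.0.0.0:631          0.0.0.0:*          users:(("cupsd",pid=955,fd=6))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1203,fd=6),("nginx",pid=1204,fd=6))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1320,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for kind, subject, detail in audit_services(parse_ps(SAMPLE_PS)) + audit_listeners(parse_ss(SAMPLE_SS)):
        print(f"{kind:20} {subject!s:10} {detail}")
```

Note that the loopback-only PostgreSQL listener is accepted while the same daemon is still reported for running as root: the two checks answer different questions (what is exposed, and what damage a compromised service could do), and a baseline needs both.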
Security templates
A security template is a text (.inf) file holding a set of system security settings; it is applied with secedit or the Security Configuration and Analysis snap-in, and can be imported into Group Policy. The settings fall into the following categories:
• Account policies: password requirements, account lockout and Kerberos policy
• Local policies: how the system is audited, user rights assignment (who can perform which tasks), and other security options
• Event log: maximum size and retention of the application, security and system logs, and who can access them
• Restricted groups: which users are members of which groups (membership is enforced on every policy refresh)
• System services: start-up behaviour and permissions for services
• Registry: permissions on registry keys
• File system: permissions on specific files and folders
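The account-policy category above, as an added example that is not code from the original slides: a Python check of the [System Access] section of a secedit .inf template against a set of minimum bounds, plus a function that rewrites the template so each failing setting meets its bound. The key names are the standard secedit ones; the bounds and the weak template are constructed for the example (the weak values happen to match the defaults of an unconfigured standalone host).

```python
"""Check and harden the [System Access] section of a Windows security template.

Added example, not from the original slides. It assumes the secedit .inf template
format (INI-style sections with `Key = Value`) and the standard [System Access]
key names (MinimumPasswordLength, PasswordComplexity, LockoutBadCount and so on).
The required bounds and the weak template below are constructed for this example;
exported templates are UTF-16 on disk, so read real ones with encoding="utf-16".
"""
import configparser
import io
from typing import Dict, List, Optional, Tuple

# (lowest acceptable, highest acceptable); None means unbounded on that side.
# These bounds are this example's baseline, not a Microsoft default.
Bounds = Tuple[Optional[int], Optional[int]]
REQUIRED: Dict[str, Bounds] = {
    "MinimumPasswordLength": (14, None),
    "PasswordComplexity": (1, 1),
    "PasswordHistorySize": (24, None),
    "MinimumPasswordAge": (1, None),     # days; stops cycling straight back to an old password
    "MaximumPasswordAge": (1, 365),      # days; -1 would mean never expires
    "LockoutBadCount": (1, 10),          # 0 disables lockout entirely
    "LockoutDuration": (15, None),       # minutes
    "ResetLockoutCount": (15, None),     # minutes
    "ClearTextPassword": (0, 0),         # reversible encryption must stay off
}


def _load(template_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)  # "$CHICAGO$" must not be interpolated
    cp.optionxform = str  # keep key names exactly as secedit writes them
    cp.read_string(template_text)
    return cp


def _out_of_bounds(value: int, bounds: Bounds) -> bool:
    low, high = bounds
    return (low is not None and value < low) or (high is not None and value > high)


def check_system_access(template_text: str,
                        required: Dict[str, Bounds] = REQUIRED) -> List[Tuple[str, Optional[int], str]]:
    """Return (key, current value or None, problem) for every setting weaker than required."""
    cp = _load(template_text)
    section = cp["System Access"] if cp.has_section("System Access") else {}
    findings = []
    for key, bounds in required.items():
        if key not in section:
            findings.append((key, None, f"not set; required within {bounds}"))
            continue
        value = int(section[key])
        if _out_of_bounds(value, bounds):
            findings.append((key, value, f"value {value} outside {bounds}"))
    return findings


def harden_template(template_text: str, required: Dict[str, Bounds] = REQUIRED) -> str:
    """Rewrite the template so every checked setting meets the bound it currently fails."""
    cp = _load(template_text)
    if not cp.has_section("System Access"):
        cp.add_section("System Access")
    section = cp["System Access"]
    for key, (low, high) in required.items():
        current = int(section[key]) if key in section else None
        if current is None:
            section[key] = str(low if low is not None else high)
        elif low is not None and current < low:
            section[key] = str(low)
        elif high is not None and current > high:
            section[key] = str(high)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


# Constructed weak template: no length, complexity or history requirement and no lockout.
WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for key, value, problem in check_system_access(WEAK_TEMPLATE):
        print(f"{key:22} {problem}")
    print(harden_template(WEAK_TEMPLATE))
```

Write the hardened text back out as UTF-16, then compare a host against it with `secedit /analyze /db baseline.sdb /cfg hardened.inf` and apply it with `secedit /configure /db baseline.sdb /cfg hardened.inf /areas SECURITYPOLICY`. The same loop generalises to the other template sections, but they are not simple integer bounds: Privilege Rights and Restricted Groups hold lists of SIDs.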
Scripts
• Automated alternative to using security templates
– Windows Scripting Host (WSH)
– Shell scripts
– Perl scripts
– C scripts
Maintaining a security baseline
• Start from existing security benchmarks, eg those published by the Center for Internet Security at http://www.cisecurity.com
• Remain informed about current threats and vulnerabilities
– CERT/CC advisories
– Mailing lists (eg SecurityFocus™, Bugtraq)
– Hardware/software vendor websites
• Update security baselines to reflect new and emerging security requirements
Securing against known vulnerabilities
Apply security updates:
• Hotfixes: fast release for one or more issues, with less testing by the vendor, so test on a non-production system before wide deployment
• Security Rollup Packages: several critical hotfixes bundled, with more testing
• Service Packs: all available fixes, including those in previous service packs, with extensive testing
Securing against known vulnerabilities
Acquiring security updates
• Verify the authenticity of the update – is it really from the vendor?
• Check digital signatures – a valid signature under the vendor's certificate shows the update came from them and has not been modified since it was signed
• Checksums: a hash (eg SHA-256) detects accidental or malicious modification, but only if the expected value comes from a trusted channel and not from the same site as the download; MD5 is no longer collision-resistant and should not be relied on
• Cryptographically signed hashes (eg with Pretty Good Privacy (PGP)) give both the integrity check and the proof of origin
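The checksum step above, as an added example that is not code from the original slides: a Python verifier that parses a sha256sum-style manifest, recomputes each download's digest, compares in constant time, and refuses MD5/SHA-1 entries unless the caller explicitly accepts weak digests. The update contents, the manifest and the tampered download are constructed for the example, not taken from any vendor.

```python
"""Verify downloaded updates against a hash manifest before installing them.

Added example, not from the original slides. It assumes the manifest format
written by sha256sum/md5sum (`<hex digest>  <filename>`, a leading `*` on the
name for binary mode). The update contents, the manifest and the tampered file
below are constructed for this example, not taken from any vendor.
"""
import hashlib
import hmac
from typing import Dict, Tuple

# Hex digest length -> algorithm. MD5 and SHA-1 are recognised so that old manifests
# still parse, but they are no longer collision-resistant and are rejected unless
# the caller explicitly accepts weak digests.
DIGEST_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
WEAK_ALGORITHMS = {"md5", "sha1"}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_manifest(text: str) -> Dict[str, Tuple[str, str]]:
    """Map filename -> (algorithm, expected hex digest)."""
    entries: Dict[str, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<hex>  <filename>'")
        digest, name = parts
        algorithm = DIGEST_ALGORITHMS.get(len(digest))
        if algorithm is None or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: unrecognised digest {digest!r}")
        entries[name.lstrip("*")] = (algorithm, digest.lower())
    return entries


def verify_file(data: bytes, algorithm: str, expected_hex: str) -> bool:
    """Recompute the digest and compare it in constant time."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def verify_downloads(files: Dict[str, bytes], manifest_text: str,
                     allow_weak: bool = False) -> Dict[str, str]:
    """Verdict per file: 'ok', 'MISMATCH', 'WEAK-DIGEST' or 'NOT-IN-MANIFEST'."""
    manifest = parse_manifest(manifest_text)
    verdicts: Dict[str, str] = {}
    for name, data in files.items():
        if name not in manifest:
            verdicts[name] = "NOT-IN-MANIFEST"  # never install what the vendor did not list
        else:
            algorithm, expected = manifest[name]
            if algorithm in WEAK_ALGORITHMS and not allow_weak:
                verdicts[name] = "WEAK-DIGEST"
            else:
                verdicts[name] = "ok" if verify_file(data, algorithm, expected) else "MISMATCH"
    return verdicts


# Constructed scenario: three "updates", a manifest computed from the originals,
# and one download that was altered after the manifest was published.
HOTFIX = b"hotfix: fixes the parser overflow\n"
ROLLUP = b"rollup: hotfixes 1 to 3 with extra testing\n"
LEGACY = b"legacy update, listed only with an md5 sum\n"


def demo_manifest() -> str:
    return "\n".join([
        f"{hashlib.sha256(HOTFIX).hexdigest()}  hotfix.tar.gz",
        f"{hashlib.sha256(ROLLUP).hexdigest()} *rollup.tar.gz",
        f"{hashlib.md5(LEGACY).hexdigest()}  legacy.tar.gz",
    ]) + "\n"


def demo_verdicts(allow_weak: bool = False) -> Dict[str, str]:
    downloads = {
        "hotfix.tar.gz": HOTFIX,
        "rollup.tar.gz": ROLLUP + b"#",  # tampered in transit or on the mirror
        "legacy.tar.gz": LEGACY,
        "extra.tar.gz": b"not in the manifest at all\n",
    }
    return verify_downloads(downloads, demo_manifest(), allow_weak)


if __name__ == "__main__":
    for name, verdict in demo_verdicts().items():
        print(f"{verdict:15} {name}")
```

The manifest itself is the weak point: an attacker who can replace the download on a mirror can usually replace the checksum file beside it. Verify the vendor's signature on the manifest first (for a PGP-signed one, `gpg --verify SHA256SUMS.asc SHA256SUMS` against a key obtained out of band), and only then trust the digests it lists.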
Summary
• What a trusted computing base is
• The security evaluation and certification criteria available
• What security baselines are
• Security templates and scripts that help automate applying security settings
• Practices for maintaining our baselines