Security fundamentals Topic 2 Establishing and maintaining baseline security
Jan 20, 2016
Agenda
• Trusted computing base
• Evaluation and certification
• Security baselines
• Security templates and scripts
• Maintaining a baseline
Trusted computing base
• Represents the most secure computing environment that the organisation can provide
• Includes all the protection mechanisms used to secure computing devices and infrastructure
• Contains security baselines for specific computer systems
• A baseline is the initial configuration that security is built on
• Monitor the differences between your initial baseline and the current configuration, and investigate their causes
Trusted computing base goals
• Ensures that only authorised people have access
• They use systems in the manner intended
• Data remains confidential
Trusted computing base components
Includes all elements of the computing environment:
• Hardware – computers, peripherals and network devices
• Firmware – BIOS chips
• Software – operating system, applications and custom software
• Procedures – administrative regulations, access control, backup schedules, training requirements
Creating a trusted computing base
• Inventory all elements of computer security
• Document all elements of computer security
• Monitor and account for changes
• Apply change and configuration management
• Protect against new threats
Threats to a trusted computing base
External threats:
• Originate from outside the trusted computing base (not necessarily outside the organisation)
• From attackers, natural disasters, insufficient enforcement
Internal threats:
• Problems with the trusted computing base
• Inadequate monitoring (for changes and deviations)
• Non-compliance with procedures
• Poor design
• Failure to update the trusted computing base
Evaluation and certification
Compliance with formal standards for security:
• TCSEC – Trusted Computer System Evaluation Criteria
  – The "Orange Book" set of standards for commercial operating systems
  – Several levels of security
  – C2 is the highest level for commercial systems
• ITSEC – Information Technology Security Evaluation Criteria
  – Similar standards to TCSEC
Evaluation and certification
Compliance with formal standards for security:
• Common Criteria
  – CCITSE: Common Criteria for Information Technology Security Evaluation
  – ISO standard
  – Set of processes for evaluating security features and capabilities
  – The security rating of a product evaluated in one country is recognised in other countries
• ISO 17799
  – Information security standard
  – Generic security policy that describes general security settings but not system-specific configurations
Security baselines
• A detailed description of how to configure and administer a device or system so that it provides the best possible security
  – What hardware to use and which BIOS settings
  – Procedures for physically securing a computer
  – Media to use for installing an OS or service, installation options and post-installation configuration
  – Rules regarding content to be used
  – Procedures for reviewing the installation, monitoring, and making changes to the configuration
  – Rules for who can access a server and the authentication methods implemented
  – Documentation and record-keeping requirements
Security baseline guidelines
Guidelines for file systems:
• Use NTFS, not FAT, and use permission assignments for access control
• Principle of least privilege: only the minimal permissions required to perform a specific task
• Avoid Full Control and the Everyone group
• Put users into groups and assign permissions to the group
• Use permission inheritance: general permissions at a higher level and exceptions at a lower level
• Assign permissions for both local and network access
• Encrypt files that must be kept private
Security baseline guidelines
Guidelines for services/daemons:
• Every running service is a potential entry point
• Enable only the services that are required
• Default configurations are not the most secure
• Restrict the actions the service can perform by running it under a custom user account, not as administrator or root
• Consider which services start automatically
• Apply security updates
• Secure the files and configurations used by the service/daemon
Security baseline guidelines
Guidelines for critical applications:
• Only use critical business applications (typically email, database and accounting)
• Apply security updates
• Secure the files and configurations used by the application
• Install only the required components
• Grant appropriate access levels
Security baseline guidelines
Guidelines for other applications:
• Remove all unnecessary applications to reduce the attack surface
• Use ps or Task Manager to list running processes
• Ensure users don't install unauthorised programs (use standard user accounts)
• Prevent users from accessing system and program files on the hard drive
Security baseline guidelines
Guidelines for network communications:
• Disable unnecessary protocols
• Network access
  – Restrict open ports
  – Enable packet filters
  – Require authentication to access the network or network resources
  – Use IPsec to secure communications and require computers to authenticate with each other
• Encrypt network traffic
  – IPsec to encrypt for privacy
  – SSH (Secure Shell)
  – SSL (Secure Sockets Layer)
Security templates
System security settings fall into the following categories:
• Account policies: user accounts – password requirements, account lockouts, who can perform tasks
• Local policies: how the system is audited, who can access logs, user rights assignment, and other settings
• Event log: who can access event logs, how event logs are sorted and retained
• Restricted groups: which users are members of which groups
• System services: start-up behaviour and permissions for services
• Registry: permissions to access the registry
• File systems: permissions to access specific files and folders
Scripts
• Automated alternative to using security templates
  – Windows Scripting Host (WSH)
  – Shell scripts
  – Perl scripts
  – C scripts
Maintaining a security baseline
• Existing security benchmarks: http://www.cisecurity.com
• Remain informed about current threats and vulnerabilities
  – CERT/CC advisories
  – Mailing lists (e.g. SecurityFocus, Bugtraq)
  – Hardware/software vendor websites
• Update security baselines to reflect new and emerging security requirements
Securing against known vulnerabilities
Apply security updates:
• Hotfixes: fast release for one or more issues, perhaps with less testing
• Security rollup packages: several critical hotfixes, with more testing
• Service packs: all available fixes, including those in previous service packs, with extensive testing
Securing against known vulnerabilities
Acquiring security updates:
• Verify the authenticity of the update – is it really from the vendor?
• Check digital certificates – guarantees it is from the author and that it hasn't been modified
• Checksums: MD5 hash computation to check integrity
• Cryptographically sign the hash (e.g. with Pretty Good Privacy (PGP))
Summary
• What a trusted computing base is
• Security evaluation and certification criteria available
• What security baselines are
• Security templates and scripts that help automate applying security settings
• Practices for maintaining our baselines