Securing a host - start [APNIC training wiki]
TRANSCRIPT
Hardening a host
• Differs per operating system
  • Windows: users cannot be trusted to make security related decisions in almost all cases
  • OS X: make things work magically for users. Try to handle security issues in the background
  • Linux: varies by distribution:
    • Ubuntu: try like OS X to make things just work.
    • Red Hat: include very useful tools but turned off by default
  • BSD: users will figure it out
• Changes with time
General consideration
• Define a personal usage profile and policy.
  • What hardware do you use?
  • What software tasks do you do on your computer?
  • Do the first two change when you travel?
  • What habits from the above two do you need to change to be more secure?
• Decide if you really need VPN access to your network while travelling.
General practices
• Install only the services and software you actually need.
• Uninstall or disable all software and services you do not use or need.
• Periodically actively scan your machine for vulnerabilities.
• Have as few user accounts on your systems as possible
• Protect your administrative account. Have a strong password, do not permit remote password based logins and do not log in as an administrator unless you need to do an administrative task.
Hardware
• Rule 1: all bets are off with physical access to your devices.
• Consider removing hardware you never use – say Bluetooth.
• Disable in BIOS or EFI or your operating system the hardware or features you cannot remove physically.
  • wake on LAN
  • Bluetooth discoverability
  • USB ports?
• BIOS passwords not that useful
• BIOS level encryption/locking of hard disks may not be portable
OS Hardening: General
• Install only the services and software you actually need.
• Uninstall or disable all software and services you do not use or need.
• Periodically actively scan your machine for vulnerabilities.
• Have as few user accounts on your systems as possible
• Protect your administrative account. Have a strong password, do not permit remote password based logins and do not log in as an administrator unless you need to do an administrative task.
OS Hardening: Windows
• Consider an Ubuntu installation CD.
• Multiple Windows editions within a single version make this very difficult.
  • Some security features and tools only available to professional/ultimate/enterprise editions of Windows 7/8/10: get licenses for this on your enterprise network.
• Install an antivirus application
• Disable unneeded accounts
  • May need to use the net command on “low” editions of Windows
OS Hardening: Windows
• Edit security policy for Windows:
  • Enable access to the registry editor
  • Disable built-in accounts
  • Disable hiding of file extensions
• Install an antivirus application
• Disable the services that are running by default in Windows.
  • Difficult to do properly with the starter editions of Windows
OS Hardening: Linux
• Available features differ by distribution.
• Use as few different distributions in your environment as possible.
• Some distributions have optional scripts to “harden” your system, e.g. SuSE, Red Hat
• When possible, run installations with machines offline until you are ready to run updates.
OS Hardening: Linux
• UNIX security model is based on permissions – ensure they are sane:
  • check for SUID/SGID applications
  • Some distros will include a nightly check for such applications.
  • Many distros have permission profiles that range from permissive to paranoid that essentially limit or permit people from/to run(ning) particular applications or accessing particular files like logs.
  • Run the periodic scripts that reset these permissions.
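The SUID/SGID check on this slide is easy to script, and the useful form of it is the nightly one the slide mentions: keep a list of the setuid/setgid files from a known-good state and report anything that has appeared since. The script below is an added example written for this page, not part of the APNIC slides or of any distribution's nightly job; the function names, the baseline file layout and the constructed demo tree are its own assumptions. On a real host you would run find_suid_sgid against / as root and keep the baseline on read-only media.

```shell
#!/bin/sh
# Added example (not from the APNIC slides): audit setuid/setgid files and
# compare them against a baseline recorded while the host was known-good.

# List every regular file below $1 carrying the setuid (4000) or setgid (2000) bit.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Save the current list for tree $1 as the sorted baseline file $2.
save_suid_baseline() {
    find_suid_sgid "$1" | sort > "$2"
}

# Report setuid/setgid files under tree $2 that are NOT in baseline $1.
# Prints each new path; returns 1 if any appeared (something to investigate).
new_since_baseline() {
    baseline=$1
    tree=$2
    now=$(mktemp)
    find_suid_sgid "$tree" | sort > "$now"
    added=$(comm -13 "$baseline" "$now")   # lines present now but absent from the baseline
    rm -f "$now"
    if [ -n "$added" ]; then
        printf 'NEW setuid/setgid file:\n%s\n' "$added"
        return 1
    fi
    return 0
}

# Constructed demo tree standing in for a filesystem: one setuid tool,
# one setgid tool and one plain executable. Prints the tree's path.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/usr/bin"
    for f in bin/suid_tool usr/bin/sgid_tool usr/bin/plain_tool; do
        printf '#!/bin/sh\necho hello\n' > "$dir/$f"
    done
    chmod 4755 "$dir/bin/suid_tool"      # setuid bit set
    chmod 2755 "$dir/usr/bin/sgid_tool"  # setgid bit set
    chmod 0755 "$dir/usr/bin/plain_tool" # ordinary executable
    printf '%s\n' "$dir"
}

# Demo: record a baseline, then simulate a tool gaining the setuid bit.
demo() {
    tree=$(make_demo_tree)
    save_suid_baseline "$tree" "$tree/baseline.txt"
    chmod 4755 "$tree/usr/bin/plain_tool"
    new_since_baseline "$tree/baseline.txt" "$tree" || echo "baseline check failed as expected"
}
demo
```

Keep the baseline somewhere the host cannot rewrite it; a baseline that lives on the audited disk only tells you the file was unchanged, not that it was correct.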
OS Hardening: Linux
• Sandbox applications where necessary using chroot
• SELinux gives comprehensive system access control
• AppArmor for role based application protection
• For servers, consider recompiling kernels with support for only the drivers you need.
  • Most drivers today are loadable modules so you can also delete the ones you do not need.
OS Hardening: Linux
• For servers, always pick the “minimal” installation to ensure as few packages as possible end up on the system by default.
• Use system tools to disable services that are required by other packages but do not need to be running. E.g. some packages will not install if you do not have an SMTP server.
OS Hardening: Linux
• Periodic security checks:
  • Checksums of system files kept offline and checked against the running system
    • tripwire
    • fcheck
  • Periodic scans of the system.
    • nmap
    • OpenVAS
  • Realtime checks
    • incrond / inotify – kernel feature to notify you as soon as a specified watchlist of inodes are changed.
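The “checksums kept offline and checked against the running system” item is what tripwire and fcheck do; the script below is a minimal added illustration of that idea, written for this page and not taken from the slides or from either tool. It assumes GNU sha256sum, find and comm, stores paths relative to the tree root so the baseline can be checked from a rescue environment, and constructs its own demo files. It reports modified and missing files through sha256sum -c and, separately, files that were added after the baseline was taken, which a plain checksum verification would never notice.

```shell
#!/bin/sh
# Added example (not from the APNIC slides): a tripwire-style baseline check.
# Store the baseline OUTSIDE the tree, ideally on read-only media.

# Record the sha256 of every regular file under tree $1 into baseline file $2.
# Paths are relative to the tree root ("./etc/passwd").
make_baseline() {
    tree=$1
    out=$2
    ( cd "$tree" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$out"
}

# Verify tree $1 against baseline $2. Reports modified files (checksum
# differs), missing files (in baseline, gone now) and added files (present
# now, not in baseline). Returns 1 if anything changed, 0 if all is clean.
verify_baseline() {
    tree=$1
    base=$2
    rc=0
    # sha256sum -c prints "<path>: FAILED" for modified files and
    # "<path>: FAILED open or read" for missing ones; --quiet suppresses OK lines.
    if ! ( cd "$tree" && sha256sum -c --quiet "$base" 2>/dev/null ); then
        rc=1
    fi
    # Files that appeared since the baseline (a new cron job, a dropped tool)
    # are invisible to -c, so compare the path lists as well.
    # (awk '{print $2}' assumes paths without spaces; fine for system trees.)
    expected=$(mktemp)
    current=$(mktemp)
    awk '{print $2}' "$base" | sort > "$expected"
    ( cd "$tree" && find . -type f | sort ) > "$current"
    added=$(comm -13 "$expected" "$current")
    rm -f "$expected" "$current"
    if [ -n "$added" ]; then
        printf 'ADDED:\n%s\n' "$added"
        rc=1
    fi
    return $rc
}

# Constructed demo tree with two "system" files; prints its path.
make_demo_system() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/usr/sbin"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$t/etc/passwd"
    printf '#!/bin/sh\n' > "$t/usr/sbin/sshd"
    printf '%s\n' "$t"
}

# Demo: take a baseline, then tamper with /etc/passwd and add a file.
demo() {
    sys=$(make_demo_system)
    base=$(mktemp)
    make_baseline "$sys" "$base"
    printf 'evil:x:0:0::/:/bin/sh\n' >> "$sys/etc/passwd"
    printf 'x\n' > "$sys/etc/cron.d_new"
    verify_baseline "$sys" "$base" || echo "integrity check failed as expected"
}
demo
```

Real deployments (as root: make_baseline / /mnt/usb/baseline.sha256) exclude volatile paths such as /proc, /var/log and /tmp from the find, otherwise every run reports noise and real changes get ignored.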
OS Hardening: Mac OS X
• Similar to Linux and FreeBSD
• Read and understand security guides at http://www.apple.com/support/security/guides/ (only for Snow Leopard)
• Edit preferences for Safari to disable unsafe defaults like automatically launching “safe” files after downloading
OS Hardening: Mac OS X
• Disable unused services
  • Some need to be disabled from the command line or by editing plist files.
  • File sharing on by default
  • Consider disabling Bonjour – Apple’s implementation of zeroconf
• Be picky about installation sources for applications: if it’s in the application store, use that version
Software management: general
• Use the system package manager to install third party software where available.
• Install as few software packages on hosts as possible.
• Uninstall as much of the software that comes by default on operating systems as possible.
• Subscribe to at minimum the -announce mailing list of every server piece of software you run
• Consider the versions you want to use and upgrade to. Latest ≠ greatest
Software management: Windows
• Keep all software up to date – automatically where possible for your personal system.
  • Consider implications to your 3G data plan
• Use a software update server for enterprises.
  • If using Active Directory then use policies to push out software updates for third party applications to all users as well as enterprise antivirus software.
  • Consider implications when someone signs on remotely
Software management: Windows
• Most software distribution is binary only so no way to do incremental updates.
• Avoid cracked software – besides the legal issues involved you have no way to verify the integrity of the applications you are installing.
• Consider open source equivalents where available instead.
Software management: Linux
• Where possible use the system’s package manager to install software.
• Learn how to compile applications from source: sometimes security patches are distributed as source code.
• Huge numbers of computers require certain considerations to save enterprise bandwidth:
  • Centralized software caches/mirrors
  • Puppet to manage software versions on different machines
Software management: OS X
• More similar to Linux than Windows.
• In particular, OS X Server is dead: use Puppet instead to manage large numbers of OS X machines on a network.
• Install package managers for third party OSS – MacPorts or Fink or Homebrew.
• Run updaters for periodic updates of anything you install.
Software management: OS X
• Check the application store – comes with some level of code assurance and free automated software update service.
• Carefully consider the version(s) of OS X you run:
  • Third party support means the latest version may not be so great, e.g. dynamips on ML
  • Old versions soon stop getting updates of other software, e.g. Java on SL
Malware
• The generic term for computer virus, worms, spyware and other malicious software
• Skilled attacker can make it, fun attacker can use it.
  • even there are malware build tools with GUI
Infection
• Attackers try to make your devices infected in many ways
  • Security holes, e-mail, web
  • USB memory, file servers
Causes
• Vulnerability
  • 0-day security holes
  • old security holes are still used to infect
• Auto-execution for removable media
  • USB memory, CD loading
• Users carelessly opening
  • infected files
  • sometimes happen to execute malware
Detection
• Signature-based detection
  • blacklist of malware
  • check a file with the signatures
  • update needed to detect newer malware
• Heuristics detection
  • behavior, characteristic code
Hiding
• Attackers modify malware
  • not to be detected by anti-virus detectors
  • they can check this locally
• Updating your signature DB is needed
Compromised system
• Any file on the system is already suspicious
• You may be able to remove a malware
  • there could be another one that you cannot detect
Wipe
• Don’t use files in the compromised system
  • programs
  • documents
  • images
• Clean up the storage that was connected to the system
  • HDD
  • SSD
  • flash memory
How can we rescue information from suspicious data files
• Convert it into another format
  • png -> jpg, jpg -> png
  • doc -> txt
  • excel -> csv
  • pdf -> png/jpg
• Infected code cannot survive such a drastic modification
Wipe to give away
• Data is still there even if it’s formatted
  • experts can read the data by using special tools
  • an electron microscope can read more
  • leakage of secret data
• You need to make sure the data is erased
  # dd if=/dev/urandom of=/dev/<disk> bs=16M
Recover
• ‘clean install’ from scratch
  • format the disk, use a proper OS image
• Apply latest OS patches to be up-to-date
  • it could be vulnerable before patched
  • do the update in a secure network
• Install needed applications
  • check upgrades, of course
Recover (cont.)
• Disable unnecessary services
  • The same as the hardening procedure
• Check configurations
  • If any weakness
• Change all passwords on the system
  • Any password might be stolen
Replacing might be your choice
• Securing the compromised system as is
  • for further investigation
  • malware that stays in the memory only
• Just replace the compromised system
  • spare hardware
Encryption
• Assume theft and loss
• Your backups must have at minimum the same encryption level as the source data
Automation
• We are lazy!
  • Easy to forget
• Automated backup will help you
  • Most systems have scheduled backup
Generations
• You should have a ‘good’ version of backup there
  • if a system is compromised, malware might also be backed up in the archive; you won’t want to restore that
  • if something goes wrong by chance, you may restore the previous version
• Find a ‘good’ version from your archives
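The “automation” and “generations” slides together describe one mechanism: a scheduled job that writes a new archive each run and keeps several older ones, so that a version from before a compromise can still be restored. The script below is an added example written for this page, not code from the slides or from any backup product; tar, sha256sum, the backup-<label>.tar.gz naming and the function names are its own assumptions, and the source files in the demo are constructed. A cron entry would call backup_generation nightly; the checksum written beside each archive lets restore_generation refuse an archive that was altered after it was taken.

```shell
#!/bin/sh
# Added example (not from the APNIC slides): rotating backup generations
# with a checksum per archive, so a known-good older version stays available.

# Print the archive names in directory $1, oldest first (labels sort chronologically).
list_generations() {
    ( cd "$1" && ls backup-*.tar.gz 2>/dev/null | sort )
}

# Archive directory $1 into $2/backup-<label>.tar.gz, record its sha256
# alongside, then delete the oldest archives so at most $3 generations remain.
# $4 is the label (default: a timestamp); labels must sort chronologically.
backup_generation() {
    src=$1
    archive_dir=$2
    keep=$3
    label=${4:-$(date +%Y%m%d-%H%M%S)}
    mkdir -p "$archive_dir"
    name="backup-$label.tar.gz"
    tar -czf "$archive_dir/$name" -C "$src" .
    ( cd "$archive_dir" && sha256sum "$name" > "$name.sha256" )
    # Prune from the oldest end, keeping the newest $keep archives.
    total=$(list_generations "$archive_dir" | wc -l | tr -d ' ')
    excess=$((total - keep))
    if [ "$excess" -gt 0 ]; then
        list_generations "$archive_dir" | head -n "$excess" | while read -r old; do
            rm -f "$archive_dir/$old" "$archive_dir/$old.sha256"
        done
    fi
}

# Restore archive $1 (full path) into directory $2, refusing if the archive
# no longer matches the checksum recorded when it was written.
restore_generation() {
    archive=$1
    dest=$2
    dir=$(dirname "$archive")
    name=$(basename "$archive")
    ( cd "$dir" && sha256sum -c --quiet "$name.sha256" ) || return 1
    mkdir -p "$dest"
    tar -xzf "$archive" -C "$dest"
}

# Demo: three nightly runs, the second and third after the data was tampered
# with; the first generation is still restorable.
demo() {
    src=$(mktemp -d); arc=$(mktemp -d); rest=$(mktemp -d)
    printf 'important\n' > "$src/notes.txt"
    backup_generation "$src" "$arc" 3 20240101-020000   # known-good
    printf 'ransom\n' > "$src/notes.txt"                 # compromised afterwards
    backup_generation "$src" "$arc" 3 20240102-020000
    backup_generation "$src" "$arc" 3 20240103-020000
    restore_generation "$arc/backup-20240101-020000.tar.gz" "$rest"
    cat "$rest/notes.txt"   # the pre-compromise content
}
demo
```

The archive directory should not be writable by the host being backed up (push to a server that pulls, or to a share the backup user can only append to); otherwise the same malware that corrupted the data can delete or rewrite the generations, and the checksum only tells you that it happened.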
Off-site archives
• 2011 Tohoku earthquake and tsunami
  • washed away buildings, data centers
  • 4 local governments lost all data on the family registration system
• They had off-site backups
  • took about 1 month to recover though
  • wanted to make sure nothing was missed
Securing email
• Do not use POP, it is in the clear
  • Use POP3S, port 995 over TLS
• Do not use IMAP, it is in the clear
  • Use IMAPS, port 993 over TLS
• Do not use SMTP for posting, it is in the clear
  • Use submission, port 587 over TLS
Authenticate servers
• Assume the Wire is Tapped
• Assume Someone will Spoof Servers
• Know Your Servers’ Root Certificates
• Confirm Certificates on Configuration
• Choose Good Passphrases
Encrypt critical emails
• Basically use PGP
  • Enigmail + PGP for Thunderbird
  • Mailvelope for webmail
  • CryptUp for Gmail
    • https://cryptup.org/
ssh tunnel & email
  $ ssh <ssh.server> -L 4465:<smtp.server>:465
  $ ssh <ssh.server> -L 9955:<pops.server>:995
(Diagram: MacBook -> ssh tunnel -> ssh.server (step host) -> smtp.server / pops.server; the local port on the MacBook is the tunnel end point for SMTPS / POP3S.)
Example: LocalForward
.ssh/config
  Host mail
    HostName <step.host>
    LocalForward 4465 <smtp.server>:465
    LocalForward 9995 <pops.server>:995
  $ ssh mail
Example: step host
.ssh/config
  Host stephost
    HostName <step.host>

  Host internal
    HostName <internal.ssh.server>
    ProxyCommand ssh -W %h:%p stephost
  $ ssh internal
Let browsers remember password
• Only if you use Full Disk Encryption
• Only if your Laptop Locks Quickly
• Lose Laptop and Lose your Bank Account
• Or, use other password managers
  • 1Password, LastPass, gpg text file
Useful Plug-ins
• NoScript Security Suite
  • Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks
• Lightbeam
  • a Firefox add-on that enables you to see the first and third party sites you interact with on the Web
Private or Secret mode
• Browser will erase data after your browsing
  • cookies, histories, cache files, passwords
• Useful on a shared device
• It doesn’t provide anonymity
Basic Features of Google Search
• Automatic “AND” Queries
  • By default, Google only returns pages that include all of your search terms.
  • There is no need to include “AND” between terms.
• Automatic Exclusion of Common Words
  • Google ignores common words and characters such as and, or, in, of, be etc. as well as certain single digits and single letters, because they tend to slow down your search without improving the results. Google will indicate if a common word has been excluded by displaying details on the results page below the search box.
Basic Features of Google Search
• Capitalization
  • Google searches are NOT case sensitive. For example searches for “APNIC”, “Apnic” and “apnic” will all retrieve the same results.
• Spell Checker
  • Google’s spell checking software automatically looks at your query to see if you are using the most common version of a word’s spelling. If it is likely that an alternative spelling would retrieve more relevant results, it will ask “Did you mean: (more common spelling)?”
Different Search Operators
• + Searches
• - Searches
• ~ Searches
• Phrase Searches
• Domain Restrict Searches
• Definition Searches
• File Type Searches
• Or Searches
• Fill in the Blank
• Currency Conversion
• Calculator Function
• Unit Conversion
• Time Check
Advanced Operators
• Google advanced operators help refine searches.
• They are included as part of a standard Google query.
• Advanced operators use a syntax such as the following:
  operator:search_term
• There’s no space between the operator, the colon, and the search term!
Advanced Operators at a Glance
Operator     Purpose
intitle      Search page title
allintitle   Search page title
inurl        Search URL
allinurl     Search URL
filetype     Search specific files
allintext    Search text of page only
site         Search specific site
link         Search for links to pages
inanchor     Search link anchor text
numrange     Locate number
daterange    Search in date range
author       Group author search
group        Group name search
insubject    Group subject search
msgid        Group msgid search