Security for Broadcast IT Systems
William Dixon, V6 Security, Inc., PBS ACE Security Lead
April 14, 2005
Agenda
> Changes in Broadcast IT environment
> Security Risk Assessment
> Threat Modeling
> Sources of Security Guidance
> Recommendations for Broadcast IT vendors
> Recommendations for PBS Stations
> Note: Content Microsoft focused, but generally applicable
Changes in New Broadcast IT Environment
> Newer technology offers more functionality for same or less cost
> Digital media, electronic files
> Using general purpose computers
> Client-server models for computing
> Software-based integration of systems
> TCP/IP network component communication
> Internet connected
> Lights-out remote management & operation
> Still use physical security for facility and equipment
> Still trust your people
Microsoft Recommended Practice for Security Risk Assessment
> Microsoft Security Risk Management Process – 15oct04
  > http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
> New MS Press Book: Threat Modeling
  > http://www.microsoft.com/mspress/books/6892.asp
> Threat Modeling for Developers
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp
Microsoft Recommended Practice: Threat Modeling
> Analyze and document architecture
  > Objects: Assets, Applications, Data, People
  > Document Security Profile
  > Trust boundaries
  > Data Flow & communications
  > Entry points
  > Privileged operations
> Document Security Profile
  > Input Validation
  > Authentication
  > Authorization
  > Configuration Management
  > Sensitive Data
  > Session Management
  > Cryptography
  > Parameter manipulation
  > Exception management
  > Auditing and Logging
Microsoft Recommended Practice: Threat Modeling
> Identify & rank threats with S.T.R.I.D.E.(S) analysis
  > Spoofing
  > Tampering
  > Repudiation
  > Information Disclosure
  > Denial of Service
  > Elevation of Privilege
  > (S)ocial Engineering
  > Example: Denial of Service possible due to blank admin passwords
Microsoft Recommended Practice: Threat Modeling
>Use attack trees to identify how top level attack goal is composed of more detailed goals
>Use attack patterns to help identify techniques for detailed goals
Attack Tree Example
5.3. Gain privileged access to ACME Web server
AND 1. Identify ACME domain name
    2. Identify ACME firewall IP address
       OR 1. Interrogate domain name server
          2. Scan for firewall identification
          3. Trace route through firewall to Web server
    3. Determine ACME firewall access control (* see attack pattern)
       OR 1. Search for specific default listening ports
          2. Scan ports broadly for any listening port
    4. Identify ACME Web server operating system and type
       OR 1. Scan OS services’ banners for OS identification
          2. Probe TCP/IP stack for OS characteristic information
    5. Exploit ACME Web server vulnerabilities
       OR 1. Access sensitive shared intranet resources directly
          2. Access sensitive data from privileged account
> Source: Moore et al. http://www.cert.org/archive/pdf/01tn001.pdf
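The defender's use of an attack tree is to ask which leaf goals, once mitigated, make the top-level goal unreachable. The following is an added example (not from the talk or from Moore et al.) that encodes the slide's AND/OR tree with its own node labels and computes the minimal sets of leaf goals whose mitigation cuts the root; the `Node`, `achievable` and `minimal_cut_sets` names are this example's own.

```python
"""Attack-tree evaluation for a threat model (added example, not from the talk).

Encodes the AND/OR tree shown on the slide and answers the defender's
question: which leaf goals must be mitigated so that the top-level goal
can no longer be reached?  Node labels are the slide's; everything else
is constructed for illustration.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Node:
    """One goal in the tree. A leaf has no children; an interior node
    combines its children with AND (all required) or OR (any suffices)."""
    label: str
    op: str = "LEAF"               # "AND", "OR" or "LEAF"
    children: list["Node"] = field(default_factory=list)

    def achievable(self, blocked: set[str]) -> bool:
        """True if this goal is still reachable when every leaf whose
        label is in `blocked` has been mitigated by a countermeasure."""
        if self.op == "LEAF":
            return self.label not in blocked
        results = [c.achievable(blocked) for c in self.children]
        return all(results) if self.op == "AND" else any(results)

    def leaves(self) -> list[str]:
        """All leaf labels under this node, in slide order."""
        if self.op == "LEAF":
            return [self.label]
        out: list[str] = []
        for c in self.children:
            out.extend(c.leaves())
        return out


def leaf(label: str) -> Node:
    return Node(label)


def AND(label: str, *kids: Node) -> Node:
    return Node(label, "AND", list(kids))


def OR(label: str, *kids: Node) -> Node:
    return Node(label, "OR", list(kids))


# The tree as drawn on the slide (Moore et al., CERT 01tn001).
ACME_TREE = AND(
    "Gain privileged access to ACME Web server",
    leaf("Identify ACME domain name"),
    OR("Identify ACME firewall IP address",
       leaf("Interrogate domain name server"),
       leaf("Scan for firewall identification"),
       leaf("Trace route through firewall to Web server")),
    OR("Determine ACME firewall access control",
       leaf("Search for specific default listening ports"),
       leaf("Scan ports broadly for any listening port")),
    OR("Identify ACME Web server operating system and type",
       leaf("Scan OS services' banners for OS identification"),
       leaf("Probe TCP/IP stack for OS characteristic information")),
    OR("Exploit ACME Web server vulnerabilities",
       leaf("Access sensitive shared intranet resources directly"),
       leaf("Access sensitive data from privileged account")),
)


def minimal_cut_sets(tree: Node, max_size: int = 2) -> list[frozenset[str]]:
    """Smallest sets of leaf goals whose mitigation makes the root
    unachievable.  Brute force over leaf combinations, which is fine for
    slide-sized trees; supersets of an already-found cut are skipped."""
    all_leaves = tree.leaves()
    cuts: list[frozenset[str]] = []
    for size in range(1, max_size + 1):
        for combo in combinations(all_leaves, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue
            if not tree.achievable(set(candidate)):
                cuts.append(candidate)
    return cuts


if __name__ == "__main__":
    for cut in minimal_cut_sets(ACME_TREE):
        print("mitigate all of:", sorted(cut))
```

Running it shows the structural point the slide makes: one AND child that is a bare leaf (the domain name) is a single point of failure for the whole goal, while each OR subgoal needs every one of its alternatives closed before it stops contributing. The same evaluator can be reused for any tree built from `AND`, `OR` and `leaf`.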
Attack Pattern Example
Goal: Identify firewall access controls
Precondition: Attacker knows firewall IP address
Attack Techniques:
OR 1. Search for specific default listening ports
   2. Scan ports broadly for any listening ports
   3. Scan ports stealthily for listening ports
      OR 1. Randomize target of scan
         2. Randomize source of scan
         3. Scan without touching target host
Postcondition: Attacker knows firewall access controls
Source: Moore et al. http://www.cert.org/archive/pdf/01tn001.pdf
Attack Pattern Example
Attack goals: Command or code execution
Required conditions:
   Weak input validation
   Code from the attacker has sufficient privileges on the server
Attack techniques:
   1. Identify program on target system with an input validation vulnerability
   2. Create code to inject and run using the security context of the target application.
   3. Construct input value to insert code into the address space of the target application and force a stack corruption that causes application execution to jump to the injected code.
Attack results: Code from the attacker runs and performs malicious action
Source: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp
Microsoft Recommended Practice: Threat Modeling
> Evaluate Risk with D.R.E.A.D.
  > Damage Potential ($$ cost estimate)
  > Reproducibility (% probability as 1-10)
  > Exploitability (% probability as 1-10)
  > Affected Users (% users as 1-10)
  > Discoverability (% probability 1-10)
> Rank Risks = Probability * Damage Potential
> Risk Rating scheme: High, Medium, Low
Document Threats
> Threat Description
  > Attacker obtains authentication credentials by monitoring the network
> Threat target
  > Web application user authentication process
> Risk rating
  > High (based on DREAD ranking)
> Attack techniques
  > Use of commonly available network monitoring software
> Countermeasures
  > Use SSL, IPsec end-to-end, or VPN to provide stronger authentication, or an encrypted channel through which weaker authentication methods are used (e.g. HTTP Basic, Digest)
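The DREAD slide gives the scoring scale and the formula Risk = Probability * Damage Potential, and the Document Threats slide shows the record that results. The following is an added example (not from the talk or from Microsoft's process documentation) that carries the arithmetic through for the documented threat and two constructed ones. The DREAD numbers assigned, the High/Medium/Low cut-offs, and the `Dread`, `Threat`, `rating` and `rank` names are this example's assumptions.

```python
"""DREAD risk rating and threat documentation (added example, not from the talk).

Scores the five DREAD categories 1-10 as the slide does, derives a probability
from the four likelihood-style categories, applies the slide's formula
Risk = Probability * Damage Potential, and maps the result to High/Medium/Low.
The cut-offs and the sample scores are constructed for this example; the first
threat's text is the one on the "Document Threats" slide.
"""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Dread:
    damage: int            # Damage Potential, 1-10 (cost estimate bucketed)
    reproducibility: int   # 1-10
    exploitability: int    # 1-10
    affected_users: int    # 1-10 (% of users)
    discoverability: int   # 1-10

    def __post_init__(self) -> None:
        # Reject scores outside the slide's 1-10 scale.
        for f in fields(self):
            v = getattr(self, f.name)
            if not 1 <= v <= 10:
                raise ValueError(f"{f.name} must be 1-10, got {v}")

    def probability(self) -> float:
        """Likelihood on a 0-1 scale: mean of the four probability-style
        categories, each rescaled from 1-10 to 0.1-1.0."""
        return (self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 40

    def risk(self) -> float:
        """Slide formula: Risk = Probability * Damage Potential (0.1-10)."""
        return self.probability() * self.damage


@dataclass(frozen=True)
class Threat:
    """One 'Document Threats' record, with the fields the slide lists."""
    description: str
    target: str
    attack_technique: str
    countermeasure: str
    dread: Dread


def rating(risk: float) -> str:
    """Map a risk score to the slide's High/Medium/Low scheme.
    The cut-offs (6.0 and 3.0) are an assumption of this example."""
    if risk >= 6.0:
        return "High"
    if risk >= 3.0:
        return "Medium"
    return "Low"


def rank(threats: list[Threat]) -> list[tuple[str, float, str]]:
    """Rank threats by risk, highest first: (description, risk, rating)."""
    ordered = sorted(threats, key=lambda t: t.dread.risk(), reverse=True)
    return [(t.description, round(t.dread.risk(), 2), rating(t.dread.risk()))
            for t in ordered]


# Constructed sample threats.  The first is the slide's documented threat,
# with DREAD scores assumed here to illustrate why it rates High.
SAMPLE_THREATS = [
    Threat("Attacker obtains authentication credentials by monitoring the network",
           "Web application user authentication process",
           "Use of commonly available network monitoring software",
           "Use SSL, IPsec end-to-end, or VPN; or run weaker auth (Basic, Digest) "
           "only over an encrypted channel",
           Dread(damage=9, reproducibility=10, exploitability=8,
                 affected_users=10, discoverability=8)),
    Threat("Denial of service possible due to blank admin passwords",
           "Remote administration interface",
           "Blank default admin password accepted from the network",
           "Require a strong admin password at setup; change embedded passwords per site",
           Dread(damage=8, reproducibility=10, exploitability=10,
                 affected_users=6, discoverability=9)),
    Threat("Operator clears the local audit log",
           "Windows Security event log",
           "Local administrative rights on the operator workstation",
           "Forward events to a central monitor (e.g. MOM); operators are not local admins",
           Dread(damage=4, reproducibility=3, exploitability=4,
                 affected_users=2, discoverability=3)),
]

if __name__ == "__main__":
    for description, risk, level in rank(SAMPLE_THREATS):
        print(f"{level:6} {risk:5.2f}  {description}")
```

The documented threat scores 0.9 probability times damage 9, i.e. 8.1, which is why the slide's record rates it High; the ranked list is what feeds the Conduct Decision Support step, where controls are compared by the risk reduction they buy against their cost.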
Conduct Decision Support
> Define Functional Requirements
> Identify Control Solutions
> Review Solution Against Requirements
> Estimate Risk Reduction
> Estimate Solution Cost
> Select Risk Mitigation Strategy
Free Microsoft Security Training
> https://www.microsoftelearning.com/security/
> Free Security Courses - Updates for XP SP2 and Win2k3 SP1 soon.
> Login w/.NET Passport ID, provide email address
> Click on link provided in email
> 180-day subscription activated
> Clinic 2801: Microsoft® Security Guidance Training I
> Clinic 2802: Microsoft® Security Guidance Training II
> Clinic 2806: Microsoft® Security Guidance Training for Developers
> Hands-On Lab 2811: Applying Microsoft® Security Guidance Training
> Choose Content tab. Watch each section, or download offline player and course for offline viewing
Microsoft Security Guidance
> Microsoft.com/security - guidance for Home, Small Business, IT Pro, Developer
> Technet Security Centers for many products
  > http://www.microsoft.com/technet/Security/prodtech/default.mspx
> Microsoft Security Guides for Win2k, XP and Server 2003
  > Expect problems if applying “high security” templates
  > Enterprise client template should not cause too many problems
  > Threats and Countermeasures Guide
    > Details on threats and each security setting
Microsoft Security Guidance
> KB 885409 “Security configuration guidance support” - 9nov04
  > Discusses problems with particular settings that break applications or Windows services
  > If you use 3rd party templates, contact them for support
> KB 891597 “How to apply more restrictive security settings on a Windows Server 2003-based cluster server” – 18feb05
  > Provides discussion & new security template tested for clusters
FCC Security Guidance
> FCC Media Security And Reliability Council
  > http://www.mediasecurity.org/msrcmeetings/index.html
  > Note: Communications Infrastructure Security, Access and Restoration Committee
  > Best Practice Recommendations
> FCC Network Reliability and Interop Council
  > http://www.nric.org/fg/index.html
  > Note: Homeland Security Cybersecurity focus group
  > Best Practice Recommendations
IT Best Practices: NIST
> US Government Natl Institute of Standards & Technology (NIST)
  > Cybersecurity R&D Act directed NIST to develop checklists and Security Technical Implementation Guides (STIG)
  > Operates Computer Security Resource Center (CSRC) http://csrc.nist.gov/itsec/
> NOTE: Windows XP Security Guide 800-68 published Jun04
  > Important because it is a collaboration of NIST, Microsoft, CIS, DISA and NSA
Recent NIST CSRC Guides: DISA
> Application Security Checklist DISA 2/17/05
> Desktop Application STIG DISA 2/14/05
> Desktop Application Security Checklist v1r1.7 DISA 2/17/05
> Macintosh OS-X STIG v1r1 DISA 11/24/04
> UNIX Security Checklist DISA 2/17/05
> Web Server Security Checklist Version 4, Release 1.4 DISA 2/17/05
> Windows 2000 Security Checklist DISA 2/17/05
> Windows NT Security Checklist DISA 2/17/05
> Windows XP Security Checklist DISA 2/17/05
> Windows 2003 Addendum Version 4, Release 0.0 DISA 2/17/05
IT Best Practices: NSA
> OS Security guides for Windows 2000, Windows XP
> None for Windows Server 2003 – Use Microsoft’s
  > “The "High" security settings in Microsoft's "Windows Server 2003 Security Guide" track closely with the security level historically represented in the NSA guidelines. It is our belief that this guide establishes the latest best practices for securing the product and recommend that traditional customers of our security recommendations use the Microsoft guide when securing Windows Server 2003”
> Microsoft .NET Framework Security Guide (Oct 04)
> Microsoft Office XP/2003 Executable Content Security Risks and Countermeasures Guide (Oct 04)
> Apple Mac OS Security Configuration Guide
> Linux Security Configuration Guide
> Solaris Security Configuration Guide
> Online at: http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1
Call to Action for Broadcast IT Vendors
> Use current, commercially supported platforms
  > Red Hat Enterprise Linux 3.0
  > Windows XP Pro or Embedded version
  > Windows Server 2003 or Embedded version
> Plan on testing patch updates within 7 days of patch availability
> Plan to test on beta or release candidates of service packs
> Write applications as a background process/service, not a user application
Call to Action for Broadcast IT Vendors
> Review & improve security of products
  > Analyze security – attack surface, threat model for your product
  > Document security profile for customers
  > Practice secure design & implementation
    > Writing Secure Code 2nd Edition, Michael Howard, David LeBlanc
> Require authentication for all network access
  > Strong protection for passwords in network traffic
> Evaluate/adopt a baseline security for standard product release
  > Apply OS hardening, minimize services
  > Use system security vulnerability assessment tools (e.g. MBSA)
> Use secure remote administration connections
  > Admin level access protected to higher degree
  > Every packet signed & encrypted
  > 2-factor auth capable protocols where possible
  > Use SSL/TLS, SSH, PPTP/L2TP/IPsec VPN, Windows Terminal Services
> Change embedded passwords during installation/setup, at least per site
Call to Action for PBS Member Stations
> Understand that internal systems might be infected via TCP/IP network connections
  > Must secure internal, external clients and servers
> Secure external communications
  > IPsec or VPN tunnel for all access into secure area
> Use strong passwords!
> Protect passwords from theft!
> Prevent laptops from directly connecting inside secure area
> Very careful & trained configuration and change control of core security devices (e.g. firewall, VPN server)
> Request security information from vendors
> Try Microsoft Security Risk Management Process
> Designate someone to learn security administration
> Train users & operators for security awareness
Backup & Details
Windows Client Security Summary
> Member of an Active Directory domain - for better management through Group Policy
> User not administrator if possible, uses strong password
> Automatic updates enabled - either through Windows Update, Update Services or Systems Management Server (SMS)
> Anti-virus - set for autoupdate of definitions daily and periodic full scans
> Anti-spyware - set for autoupdate of definitions and periodic full scans
> Windows Firewall on - exceptions disabled by default
> Enterprise client security template applied for hardening (update with new XP SP2 settings)
> Additional settings & administrative template settings should be developed
> Software restriction policies should be configured
> NTFS and Encrypting File System used to protect confidential data after theft
> Centralized monitoring with MACS, MOM, SMS, Systems Center or 3rd party
> System backup - Automatic System Restore enabled in XP, full disk remote backup, remote backups daily for user data
> Domain startup script run to check status of these daily or weekly
> http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx
Additional Microsoft Security Help
> Technet IT Pro Security Community Page
  > http://www.microsoft.com/technet/community/en-us/security/default.mspx
  > Lots of news groups
> MS IT Security Papers
  > http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA
> PSS Support Webcasts
  > TCP/IP port and process auditing: Tuesday, December 14, 2004
  > TechNet Support WebCast: How to isolate servers and applications, March 22 2005 10am Pacific
  > See http://support.microsoft.com/pwebcasts
Windows Server SP1 Released
> Top reasons to use SP1:
  > Reduced attack surface – higher default security for RPCs and DCOM
  > New Security Configuration Wizard (SCW) - whitepapers coming soon
  > More secure new installations by Post-Setup Security Update to block incoming traffic while and until latest patches are installed
  > Windows Firewall replaces Internet Connection Firewall
  > Group policy for Windows Firewall added in Active Directory
  > RRAS VPN Server Quarantine capabilities, see http://www.microsoft.com/vpn
  > IIS 6.0 auditing for XML configuration metabase
  > Additional IE hardening
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/default.mspx
Technet webcast for Security Configuration Wizard available
> “Join this session as we walk you through the Wizard end-to-end, focusing on role-based server configuration, security configuration template design and development, and security configuration deployment. We will demonstrate the technologies as well as go in depth on customization of SCW and how to customize the database to support non-Microsoft applications”
> http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032268013&EventCategory=5&culture=en-US&CountryCode=US
Active Directory Security Links
> AD Security Center:
  > http://www.microsoft.com/technet/security/prodtech/ActiveDirectory.mspx
> Best Practice Guides for Securing Active Directory
  > Windows Server 2003 Best Practice Guide for Securing Windows Server Active Directory Installations http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx (Jan 8 2004)
  > Windows 2000 Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/default.mspx (Feb 28 2004)
> Securing DNS Zone transfers in Windows Server 2003
  > http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbd_dns_wzwd.asp
> Active Directory in Segmented Networks
  > http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
  > Provides detail for how to use IPsec to secure all traffic between AD servers
> TCP/IP Exploits and Countermeasures
  > http://www.microsoft.com/technet/security/prodtech/windows2000/secmod150.mspx
Windows tools for investigating problems with hardening
> Full System Backup with ASR Diskette/CD
  > Many changes can not be undone by SCE or SCW rollback, such as registry and file ACLs
> System Restore – could try checkpoint prior to hardening. Not sure if it can undo everything…
> Backup Windows event logs to baseline behaviors prior to hardening. Make logs bigger.
> Network Sniffers
  > Windows Netmon – light version in Win2k or Win2k3 as optional install networking component. Full version in Systems Management Server
  > Ethereal – open source http://www.ethereal.com/
> Dependency Walker (depends.exe, XP or Win2k3 Resource Kit)
> Portqry.exe v2.0 – port scanning tool - see KB 832919
> Port Reporter – installs as service to monitor app port usage - see KB 837243
> If Windows Firewall or IPsec filters are blocking UDP ports, watch out for false “port open” messages from remote port scanning tools. Some scan tools expect an ICMP destination port unreachable packet in response. Sniff to confirm what the tool reports
> Group Policy Resultant Set of Policy (RSoP) MMC snapin – shows where setting is being defined
> Set auditing for failure on registry keys – look for errors in Security Log
> Tlist.exe – process viewer (DDK debugging tools)
> File Monitor (sysinternals.com)
> Registry Monitor (sysinternals.com)
> Process Explorer (sysinternals.com)
Developer References
> “Creating a simple Win32 service in C++”
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndllpro/html/msdn_ntservic.asp
> MSDN “About Services” development help
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/about_services.asp
> “Example of installing an application as a service”
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/exchserv/html/example_0001.asp
> Microsoft Security Risk Management Process – 15oct04
  > http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
> New MS Press Book: Threat Modeling
  > http://www.microsoft.com/mspress/books/6892.asp
> Threat Modeling for Developers
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp