Security fundamentals Topic 2 Establishing and maintaining baseline security

Upload: janel-holmes

Post on 20-Jan-2016


TRANSCRIPT

Page 1: Security fundamentals Topic 2 Establishing and maintaining baseline security

Security fundamentals

Topic 2: Establishing and maintaining baseline security

Page 2

Agenda

• Trusted computing base
• Evaluation and certification
• Security baselines
• Security templates and scripts
• Maintaining a baseline

Page 3

Trusted computing base

• Represents the most secure computing environment that the organisation can provide
• Includes all the protection mechanisms used to secure computing devices and infrastructure
• Contains security baselines for specific computer systems
• Baseline is the initial configuration that security is built on
• Monitor the differences between your initial baseline and the current configuration and investigate the causes
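The last bullet is the one that keeps a baseline useful: record the initial configuration, re-snapshot later, and treat every difference as something to investigate. The following added example (not part of the slides) does exactly that for a directory of configuration files, recording a SHA-256 digest and the permission bits of each file, then classifying drift as added, removed, modified or permission-changed. The file names and contents in `demo_drift` are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Record every file under root as (sha256 digest, permission bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.stat(path).st_mode)
            baseline[os.path.relpath(path, root)] = (digest, mode)
    return baseline

def diff_baseline(baseline, current):
    """Classify drift between the recorded baseline and a fresh snapshot."""
    drift = {"added": sorted(set(current) - set(baseline)),
             "removed": sorted(set(baseline) - set(current)),
             "modified": [], "permissions_changed": []}
    for rel in sorted(set(baseline) & set(current)):
        (old_digest, old_mode), (new_digest, new_mode) = baseline[rel], current[rel]
        if old_digest != new_digest:      # content drifted: find out who changed it and why
            drift["modified"].append(rel)
        if old_mode != new_mode:          # permission drifted: check for weakened access control
            drift["permissions_changed"].append(rel)
    return drift

def demo_drift():
    """Constructed scenario: take a baseline, then simulate three kinds of drift."""
    root = tempfile.mkdtemp()
    for name, text in (("sshd.conf", "PermitRootLogin no\n"), ("app.ini", "debug=0\n")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
        os.chmod(os.path.join(root, name), 0o644)
    baseline = snapshot(root)
    with open(os.path.join(root, "sshd.conf"), "w") as fh:   # a setting was weakened
        fh.write("PermitRootLogin yes\n")
    os.chmod(os.path.join(root, "app.ini"), 0o666)            # file made world-writable
    with open(os.path.join(root, "extra.ini"), "w") as fh:    # file not in the baseline
        fh.write("x=1\n")
    return diff_baseline(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo_drift())
```

In practice the baseline dictionary is stored off-host (or signed) so that whoever changes the system cannot also rewrite the record it is compared against.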

Page 4

Trusted computing base goals

• Ensures that only authorised people have access
• They use systems in the manner intended
• Data remains confidential

Page 5

Trusted computing base components

Includes all elements of the computing environment
• Hardware – computers, peripherals and network devices
• Firmware – BIOS chips
• Software – operating system, application and custom
• Procedures – administrative regulations, access control, backup schedules, training requirements

Page 6

Creating a trusted computing base

• Inventory all elements of computer security
• Document all elements of computer security
• Monitor and account for changes
• Manage changes through change and configuration management
• Protect from new threats

Page 7

Threats to a trusted computing base

External threats:
• Originate from outside the trusted computing base (not necessarily outside the organisation)
• From attackers, natural disasters, insufficient enforcement

Internal threats:
• Problems with the trusted computing base
• Inadequate monitoring (for changes and deviations)
• Noncompliance with procedures
• Poor design
• Failure to update the trusted computing base

Page 8

Evaluation and certification

Compliance with formal standards for security
• TCSEC – Trusted Computer System Evaluation Criteria
– Orange Book set of standards for commercial operating systems
– Several levels of security
– C2 is the highest level for commercial systems
• ITSEC – Information Technology Security Evaluation Criteria
– Similar standards to TCSEC

Page 9

Evaluation and certification

Compliance with formal standards for security
• Common Criteria
– CCITSE Common Criteria for Information Technology Security Evaluation
– ISO standard
– Set of processes for evaluating security features and capabilities
– The security rating of a product evaluated in one country is recognised in other countries
• ISO 17799
– Information security standard
– Generic security policy that describes general security settings but not system-specific configurations

Page 10

Security baselines

• A detailed description of how to configure and administer a device or system so that it provides the best possible security
– What hardware to use and BIOS settings
– Procedures for physically securing a computer
– Media to use for installing an OS or service, installation options and post-installation configuration
– Rules regarding content to be used
– Procedures for reviewing the installation, monitoring and making changes to the configuration
– Rules for who can access a server and the authentication methods implemented
– Documentation and record-keeping requirements

Page 11

Security baseline guidelines

Guidelines for file systems
• Use NTFS, not FAT, and use permission assignments for access control
• Principle of least privilege
• Only the minimal permissions required to perform a specific task
• Avoid Full Control and the Everyone group
• Put users into groups and assign permissions to the group
• Use permission inheritance – general permissions at a higher level and exceptions at a lower level
• Assign permissions for local and network access
• Encrypt files that must be kept private

Page 12

Security baseline guidelines

Guidelines for services/daemons
• Every running service is a potential entry point
• Enable only services that are required
• Default configurations are not the most secure
• Restrict the actions that can be performed by the service by running it under a custom user account, not as administrator or root
• Consider which services start automatically
• Apply security updates
• Secure files and configurations used by the service/daemon

Page 13

Security baseline guidelines

Guidelines for critical applications
• Only use critical business applications
• Typically email, database and accounting
• Apply security updates
• Secure files and configurations used by the service
• Install only required components
• Grant appropriate access levels

Page 14

Security baseline guidelines

Guidelines for other applications
• Remove all unnecessary applications – reduce the attack surface
• Use ps or Task Manager to list running processes
• Ensure users don't install unauthorised programs (standard user accounts)
• Prevent users from accessing system and program files on the hard drive

Page 15

Security baseline guidelines

Guidelines for network communications
• Disable unnecessary protocols
• Network access
– Restrict open ports
– Enable packet filters
– Require authentication to access the network or network resources
– IPSec to secure communications and require computers to authenticate with each other
• Encrypt network traffic
– IPSec to encrypt for privacy
– SSH (Secure Shell)
– SSL (Secure Sockets Layer)

Page 16

Security templates

System security settings fall into the following categories:
• Account policies: user accounts – password requirements, account lockouts, who can perform tasks
• Local policies: how the system is audited, who can access logs, user rights assignment, and other settings
• Event log: who can access event logs, how event logs are sorted and retained
• Restricted groups: which users are members of which groups
• System services: specify start-up behaviour and permissions for services
• Registry: sets permissions to access the registry
• File systems: set permissions to access specific files and folders

Page 17

Scripts

• Automated alternative to using security templates
– Windows Scripting Host (WSH)
– Shell scripts
– Perl scripts
– C scripts

Page 18

Maintaining a security baseline

Existing security benchmarks: http://www.cisecurity.com
• Remain informed about current threats and vulnerabilities
– CERT/CC advisories
– Mailing lists (eg SecurityFocus™, Bugtraq)
– Hardware/software vendor websites
• Update security baselines to reflect new emerging security requirements

Page 19

Securing against known vulnerabilities

Apply security updates:
• Hotfixes: fast release for one or more issues, perhaps with less testing of the hotfix
• Security Rollup Packages: several critical hotfixes with more testing
• Service Packs: all fixes available, including those in previous service packs – extensive testing

Page 20

Securing against known vulnerabilities

Acquiring security updates
• Verify the authenticity of the update – is it really from the vendor?
• Check digital certificates – guarantees it is from the author and that it hasn't been modified
• Checksums: MD5 hash computation to check integrity
• Cryptographically sign the hash (eg with Pretty Good Privacy (PGP))
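The checksum step above only proves that the file you downloaded matches the digest the vendor published; the digest itself must arrive over an authenticated channel or be signed (the PGP point) before it proves anything about origin. The added example below (not from the slides) verifies a downloaded update against a vendor manifest in the common "<hexdigest>  <filename>" layout, uses a constant-time comparison, and flags MD5 as a weak choice. The package bytes and manifests in `demo` are constructed for the example.

```python
import hashlib
import hmac

# Digest algorithms recognised by hex length, and whether we treat them as weak.
# MD5 (the algorithm named on the slide) is collision-broken, so a match is
# reported but flagged; a signed SHA-256 manifest is what to ask the vendor for.
ALGORITHMS = {32: ("md5", True), 64: ("sha256", False), 128: ("sha512", False)}

def parse_manifest(text):
    """Parse '<hexdigest>  <filename>' lines into {filename: hexdigest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.strip().lstrip("*")] = digest.lower()   # '*' marks binary mode
    return entries

def verify_file(name, data, manifest_text):
    """Return (ok, note); ok is True only when the digest matches exactly."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return False, "no manifest entry for %s" % name
    expected = entries[name]
    if len(expected) not in ALGORITHMS:
        return False, "unrecognised digest length %d" % len(expected)
    algo, weak = ALGORITHMS[len(expected)]
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):       # constant-time compare
        return False, "%s mismatch for %s" % (algo, name)
    note = "%s verified" % algo
    if weak:
        note += " (WEAK: MD5 is collision-prone; request a signed SHA-256 manifest)"
    return True, note

def demo():
    """Constructed scenario: genuine package, tampered copy, and an MD5-only manifest."""
    genuine = b"hotfix-1.0 payload (constructed)\n"
    tampered = genuine.replace(b"1.0", b"1.1")
    sha_manifest = "%s  hotfix-1.0.bin\n" % hashlib.sha256(genuine).hexdigest()
    md5_manifest = "%s  hotfix-1.0.bin\n" % hashlib.md5(genuine).hexdigest()
    return (verify_file("hotfix-1.0.bin", genuine, sha_manifest),
            verify_file("hotfix-1.0.bin", tampered, sha_manifest),
            verify_file("hotfix-1.0.bin", genuine, md5_manifest))

if __name__ == "__main__":
    for ok, note in demo():
        print(ok, note)
```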

Page 21

Summary

• What a trusted computing base is
• Security evaluation and certification criteria available
• What security baselines are
• Security templates and scripts that help automate security application
• Practices for maintaining our baselines