CS423/523 - Eastern Washington University
CSCD 303
Essential Computer
Security
Winter 2014
Lecture 9 - Desktop Security
Recovery, Prevention and Hardening
Reading: Links are in Lecture
Overview
• Host Defense Mechanisms
• Defense in Depth
• Recovery
• Antivirus/Antitrojan
• Restore System
Restore – Windows
• Boot disks
Defense in Depth or
Layered Security
• Defense in depth is an information assurance (IA)
concept
• Multiple layers of security controls (defense) are
placed throughout a system
• Its intent is to provide redundancy in the event a
security control fails
• Defense in depth is originally a military strategy that
seeks to delay, rather than prevent, advance of an
attacker by yielding space in order to buy time
Purpose of
Defense In Depth
• Defense in depth,
• Philosophy that there is no real possibility of achieving total, complete security against threats by implementing a collection of security solutions
• Rather, a layered security strategy puts up stumbling blocks that hinder the progress of a threat,
• Slowing and frustrating it until either it ceases to threaten or some additional resources not strictly technological in nature can be brought to bear
Defense in Depth Examples
• Using more than one of the following layers constitutes
defense in depth.
Anti-virus software
Authentication and password security
Biometrics
Firewalls (hardware or software)
Intrusion detection systems (IDS)
Physical security (e.g. deadbolt locks)
Internet Security Awareness Training
Virtual private network (VPN)
Hardening Systems
The Attack Surface
• Security people talk about “Reducing the Attack Surface”
– What does that mean?
– Get Secure
• Reduce the Attack Surface
• Patch
• Harden
– Stay Secure
• Maintain secure infrastructure
– Patches
– Updates
– Upgrades
– Read, Research, Results
The Attack Surface
• What is an Attack Surface? (items from the diagram on the slide)
– Weak passwords
– Open file shares
– Open ports
– Systems too complex
– Unknowns
– People
– Unused services left on
– Un-patched web server
– Excessive privileges
– No policies
– No auditing
The Attack Surface
• Now for The Attacks ... (items from the diagram on the slide)
– Port scanners
– Viruses
– Password cracking
– Trojan horses
– Unknowns
– People
– Network spoofing
– Denial of service
– Packet sniffing
– Worms
– Poisons (packets, DNS, etc.)
Recovery
Anti-virus
• Anti-virus
– Will identify infections, viruses, trojans, worms
– Not always able to exactly identify what got you
– First step,
• Detect something is wrong
• Try to identify it - Key
– Next step
• Try to remove it and restore the files if possible
Updated signatures
• Anti-virus companies must release new signatures each time a new virus is discovered
– A virus’s spread is unimpeded for a while…
– According to Andreas Marx of AV-Test.org,
• Took Symantec 25 hours to release an updated signature file in response to W32/Sober.C worm attack
The arms race
• Viruses can Morph
– To make it hard for virus scanners to detect their viruses, virus writers can add morphing behavior to their creations:
– A polymorphic virus ‘morphs’ itself in order to evade detection. …
– Metamorphic viruses attempt to evade heuristic detection techniques by using more complex obfuscations
Morphing
• A virus may morph itself by
– Encrypting part of itself using a different key for each
infection
– Changing variable names (in a script virus)
– Binary obfuscation techniques
• Polymorphic virus examples
– Chameleon -- first polymorphic virus, 90’s
– A partial list of the viruses that can be called 100 percent
polymorphic (late 1993)
– Bootache, CivilWar (four versions), Crusher, Dudley, Fly,
Freddy, Ginger, Grog, Haifa, Moctezuma (two versions),
MVF, Necros, Nukehard, PcFly (three versions), Predator,
Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay
(eight versions)
Anti-virus
• Two main ways – Treating Infection
• Quarantine
• Disinfect
Anti Virus Software
• Quarantine
– Only temporary until user decides how to handle
it, user asked to make a decision
Anti Virus Software
• Why do Anti-Virus Programs Quarantine?
– Virus detection was generic, can’t determine
how to clean it off of system
– Wants user, you, to make a decision
– Quarantine Actions
• Copy infected file to quarantine directory
• Remove original infected file
• Disable file permissions so user can’t
accidentally transfer it out of directory
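The three quarantine actions listed above, carried out by a small Python routine, plus the user-initiated restore that the "user decides how to handle it" slide alludes to. This is an example added for this page, not code from the lecture or from any anti-virus product (real products usually also encode or encrypt the quarantined copy); the quarantine directory, the JSON sidecar format and the sample file are assumptions made for the demo.

```python
"""Toy quarantine: copy the suspect file into a quarantine directory, remove the
original, and strip its permissions so it cannot be run or casually copied back
out. A JSON sidecar records the original location so the user can decide later
whether to restore it. Added example; not the lecture's or any product's code.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def quarantine(suspect, qdir) -> Path:
    """Move `suspect` into `qdir`; return the path of the quarantined copy."""
    suspect, qdir = Path(suspect), Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    os.chmod(qdir, stat.S_IRWXU)  # owner-only access to the quarantine folder

    digest = hashlib.sha256(suspect.read_bytes()).hexdigest()
    target = qdir / f"{digest}.quarantined"  # content-addressed name, no collisions
    record = {"original_path": str(suspect.resolve()), "sha256": digest}

    shutil.copy2(suspect, target)   # 1. copy the infected file into quarantine
    suspect.unlink()                # 2. remove the original infected file
    os.chmod(target, 0)             # 3. no read/write/execute for anyone

    (qdir / f"{digest}.json").write_text(json.dumps(record))
    return target


def restore(record_path) -> Path:
    """User-initiated restore: put the quarantined copy back where it came from."""
    record_path = Path(record_path)
    record = json.loads(record_path.read_text())
    qcopy = record_path.with_suffix(".quarantined")
    os.chmod(qcopy, stat.S_IRUSR | stat.S_IWUSR)  # make it readable again first
    dest = Path(record["original_path"])
    shutil.move(str(qcopy), str(dest))
    record_path.unlink()
    return dest


def demo() -> dict:
    """Run one quarantine/restore cycle on a constructed sample file."""
    with tempfile.TemporaryDirectory() as d:
        home = Path(d) / "home"
        home.mkdir()
        sample = home / "invoice.exe"  # constructed sample, not real malware
        sample.write_bytes(b"MZ constructed sample, not real malware")

        qcopy = quarantine(sample, Path(d) / "quarantine")
        result = {
            "original_gone": not sample.exists(),
            "copy_mode": stat.S_IMODE(qcopy.stat().st_mode),
            "record_exists": qcopy.with_suffix(".json").exists(),
        }
        restored = restore(qcopy.with_suffix(".json"))
        result["restored_ok"] = (restored.resolve() == sample.resolve()
                                 and sample.read_bytes().startswith(b"MZ"))
        return result


if __name__ == "__main__":
    print(demo())
```

The copy is named by its SHA-256 so two different suspect files never overwrite each other, and the sidecar keeps the original path out of the file name, which matters when the original path itself was part of the lure.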
Anti Virus Software
• Disinfect Files
• a. Disinfection by Specific Virus
– Multiple ways to disinfect files
– Depends on the type of virus
– From virus DB, get file executable start address
• Run generic clean-up routine with start address
• Can derive this information by running virus in test
lab, recording information from infected file
• Store this information for specific virus
Anti Virus Software
• b. Disinfect by Virus Behavior
– Disinfect based on assumptions from virus behavior
• Prepending or appending viruses
• Restore original program header
• Move original byte contents back to original location
– Can store in advance for each executable file on an uninfected system, system file
• Program header, file length, checksum of executable file contents, which is a computed check of the file contents
• Compute checksums over candidate portions of the file until one matches the stored checksum; this can be tricky, since you need to figure out which part of the file is original, and the checksum match tells you
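The checksum idea from the last bullets, carried through in Python as an example added here (not the lecture's code or any scanner's): a baseline of size, SHA-256 and header bytes for every file under a directory, a comparison that reports modified, added and removed files, and a disinfect-by-behaviour routine for appending infections that cuts off the tail once the leading bytes hash back to the stored checksum. The directory layout and the file contents are constructed for the demo.

```python
"""Checksum baseline and disinfect-by-behaviour for appending infections.
Added example for this page (not the lecture's or any product's code).
Records size, SHA-256 and the first header bytes of every file under a
directory; later compares, and for a file whose leading `size` bytes still
hash to the stored value, truncates the foreign tail. Sample files are
constructed, not real binaries.
"""
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path) -> dict:
    data = Path(path).read_bytes()
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "header": data[:4].hex(),  # e.g. 7f454c46 for ELF, 4d5a.. for PE
    }


def build_baseline(root) -> dict:
    """Map of relative path -> fingerprint for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline: dict) -> dict:
    """Compare the tree with the baseline; report modified, added, removed."""
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }


def repair_appended(path, expected: dict) -> bool:
    """If the first expected['size'] bytes still match the stored checksum,
    everything after them is foreign (an appending infection): cut it off.
    Returns True when a repair was made, False when the file is not of that
    shape (a prepending or overwriting infection needs a different routine)."""
    path = Path(path)
    data = path.read_bytes()
    n = expected["size"]
    if len(data) > n and hashlib.sha256(data[:n]).hexdigest() == expected["sha256"]:
        path.write_bytes(data[:n])
        return True
    return False


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"\x00" * 60)   # constructed
        (root / "bin" / "cat").write_bytes(b"\x7fELF" + b"\x01" * 40)  # constructed
        baseline = build_baseline(root)

        # Simulated changes: an appending infection, a dropped file, a deleted tool.
        with open(root / "bin" / "ls", "ab") as f:
            f.write(b"APPENDED-PAYLOAD")
        (root / "bin" / "dropper").write_bytes(b"MZ" + b"\x90" * 10)
        (root / "bin" / "cat").unlink()

        before = verify(root, baseline)
        repaired = repair_appended(root / "bin" / "ls", baseline["bin/ls"])
        after = verify(root, baseline)
        return {"before": before, "repaired": repaired, "after": after}


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken on a system known to be clean and stored somewhere the malware cannot reach (read-only media or another host), otherwise an infection that also rewrites the baseline goes unnoticed.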
Best Recommended Free Antivirus
Programs 2013
• A number of recommended programs are free to
help keep your computer malware free
– Avast Free
– Panda Cloud
– Emisoft Emergency Kit
– Zone Alarm Free
– Malwarebytes Antivirus
– Avira Free Antivirus
http://www.techradar.com/us/news/software/applications/bestfree-antivirus-9-reviewed-and-rated-1057786
Test Your Virus Scanner
• Good to test your anti-virus software to see how well
it does
• There is test file you can use to test your anti-virus
software
–The Anti-Virus or Anti-Malware test file
• From European Expert Group for IT Security,
www.eicar.org
• Run this file against your virus scanner to
determine its effectiveness
http://www.eicar.org/anti_virus_test_file.htm
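A checker for the EICAR test file, written in Python as an example for this page (it is not the lecture's code and not eicar.org's). The 68-byte string is the published one; it is split across two literals so that this source file is not itself a test file. Detection follows the rule eicar.org publishes: the string starts the file, only whitespace may follow it, and the file is at most 128 bytes. The demo writes a test file into a temporary directory; on a machine with a resident scanner that file may be quarantined before the demo reads it back, which is the scanner doing its job.

```python
"""Signature check for the EICAR anti-virus test file. Added example (not the
lecture's code, not a real scanner). The string is built from two halves so
this source file is not itself a test file. Detection follows eicar.org's
published rule: the 68-byte string starts the file, only whitespace may follow
it, and the file is no longer than 128 bytes.
"""
import tempfile
from pathlib import Path

EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
MAX_LEN = 128


def is_eicar(data: bytes) -> bool:
    """True only for a well-formed EICAR test file, per the published rule."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip() == b""


def scan_tree(root) -> list:
    """Relative paths of EICAR test files under root (symlinks are skipped)."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.is_symlink():
            continue
        try:
            with open(p, "rb") as f:
                head = f.read(MAX_LEN + 1)  # one extra byte: > 128 means not EICAR
        except OSError:
            continue
        if is_eicar(head):
            hits.append(p.relative_to(root).as_posix())
    return hits


def demo() -> dict:
    """Constructed directory: one real test file and three near-misses."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "eicar.com").write_bytes(EICAR + b"\r\n")             # the test file
        (root / "notes.txt").write_bytes(b"nothing to see here\n")  # benign
        (root / "embedded.bin").write_bytes(b"\x00" * 10 + EICAR)    # not at file start
        (root / "padded.bin").write_bytes(EICAR + b" " * 100)        # longer than 128
        return {
            "hits": scan_tree(root),
            "exact": is_eicar(EICAR),
            "trailing_newline": is_eicar(EICAR + b"\n"),
            "trailing_text": is_eicar(EICAR + b"xyz"),
        }


if __name__ == "__main__":
    print(demo())
```

A real scanner detects the string anywhere in a file and inside archives as well; the strict rule here is the one that decides whether a file counts as the official test file, which is what you want when checking that your own scanner reacts at all.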
Other Defenses
Restore, Boot Options and More
System Restore Windows
• Purpose of System Restore
– Create snapshot of system's configuration
– Want to return a system back to a known good
configuration
• System Restore is designed to automatically
create a restore point
– Each time system recognizes a significant change
in the file or application
http://www.bleepingcomputer.com/tutorials/system-restore-fromwindows-vista-recovery-environment/
System Restore
Go to Start>> All Programs>> Accessories>> System
Tools>> System Restore
System Restore and Malware
May Not Work
• Malware authors intentionally write viruses with same
extensions as Windows files that are backed up by System
Restore … How dare they !!!!
• Commonly, people with a virus run virus scans to remove it
– But, once System Restore recovers the computer to an earlier date, it is very possible to introduce that same virus back to the system
• When malware is found on a system,
• System Restore should be completely disabled, all Restore
Points should be deleted ...
– So, what's the point? System restore is not for malware!!
• After scanning computer, restore can be turned back on
Making a Boot Disk Vista and Other
OS's
Blue Screen
of Death
• If your computer is un-bootable, what do you do?
– Try to use a recovery disk.
– How many know where your recovery disk is?
– Do you know how to make one?
Vista Recovery Disk
• Recovery Disk or a Recovery Partition
• Will allow you to restore your computer to original
settings from hardware manufacturer,
– Will not be able to use it to repair your
Windows Vista installation
– For that, you will need an actual Windows Vista DVD that contains the Windows Recovery Environment
Making a Boot Disk Vista/Windows 7/8
• Yes, you can make an installation disk if your
computer didn't come with one
– Complete burnable images for Vista/Windows 7
– And ... a DVD or CD writer
http://www.howtogeek.com/howto/windows-vista/how-tomake-a-windows-vista-repair-disk-if-you-dont-have-one/
Versions of 32 and 64 bit and Windows 7/8
http://neosmart.net/blog/2008/download-windowsvista-x64-recovery-disc/
Boot Disk for Ubuntu
• Ubuntu or Debian
– Can make Ubuntu/Debian into a live image CD
– Really easy, Use it to boot and possibly fix
Ubuntu
Instructions are here for Ubuntu
https://help.ubuntu.com/community/LiveCD
Instructions are here for Debian
http://www.debian.org/CD/live/
Live CD Restore
Windows
Live CD for non-Windows may be used to repair
Windows
- Fix Windows problems on a machine that doesn't have
a dual-boot
- Fix anti-virus problems on a Windows system
- Data recovery such as corrupted or deleted files
Live CD Backtrack
• Backtrack Live CD
– Used for mostly attacking other systems but can be
used for defense
http://www.backtrack-linux.org/downloads/
• Recover Windows passwords with Backtrack
http://webistricky.blogspot.com/2013/01/
how-to-reset-windows-password-using.html
Recover Windows 8 passwords in Easy Steps
http://shishirceh.blogspot.com/2013/06/reset-windows-8password-using.html#!/2013/06/reset-windows-8-passwordusing.html
Live CD Backtrack
• Backtrack Live CD
Fix Windows Registry with Backtrack
– Often we mess up the registry, leaving the system in a hung state
– In such situations BackTrack plays a major role to put you back on track.
http://securityxploded.com/backtrackregistry.php
• With a little experimentation, for example, you can learn how to
access almost any file on the failed PC
– This offers a way to recover and back up data files before
you erase the hard drive and completely reinstall Windows
http://www.jagtutorials.com/VideoPages/V_CorruptedSystem.html
Prevention
Patching
• What is patching?
– Allows it to limp along until the next major
version
• Windows XP before Vista
• Vista then quickly Windows 7 etc.
– Software producers give you patches to fix
“holes” in between major software versions
• Security updates, new devices supported or old
devices not supported, performance issues,
– Can patching cause problems?
Yes or No.
Study on
Unpatched Computers
http://www.computerworld.com/s/article/9109938/Unpatched_Windows_PCs_fall_to_hackers_in_under_5_minutes_says_ISC?taxonomyId=82&intsrc=kc_top&taxonomyName=cybercrime_and_hacking
• 2008
• Computerworld - “It takes less than five minutes for
hackers to find and compromise an unpatched
Windows PC after it's connected to the Internet”
• The SANS Institute's Internet Storm Center (ISC)
currently estimates "survival" time of an Internet-connected computer running Windows at around four
minutes if it's not equipped with the latest Microsoft
Corp. security patches
More Patching Stories
http://www.circleid.com/posts/20090915_major_organizations_overlooking_high_priority_security_risks/
• Security report by SANS Institute, TippingPoint and
Qualys, Sept. 2009
– Number of vulnerabilities found in applications is
far greater than number of vulnerabilities
discovered in operating systems
– "On average, major organizations take at least
twice as long to patch software vulnerabilities as
they take to patch operating system vulnerabilities”
Patching
• Types of Patches
– Patch – Simple small fix, one or two problems
– Update – Add or fix problem or earlier patch
– Cumulative – Includes all previously released
patch for one application
– Service Pack – Generally, large files, typically
include lots of patches to many problems
• Vista is up to service pack 2
• Windows 7 - Service pack 1
• Windows 8 – None yet, but we have 8.1
out
What Should you Patch?
• Microsoft releases Windows security updates
on second Tuesday of every month
– Recommended you turn on automatic updates,
all versions of Windows
– Configure this in control panel
Updates for Microsoft Vista/7
• What gets updated?
– Updates OS & Internet Explorer, also other
Microsoft Windows software, such as Microsoft
Office, Windows Live applications, and
Microsoft Expression
– But, older versions of Windows updated only
OS components,
• Windows Updates vs. Microsoft update
• Users had to go to Microsoft update to update their
Office suite and SQL Server ... etc.
http://arstechnica.com/microsoft/news/2010/04/isvs-toblame-for-vista7-infections-office-updates-ignored.ars
Updates for Microsoft Vista/7
• Does it update other software on your
computer? Like Adobe Flash Player ...
• Microsoft does not update other software running on your computer
Updates for Ubuntu, Mac OS X
• Ubuntu updates
– All the software on its distribution automatically
– Built into the system as a service
– Need to turn it on,
update manager
• Mac OS X
– Updates all software on Mac
Patching
• Third party Software
– Vendors often provide free patches on their
web sites
• Should know how vendor supplies patches
• Automatically contact their web sites and install
them or
• Automatic updates tell you when patches are
available, you download them, and install them
Patching
• Boring but ...
– Make a list of the software on your computer
• Games, office, document readers, Adobe, media
players
– Adobe, Database, Multi-media,
– Voip – Skype
– Security software
– Device Drivers
• What is their patching strategy?
• Websites? Auto-update?
Patch Management
• Patches are issued for good reasons
– Should test before deploying
• Can get an Automation Tool
– Monitoring/Alerting
– Data Collection/Archiving
• HfNetChk – weird name, great tool!
– Queries Windows machines to check whether their patches are up to date
http://majorgeeks.com/HFNetChk-FE_d1103.html
Harden OS
OS Hardening Defined
• What does it mean to Harden an Operating
System?
Reconfiguring an OS to be more secure, stable
and resistant to attacks.
• Examples:
– Removing unnecessary processes.
– Setting file permissions.
– Patching or updating software.
– Setting network access controls.
Linux Hardening
• Examine Linux System Features
– In Design
• Linux is more modular than Windows
• Multi-user design from beginning
– Main Challenge in cracking Linux
• Gain Root access !!!!
– Main Goal in Defense of Linux
• Make unauthorized root access impossible
Linux Hardening
• Setuid and Setgid
– Everything in Linux is a file
• Files have read, write and execute permissions
• One more permission is setuid (similar with setgid)
• Executable programs run with same privileges of file
owner
• If owner is root ... gain root privileges
• Goal is to use buffer overrun or some other means
of gaining a root shell session, attacker can do
anything after that
Linux Programs Running Setuid
Examples of some SetUID programs
-rwsr-xr-x 1 root root  27256 2010-01-29 00:02 /bin/fusermount
-rwsr-xr-x 1 root root  78096 2009-10-23 09:58 /bin/mount
-rwsr-xr-x 1 root root  35600 2009-05-12 03:13 /bin/ping
-rwsr-xr-x 1 root root  31368 2009-05-12 03:13 /bin/ping6
-rwsr-xr-x 1 root root  36864 2009-07-31 19:29 /bin/su
-rwsr-xr-x 1 root root  56616 2009-10-23 09:58 /bin/umount
-rwsr-xr-x 1 root root  42856 2009-07-31 19:29 /usr/bin/passwd
-rwsr-xr-x 1 root root  14880 2009-10-16 17:13 /usr/bin/pkexec
-rwsr-xr-x 1 root root 852296 2009-05-23 06:01 /usr/bin/schroot
-rwsr-xr-x 1 root root 143656 2009-06-22 21:45 /usr/bin/sudo
Linux Hardening
• Example
chmod 4755 removemyfiles.sh
-rwsr-xr-x 1 ctaylor fac removemyfiles.sh
Assume removemyfiles.sh is a script:
#! /bin/bash
rm -rf /home/ctaylor/*.*
The -rws in the permissions above says to run this program with the privileges of its owner, ctaylor
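An audit of setuid/setgid files in Python, added as an example (not the lecture's code). It walks a tree with lstat so symlinks are not followed, records owner, mode and whether the file starts with #!, and separates root-owned binaries from the rest. One caveat the slide does not state: the Linux kernel ignores the setuid bit on interpreted scripts, so chmod 4755 on removemyfiles.sh does not make the script run as ctaylor; only compiled executables gain the owner's privileges, which is why the root-owned, non-script entries are the ones to review. The shell equivalent of the walk is find / -xdev -type f -perm -4000. The files in the demo are constructed in a temporary directory.

```python
"""Setuid/setgid audit. Added example, not lecture code. Walks a tree with
lstat (symlinks are not followed), lists regular files carrying the setuid or
setgid bit, and flags '#!' scripts: the Linux kernel ignores setuid on
interpreted scripts, so chmod 4755 on a .sh file does not make it run as its
owner; only compiled binaries do, and those are the entries worth reviewing.
"""
import os
import stat
import tempfile


def _is_script(path) -> bool:
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False


def find_setuid(root) -> list:
    """Entries for every regular file under root with setuid or setgid set."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            found.append({
                "path": path,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "setuid": bool(st.st_mode & stat.S_ISUID),
                "setgid": bool(st.st_mode & stat.S_ISGID),
                "script": _is_script(path),
            })
    return sorted(found, key=lambda e: e["path"])


def root_owned_binaries(entries) -> list:
    """The high-value subset: setuid, owned by root, and not a script."""
    return [e for e in entries if e["setuid"] and e["uid"] == 0 and not e["script"]]


def demo() -> dict:
    """Constructed tree: the slide's script, a fake binary, and a plain file."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "removemyfiles.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\necho constructed sample, deletes nothing\n")
        os.chmod(script, 0o4755)                      # the slide's chmod
        binary = os.path.join(d, "fakebin")
        with open(binary, "wb") as f:
            f.write(b"\x7fELF constructed, not a real binary")
        os.chmod(binary, 0o4755)
        plain = os.path.join(d, "plain")
        open(plain, "w").close()
        os.chmod(plain, 0o755)                        # no setuid: must not appear
        entries = find_setuid(d)
        return {
            "names": [os.path.basename(e["path"]) for e in entries],
            "scripts": [os.path.basename(e["path"]) for e in entries if e["script"]],
            "modes": [e["mode"] for e in entries],
        }


if __name__ == "__main__":
    # What the slide's ls -l listing shows, as a structured report.
    for e in find_setuid("/usr/bin"):
        print(e["mode"], e["uid"], e["path"], "(script)" if e["script"] else "")
```

Run the audit once on a freshly installed system, keep the output, and diff against it later: a new root-owned setuid binary that is not in the saved list is exactly the "unauthorized root access" path the slide warns about.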
Linux Servers – Web, File, DB
• Limited use machines, user services not
needed
• Don't install some software
– X - windows
– RPC Services
– R-Services, rlogin, rpc - ssh instead
– Inetd daemon
– SMTP daemons - enabled by default
– Telnet, ftp, pop3 and Imap
– Might want to disable LKM - Loadable Kernel Modules
Linux Security Checklist
http://www.sans.org/score/checklists/linuxchecklist.pdf
Can follow a security checklist from Security Firm like
Sans
Boot and Rescue Disk
System Patches
Disabling Unnecessary Services
Check for Security on Key Files
Default Password Policy
Other things … too
Hardening Utilities
http://bastillelinux.sourceforge.net/
• Bastille Linux
– Automated security
program, Security wizard
• SUID restrictions
• SecureInetd
• DoS attack detection
and prevention
• Automated firewall
scripting
• User privileges
• Education
Windows Hardening
Overview
• Services
• Policies for different Account Types
• Software Restrictions
• Windows Firewall
• Data lock down
– Bit Locker
– EFS
Windows Vista and 7 Security Features
• Windows Service Hardening
– Most Windows exploits that install malware are the result of flaws in Windows services
– Windows services changed as follows:
• Each service is given an SID number, Security ID
• Services run with a lower privilege level by default
• Unnecessary privileges for services have been removed
• Services are isolated and cannot interact with users
Windows Vista and 7
Security Features
• Windows Service Hardening
– There are still services that may come enabled by default and should be turned off
• Telnet
• IMAP
• NetBios
• SNMP
• TFTP
• SMTP
All these services run across the network, open ports and potentially allow access
Microsoft Services
One complete list for Windows 7
http://www.blackviper.com/serviceconfigurations/black-vipers-windows-7-serviceconfigurations/
User Accounts
Disable or remove non-user accounts
1) Start > search bar > lusrmgr.msc
2) Go to: Users
3) Disable or remove all Accounts that you do not use
Make sure to look up accounts you are unsure about
Verify the default administrator and guest accounts are disabled
... they should be by default with Windows 7.
Now establish another admin account and set your main account to limited standard user
The limited account should be used on a daily basis and the admin account only when you need to perform admin tasks
Account Policies
http://www.thewindowsclub.com/customizing-the-password-policyin-windows-7
• Can set Local Policies for your system
• Password policy
– Controls password characteristics for local user accounts
– Available settings
• Enforce password history
• Maximum, Minimum password age
• Minimum, Maximum password length
• Complexity requirements
Account Policies
• Account lockout policy
– Prevents unauthorized access to Windows
Vista and 7
– Can configure an account to be temporarily
disabled after a number of incorrect log-on
attempts
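The password and lockout policies above, modelled in Python as an added example (not the lecture's code; Windows enforces them through the Local Security Policy, and nothing here touches a real account database). The password check covers history, minimum length and a simplified Windows-style complexity rule (the account name must not appear in the password and at least three of the four character classes must be present); the lockout tracker combines threshold, reset window and lockout duration so their interaction can be seen on sample logon attempts. Usernames, passwords and the numeric settings are constructed for the demo.

```python
"""Password and lockout policy logic, modelled in Python as an added example
(not lecture code; Windows enforces these through Local Security Policy, and
nothing here touches a real account database). Password history, minimum
length and a simplified Windows-style complexity rule are checked together;
the lockout tracker combines threshold, reset window and lockout duration.
Usernames, passwords and the numeric settings are constructed.
"""
import hashlib
import re

CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def pw_hash(password: str) -> str:
    # Toy history store; a real system keeps salted one-way hashes, never the text.
    return hashlib.sha256(password.encode()).hexdigest()


def meets_complexity(username: str, password: str) -> bool:
    """Account name must not appear; at least three of four character classes."""
    if len(username) >= 3 and username.lower() in password.lower():
        return False
    return sum(1 for c in CLASSES if re.search(c, password)) >= 3


def check_password(username, password, history, min_length=8, history_size=5) -> list:
    """Return the list of policy violations (an empty list means accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not meets_complexity(username, password):
        problems.append("complexity")
    if pw_hash(password) in history[-history_size:]:
        problems.append("reused")
    return problems


class LockoutTracker:
    """`threshold` failures within `reset_after` seconds lock the account for
    `duration` seconds (duration 0 = locked until an administrator unlocks)."""

    def __init__(self, threshold=5, reset_after=900, duration=1800):
        self.threshold, self.reset_after, self.duration = threshold, reset_after, duration
        self._failures = {}      # user -> (count, time of last failure)
        self._locked_until = {}  # user -> unix time

    def is_locked(self, user, now) -> bool:
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user, now) -> bool:
        """Note a failed logon at time `now`; return whether the account is locked."""
        if self.is_locked(user, now):
            return True
        count, last = self._failures.get(user, (0, None))
        if last is not None and now - last > self.reset_after:
            count = 0  # observation window expired: start counting afresh
        count += 1
        if count >= self.threshold:
            self._locked_until[user] = float("inf") if self.duration == 0 else now + self.duration
            self._failures.pop(user, None)
            return True
        self._failures[user] = (count, now)
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


def demo() -> dict:
    old = [pw_hash("Tr0ub4dor&3")]  # constructed history
    tracker = LockoutTracker()
    burst = [tracker.record_failure("alice", t) for t in (0, 10, 20, 30, 40)]
    spaced = [tracker.record_failure("bob", t) for t in (0, 1000, 2000, 3000, 4000)]
    return {
        "contains_username": check_password("ctaylor", "ctaylor2014!", []),
        "two_classes": check_password("ctaylor", "winter14", []),
        "short": check_password("ctaylor", "Ab1!", []),
        "reused": check_password("ctaylor", "Tr0ub4dor&3", old),
        "accepted": check_password("ctaylor", "Winter2014", old),
        "burst": burst,
        "alice_locked_at_50": tracker.is_locked("alice", 50),
        "alice_locked_at_1840": tracker.is_locked("alice", 1840),
        "spaced": spaced,
    }


if __name__ == "__main__":
    print(demo())
```

The two failure sequences show why the three lockout settings belong together: five bad attempts in forty seconds lock alice for the configured duration, while bob's five failures spread over more than an hour never accumulate because each one falls outside the reset window of the previous one.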
More Account Policies
Software Restriction Policies
AppLocker for Enterprise Windows
http://technet.microsoft.com/enus/library/ee424367%28v=ws.10%29.aspx
• AppLocker new feature of Windows 7/8
– Defines which programs are allowed or
disallowed in system
– Can control executables, scripts and DLL's
• Used in corporate environments
• Set default security level for applications
– Disallowed
– Basic User
– Unrestricted
Software Restriction Policies cont.
• Software not affected by software
restriction policies
– Drivers or other kernel mode software
– Programs run by SYSTEM account
– Macros in Microsoft Office 2000 or Microsoft
Office XP documents
– .NET programs that use runtime
Software Restriction Policies
• Software restriction configuration options
– Policies are evaluated each time an
executable file is accessed
– Executable files are identified by file extension
• You can customize list of extensions
– Many Windows applications use DLL files
when they are executing
– DLL files are considered a lower risk than
executable files and are not evaluated by
default
Data Security
• NTFS permissions
– Most basic level of data security in Windows Vista/7
– Stop logged-on users from accessing files and
folders that they are not assigned read or write
permission to
• Problem: Relatively easy to work around NTFS
permissions!!!!
– When you have physical access to the computer
• To really secure data on desktop computers and
laptops, encryption is required
Vista includes
– Encrypting File System (EFS) and
– BitLocker Drive Encryption
Encryption Algorithms
• Symmetric Encryption
One Key
– What is Symmetric Encryption?
– Same key used to encrypt data and decrypt
data
– Symmetric encryption is strong and fast
• Good for encrypting large volumes of data such as
files
– Used by both EFS and BitLocker Drive
Encryption
– Biggest problem is securing the key
– Or Losing the Key !!!
Encrypting File System
• Encrypting File System (EFS)
– First included with Windows 2000 Professional
– Encrypts individual files and folders on a
partition
– Suitable for protecting data files and folders on
workstations and laptops
– Can also be used to encrypt files and folders
on network servers
• File or folder must be located on an NTFS-formatted
partition
MCTS Guide to Microsoft Windows Vista
BitLocker Drive Encryption
• BitLocker Drive Encryption
– Data encryption feature included with Windows Vista and with Windows 7 Ultimate or Enterprise only
• An entire volume is encrypted when you use
BitLocker Drive Encryption
– Also protects the operating system
• Designed for Trusted Platform Module (TPM)
– Part of your motherboard and used to store
encryption keys and certificates
– Can also use a USB drive to store the keys
BitLocker Drive Encryption
Windows Firewall
Enable Windows Firewall
Firewall is enabled by default
If you do not need to share anything with other people and
computers, you can safely choose to drop all inbound
connections
Make sure all inbound connections are automatically
dropped
No one can access anything on your computer from
the network.
Possible to filter on outgoing traffic in Windows firewall as well
It can be a good idea to filter outgoing traffic and application
access as well.
Why do you want to do this?
Microsoft Baseline
Security Analyzer
Microsoft Baseline Security Analyzer
(MBSA) an easy-to-use tool that
helps determine security state of
your computer based on Microsoft
security recommendations
After tool completes scan on your
computer, you receive specific
remediation suggestions
Finds weak passwords,
unpatched software and
other vulnerabilities
http://www.microsoft.com/enus/download/details.aspx?id=7558
References
Linux security checklist
http://one.utsa.edu/sites/oit/OITConnect/security/Documents/linuxchecklist.pdf
Windows Security Primer – Nice Series
http://www.windowsecurity.com/articlestutorials/misc_network_security/Windows-7-Security-PrimerPart1.html
Securing Windows for College and Standalone Use
http://www.ucs.cam.ac.uk/docs/leaflets/m511/m511#heading3
BitLocker Explained
http://crashctrl.com/2013/02/bitlockersecure-your-data/
Nice site for all versions Windows settings
http://www.blackviper.com/sitemap/
Summary
• Recovery, Prevention and Hardening
– Learn about restoring your computer and
preventing problems before bad things happen
– Learn how to use some tools now, while your
computer is still running
– Learn how to restore your system, learn how to
patch and to keep updated on patches
– What else to do to Harden your system beyond
the usual default configuration
– Backups not mentioned … should be backing
up your computer
The End
• Moving on to Internet Security