module 4 Cyberpatriot Powerpoint

Download Report

Transcript module 4 Cyberpatriot Powerpoint

•Introduction to Computer Security
and Information Assurance
Objectives
• Describe major OS
functions
• Recognize OS related
threats
• Apply major steps in
securing the OS
• Perform a vulnerability
scan to identify
existing vulnerabilities
on an active system
Module 04: 1
•Introduction to Computer Security
and Information Assurance
An Operating System Is…
… a program that acts as an intermediary
between a computer user and computer
hardware.
What does that mean?
Module 04: 2
•Introduction to Computer Security
and Information Assurance
Early Operating Systems
• 1950s
–
–
–
–
Monitor system
Batch processing
Spooling
No interaction with program while running
• 1960s
– Multiprogrammed batch systems
– Graphical displays, pointing devices
– Timesharing (multitasking) – first
interaction with running programs
– MULTICS – multiuser forerunner of Unix
Module 04: 3
•Introduction to Computer Security
and Information Assurance
Operating System Evolution
• 1970s
– Personal computer systems – resident monitor
– Windowing, icons, menus, and pointers are
developed as an interface
• 1980s
– PCs become affordable
– Multiprocessor systems
• 1990s
– Distributed computing
– Mainstream graphical interface
Module 04: 4
•Introduction to Computer Security
and Information Assurance
Operating System Tasks
• Management Tasks
–
–
–
–
–
–
–
–
Process management
Main-memory management
File management
I/O system management
Secondary storage management
Networking management
Protection system
User interface management
• Command Line Interface (CLI)
• Graphical User Interface (GUI)
Module 04: 5
•Introduction to Computer Security
and Information Assurance
Process Management
• Many processes running on a modern computer
system
• Manage schedule, time to execute, and
resources for each process
–
–
–
–
–
Create and delete processes
Suspend and resume of processes
Provide for process synchronization
Provide for communication
Provide deadlock avoidance
Module 04: 6
•Introduction to Computer Security
and Information Assurance
Main Memory Management
• Memory is the storage area the CPU uses
for executing programs
• Each process (including the operating
system) must have its own piece of
memory
– Keep track of which process is where
– Decide which process to load when there is
room
– Allocate and deallocate memory as needed
Module 04: 7
•Introduction to Computer Security
and Information Assurance
File Management
• The basic storage unit from a user
perspective
• Provide structure (directories, file types,
etc.) to storage
– Create and delete files and directories
– Support manipulation of files and directories
– Map files to secondary storage
– Backup files
Module 04: 8
•Introduction to Computer Security
and Information Assurance
I/O System Management
• Hides the specifics of I/O devices from the
user
• Provides tools to handle the speed
difference between CPU and I/O devices
– Memory management for buffering, caching,
and spooling
– General device driver interface
– Hardware specific device drivers
Module 04: 9
•Introduction to Computer Security
and Information Assurance
Secondary Storage Management
• Why? Because main memory is usually
too small to hold all programs and
disappears when power is turned off
• Non-volatile (stays when power is turned
off) and larger than main memory
• Use disk drives (tapes, punch cards, etc.)
– Manage free space
– Allocate storage
– Schedule disk activity
Module 04: 10
•Introduction to Computer Security
and Information Assurance
Network Management
• Network communications for the system is
a special case of I/O
• Manages communication
links by
– Establishing connections
– Scheduling communication
– Directing communication
to correct processes
Module 04: 11
•Introduction to Computer Security
and Information Assurance
Protection System Management
• The operating system plays a basic role in
protecting information, especially on
multitasking and multiuser systems
– Protect memory for processes
– Provide file access mechanism
– Provide authentication and
access control mechanisms
Module 04: 12
•Introduction to Computer Security
and Information Assurance
User Interface Management
• A way to give commands to the computer
• Accomplished via command line and/or
Graphical User Interface (GUI)
• Accepts and acts on user
commands in a timely
manner
Module 04: 13
•Introduction to Computer Security
and Information Assurance
Operating Systems
• Operating system developers determine
which features are implemented and what
capabilities they have
– For example, early personal
computer operating
systems had no
protection mechanism
other than reserving special
memory locations for the
operating system
Module 04: 14
•Introduction to Computer Security
and Information Assurance
So Far
• Operating systems manage computer
resources
– Schedules time
– Allocates space (in memory, on disk)
– Handles I/O
– Protects system and information
Module 04: 15
•Introduction to Computer Security
and Information Assurance
Operating Systems Security
• Goals of operating system security
– Confidentiality: Only let authorized entities
access computer and information
• Corollary: Only run authorized
processes
– Integrity: Only allow authorized
changes to information
– Availability: Manage
resources to permit access
to information and system at
all required times
Module 04: 16
•Introduction to Computer Security
and Information Assurance
Authorization & Authentication
• Who is authorized?
– Authorized by policy of organization and
operational requirements
• How do we know?
– Accounts (identification)
– Known systems
– Password
– Secure communication channel
Module 04: 17
•Introduction to Computer Security
and Information Assurance
Access Control
• Controls how users and systems
communicate and interact with other
systems and resources
• First line of defense
• Authenticate before
allowing access to
authorized resources
Module 04: 18
•Introduction to Computer Security
and Information Assurance
Operating System Access Controls
• Two basic methods
– Access Control List (ACL)
• For every resource, indicates who has access and
what kind of access
– Permissions based on identification
• User permissions
• Group permissions
• Additional controls
– Passwords for files, resources, etc.
Module 04: 19
•Introduction to Computer Security
and Information Assurance
Managing Identities
• Local user and group accounts
• Directory server
– LDAP
– Microsoft Domain Controller
• Policies and operational requirements
• Introduces need for “trust” relationships
Module 04: 20
•Introduction to Computer Security
and Information Assurance
Auditing – A Trail To Follow
• Detect auditable events
– What is an auditable event?
• Collect and save in secure location
– Where do you save them?
– How do you protect logs?
• Analyze results
– Human readable? Searchable? Prioritized?
– Fix problems
Module 04: 21
•Introduction to Computer Security
and Information Assurance
Access & Audit What?
• Resources
– Computer system
– Processes
– Files
– Memory
– Disk drives
– Printers
– Communication
– Etc.
Module 04: 22
•Introduction to Computer Security
and Information Assurance
Threats To Operating Systems
• Compromise system to gain unauthorized
access to system resources
– Weak/broken identification
– Weak internal security structures
– Programming errors in operating system
Module 04: 23
•Introduction to Computer Security
and Information Assurance
It’s You!
• How do you let people know who you are?
Identification
• How can we tell you are who you say you
are?
Authentication
• Will this allow me to trace actions back to
you?
Non-repudiation
Module 04: 24
•Introduction to Computer Security
and Information Assurance
Once Identified, Authorize
• User accounts are the mechanism used to
identify and authorize people
• Access control is based on identification
• Most common authentication:
password
Joe
• Password and account
policies help improve
security
Module 04: 25
•Introduction to Computer Security
and Information Assurance
Implementing Policies
• Recall: policies can be topic specific
• Procedures can be one way to implement
policies
• Policies can also be implemented in
hardware or software
• Password and account policies are often
implemented using operating system
features
Module 04: 26
•Introduction to Computer Security
and Information Assurance
Password Policy
• What makes a good password policy?
– How many new passwords should you use
before you can reuse an old password?
– How long should a password be valid?
– How long must you use a password before
you change it?
– What is the minimum length for a password?
– Should there be complexity requirements?
– Should the password be stored so it can be
decrypted?
Module 04: 27
•Introduction to Computer Security
and Information Assurance
Account Policy
• Should your account be locked if you don’t
log in correctly? If so, how long should it
be locked?
• How many login failures should occur
before your account is locked?
• How much time should elapse before a
failed login is no longer counted?
Module 04: 28
•Introduction to Computer Security
and Information Assurance
Activity 04.1: Account And Local
Security Policies For Windows
• Purpose:
– Walk you through ways to harden the security
of the Microsoft Windows operating system to
lessen its vulnerability to attack
• Estimated completion time:
– 20 - 25 minutes
• Additional information:
– Account password for Windows machine
Module 04: 29
•Introduction to Computer Security
and Information Assurance
Hints For Activity 04.1
• Student password: XXXXXXXX
• Action on errors:
– Adding new users:
• Click “OK” on error message
• Add “&123” to the end of suggested passwords
• Audit Logs
– Security logging may not be turned on, so
there may be no entries
Module 04: 30
•Introduction to Computer Security
and Information Assurance
Activity 04.1: Account And Local
Security Policies For Windows
• What did you see?
• What policies are in place in your
organization? Do they help with security?
Module 04: 31
•Introduction to Computer Security
and Information Assurance
Activity 04.2: Account And Local
Security Policies For Fedora
• Purpose:
– Walk you through ways to harden the security
of the Fedora Linux operating system to
lessen its vulnerability to attack
• Estimated completion time:
– 25 - 30 minutes
• Additional information:
– Account password for Fedora Linux virtual
machine
Module 04: 32
•Introduction to Computer Security
and Information Assurance
Hints For Activity 04.2
• student password: student
• root password: student
• Action on errors:
– Adding new users:
• Click “YES” on error message that says “Use
Anyway?”
• If password is too short, add “123” and try again
• Remember, Linux is case sensitive
Module 04: 33
•Introduction to Computer Security
and Information Assurance
Activity 04.2: Account And Local
Security Policies For Fedora
• What did you see?
• Could you implement the same policies in
both Windows and Fedora?
• Which seemed more secure to you?
Module 04: 34
•Introduction to Computer Security
and Information Assurance
Vulnerabilities
• Protection function – Access control
– Compromise access control to attack other
functions
• Process management
– Unauthorized processes
– Hidden processes
– Affect other processes
• Main memory management
– Access other processes’ memory
Module 04: 35
•Introduction to Computer Security
and Information Assurance
More Vulnerabilities
• File management
– Unauthorized access to files
– Create unauthorized files
• I/O system management
– Unauthorized I/O
– Affect authorized I/O
• Secondary storage
– Access or corrupt
Module 04: 36
•Introduction to Computer Security
and Information Assurance
Even More Vulnerabilities
• Network
– Unauthorized connections/communications
– Disable or compromise
– Affect authorized use
• User interface
– Eavesdrop
– Deny access to
authorized users
– Permit access to unauthorized users
Module 04: 37
•Introduction to Computer Security
and Information Assurance
Threats
• How do threats affect the system?
– Affect availability
– Compromise confidentiality or integrity
• How do you tell if you have a problem?
– Process listing
– Memory check
– Auditing logs
– Network connections
– Storage size
• What if management tools are
compromised?
Module 04: 38
•Introduction to Computer Security
and Information Assurance
Specific Operating System Attacks
•
•
•
•
•
DoS
Hack (or crack) the system
Backdoor
Memory issues
Escalation of
privileges
• Default settings
Module 04: 39
•Introduction to Computer Security
and Information Assurance
Denial of Service (DoS)
• An attack on availability
• Consume resources
– CPU or memory
– Communication
• Recall terms
– ping, Smurf, botnet
CIA
Availability
Module 04: 40
•Introduction to Computer Security
and Information Assurance
Hack The System
• Exploit a vulnerability to gain unauthorized
access to the system
• Access as an existing user
• Perform other actions
– Add unauthorized
account
– Add malicious
software
– Use system
resources
CIA
Availability
Module 04: 41
•Introduction to Computer Security
and Information Assurance
Backdoor
• What is a backdoor?
– An access method that
bypasses the normal
security of the system
• How does it get there?
• What impact might
it have?
CIA
Availability
Module 04: 42
•Introduction to Computer Security
and Information Assurance
Memory Issues
• Memory is not erased before
given to another process
– Gives new process
access to information
from old process
– What is the impact?
• Memory is not
released by a
process
– What is the impact?
CIA
Availability
Module 04: 43
•Introduction to Computer Security
and Information Assurance
Escalation Of Privileges
• User exploits vulnerability to
gain unauthorized
access
– Gain administrator
access
– Gain access as a
specific account
– What is the impact?
CIA
Availability
Module 04: 44
•Introduction to Computer Security
and Information Assurance
Default Settings
• Most operating systems ship in the simplest
configuration…
unsecure
• Security features disabled
• Default accounts
enabled with standard
passwords
CIA
• Available services
(programs) running
Availability
Module 04: 45
•Introduction to Computer Security
and Information Assurance
How Do They Do It?
• The key is gaining access
• Break an operating system management
function to gain command access
– Connect to print server, cause process to
create a command line as administrator
– Send special packets to network controller to
cause a buffer overflow to execute program
– And many more
Module 04: 46
•Introduction to Computer Security
and Information Assurance
Securing Systems
• Perform system “hardening”
• Find out what vulnerabilities are still
present
– Perform a vulnerability scan
• Fix them
Module 04: 47
•Introduction to Computer Security
and Information Assurance
Activity 04.3: Vulnerability Scanning
Using Nessus 3
• Purpose:
– Demonstrate that port scanning is one of the most
common forms of attacks and can be used to gather
information about a target environment
• Estimated completion time:
– 20 - 25 minutes
• Additional information:
– We need to perform one or two scans using Nessus
– IP address ranges to scan
Module 04: 48
•Introduction to Computer Security
and Information Assurance
Hints For Activity 04.3
• Perform Nessus scans on the indicated
IP ranges
• First Scan
– Start IP:
– End IP:
XX.XX.XX.XX
XX.XX.XX.XX
• Second Scan
– Start IP:
– End IP:
XX.XX.XX.XX
XX.XX.XX.XX
Module 04: 49
•Introduction to Computer Security
and Information Assurance
Activity 04.3: Vulnerability Scanning
Using Nessus 3
• What vulnerabilities did you discover?
• Would this be useful for system
administrators?
• Does this tool identify all vulnerabilities?
Module 04: 50
•Introduction to Computer Security
and Information Assurance
Countermeasures: DoS
• Set network and host firewall filters for
known bad traffic
• Apply operating system patches for known
vulnerabilities
• Limit time and resources for
processes
• Monitor for threat activity on
the network and host using
Intrusion Detection Systems
Module 04: 51
•Introduction to Computer Security
and Information Assurance
Countermeasures: Hack The System
• Use account and password policies
– Reduce likelihood of password guessing or cracking
– Limit privileges of users to those they need
– Manage by responsibilities (group permissions)
• Change default accounts, settings, passwords
• Use restricted accounts for
services (don’t run everything
as administrator)
• Apply operating system patches
for known vulnerabilities
• Turn off unnecessary services
• Watch for social engineering
Module 04: 52
•Introduction to Computer Security
and Information Assurance
Countermeasures: Backdoor
• Disable any unnecessary default accounts
• Apply operating system patches for known
vulnerabilities
• Scan system periodically
• Monitor system
Module 04: 53
•Introduction to Computer Security
and Information Assurance
Countermeasures: Memory Issues
• Apply operating system patches for known
vulnerabilities
• Turn on security features (some operating
systems will clear memory
before reallocating it)
• Reclaim memory on process
termination
Module 04: 54
•Introduction to Computer Security
and Information Assurance
Countermeasures: Escalation Of
Privileges
• Apply operating system patches for known
vulnerabilities
• Monitor system
• Establish restricted accounts
for services (don’t run
everything as administrator)
Module 04: 55
•Introduction to Computer Security
and Information Assurance
Countermeasures: Default Settings
• Disable unnecessary accounts and
services
• Apply operating system patches for known
vulnerabilities
• Follow lockdown procedures
when possible
• Monitor system
Module 04: 56
•Introduction to Computer Security
and Information Assurance
Additional Countermeasures
• HIDS
– Provides system monitoring function
– Can raise alert when changes occur
• Backups
– Allow restoration of system to
known good state
• Physical security – Don’t
allow unauthorized access
to systems
Module 04: 57
•Introduction to Computer Security
and Information Assurance
Are We Done?
• Not yet
• Recurring theme
– Apply operating system patches for known
vulnerabilities
– Disable unnecessary accounts and services
– Monitor system
• Always balance security and ease of use
Module 04: 58
•Introduction to Computer Security
and Information Assurance
Operating System Security: System
Specific Stuff
• History and general functions of operating
systems
• Major vulnerabilities and threats for
operating systems
• Steps in securing system accounts
• Using a vulnerability scanner to test
systems
• Countermeasures for operating system
threats
Module 04: 59