Essentials of Security
Steve Lamb
Technical Security Advisor
http://blogs.msdn.com/steve_lamb
Session Prerequisites
Hands-on experience installing, configuring, administering, and planning the deployment of Windows 2000 Server or Windows Server 2003
Knowledge of Active Directory and Group Policy concepts
Level 200
Business Case
Security Risk Management Discipline
Defense in Depth
Security Incident Response
Best Practices
10 Immutable Laws of Security
Impact of Security Breaches
Loss of Revenue
Damage to Reputation
Damage to Investor Confidence
Loss or Compromise of Data
Damage to Customer Confidence
Interruption of Business Processes
Legal Consequences
The cost of implementing security measures is not trivial; however, it is a fraction of the cost of mitigating security compromises
Benefits of Investing in Security
Reduced downtime and costs associated with non-availability of systems and applications
Reduced labor costs associated with inefficient security update deployment
Reduced data loss due to viruses or information security breaches
Increased protection of intellectual property
Security Risk Management Discipline
Security Risk Management Discipline (SRMD) Processes
Assessment
Assess and valuate assets
Identify security risks and threats
Analyze and prioritize security risks
Security risk tracking, planning, and scheduling
Development and Implementation
Develop security remediation
Test security remediation
Capture security knowledge
Operation
Reassess assets and security risks
Stabilize and deploy new or changed countermeasures
Assessment: Assess and Valuate Assets
Asset Priorities (Scale of 1 to 10) – Example*
* For example purposes only – not prescriptive guidance
Assessment: Identify Security Risks and Threats – STRIDE
Types of threats and examples:
Spoofing: forge e-mail messages; replay authentication packets
Tampering: alter data during transmission; change data in files
Repudiation: delete a critical file and deny it; purchase a product and later deny it
Information disclosure: expose information in error messages; expose code on Web sites
Denial of service: flood a network with SYN packets; flood a network with forged ICMP packets
Elevation of privilege: exploit buffer overruns to gain system privileges; obtain administrator privileges illegitimately
Assessment: Analyze and Prioritize Security Risks – Example Worksheet
DREAD
Damage
Reproducibility
Exploitability
Affected Users
Discoverability
Risk Exposure = Asset Priority x Threat Rank
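A worked version of the prioritization worksheet, added here as an example and not taken from the deck. The deck gives only the five DREAD factor names and the formula Risk Exposure = Asset Priority x Threat Rank; the combination rule (each factor scored 1 to 10, threat rank = mean of the five scores) and the asset priorities and scores below are assumptions and constructed sample values.

```python
"""DREAD threat rank and risk-exposure worksheet (added example).

Assumption: each DREAD factor is scored 1 (low) to 10 (high) and the threat
rank is the mean of the five scores, so ranks share the 1-10 asset scale.
Risk Exposure = Asset Priority x Threat Rank is the formula from the deck.
"""
from dataclasses import dataclass

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    asset: str         # asset the threat applies to (key into the asset table)
    stride: str        # STRIDE category
    description: str
    scores: dict       # DREAD factor name -> score 1..10


def threat_rank(scores: dict) -> float:
    """Mean of the five DREAD scores; rejects missing or out-of-range factors."""
    missing = set(DREAD_FACTORS) - set(scores)
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    for name in DREAD_FACTORS:
        if not 1 <= scores[name] <= 10:
            raise ValueError(f"{name} score {scores[name]} outside 1..10")
    return sum(scores[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def risk_exposure(asset_priority: int, scores: dict) -> float:
    """Risk Exposure = Asset Priority x Threat Rank."""
    if not 1 <= asset_priority <= 10:
        raise ValueError("asset priority must be on the 1..10 scale")
    return asset_priority * threat_rank(scores)


def prioritize(assets: dict, threats: list) -> list:
    """Return (exposure, threat) pairs, highest exposure first."""
    ranked = [(risk_exposure(assets[t.asset], t.scores), t) for t in threats]
    return sorted(ranked, key=lambda pair: pair[0], reverse=True)


# Constructed sample worksheet: asset priorities (1-10) and two STRIDE threats
SAMPLE_ASSETS = {"mail server": 7, "public web site": 9}
SAMPLE_THREATS = [
    Threat("mail server", "Spoofing", "Forge e-mail messages",
           dict(damage=5, reproducibility=9, exploitability=8,
                affected_users=6, discoverability=9)),
    Threat("public web site", "Elevation of privilege",
           "Exploit buffer overrun to gain system privileges",
           dict(damage=10, reproducibility=6, exploitability=4,
                affected_users=10, discoverability=5)),
]

if __name__ == "__main__":
    for exposure, t in prioritize(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{exposure:5.1f}  {t.stride:<22} {t.asset}: {t.description}")
```

With these constructed scores the web-site privilege-escalation threat (9 x 7.0 = 63.0) outranks the mail spoofing threat (7 x 7.4 = 51.8), even though the latter scores higher on the DREAD factors alone.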
Assessment: Security Risk Tracking, Planning, and Scheduling
Example Worksheets
Detailed Security Action Plans
Development and Implementation
Security Remediation Strategy
Detailed Security Action Plans
Configuration management
Patch management
System monitoring
System auditing
Operational policies
Operational procedures
Production Environment
Testing Lab
Knowledge Documented for Future Use
Operation: Reassess Assets and Security Risks
Reassess risks when there is a significant change in assets, operation, or structure
Assess risks continually
Production Environment
Documented Knowledge
Testing Lab
New Web Site
Internet Services
Operation: Stabilize and Deploy New or Changed Countermeasures
System Administration Team
New or Changed Countermeasures
Production Environment
Security Administration Team
Network Administration Team
Defense in Depth
The Defense-in-Depth Model
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Data: ACLs, encryption, EFS
Application: application hardening, antivirus
Host: OS hardening, authentication, patch management, HIDS
Internal Network: network segments, IPSec, NIDS
Perimeter: firewalls, Network Access Quarantine Control
Physical Security: guards, locks, tracking devices
Policies, Procedures, & Awareness: security documents, user education
Description of the Policies, Procedures, and Awareness Layer
"Hey, I need to configure a firewall. Which ports should I block?"
"They have blocked my favorite Web site. Lucky I have a modem."
"I think I will wedge the computer room door open. Much easier."
"I think I will use my first name as a password."
Policies, Procedures, and Awareness Layer Compromise
"Say, I run a network too. How do you configure your firewalls?"
"Hey, nice modem. What's the number of that line?"
"Hi, do you know where the computer room is?"
"I can never think of a good password. What do you use?"
Policies, Procedures, and Awareness Layer Protection
Employee security training helps users support the security policy
Description of the Physical Security Layer
All of the assets within an organization’s IT infrastructure must be physically secured
Physical Security Layer Compromise
View, Change, or Remove Files
Damage Hardware
Remove Hardware
Install Malicious Code
Physical Security Layer Protection
Lock doors and install alarms
Employ security personnel
Enforce access procedures
Monitor access
Limit data input devices
Use remote access tools to enhance security
Description of the Perimeter Layer
(Diagram: Main Office LAN connected to a Business Partner LAN, a Branch Office, a Remote User, a Wireless Network LAN, the Internet, and Internet Services)
Network perimeters can include connections to:
The Internet
Branch offices
Business partners
Remote users
Wireless networks
Internet applications
Perimeter Layer Compromise
Network perimeter compromise may result in a successful:
Attack on corporate network
Attack on remote users
Attack from business partners
Attack from a branch office
Attack on Internet services
Attack from the Internet
Perimeter Layer Protection
Network perimeter protection includes:
Firewalls
Blocking communication ports
Port and IP address translation
Virtual private networks (VPNs)
Tunneling protocols
VPN quarantine
Description of the Internal Network Layer
(Diagram: internal network segments for Sales, Marketing, Finance, Human Resources, and a Wireless Network)
Internal Network Layer Compromise
Unauthorized Access to Systems
Unexpected Communication Ports
Unauthorized Access to Wireless Networks
Sniff Packets from the Network
Access All Network Traffic
Internal Network Layer Protection
Require mutual authentication
Segment the network
Encrypt network communications
Restrict traffic even when it is segmented
Sign network packets
Implement IPSec port filters to restrict traffic to servers
Description of the Host Layer
Contains individual computer systems on the network
Often have specific roles or functions
The term “host” is used to refer to both clients and servers
Host Layer Compromise
Exploit Unsecured Operating System Configuration
Distribute Viruses
Exploit Operating System Weakness
Unmonitored Access
Host Layer Protection
Harden client and server operating systems
Disable unnecessary services
Monitor and audit access and attempted access
Install and maintain antivirus software
Use firewalls
Keep security patches and service packs up to date
Windows XP SP2 Advanced Security Technologies
Network protection
Memory protection
Safer e-mail handling
More secure browsing
Improved computer maintenance
Get more information on Windows XP Service Pack 2 at http://www.microsoft.com/sp2preview
Description of the Application Layer
Layer includes both client and server network applications
Functionality must be maintained
Client Applications – examples: Microsoft Outlook, Microsoft Office Suite
Server Applications – examples: Web servers, Exchange Server, SQL Server
Application Layer Compromise
Loss of application functionality
Execution of malicious code
Extreme use of application – DoS attack
Undesirable use of application
Application Layer Protection
Enable only required services and functionality
Secure internally developed applications
Install security updates for all applications
Install and update antivirus software
Run applications with least privilege necessary
Use latest security practices when developing new applications
Description of the Data Layer
Documents
Directory Files
Application Files
Data Layer Compromise
Interrogate Directory Files
View, Change, or Remove Information
Replace or Modify Application Files
Data Layer Protection
Encrypt files with EFS
Use NTFS for file and folder-level security
Use a combination of access control lists and encryption
Move files from the default location
Perform regular backups of data
Protect documents and e-mail with Windows Rights Management Services
Security Incident Response
Incident-Response Checklist
Recognize that an attack is under way
Identify the attack
Communicate the attack
Contain the attack
Implement preventive measures
Document the attack
Containing the Effects of the Attack
Shut down affected servers
Remove affected computers from the network
Block inbound and outbound network traffic
Take precautionary measures to protect computers not yet compromised
Preserve the evidence
Best Practices
Security Best Practices
Follow the defense-in-depth model
Strive for systems that are secure by design
Apply the principle of least privilege
Learn from experience
Use monitoring and auditing
Train users to be aware of security issues
Develop and test incident-response plans and procedures
Security Checklist
Create security policy and procedure documents
Subscribe to security alert e-mails
Keep up to date with patch management
Maintain regular backup and restore procedures
Think like an attacker
10 Immutable Laws of Security
The 10 Immutable Laws of Security, Part 1
1. If an attacker can persuade you to run his program on your computer, it is not your computer anymore
2. If an attacker can alter the operating system on your computer, it is not your computer anymore
3. If an attacker has unrestricted physical access to your computer, it is not your computer anymore
4. If you allow an attacker to upload programs to your Web site, it is not your Web site anymore
5. Weak passwords prevail over strong security
The 10 Immutable Laws of Security, Part 2
6. A computer is only as secure as the administrator is trustworthy
7. Encrypted data is only as secure as the decryption key
8. Out-of-date antivirus software is only marginally better than no antivirus software at all
9. Absolute anonymity is not practical in real life nor on the Web
10. Technology is not a panacea
http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp
Session Summary
Business Case
Security Risk Management Discipline
Defense in Depth
Security Incident Response
Best Practices
10 Immutable Laws of Security
Next Steps
Find additional security training events:
http://www.microsoft.com/seminar/events/security.ms
Sign up for security communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Get additional security tools and content:
http://www.microsoft.com/security/guidance
Event Information
What’s Next?
Technical Roadshow Post Event Website
www.microsoft.com/uk/techroadshow/postevents
Available from Monday 18th April
Please complete your Evaluation Form!
http://www.microsoft.com/TwC
© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.