2002-05-20-MDE-3hr-TechCoordTeleconference


Information Security
Mark Lachniet
[email protected]
Analysts International
Introductions
• Mark Lachniet ([email protected])
• Senior Security Engineer at Analysts
International – Sequoia Services Group
• Technical lead for the Security Group
• MCNE, MCSE, CCSE, LPIC-1
• Worked for 6 years as a technician and later
the IS Director at Holt Public Schools
• Former board member and conference
organizer for MAEDS (http://maeds.org)
• Frequent presenter at MAEDS, MACUL,
MIEM and for private engagements
Purpose of Today’s Presentation
• Provide a macroscopic overview of security
issues, technologies, and concerns for schools
– General Overview
– Operations Security
– Physical Security
– For administrators and technicians
– Will be presented first. Non-technical people may not need
to hear about server hardening, but technical people
definitely need to hear everything
• Provide technical information about specific
technologies of concern
– Network Security
– Host Security
Purpose of Today’s Presentation
• Provide links, works cited and
references for continued research and
investigation
• Provide time for discussion (via e-mail)
about specific issues of concern
• Most importantly – to raise awareness.
Things are bad in computer security,
and we don’t want Michigan schools to
be a casualty!
Agenda
• Security Background
• Operations Security
• Physical Security
• Network Security
– Wireless
• Host Security
– Macintosh (OS/X)
– Novell Netware
– Linux / UNIX
– Microsoft
• Short breaks about every 45 minutes for
questions and more coffee
General Overview
Computer Crime on the Rise
• We know that computer security is a real
problem. We are here, aren’t we?
• September 11th has further raised the bar on
computer security awareness and funding
• Computer security is about economic impact –
our reliance on the Internet and computers mean
that our livelihood can be threatened by digital
attackers from around the world
• Consider how skittish the stock market is, and
how it affects the overall economy
• More and more people are getting connected
• Tools and attacks are increasingly easy to find
and use, lowering the intellectual bar
The CSI Computer Crime and
Security Survey
• The CSI survey, released 4/7/2002 has some
very interesting pieces of information:
• 90% of respondents detected a security
breach within the last 12 months. Have you?
If not, it is probably happening without your
knowledge!
• 44% of respondents were able to quantify
their losses due to a security breach. The
result was $455,848,000 over 223 respondents,
for an average loss of $2,044,161 each
The CSI Computer Crime and
Security Survey
• 74% of attacks cited were against the Internet
border and devices (web servers, firewalls)
• 33% of attacks cited were against internal
systems (internal file/print, workstations)
• 40% detected penetrations from the outside
• 40% detected Denial of Service (DoS) attacks
• 78% detected employees abusing privileges
(pornography, pirated software, etc.)
The CIA Triangle
Confidentiality
Integrity
Availability
The CIA Triangle
• Confidentiality
– The unintended or unauthorized disclosure of
computer data or information
• Integrity
– The unintended or unauthorized modification of
computer data or information
• Availability
– The loss of service of critical applications, systems,
data, networks or computer services
• K-12 Schools need to worry about all
three!
Reasons for Security in
K-12 Education
• Funding requirements (USF)
• Integrity of critical data
• Public opinion / negative publicity
• Student safety & disciplinary issues
• Avoid costly litigation
• Lost productivity, both for technical and non-technical personnel
• Lost educational potential, inability to teach
on broken computers, lost files, etc.
• To be a good Internet citizen
Important K-12 Data to Protect
• Grades / Attendance: changing (for better or
worse) student grades or attendance: School
Accreditation, state funding (count day) etc.
• Information considered private: SS#, special
education status, free lunch programs, notes from
councilors, discipline, medication (Ritalin), etc.
• Integrity of financial data – online PO’s,
budgetary information (balances, accounts,
responsibility reports)
• Payroll and Human Resources – criminal history,
disciplinary actions, disability, etc.
• Educational and administrative documents –
tests, lessons, etc. These are essentially
“congealed money”
Protecting Students and Staff
• We must protect children and staff who are
threatened by electronic means
• Pedophiles, stalkers, and bad people
• Student to student threats, assault
• Recorded information about drugs, sexual
activity, abuse, gang activity, violence, or
other crime
• Questionable Internet content – bombmaking instructions, how to hack, etc.
• The problem of IM and chat rooms
• Student info – last names & pictures
• South Carolina’s law
The Public
• As a public school employee, anyone can question
or criticize your methods and actions at a school
board meeting, PTO or school function, or in the
media
• Bad security may expose the district to significant
lawsuits, especially for failing to protect
children’s information such as special ed. status
• Bad security can (and eventually probably will)
equal bad publicity, as more than one local
district knows
• Be aware of FOIA laws – what can they legally
obtain??? All e-mail? What is protected?
• And… of course… Internet filtering.
Downtime and Discipline
• Broken systems – deleted files, missing
software, physical vandalism
• Prevents students from learning
• Requires extensive time and $$ to fix
• Frequently leads to disciplinary action. The
computer tech as computer-narc (Think S.C.)
• Take good notes of what you do
• Learn to use Windows Find! Alt-PrtScn it,
print it out, and start a file
• Parents….. “my son would never do that!”
• Hopefully, it takes less time to proactively
secure things than to fix them
Justifying the Cost of Security
• Security work can be expensive! It takes
tools, training and time (or money to hire out)
• Compared to “firefighting”, yearly
replacement, keeping servers running, and
imaging workstations, it is usually not seen as
a priority (until there is an incident, anyway)
• Or worse, it is a priority but nobody ever gets
the time to do it
• Talk to the school board, H.R. and Finance
directors, and superintendents about the risk
(and get help from someone)
• Security is a proactive cost savings, not
reactive
Scare Them… With Reality
• Discuss the frequency of computer breaches
in the media and at peer organizations
• The national cost of computer incidents –
Code Red alone = $1.2 BILLION
• Compute the cost in lost productivity if the
HR, payroll, or student system dies (lots!)
• Discuss the cost of a lawsuit. Even a lawsuit
without merit will cost thousands of dollars
• Discuss the need for student safety – could a
child be exposed to harm due to a failure in
the existing system? Can you put a price on
that?
Scare Them… With Reality
• Discuss the educational ramifications – what
if all student and staff directories were wiped
out and no backups existed?
• Discuss privacy issues – some choice e-mail
from the superintendent’s or spec. ed
director’s account being sent to the local
paper for example
• Loss of USF funding, loss of accreditation?
• Loss of community confidence and support
• Loss of valuable computer technician time
that could otherwise be spent keeping
everything working properly
• Loss of YOUR JOB!
Hacking
The Goal of Network Security
• Simply put: “To be more annoying to
break into than your neighbor”
• The house and neighborhood metaphor
• Increase the “work factor” of attacking
you by erecting as many barriers as
possible (defense in depth)
• Ultimately, network security is all about
preserving the functionality of the
organization. Technology is just the
tool.
Why People Hack (Crack)
• Crackers are generally regarded as being
motivated by one of four primary reasons:
– Economic gain (espionage, embezzlement)
– Egocentric (to prove they can do it, play
god, get recognition from other crackers)
– Ideological (to prove a political point –
attacking the World Trade Organization or
NATO web sites for example)
– Psychotic (they are just sick in the head
and probably destructive)
Types of Hack Attacks
• Reconnaissance – Scan networks and online
resources (whois, DNS), dumpster diving, etc. to
gain interesting information about the target.
Typically non-invasive, usually untraceable
• Exploits – Attack servers in an attempt to exploit
a system vulnerability of some kind (e.g. NIMDA,
Code Red, etc.) Very invasive, can be detected by
IDS systems or careful log analysis
• Denial of Service (DoS) – Attack servers to take
them down and render them unusable. You will
probably know when this is happening from the
complaint phone calls
Types of Hack Attacks
• Attacks can be both personal and manual, or
automated and generic
• Many attacks are the result of systems that have
already been attacked, and are now attempting to
hack other machines. NIMDA was a good example of
this. Usually the system owners have no idea what is
happening
• If you monitor any Internet connection long enough
(say, 15 minutes) you are bound to see attacks coming
through. It is just part of doing business nowadays
• It is the manual attacks that you need to be worried
about – deliberate, careful, and focused
• Most hackers aren’t that smart – they just use
programs given to them – and are thus known as
“script kiddies”
Common Security Practices
• Security is a nascent field in many respects
• Terminology, procedures and skill levels vary
drastically between people and organizations
• Some disagreement over what best practices
actually are (i.e. the best placement of an IDS)
• Few objective benchmarks to allow “apples to
apples” comparisons for HW, SW, Services
• There is a big technical curve for security –
you must first be an expert in the technology,
and then learn security on top of it
• Whether you do it internally or get external
help, it needs to be done
What We Have to Work With
Common Security Services
• A firewall and Internet border security is
simply not enough! This gives rise to the
“candy” network – hard on the outside, soft
on the inside (and tasty for attackers, too)
• Embrace the concept of “defense in depth.”
In other words, have security at multiple
layers and in many places to make attacks as
difficult as possible.
• There is value in getting help from an
external perspective – there is less ego on the
line and a fresh viewpoint
Vulnerability Assessments
• Sometimes called “penetration testing”
• Uses scripts and vulnerability assessment
tools such as “Nessus” and the “ISS Internet
Scanner” to scan all hosts for all known
vulnerabilities
• Also uses “human logic” to find problems –
manually connecting to services, analyzing
portscans, researching various software
packages, making connections, etc.
• Human logic is the most important step!
Anyone can run a scanner program, but
interpreting results and applying knowledge
of the technologies involved is essential.
Vulnerability Assessments
• People and companies that specialize in
security are important for a good
vulnerability assessment project
• The deliverable of a vulnerability assessment
should include a list of all IP addresses, open
ports, explanation and ranking of
vulnerabilities, and hopefully some dialog on
how to start fixing them
• Vulnerability assessments should be done
regularly – new vulnerabilities come out all
the time – so you must stay up to date
• Be warned – other people are assessing your
network. Are you?
Security Assessment Services
• Sometimes called an audit
• Sometimes performed in a very limited capacity
by financial auditors (mainly backup systems)
• Can be used to audit an actual environment
against a set criteria, for example to determine
compliance
• Should be performed by one or more individuals
with backgrounds in both network systems and
organizational administration
• Takes a macroscopic view of the organization
• Analyze technology as well as policies and
procedures, configurations, and other items that
a tool cannot assess
Security Assessment Services
• Uses interviews, inspection of documentation,
and manual analysis (depending upon the
focus)
• Should make recommendations on a wide
variety of things to improve security
• Should provide a description of the current
situation, what best practices are, and what
the recommended changes are
• Should provide for estimation of pricing and
priority, so that it could be used as a planning
document for department priorities and
budgets
Example Recommendations
Physical Security
Project #1: War Dial Telephone Exchanges
Project #2: Improve Physical Security
Network Security
Project #3: Audit Firewall Configuration
Project #4: Implement RFC 1918 addressing
Machine Security
Project #5: Secure Externally-Maintained Machines
Project #6: Deploy warning banners
Policies and Procedures
Project #7: Security Awareness and Responsibilities
Project #8: Improve User Password Security
Disaster Recovery Planning
• Concerned with minimizing the effect of a problem
with a technological system
• Focuses on things like tape backup, off-site storage,
network and machine redundancy, and recovery
procedures
• Must identify critical assets, and all of the resources
that support them (power, network, etc.)
• Put into place preventative measures and recovery
procedures
• DRP is highly interactive and labor-intensive,
primarily conducted through lots of interviews
• In the private sector, failure to have a Disaster
Recovery Plan in place constitutes a failure of due
diligence, and CEOs can be held legally liable for
damages
Business Continuity Planning
• BCP is similar to DRP, but it looks at the health of the
entire organization, and not just technological
systems
• Why? Approx 65% of businesses that are down for
more than a week never recover! School must
continue regardless, but it will cost a fortune, and
that may mean cutting back on services and
employees to compensate (you won’t be popular)
• BCP looks at things like alternate locations, backup
telephone systems, contacting employees, interfacing
with public service agencies and the media, forming
relationships with support vendors, etc.
• BCP typically is larger than, and contains, DRP
measures
• Takes even longer than DRP
VPN / Remote Access Services
• Providing remote access to school resources from
outside of the network is risky
• Access should only be given to those with a
legitimate need (not just complainers)
• Frequently, programs like PC/Anywhere, VNC,
and dial-up modem pools are used. Bad!
• A better option is to use VPN devices
• Can use the existing Internet connection, and
reduce the reliance on dial-up lines to save $
• Can enforce proper authentication, provide
logging, and protect traffic through the use of
encryption
• Can be used for client-site or site-site
Intrusion Detection Systems
• Are designed to detect (and sometimes
respond to) significant security events
• Configuration is critical to success!
• IDS works in two ways:
– Signature matching, like antivirus software
– Pattern matching, finding strange
behaviors or fluctuations from the norm
(ie, a DoS attack)
Intrusion Detection Systems
• IDS comes in a few different forms:
– Network based, “sniffs” the network
– Host based, monitor local traffic and API calls
– Intrusion Prevention Systems, a combination of other
types but with the ability to intercept and *stop*
attacks (e.g. Entercept)
– Filesystem integrity based, monitor changes in the
filesystem, registry, routers, etc. for changes (e.g.
TripWire)
• Popular IDS Systems:
– Snort (free, open source, harder to manage)
– ISS RealSecure (nice, but expensive)
– Cisco Secure IDS (great for internal switches,
especially)
Intrusion Detection Systems
• Can be configured to take different actions upon
noting an event such as logging to a database, sending
an e-mail or page to a network admin, or working
with a firewall or router to block the attack
• Be warned of active response IDS systems! What
happens if I spoof an attack from your DNS server?
• IMO, IDS systems are somewhat overrated because
of the sheer volume of attacks that occur on a daily
basis
• Without very careful configuration, especially sensor
placement and signature tuning, you could be so
overwhelmed by alerts that you can’t filter the noise
from the important stuff
• Are probably best suited for the internal network, or
on a DMZ network with a heavily tuned signature
database
Server Hardening
• Probably the single most important aspect of security
• A firewall cannot protect an insecure host
• Hardening includes a number of steps including
keeping up to date with patches, and other proactive
steps
• Simply keeping up with patches is not true hardening
• True hardening takes steps to make a compromise
more difficult – even for exploits that have not yet
been discovered
• Server hardening is time consuming, especially on NT
and UNIX systems, and requires a lot of upkeep
• We will discuss server hardening in the technical
portion of this presentation
Operations Security
Operations Security
• Concerned with ways to mitigate security
risks through administration – policies,
procedures and practices
• The weakest link in the security chain is the
individual human (or as Dilbert calls them,
“in-duh-viduals”)
• Part of “defense in depth”
• Administration support is critical to any
security initiative
• Helps to minimize risk, respond to incidents,
and establish standards for how things should
be done
Personnel Controls
• Pre-hiring background checks for important
positions. Do they have a criminal history with
computers? Did they lie on their resume? Do they
have heavy debt?
• Coordinate user ID practices with human resources:
– Hirings (create new IDs)
– Firings (delete all IDs)
– Position Changes (change ID rights)
• Requires that the IS department maintain a list of all
places where IDs are stored! Do you have this?
• Create an “ID Maintenance” form as part of the H.R.
standard procedures? Require sign-off on AUP
• Create checks and balances in power such that no
single individual can take a process from start to
finish by themselves. Especially in regards to money
(payroll, POs, etc.)
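One way to put the "coordinate user IDs with HR" and "maintain a list of all places IDs are stored" points into practice is a periodic reconciliation of the HR roster against an account export from every system. This is an added example, not part of the presentation; the roster, system names and account records are constructed sample data.

```python
"""Reconcile an HR roster against account exports from every system that stores IDs.

Added example (not from the presentation). All records below are constructed.
The three findings map to the HR coordination list in the slides:
hirings (handled by HR), firings (delete all IDs), position changes (change rights).
"""
from dataclasses import dataclass


@dataclass
class HrRecord:
    employee_id: str
    name: str
    status: str   # "active" or "terminated"
    role: str     # current position, used as the expected account rights


@dataclass
class Account:
    system: str        # where the ID is stored, e.g. "netware", "sis", "payroll"
    user: str
    employee_id: str   # link back to HR; empty or unknown means an orphan
    rights: str        # role the account was provisioned for


# Constructed sample data.
HR_ROSTER = [
    HrRecord("E100", "A. Teacher", "active", "teacher"),
    HrRecord("E101", "B. Clerk", "terminated", "payroll-clerk"),
    HrRecord("E102", "C. Aide", "active", "aide"),   # moved from teacher to aide
]

ACCOUNTS = [
    Account("netware", "ateacher", "E100", "teacher"),
    Account("sis", "ateacher", "E100", "teacher"),
    Account("payroll", "bclerk", "E101", "payroll-clerk"),  # firing never reached payroll
    Account("netware", "bclerk", "E101", "payroll-clerk"),  # ... or the file server
    Account("sis", "caide", "E102", "teacher"),             # position change not applied
    Account("netware", "ghost", "E999", "admin"),           # no HR record at all
]


def reconcile(roster, accounts):
    """Group every account that disagrees with HR into one of three action lists."""
    by_id = {r.employee_id: r for r in roster}
    findings = {"delete": [], "rights_mismatch": [], "no_hr_record": []}
    for acct in accounts:
        rec = by_id.get(acct.employee_id)
        if rec is None:
            # Nobody in HR owns this ID: either a contractor nobody documented or a backdoor.
            findings["no_hr_record"].append((acct.system, acct.user))
        elif rec.status == "terminated":
            # Firing: every ID, on every system, must go.
            findings["delete"].append((acct.system, acct.user))
        elif rec.role != acct.rights:
            # Position change: rights still reflect the old job.
            findings["rights_mismatch"].append((acct.system, acct.user, acct.rights, rec.role))
    return findings


def systems_inventory(accounts):
    """The list of every place IDs are stored, derived from the exports themselves."""
    return sorted({a.system for a in accounts})


if __name__ == "__main__":
    print("Systems holding IDs:", systems_inventory(ACCOUNTS))
    for action, items in reconcile(HR_ROSTER, ACCOUNTS).items():
        print(f"{action}: {items}")
```

The export step itself differs per system; the point is that the comparison only works if the systems list is complete.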
Acceptable Use Policies
• Should be well-plowed ground for most school
districts, so we’ll just touch on it
• Provides guidance and expectation settings on what
behavior is acceptable and unacceptable
• Should apply to both students and staff
• Should use “implicit deny” language
• Should state that all equipment is the property of the
district and may be monitored at any time
• Should require sign-off on the part of users to
document that they have read it and agree with the
requirements
• Should address password security
• Should address information privacy standards such
as the treatment of confidential data (special ed
records, etc.)
Warning Banners
• Use warning banners when possible
• Functions somewhat like an AUP, and can
contain the AUP itself (or items of it)
• Can provide additional legal ammunition in
the event that something needed to go to court
• Should be placed on public servers (web
server, e-mail servers, etc.) and on local
workstations
• Should contain three distinct statements:
– Definition of the appropriate use of the resource
– Warning that the system is monitored
– That there is no expectation of privacy
• http://www.ciac.org/ciac/bulletins/j-043.shtml
Formal I.S. Staff Security
Responsibilities
• Security takes time! If nobody is given sufficient
time to keep up with security, it will never happen
• The buck must stop somewhere. Who is responsible
for it?
• Define explicit security responsibilities for one or
more staff members such as firewall maintenance, log
review, server patching, etc. (good on a resume)
• Document these responsibilities and how they are
done – this will help in the case of a vacation or staff
change (hit by a bus or wins the lotto, you choose)
• Provide tools and training opportunities (such as
SANS, or Microsoft for K-12 security training)
• Put it in the budget!
Formal Employee Security
Responsibilities
• Every computer user has responsibilities they
must live up to (or not use the computers)
• For example - don’t share passwords, don’t
write passwords on sticky notes, don’t use
your last name as your password, etc.
• Information privacy – don’t store confidential
information in an inappropriate place
• Don’t let student aides log into the student
information system to enter grades
• Don’t let students use a teacher ID
• This and more needs to be in the AUP and
also reinforced!
Incident Response Plans
• Have a plan in place on how to respond to
security incidents before it happens
• May be different for student discipline vs.
external hacks
• It is better to plan ahead than to figure it out
when you are under stress
• What are the criteria for alerting superiors?
• What are the criteria for alerting law
enforcement?
• Who will be responsible for responding?
• How will the response be escalated?
• What type of documentation will you keep?
Change Control
• Change control is the process of requesting
changes to systems, implementing and testing
them, and documenting results
• Security can be improved through change
control because it reduces error and improves
availability
• Keep detailed records of before and after
configurations
• Require approval of changes by another party
to ensure that the change is appropriate,
needed, and does not create problems
• Test changes on a non-production system
prior to full implementation
Security Awareness
• Staying abreast of the latest issues and
solutions in security is critical
• Administrators must budget for and offer
training opportunities to technical staff
• Administrators should require that technical
staff be signed up for security listservs such
as:
– BugTraq / NT BugTraq (www.securityfocus.com)
– Microsoft Bulletins (security.microsoft.com)
• Consider conducting regular internal
trainings on security topics
• Consider ways to keep staff up to speed
Physical Security
Why Physical Security?
• Without physical security, all other measures
can be circumvented
• For example, if I can boot a computer, I can
probably enter some kind of single user mode
(bootable CD’s, single user mode, etc.)
• There are many types of physical attacks as
well (such as key loggers)
• Access to critical areas such as wiring closets
can provide unrestricted access to the
network or damage of equipment (“oooh, look
at the blinky lights”)
• Physical security is needed to prevent the loss
of equipment
The $59 KEYkatcher
• The hardware key logger – no
need to install any software
whatsoever
• Could be placed on a server, log
a few passwords, and then
removed
• Could be placed on a “broken”
student workstation, then scarf
the password when you turn off
your desktop protection and log
in as admin to fix the problem
• If this doesn’t scare you, you
aren’t really paying attention
• Only $59 each from
TigerDirect.com
KeyKatcher
Physically Securing Servers
• As you can see from the last example,
restricting physical access to the console is
important
• There are other steps to take such as:
– Set the BIOS to boot to C: only
– Use a BIOS admin password (though it can be beaten)
– Disconnect floppy and CD-ROM drives (since they can be
booted or be used to bring in malicious code)
– Lock the cases to stop modifications or “walkaway RAM”
– Beware of other system ports such as USB!
– Set swap file to be deleted on shut-down
– Don’t allow booting to DOS or another OS
– Use Encryption on the filesystem
The $40 USB Hard Drive
• Now there are USB storage devices that work
like hard drives
• These are harder to restrict
• Can be used to bring in hacking software, and
circumvent security
• If USB is not needed, perhaps turn it off or
disable the loading of new drivers
• Windows XP will automagically load drivers
for these when detected!
Physical Availability
• Also keep in mind availability as a security
requirement
• Use redundant power supplies and other
types of hardware
• Use RAID-5 striping or RAID-1 disk
mirroring on critical applications
• Be aware of power conditioning needs and
UPS systems
• Consider the use of Storage Area Networks
(SANs) for highly-available and centrally
managed storage
Environmental Control
• Temperature is an obvious problem – if it’s too
hot, things can overheat and fail. If they are
too cold, media and LCDs can be damaged
• Too much humidity = corrosion
• Too little humidity = static shock
• Be aware of fire control systems – where are
the sensors located? What type of fire
extinguisher systems are in use? Where are
the output heads located?
• Ever think of the water sprinkler above your
servers? What would happen if it
went off?
Network Infrastructure
The Importance of a Good Net
• Firewalls and routers aren’t enough to
protect you, but you still need them
• There are two critical factors:
– Control – Restrict communication between parties
(the Internet to the DMZ, the Internet to the
inside, inside to inside, etc.)
– Accountability – There must be audit trails and
logging sufficient to recreate a sequence of events.
Without accountability, you will never know how
your network is being used
The Unprotected Network
• This is really, really bad! There is no protection at all
• All hosts are directly connected to the Internet
• All hosts can theoretically be attacked
• Typically found in very small schools or universities
• For goodness’ sake, get a firewall!
• Juicy targets for hacking and setting up servers for
pirated software, etc.
The Firewalled Network
• Network access to inside is controlled at the firewall
• “Sacrificial” hosts are unprotected outside the fw
• Ideally, RFC1918 addressing and Network Address Translation
(NAT) are used on the inside network
• Strict access control lists are used to stop all incoming traffic to
the inside network
• Rely on hardening of Internet servers for protection
The Pseudo-DMZ Network
• Internal hosts are made available to the outside –
usually for web and mail servers (often Exchange)
• This is better than nothing, but still a very bad idea!
• Internal systems are exposed to the Internet, if one of
them can be hacked, it can be used to hack the rest of
the Internal network (the leapfrog!)
The True DMZ Network
• Internet servers are on a DMZ network and protected by
the firewall with access control and logging
• The DMZ cannot talk to the inside (no leapfrog)
• DMZ servers may use RFC1918 addressing & NAT
• Easier to maintain and monitor critical servers
• The inside is protected
Use Network Address
Translation (NAT)
• Best practices dictate that you use RFC1918
addresses such as:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/24
• Use one-to-one NAT for externally accessible hosts or
special clients (such as a DMZ)
• Use many-to-one (PAT, IP Masquerading, overloaded
nat) for internal client access to the Internet
• NAT can break a lot of software, so be aware of
address translation issues – anything that requires a
host-to-host communication channel
• Use ACLs (access control lists) to deny all traffic
except for that which is needed
Client VPN Services
• As before, but with a VPN concentrator as a means of
ingress to the network
• Clients use VPN client software over the Internet
• Beware split tunneling! (leapfrog)
Site to Site VPN
• Using firewalls or VPN devices, traffic between
district#1 and district#2 is encrypted across the net
• Assumes compatible addressing! Have a plan!
• Useful for sharing resources, hooking schools up to a
WAN when all you have is cable modems and DSL
• Client access still possible
IDS Sensor Placement
• Where you “listen” is critical – inside, outside, DMZ
• Outside = see all the attacks, be overwhelmed
• DMZ = see a lot of attacks, manageable with tuning?
• Inside = see internal attacks, or those that somehow
got in, but no monitoring of Internet servers
• DMZ and Inside best?
The “Partner Problem”
• Partners connected behind the firewall!
• Common for vendor maintenance, services
• No control over the partner’s security!
• These connections should be controlled by a firewall
• Never trust a vendor or partner!
E-mail Virus Filtering
• Work as an inline proxy, reverse arrows for outgoing
• ACL allows SMTP Internet → DMZ, DMZ → Inside
• Example product – Trend Micro Virus Wall
• Can protect ANY SMTP server, but only if inline. Use special
agent software for mail server databases (Guinivere, NAV, etc.)
• Doesn’t protect e-mail between internal users
• Filter e-mail CONTENT?
Content Virus Filtering
• Works much like a content filter – can intercept transparently
via the firewall, or by browser proxy settings
• Must integrate with content filtering and proxy caching!
• Good for stopping web attacks over HTTP, FTP, etc.
• May or may not be able to look inside of HTTPS
• Must make this network path mandatory (filter port 80 except
from the virus content filter)
Web Access Servers
• Model used for Groupwise / Outlook Web Access
• Put the web server component on the DMZ, allow
Web Access server to talk ONLY to internal mail
• Groupwise web access on DMZ is relatively secure
• Outlook web access is a problem – must open full
NetBIOS access between the OWA server and the
inside. An accident waiting to happen!
• Relay SMTP if needed
Wireless Security
• Wireless security has typically been very bad
• Uses WEP encryption up to 128bits, but only if
properly configured on the AP and on the client
• WEP can be broken within a few hours given the
proper hardware and software (freely available)
• Signals leak further than you may think, giving access
to your network from areas outside of your physical
control (like the street)
• “Wardriving” is becoming very popular – drive
around in a car w/ an omnidirectional antenna and a
GPS to locate insecure access points
• Geographical databases are being compiled that give
the coordinates of insecure networks
• Newer products have true security (radius)
Wireless Security
• Net Stumbler is one popular utility
• Above are all the access points between work
(Lansing) and home (Haslett), many of which were
found at 45mph on Mount Hope Highway
• Be afraid. Be very afraid.
My Wireless Solution
• Only trust wireless users as much as Internet users
• Put the WAP on a DMZ, require VPN access to the
internal network
• Disallow all other access (e.g. wireless to the Internet)
• This will allow strong authentication and logging for use of
internal servers
• Should stop abuse (freeloading)
Logging and Reporting
• In order to know how your network is being
used, you need to log all traffic
• Use reporting tools to summarize and make
sense of it!
• It’s too hard and time consuming to scan
through logs to find suspicious information
• Instead, use a log reporting tool such as “Web
Trends Firewall Suite” to make sense of it
• These tools should summarize information
such as host and protocol activity, usage
trends, most popular hosts, etc.
• The “Cheap Man’s IDS”
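What a reporting tool does with firewall logs, reduced to its core, as an added example that is not from the presentation or any product. The log line format and the addresses are invented for the example; the summary fields (protocol and host activity, most popular services) follow the list above, and the "probable scan" flag is the cheap-man's-IDS idea: one source denied on many distinct ports.

```python
"""Summarise firewall log lines the way a reporting tool would.

Added example (not from the presentation). The line format below is assumed
for the example, not a real firewall's, and the addresses are constructed.
"""
import re
from collections import Counter, defaultdict

LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) fw (?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample log: normal browsing and mail from the inside, plus one
# outside host probing the web server on several ports. ICMP lines carry no ports.
SAMPLE_LOG = """\
2002-05-20 08:01:02 fw ACCEPT TCP 10.1.2.3:1034 -> 198.51.100.10:80
2002-05-20 08:01:05 fw ACCEPT TCP 10.1.2.7:1040 -> 198.51.100.20:25
2002-05-20 08:01:09 fw DENY TCP 192.0.2.44:3341 -> 203.0.113.5:21
2002-05-20 08:01:09 fw DENY TCP 192.0.2.44:3342 -> 203.0.113.5:22
2002-05-20 08:01:10 fw DENY TCP 192.0.2.44:3343 -> 203.0.113.5:23
2002-05-20 08:01:10 fw DENY TCP 192.0.2.44:3344 -> 203.0.113.5:80
2002-05-20 08:01:11 fw DENY TCP 192.0.2.44:3345 -> 203.0.113.5:139
2002-05-20 08:01:12 fw ACCEPT UDP 10.1.2.3:1035 -> 198.51.100.53:53
2002-05-20 08:01:15 fw ACCEPT TCP 10.1.2.9:1041 -> 198.51.100.10:80
2002-05-20 08:01:20 fw DENY ICMP 192.0.2.77 -> 203.0.113.5
2002-05-20 08:01:25 fw INFO link state change on outside
"""


def parse(text):
    """Return one dict per traffic line; lines in another format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, scan_threshold=5):
    """Host/protocol activity, most popular services, and sources that look like scans."""
    protocols = Counter(e["proto"] for e in events)
    actions = Counter(e["action"] for e in events)
    sources = Counter(e["src"] for e in events)
    destinations = Counter(e["dst"] for e in events)
    services = Counter(f'{e["proto"]}/{e["dport"]}' for e in events if e["dport"])

    # Distinct destination ports each source was denied on; many ports from one
    # source is the pattern a scan leaves behind.
    denied_ports = defaultdict(set)
    for e in events:
        if e["action"] == "DENY" and e["dport"]:
            denied_ports[e["src"]].add(e["dport"])
    probable_scans = sorted(src for src, ports in denied_ports.items() if len(ports) >= scan_threshold)

    return {
        "protocols": protocols,
        "actions": actions,
        "top_sources": sources.most_common(3),
        "top_destinations": destinations.most_common(3),
        "top_services": services.most_common(3),
        "probable_scans": probable_scans,
    }


if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```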
Web Trends Firewall Suite
Host Security
General Host Security
• Not nearly enough time to talk about
everything we need to!
• We must refer to OS hardening guides instead
– there are many good ones out there
• We will touch on a few highlights, things that
are perhaps not so obvious
• Make sure to properly configure auditing and
logging capabilities
• Make sure that machines are properly
patched
• Make sure that password security is
adequate
Hardening Guides
• http://nsa1.www.conxion.com/
Windows NT/2000, Cisco routers, e-mail
• http://www.sans.org
Windows, Solaris, Linux (not free)
• http://www.microsoft.com/security
Microsoft (of course)
• Analysts International Hardening Checklist
(Normally used internally)
Macintosh Security
Macintosh OS/X Security
• Warning: I am not a Macintosh expert. I am a UNIX
geek. I can only speak about the underlying packages
that are common to other platforms
• We’ll focus on OS/X because it is actually a UNIX-like
operating system underneath the hood
• Because of this, security must now be a bigger
concern than before
• OS/X is relatively secure by default – it is not set up as a
multi-user network server out of the box, and the root account is disabled
• Check out http://www.securemac.com for articles
• http://www.apple.com/support/security/security_updates.html for security updates so far
• Brush up on UNIX security, especially how privileges
work (su, sudo, root account, low level ports)
Macintosh OS/X Security
• One of the most dangerous security problems
on the Mac is actually from Microsoft
• IE 5.1 may allow a remote user to take over
your Mac (two problems so far, more to come)
• Microsoft office scripting / Macro viruses /
Exchange are always a problem
• Various issues with the UNIX apps underneath:
• Apache mod_ssl remote root compromise
• PHP, Tomcat, sudo, OpenSSH, etc. root
compromises
• Beware of password security!
• AppleTalk brute force attacks & tools
• Other brute force attacks (FTP, HTTP)
Macintosh OS/X Steps to Take
• Learn UNIX security (sorry!)
• Keep up to date with patches. Use the auto
updater if you are trusting or short on time
• Use workstation firewalling to block incoming
access to everything!
• Never run unnecessary services – Especially
the remote command line option and FTP
• Never run plaintext protocols like Telnet or
FTP, use SSH instead
• Don’t enable root access
• Use good Antivirus software (make sure it
works in both environments)
Novell Security
Novell Security
• Novell is not hacked casually, because it's not
that much fun
• There are some issues, though, that you
should know about
• http://www.nmrc.org/faqs/netware/index.html
is where to start reading
• There are several problems in older versions.
We will assume version 4.x or later
• Also assume that patches are up to date
(including GroupWise and Border Manager)
• Do not run the web server
Novell Security
• Check all accounts for inappropriate access
• Check user_template! Sometimes you can log
in as the template user with rights
• Check service accounts such as Arcserve,
backup, and GroupWise agents
• Physically protect the server – there is a
debug key combination that can disable the
console screen saver and dump you to the
console
• It is also possible to modify the disk directly
using Norton to disable the security settings
Novell Security
• Beware Pandora by NMRC.ORG
• A great tool for admins and hackers alike
• Great for auditing password security
• Can brute-force attack passwords from directory
services backup files: BACKUP.DS, BACKUP.NDS,
DSREPAIR.DIB – are these files lying around?
• Can also spoof and hijack connections and file copies
(use network switches and turn on packet signatures
to stop some of this)
• Put SET PACKET SIGNATURE LEVEL=3 as the
first line of STARTUP.NCF
• Numerous DoS attacks (the “yang” attack)
• Bad NDS permissions are common
Novell Security
• Never use RCONSOLE if possible (definitely
don’t put an rconsole password in the .NCF
file)
• Beware of Compaq Insight Manager
• Beware of the Web Server:
– Remove all sample code and unneeded stuff
– SEWSE.NLM allows read access to any file
– Multiple DoS attacks – Netware Remote Manager
– NDSOBJ.NLM allows browsing of NDS
– Old GW Web Access applet allows read access
– GWWEB.EXE allows read access
• Enable intruder detection
• Enable auditing of critical files
Linux / UNIX Security
Linux / UNIX Security
• Linux/UNIX is in some ways more secure than
other alternatives
• Open Source means that people can look for
security problems on their own, a mixed blessing
• Linux is the sum of a number of software pieces
by various people – the kernel, GNU libraries,
application software, etc.
• Thus, a bug in one of the applications can affect
the whole OS, especially if the process runs as
root
• Despite this fact, security is generally pretty good
by default, but it is still important to harden and
maintain the servers properly
• Use the NSA hardening guide
Linux Hardening
• Read the (free) Linux Administrator’s Security
Guide http://seifried.org/lasg/
• Do a minimal installation and add packages later
• Double-check for updates before putting on net
• Create your disk partitions wisely – separate partitions
for /tmp, /var and /home mean a user cannot hard-link
across into system directories, a full log or home partition
cannot fill the root filesystem, and each can be mounted
with options such as nosuid or noexec:
– /tmp (temp files)
– /var (log files, working files)
– /home (user files)
• Use a BIOS / LILO / GRUB password – otherwise anyone at
the console can boot to single user mode (‘linux single’ at the
boot prompt) and get a root shell without a password
• Use the ‘immutable’ attribute on the boot loader config so it
cannot be changed, even by root, without clearing the attribute
first: ‘chattr +i /etc/lilo.conf’ (check with ‘lsattr /etc/lilo.conf’)
UNIX Security
• Filesystem “gotchas”: setuid and setgid files,
writable files
‘find / -perm -4000’ and ‘find / -perm -2000’
(the older ‘-perm +4000’ spelling is GNU-only and no longer
supported; ‘-4000’ is portable, ‘/4000’ is the current GNU form)
• Remove setuid privs from unnecessary utils
such as ‘rlogin’ on single user systems
‘chmod -s /bin/rlogin’
• Find all files that are group-writable or world-writable (and
make sure they are not important!)
‘find / -perm -g+w’ and ‘find / -perm -o+w’
• World-writable scripts are a no-no (especially
those that are run by other users or by root)
‘chmod og-w bigscript.sh’
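The setuid/setgid and world-writable audit above, as an added example that is not part of the original presentation: it builds a throwaway directory tree with the bad modes in it (all file names are invented), runs the find(1) checks against that tree instead of / so it can be run safely anywhere, and then applies the chmod fixes the slide describes.

```shell
#!/bin/sh
# Added example, not part of the original presentation: build a throwaway
# directory tree containing the filesystem "gotchas" the slides describe,
# audit it with find(1) the way you would audit a real root filesystem, and
# fix what the audit turns up. Every file name below is invented.

# Create the sample tree under a temporary directory and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp" "$root/etc"
    : > "$root/bin/rlogin";       chmod 4755 "$root/bin/rlogin"        # setuid
    : > "$root/bin/wall";         chmod 2755 "$root/bin/wall"          # setgid
    : > "$root/tmp/scratch";      chmod 0666 "$root/tmp/scratch"       # world-writable data
    : > "$root/etc/bigscript.sh"; chmod 0777 "$root/etc/bigscript.sh"  # world-writable script
    : > "$root/etc/motd";         chmod 0644 "$root/etc/motd"          # harmless
    printf '%s\n' "$root"
}

# Octal "-perm -MODE" (all of the listed bits set) is POSIX and behaves the
# same on GNU and BSD find: -4000/-2000 catch setuid/setgid files,
# -0002/-0020 catch files writable by others/by group. Use / as "$1" for real.
find_setuid()         { find "$1" -type f -perm -4000; }
find_setgid()         { find "$1" -type f -perm -2000; }
find_world_writable() { find "$1" -type f -perm -0002; }
find_group_writable() { find "$1" -type f -perm -0020; }

count_lines() { wc -l | tr -d ' '; }

# Human-readable report showing the mode of each flagged file.
report_gotchas() {
    echo "== setuid ==";         find_setuid "$1"         | while read -r f; do ls -l "$f"; done
    echo "== setgid ==";         find_setgid "$1"         | while read -r f; do ls -l "$f"; done
    echo "== world-writable =="; find_world_writable "$1" | while read -r f; do ls -l "$f"; done
}

# Remediation: drop setuid/setgid from a utility nobody needs to run as root,
# and take write-for-others away from everything the world-writable audit found.
strip_suid() { chmod u-s,g-s "$1"; }
fix_world_writable_all() {
    find_world_writable "$1" | while read -r f; do chmod o-w "$f"; done
}

# Stand-alone demo: audit, fix, audit again, clean up.
tree=$(make_sample_tree)
report_gotchas "$tree"
strip_suid "$tree/bin/rlogin"
fix_world_writable_all "$tree"
echo "after fix: $(find_setuid "$tree" | count_lines) setuid, $(find_world_writable "$tree" | count_lines) world-writable"
rm -rf "$tree"
```

Keep the output of the first audit of a freshly installed machine; a setuid binary that was not in that list the next time you run it is exactly the kind of thing Tripwire is for, and this is the poor man's version.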
UNIX Security
• Turn off all unnecessary services
• Use ipchains firewalling to block incoming
connections – default policy of deny all, allow
specific source addresses and ports only.
• From /etc/sysconfig/ipchains:
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
• Note what these rules actually do: ‘-y’ matches only SYN
(connection-opening) packets, so they reject new inbound TCP
connections to the privileged ports and to X11 without breaking
replies to the host’s own outbound connections. They say nothing
about UDP or ICMP, and TCP ports above 1023 (other than X11) are
still reachable; a real “deny all” default comes from the chain
policy (‘ipchains -P input DENY’), not from these rules alone.
• Test these rules from somewhere else with
NMAP and Nessus! Never trust a local
portscan
UNIX Security
• Use TCP Wrappers or xinetd security features to
restrict incoming connections by source and service
• Use Secure Shell (SSH) as a replacement for Telnet
• Use SSH / SCP to transfer files with encryption (nice,
and very scriptable)
• Use Tripwire (tripwire.com) to monitor filesystem
changes
• Use Snort (snort.org) as a free IDS
• Use Psionic PortSentry (port scan detection) and LogSentry
(log watching) from http://www.psionic.com to find attacks
and suspicious activity in the logs
• Log to an alternate syslog server, so an intruder who gets
root cannot quietly edit the only copy of the logs
• Use ‘netstat -a -n | grep LISTEN’ or ‘lsof -i | grep
LISTEN’ to find programs listening on network
ports (on Linux, ‘netstat -anp’ also shows the owning process)
Microsoft Security
General Microsoft Security
• Obviously, Microsoft has had a few problems
• It requires good hardening and constant
patching, but it can be made (pretty) secure
• Microsoft is making a genuine attempt to
improve their security (developer camp)
• Requires updating all kinds of components:
– Core operating system
– Internet Information Server
– Microsoft Exchange / Outlook
– Microsoft SQL Server
– Internet Explorer
• Build this expectation into your time estimates
and total cost of ownership when evaluating
operating systems
During Installation
• Do not connect to the Internet while
installing (can be hacked during install)
• Install the minimal number of packages
• Make Internet servers standalone – not
members of any domain or Active Directory
• Format all volumes as NTFS
• Install IIS on a separate volume or hard
drive. (note that this requires an
unattended installation and script)
• Use strong administrator passwords
Install all service packs
• Operating system
• Internet Information Server
• Internet Explorer
• SQL server, others as needed
• hfnetchk.exe should come up clean*
before the server is deployed
Filesystem Security
• The ‘everyone’ group has full access to all
drives by default! This is dangerous and
unnecessary
• Carefully remove ‘everyone’ and add
administrators, users, etc. to disks using
descriptive groups
• Create a ‘web user’ group that has READ
access to IIS directories
• Create a ‘web admin’ group that has WRITE
access to IIS directories
• Add the IUSR_<machine> and IWAM_<machine> accounts to
‘web users’ (and only if really needed, to ‘web admin’)
Filesystem Security
• Delete or remove access to dangerous
programs to make hacking harder:
ARP.EXE
ATSVC.EXE
CACLS.EXE
CMD.EXE
CSCRIPT.EXE
DIALER.EXE
EDLIN.EXE
FTP.EXE
HTIMAGE.EXE
IPCONFIG.EXE
MSIEXEC.EXE
NET.EXE
NETSH.EXE
PING.EXE
POSIX.EXE
QFECHECK.EXE
RDISK.EXE
REGEDT32.EXE
ROUTE.EXE
RUNAS.EXE
SECFIXUP.EXE
SYSKEY.EXE
TFTP.EXE
TSKILL.EXE
WSCRIPT.EXE
NETSTAT.EXE
AT.EXE
ATTRIB.EXE
CLIPSRV.EXE
COMMAND.COM
DEBUG.EXE
EDIT.EXE
FINGER.EXE
HYPERTRM.EXE
IMAGEMAP.EXE
ISSYNC.EXE
NBTSTAT.EXE
NET1.EXE
NSLOOKUP.EXE
POLEDIT.EXE
QBASIC.EXE
RCP.EXE
REGEDIT.EXE
REXEC.EXE
RSH.EXE
RUNONCE.EXE
SYSEDIT.EXE
TELNET.EXE
TRACERT.EXE
UNINST.EXE
XCOPY.EXE
Filesystem Security
• Remove all resource kits and SDKs
• Disable indexing of disks recursively
• Never allow the emergency (Recovery) Console to be
booted from the hard drive
• Delete backup copies of the registry
from %SystemRoot%\repair\
• Configure the recycle bin to
immediately delete files
• Configure the system swap file to be
deleted at shutdown
High-accountability logging
• Enable auditing of filesystem accesses
• Configure auditing to log all failed file
accesses by the ‘everyone’ group
• Increase the size of the event log to
512 MB if possible
• Set event viewer to delete events that
are N days old, where N matches your
backup schedule
• Audit the use of privileges
Monitor suspicious log events
• Filter event logs for interesting events
– 529: Unknown Username or Bad Password
– 537: Unsuccessful Logon
– 530: Account Logon Time Restriction Violation
– 531: Account Currently Disabled
– 532: Account Has Expired
– 533: User Not Allowed to Log on
– 534: Logon Type Restricted
– 535: Password Expired
– 516: Some Audit Event Records Discarded
– 517: Audit Log Cleared
More Suspicious Events
– 624: User Account Created
– 630: User Account Deleted
– 627: Change Password Attempt
– 636: Local Group Member Added
– 632: Global Group Member Added
– 642: User Account Changed
– 643: Domain Policy Changed
– 608: User Right Assigned
– 609: User Right Removed
– 612: Audit Policy Change
– 610: New Trusted Domain
– 611: Removing Trusted Domain
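The event-ID filtering from the two slides above, as an added example that is not part of the original presentation: it pulls the watchlisted IDs out of an exported security log with awk(1) and adds the one thing a plain filter misses, counting 529 failures per account so password guessing stands out. The rows are constructed, and the column layout (Date,Time,EventID,Category,User,Computer,Description) is an assumption rather than Event Viewer's exact CSV format, so adjust the field numbers to whatever your export really contains.

```shell
#!/bin/sh
# Added example, not part of the original presentation: pull the interesting
# event IDs from an exported Windows security log with awk(1). The rows below
# are constructed; the column layout (Date,Time,EventID,Category,User,
# Computer,Description) is an assumption, so adjust the field numbers to
# match the CSV your Event Viewer actually produces.

sample_events() {
    cat <<'EOF'
Date,Time,EventID,Category,User,Computer,Description
5/20/2002,08:01:12,528,Logon/Logoff,alice,WEB1,Successful Logon
5/20/2002,08:03:44,529,Logon/Logoff,administrator,WEB1,Logon Failure - Unknown user name or bad password
5/20/2002,08:03:45,529,Logon/Logoff,administrator,WEB1,Logon Failure - Unknown user name or bad password
5/20/2002,08:03:46,529,Logon/Logoff,administrator,WEB1,Logon Failure - Unknown user name or bad password
5/20/2002,08:03:47,529,Logon/Logoff,administrator,WEB1,Logon Failure - Unknown user name or bad password
5/20/2002,08:03:48,529,Logon/Logoff,administrator,WEB1,Logon Failure - Unknown user name or bad password
5/20/2002,08:05:02,529,Logon/Logoff,bob,WEB1,Logon Failure - Unknown user name or bad password
5/20/2002,08:10:30,624,Account Management,administrator,WEB1,User Account Created - svc_backup
5/20/2002,08:10:35,636,Account Management,administrator,WEB1,Security Enabled Local Group Member Added - Administrators
5/20/2002,08:12:00,517,System Event,administrator,WEB1,The audit log was cleared
5/20/2002,08:15:00,538,Logon/Logoff,alice,WEB1,User Logoff
EOF
}

# The event IDs listed on the two slides above.
WATCHLIST="529 537 530 531 532 533 534 535 516 517 624 630 627 636 632 642 643 608 609 612 610 611"

# Print every row whose EventID is on the watchlist: date time id user text.
watchlist_hits() {
    awk -F, -v list="$WATCHLIST" '
        BEGIN { n = split(list, ids, " "); for (i = 1; i <= n; i++) want[ids[i]] = 1 }
        ($3 in want) { printf "%s %s %s %s %s\n", $1, $2, $3, $5, $7 }'
}

# Accounts with at least $1 failed logons (event 529): password guessing
# against one account shows up here long before anyone reads the raw log.
failed_logons_by_account() {
    awk -F, -v min="${1:-5}" '
        $3 == "529" { n[$5]++ }
        END { for (u in n) if (n[u] >= min) printf "%s %d\n", u, n[u] }'
}

# How often a single event ID occurs (517, audit log cleared, should be 0).
count_event() { awk -F, -v id="$1" '$3 == id { c++ } END { print c + 0 }'; }

# Stand-alone demo.
sample_events | watchlist_hits
echo "-- accounts with 3+ failed logons:"; sample_events | failed_logons_by_account 3
echo "-- audit log cleared: $(sample_events | count_event 517) time(s)"
```

Run it against the log exported from each server on the same schedule as your backups, and treat any 517 or 612 as an incident rather than a statistic: an attacker who has the rights to clear the log or change the audit policy already has everything else.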
Network Adapter Settings
• Disable all bindings except TCP/IP
• Use IP filters to limit incoming traffic to only
required ports (80, 443, 25, etc.)
• Disable remote access to the registry
• Disable NetBIOS over TCP/IP
• Disable IP routing
• Do not make “dual-homed” hosts that
connect insecure (external) networks to secure
(internal) networks
• Harden the TCP/IP stack against DoS attacks (e.g. the
SynAttackProtect registry value)
Disable Unnecessary Services
• Alerter
• Clipbook server
• Computer browser
• Distributed File System
• Distributed Link Tracking Server
• Distributed Link Tracking Client
• IPSEC Policy Agent (unless IPSEC is used)
• License Logging Service
• Logical Disk Manager Administrative Service
(needed for software RAID)
• Messenger
• Net Logon
Disable Unnecessary Services
• Network DDE
• Network DDE DSDM
• Print Spooler
• Remote Registry Service
• Removable Storage
• Server service (needed for SMTP services)
• Task Scheduler
• TCP/IP NetBIOS Helper
• Telephony (needed for terminal server)
• Windows Installer
• Windows Time
• Workstation Service (needed for some
maintenance tasks)
Accounts and User IDs
• Configure password strength
enforcement for users
• Rename the administrator account
• Create a bogus administrator account
with no rights and log its use
• Rename and disable the guest account
• Remove ‘access this computer from the
network’ rights from administrator and
‘everyone’ group
Accounts and User IDs
• Remove the ‘log on locally’ right from
all users and groups that don’t need it
• Perform periodic password cracking to
find bad passwords (including products
that log in and run as services)
• Disable remote access to the registry
• Disable anonymous access to NetBIOS
services (used for anonymously iterating
user IDs and other NetBIOS
information across the network)
Use Group Policy
• A key advantage of Windows 2000 is the
ability to really control machines with
group policy
• The NSA hardening guides have great
documentation about group policy –
read their guides as a starting place:
http://nsa2.www.conxion.com/win2k/guides/w2k-3.pdf
IIS Security
• Don’t use Front Page extensions
• Disable the HTML administration site
• Store web content on a separate drive
• Bind the web server process to specific
IP addresses (not all available)
• Disable the WebDAV service
• Remove all unneeded ISAPI mappings,
especially .ida/.idq (Indexing Service), .idc (Internet
Database Connector) and .printer (Internet Printing)
IIS Security
• Remove support for Internet printing
– Remove the /printers virtual directory
– Delete files from %SystemRoot%\web\printers
– Disable local or group policy options for “Web-Based
Printing”
• Delete default and sample IIS files
– \Inetpub\iissamples
– \Inetpub\AdminScripts
– \Program Files\Common Files\System\msadc\Samples
– %SystemRoot%\help\iishelp
– %SystemRoot%\System32\Inetsrv\iisadmpwd
– %SystemRoot%\web\printers
IIS Security
• Use restrictive IIS permissions
– On "Home Directory" tab, disable Read, Write,
Directory browsing
– Add specific rights as necessary
– The Script Source Access IIS permission is not
assigned to any folder
– Use authentication on all folders with Write /
Write-Execute access
– If HTTP basic authentication is required, use SSL
– If using NTLM authentication, require NTLM v2
IIS Security
• Protect global.asa files
– NTFS permissions set for System, Administrators and Operators
= full control
– NTFS permissions set for Authors = modify
– NTFS permissions set to explicitly deny IUSR_server and
IWAM_server accts.
– All failed accesses to global.asa are logged
• Protect the metabase.bin file
– MetaBase.bin has full control for System and Administrators
– MetaBase.bin has Modify for Operators
– Audit all failed and successful NTFS access to MetaBase.bin
• Enable the maximum level of logging
• Set the UseHostName metabase value to hide
the true IP address of the server
Good Web Sites
• http://www.securityfocus.com (sign up for
bugtraq and read the articles)
• http://www.packetstormsecurity.org (seems to
change a lot, but lots of dirt)
• http://www.microsoft.com/security
• http://www.sans.org (check out the student
papers)
• http://www.cert.org
• http://www.gocsi.com
• http://www.securityportal.com
• http://www.isc2.org
Discussion
Thank You!
Mark Lachniet, MCNE, MCSE, CCSE, LPIC-1
Sr. Security Engineer
Analysts International - Sequoia Services Group
3101 Technology Blvd, Suite A
Lansing, MI 48910
(517) 336-1004 - voice
(517) 336-1100 - fax
mailto:[email protected]