640 likes | 660 Views
CSCD 303 Essential Computer Security Fall 2018. Lecture 15 - Desktop Security Recovery, Prevention and Hardening Reading: CompTIA Text – Chapter 5, Links are in Lecture. Overview. Host Defense Mechanisms Defense in Depth Recovery Restore System Restore – Windows Boot disks
E N D
CSCD 303Essential Computer SecurityFall 2018 Lecture 15 - Desktop Security Recovery, Prevention and Hardening Reading: CompTIA Text – Chapter 5, Links are in Lecture
Overview • Host Defense Mechanisms • Defense in Depth • Recovery • Restore System Restore – Windows • Boot disks • Prevention • Patching – All systems • Harden OS – Features
Defense in Depth orLayered Security • As we have said ...defense in depth is an information assurance (IA) concept • Multiple layers of security controls (defense) are placed throughout a system • Its intent is to provide redundancy in the event a security control fails • Defense in depth is originally a military strategy that seeks to delay, rather than prevent, advance of an attacker
Defense in Depth Examples • Using more than one of the following layers constitutes defense in depth. Anti-virus software Authentication and password security Biometrics Firewalls (hardware or software) Intrusion detection systems (IDS) Physical security (e.g. deadbolt locks) Internet Security Awareness Training Virtual private network (VPN) Hardening Systems
The Attack Surface • Security people talk about “Reducing the Attack Surface” • What does that mean? • Get Secure • Reduce the Attack Surface • Patch • Harden • Stay Secure • Maintain secure infrastructure • Patches • Updates • Upgrades • Ongoing Reading, Research Results
The Attack Surface • What is an Attack Surface? Weak Passwords Open Ports Open File Shares Systems too complex Unknowns People Un-patched Web Server Unused Services Left On Excessive privileges No Auditing No Policies
The Attack Surface • Now for The Attacks ... Port Scanners Viruses Password Cracking Trojan Horses Unknowns People Denial of Service Network Spoofing Packet Sniffing Poisons (Packets, DNS, etc.) Worms
Other Defenses Restore, Boot Options and More
System Restore Windows • Purpose of System Restore • Create snapshot of system's configuration • Want to return a system back to a known good configuration • System Restore is designed to automatically create a restore point • Each time system recognizes a significant change in the file or application https://www.tenforums.com/tutorials/4588-system-restore-windows-10-a.html
System Restore Go to Start>> All Programs>> Accessories>> System Tools>> System Restore
Windows 10 and System Restore • System Restore Turned off by Default • Search for system restore in the Windows 10 Search box and select Create a restore point from the list of results • Click the System Protection tab Then click the Configure button. http://home.bt.com/tech-gadgets/computing/windows-10/how-to-fix-windows-10-problems-with-system-restore-11364008291943
Windows 10 and System Restore • Click to enable Turn on system protection • Use Max Usage slider to determine how much of your hard drive to use to store Restore Points • 5% to 10% is good • Click OK
System Restore and MalwareMay Not Work • Malware authors intentionally write viruses with same extensions as Windows files that are backed up by System Restore • Virus scans will remove it • But, once System Restore recovers computer to an earlier date, very possible to introduce that same virus back to system • When malware is found on a system, • System Restore should be completely disabled, all Restore Points should be deleted ... • So, whats the point? System restore not for malware!! • After scanning computer, restore can be turned back on
Making a Boot Disk New Blue Screen of Death • If your computer is un-bootable, what do you do? • Try to use a recovery disk. • How many know where your recovery disk is? • Do you know how to make one?
Windows Bootable Recovery Partition • Recovery Partition Recovery partition is a small partition on your hard drive that can help you restore your system Will allow you to restore your computer to original settings from hardware manufacture • Windows 10 creates one automatically https://www.partitionwizard.com/partitionmagic/ windows-10-recovery-partition.html https://www.disk-partition.com/windows-10/recovery-partition-after-upgrading-to-windows-10-4348.html
Making a Boot Disk Vista/Windows 10 • Yes, you can make an installation disk if your computer didn't come with one • Complete burnable images for Windows 10 • And ... a DVD or CD writer http://gadgets.ndtv.com/laptops/features/how-to-make-a-bootable-usb-disk-for-windows-10-722670 Next article addresses how to make and use a recovery disk for: • Versions of 32 and 64 bit of Windows 8/10 https://www.howtogeek.com/131907/how-to-create-and-use-a-recovery-drive-or-system-repair-disc-in-windows-8/
Boot Disk for Ubuntu • Ubuntu or Debian • Can make Ubuntu/Debian into a live image CD • Really easy, Use it to boot and possibly fix Ubuntu Instructions are here for Ubuntu https://help.ubuntu.com/community/LiveCD Instructions are here for Debian http://www.debian.org/CD/live/
Live CD RestoreWindows • Live CD for non-Windows may be used to repair Windows - Fix Windows problems on a machine that doesn't have a dual-boot installation - Fix anti-virus problems on a Windows system - Data recovery such as corrupted or deleted files
Live Disk Kali • Kali Live USB Disk • Lots of attack software but can be used for defense https://docs.kali.org/downloading/kali-linux-live-usb-install • Recover Windows passwords with Kali Linux https://www.top-password.com/knowledge/reset-windows-10-password-with-kali-linux.html • 10 Cleverest Ways to Use Linux to Fix Windows https://www.howtogeek.com/howto/31804/the-10-cleverest-ways-to-use-linux-to-fix-your-windows-pc/
Patching • What is patching? • Allows it to limp along until the next major version • Software producers give you patches to fix “holes” in between major software versions • Security updates – majority of patches • New devices supported or old devices not supported, • Performance issues, • Can patching cause problems? Yes or No.
Study on Unpatched Computers http://www.computerworld.com/s/article/9109938/Unpatched_Windows_PCs_fall_to_hackers_in_under_5_minutes_says_ISC?taxonomyId=82&intsrc=kc_top&taxonomyName=cybercrime_and_hacking 2008 • Computerworld - “It takes less than five minutes for hackers to find and compromise an unpatched Windows PC after it's connected to the Internet” • The SANS Institute's Internet Storm Center (ISC) currently estimates "survival" time of an Internet-connected computer running Windows at around four minutes if it's not equipped with the latest Microsoft Corp. security patches
Updated Stats on Unpatched Computers • Currently, Feb. 2018 • Average time for an unpatched computer placed on the Internet to be compromised by malware is only 20 minutes, according to the Internet Storm Center • Advice is critical patches should be applied within one week of their release • Statistics show that the vast majority organizations that suffer exploits are those that don't patch in the first year or ever patch at all https://www.csoonline.com/article/3075830/data-protection/zero-days-arent-the-problem-patches-are.html
More Patching Stories http://www.circleid.com/posts/20090915_major_organizations_overlooking_high_priority_security_risks/ • Security report by SANS Institute, TippingPoint and Qualys, Sept. 2009 • Number of vulnerabilities found in applications is far greater than number of vulnerabilities discovered in operating systems • "On average, major organizations take at least twice as long to patch software vulnerabilities as they take to patch operating system vulnerabilities”
Patching • Types of Patches • Patch – Simple small fix, one or two problems • Update – Add or fix problem or earlier patch • Cumulative – Includes all previously released patches for one application • Service Pack – Generally, large files, typically include lots of patches to many problems • Vista is up to service pack 2 • Windows 7 - Service pack 1 • Windows 8 – Windows 8.1 (different version) • Windows 10 – Gone to “Windows Builds”
What Should you Patch? • Microsoft has released Windows security updates on second Tuesday of every month • Recommended that you turn on automatic updates, all versions of Windows • Configure this in control panel Changes in Patching As of October 2016, they will do monthly “rollups” that address security issues and bug fixes, still second Tuesday Questions on Windows 10 updates answered https://www.zdnet.com/article/faq-how-to-manage-windows-10-updates/
Updates for Microsoft Vista/7/10 • What gets updated? • Updates OS & Internet Explorer, also other Microsoft Windows software, such as Microsoft Office, Windows Live applications, and Microsoft Expression • But, older versions of Windows updated only OS components, • Windows Updates vs. Microsoft update • Users had to go to Microsoft update to update their Office suite and SQL Server ... etc. http://arstechnica.com/microsoft/news/2010/04/isvs-to-blame-for-vista7-infections-office-updates-ignored.ars
Updates for Microsoft Vista/7/10 • Does it update other software on your computer? Like Adobe Flash Player ... • Microsoft does not, update other software running on your computer
Updates for Ubuntu, Mac OS X • Ubuntu updates • All the software on its distribution automatically • Built into the system as a service • Need to turn it on, update manager • Mac OS X • Updates all software on Mac
Patching • Third party Software • Vendors often provide free patches on their web sites • Should know how vendor supplies patches • Automatically contact their web sites and install them or • Automatic updates tell you when patches are available, you download them, and install them
Patching • Boring but ... • Make a list of the software on your computer • Games, office, document readers, Adobe, media players • Adobe, Database, Multi-media, • Voip – Skype • Security software • Device Drivers • What is their patching strategy? • Websites? Auto-update?
OS Hardening DefinedWhat does it mean to Harden an Operating System? Reconfiguring an OS to be more secure, stable and resistant to attacks. • Examples: • Removing unnecessary processes. • Setting file permissions. • Patching or updating software. • Setting network access controls.
Linux Hardening • Examine Linux System Features • In Design • Linux is more modular than Windows • Multi-user design from beginning • Main Challenge in cracking Linux • Gain Root access !!!! • Main Goal in Defense of Linux • Make unauthorized root access impossible
Linux Hardening • Setuid and Setgid • Everything in Linux is a file • Files have read, write and execute permissions • One more permission is setuid (similar with setgid) • Executable programs run with same privileges of file owner • If owner is root ... gain root privileges • Goal is to use buffer overrun or some other means of gaining a root shell session, attacker can do anything after that
Linux Programs Running Setuid Examples of some SetUID programs -rwsr-xr-x 1 root root 27256 2010-01-29 00:02 /bin/fusermount -rwsr-xr-x 1 root root 78096 2009-10-23 09:58 /bin/mount -rwsr-xr-x 1 root root 35600 2009-05-12 03:13 /bin/ping -rwsr-xr-x 1 root root 31368 2009-05-12 03:13 /bin/ping6 -rwsr-xr-x 1 root root 36864 2009-07-31 19:29 /bin/su -rwsr-xr-x 1 root root 56616 2009-10-23 09:58 /bin/umount -rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwd -rwsr-xr-x 1 root root 14880 2009-10-16 17:13 /usr/bin/pkexec -rwsr-xr-x 1 root root 852296 2009-05-23 06:01 /usr/bin/schroot -rwsr-xr-x 1 root root 143656 2009-06-22 21:45 /usr/bin/sudo
Linux Servers – Web, File, DB • Limited use machines, user services not needed • Don't install some software • X - windows • RPC Services • R-Services, rlogin, rpc - ssh instead • Inetd daemon • SMTP daemons - enabled by default • Telnet, ftp, pop3 and Imap • Might want to disable LKM - Loadable Kernel Modules
Linux Security Checklist http://www.sans.org/score/checklists/linuxchecklist.pdf • Can follow a security checklist from Security Firm like Sans Boot and Rescue Disk System Patches Disabling Unnecessary Services Check for Security on Key Files Default Password Policy Other things … too
Hardening Utilities http://bastille-linux.sourceforge.net/ • Bastille Linux - Older • Automated security program, Security wizard that systematically hardens Linux • SUID restrictions • SecureInetd • DoS attack detection and prevention • Automated firewall scripting • User privileges • Education • You can try it on your your linux system
Hardening Utilities https://cisofy.com/lynis/ • Lynis is a newer security tool for audit and hardening Linux / Unix systems. • This tool scans systems, does tests and gathers information about it • Lynis provides report with suggestions and security related warning to increase the security of the system • Tests are technical by nature, so Lynis intended for system administrators, auditor or security professional • Project is open source software with the GPL license and available since 2007
Overview • Services • Policies for different Account Types • Software Restrictions • Data lock down • Bit Locker • EFS
Windows Vista and 7/10 Security Features • Windows Service Hardening • Most Windows exploits, install malware, result of flaws in Windows services • Windows services changed as follows: • Each service is given an SID number, Security ID • Services run with a lower privilege level by default • Unnecessary privileges for services have been removed • Services are isolated and cannot interact with users
Windows Vista and 7/10Security Features • Windows Service Hardening • There are still services that may come enabled by default and should be turned off • Telnet • IMAP • NetBios • SNMP • TFTP • SMTP All these services run across the network, open ports and potentially allow access
Microsoft Services • One complete list for Windows 7 • Shows safe configurations for services http://www.blackviper.com/service-configurations/black-vipers-windows-7-service-configurations/ • Another list for Windows 10 http://www.blackviper.com/service-configurations/black-vipers-windows-10-service-configurations/
User Accounts Disable or remove non-user accounts 1) Start > search bar> lusrmgr.msc 2) Go to: Users 3) Disable or remove all Accounts that you do not use Make sure to look up accounts you are unsure about Verify the default administrator and guest accounts are disabled ..they should be by default with Windows 7 on up Now establish another admin account and set your main account to limited standard user The limited account should be used on a daily basis and the admin account only when you need to perform admin tasks Has anybody done this?
Account Policies http://www.thewindowsclub.com/customizing-the-password-policy-in-windows-7 • Can set Local Policies for your system • Password policy • Controls password characteristics for local user accounts • Available settings • Enforce password history • Maximum, Minimum password age • Minimum, Maximum password length • Complexity requirements 48
Account Policies • Account lockout policy • Prevents unauthorized access to Windows Vista and 7/10 • Only certain versions of Windows 10 • Can configure an account to be temporarily disabled after a number of incorrect log-on attempts 49