If a server screams in a forest DMZ!

How machine hardening can make the difference.

Posted on 29-May-2020 (transcript of the slide deck)

Contents

•  Who am I?
•  What do I do?
•  What is machine hardening? Can it help?
•  Vulnerabilities on the host layer
•  Can I back this up with stats?
•  Tools, resources

Who am I – David Kennefick

Present – Consultant with edgescan™, www.edgescan.com

Past/Current – full-stack pentesting, GRC & integration for clients
Bank – worked in a bank doing AML stuff
Student – designed tools for dyslexic students
Something something agile….

OWASP member

Full-stack security & application developer: 4.5 years

Reasons for hardening

•  Increasing security
•  Increasing performance (fewer services running means fewer cycles and less memory spent on things nobody uses)
•  Decreasing the likelihood of the machine being exploited
•  Passing security audits
•  By hardening we are simply reducing the scope for attack: every service, account, port and default that is removed or locked down is one fewer potential attack point.

Vulnerabilities on the host layer

•  Likelihood of a vulnerability on the host layer and its cause.

*Stats from the edgescan 2015 Vulnerability Stats Report – November 2015

What are we hardening? Is it important?

•  OS
•  Network
•  Applications
•  What else? – WordPress – Drupal

OS Hardening

•  Aim – The system is configured to limit the possibility of either internal or external attack.

•  How – While the methods for hardening vary from one operating system to another, the concepts involved are largely similar regardless of whether Windows, UNIX, Linux, Mac OS X or any other system is being baselined.

•  Disable non-essential services – Should prod have SSH enabled? – Should a mail server have the default 80 + 443 open?

•  Update vendor-supplied patches and fixes (security updates).

•  Password management – Expiring passwords on non-machine accounts. – Enforcing the regular changing of passwords (note that current guidance, NIST SP 800-63B, recommends changing passwords on evidence of compromise rather than on a fixed schedule; length, breached-password screening and MFA do more). – Disabling user accounts after repeated failed login attempts; audit policies enabled.

•  Remove unnecessary accounts – Guest, unused and unnecessary user accounts. – When employees leave an organization.

•  File and directory protection – Through the use of Access Control Lists (ACLs) and file permissions.

•  User groups and associations – A user shouldn't have permissions they don't need. – Backup users, performance log users, admin, authenticated users.

•  File and file system encryption – All disk partitions are formatted with a file system type with encryption features (NTFS with EFS or BitLocker in the case of Windows; LUKS/dm-crypt on Linux).

•  Enable logging – The operating system is configured to log all activity, errors and warnings. Forward the logs off the host as well: logs that live only on the machine can be edited by whoever compromises it.

•  File sharing – Disable any unnecessary file sharing, limit SMB sharing. Disable plaintext and anonymous login.
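The following is an added audit helper for the OS-hardening points above; it is example code written for this transcript, not a tool from the talk or from edgescan. It runs offline against constructed sample data (a made-up /etc/passwd, a made-up listing of listening sockets in the column layout of `ss -ltn` without its header, and a made-up /etc/login.defs) written to a temporary directory; on a real host you would point the three functions at the real files and at the real `ss` output. The port allowlist "22 80 443" is an assumption for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original slides): audit a host against three
# OS-hardening checks -- interactive accounts, unexpected listeners, and
# password aging -- using constructed sample data so it runs offline.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: an /etc/passwd with a stale guest account and a
# leftover contractor account that still have interactive shells.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
contractor:x:1002:1002:Old contractor:/home/contractor:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/bash
EOF

# Constructed sample: listening TCP sockets in the column layout of
# `ss -ltn` minus its header (State Recv-Q Send-Q Local:Port Peer:Port).
cat > "$WORK/listeners" <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 50 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
EOF

# Constructed sample: password aging settings in /etc/login.defs syntax.
cat > "$WORK/login.defs" <<'EOF'
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
EOF

# Accounts other than root whose shell is not nologin/false, i.e. accounts
# that can log in interactively. Each one needs a named owner; anything
# unowned is a candidate for removal or disabling.
interactive_accounts() {  # $1 = passwd file
  awk -F: '$3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Ports listening on a non-loopback address that are not in the allowlist.
# $1 = listeners file, $2 = space-separated allowed ports, e.g. "22 443".
unexpected_listeners() {
  awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
      if (host != "127.0.0.1" && host != "[::1]" && !(port in ok)) print port
    }' "$1"
}

# PASS_MAX_DAYS as configured; 99999 is the default and means "never expires".
password_max_days() {  # $1 = login.defs file
  awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$1"
}

# Stand-alone run: print the findings for the constructed samples.
echo "Interactive accounts to review:"
interactive_accounts "$WORK/passwd"
echo "Listeners outside the allowlist (22 80 443):"
unexpected_listeners "$WORK/listeners" "22 80 443"
echo "PASS_MAX_DAYS: $(password_max_days "$WORK/login.defs") (99999 = never expires)"
```

Each function prints one finding per line so the output can be diffed against the previous run; a hardening baseline is only useful if drift from it is noticed.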

Network Hardening

•  Updating software and hardware – This never stops. – All networking software, together with the firmware in routers, is updated with the latest vendor-supplied patches and fixes. This should be done from first use.

•  Password protection – Routers and wireless should be protected with strong passwords, using at least WPA2-PSK (AES). Most wireless should be disabled or removed if possible.

•  Disable and remove unnecessary protocols and services – For example, on most servers using SSLv2 is still possible. All versions of SSL/TLS should be disabled except for TLSv1.2. – This will be a PCI requirement from June 2016 (the PCI SSC later pushed the migration deadline for SSL and early TLS out to 30 June 2018; today TLSv1.3 is acceptable alongside TLSv1.2).

•  Ports – Unnecessary ports blocked by a firewall and the associated services disabled on any hosts within the network. Some ports deserve a closer look before they are left reachable, e.g. 3389 (RDP), 5405 and 5421.

–  For example, a network in which none of the hosts acts as a web server does not need to allow traffic for port 80 or 443 to pass through the firewall.

•  Restricted network access – There should be a firewall between the network and the internet. In the case of large organisations there may be LAN, DMZ and inner DMZ, so there may be many layers of firewalls.

–  Other options include the use of Network Address Translation (NAT) and access control lists (ACLs).

–  Authorized remote access should be enabled through the use of secure tunnels and virtual private networks, with a form of MFA in use.
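To make the "disable SSLv2/SSLv3 and early TLS" point concrete, here is an added example (written for this transcript, not code from the talk) that shows the weak protocol setting beside the corrected one and flags legacy versions in web server configuration. The directive names are the real ones (`ssl_protocols` in nginx, `SSLProtocol` in Apache httpd, where a leading `-` disables a version); the config fragments themselves are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original slides): flag legacy SSL/TLS versions
# enabled in nginx or Apache configuration, against constructed fragments.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed "before": the sort of default many 2015-era servers shipped with.
cat > "$WORK/weak.conf" <<'EOF'
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
EOF

# Constructed "after": TLSv1.2 only, with TLSv1.3 added where the server supports it.
cat > "$WORK/hardened.conf" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
EOF

# The same hardened rule in Apache httpd syntax (disable everything, then
# re-enable only the versions wanted).
cat > "$WORK/apache.conf" <<'EOF'
SSLProtocol -all +TLSv1.2 +TLSv1.3
EOF

# Print every legacy protocol token that a config file enables, one per line.
# Understands nginx "ssl_protocols ..." and Apache "SSLProtocol ..." (where a
# "-" prefix disables a version, and "+" or no prefix enables it).
legacy_protocols() {  # $1 = config file
  awk '
    tolower($1) == "ssl_protocols" || tolower($1) == "sslprotocol" {
      for (i = 2; i <= NF; i++) {
        tok = $i
        sub(/;$/, "", tok)                 # strip the nginx terminator
        if (tok ~ /^-/) continue           # Apache: explicitly disabled
        sub(/^\+/, "", tok)                # Apache: explicitly enabled
        if (tok == "all") { print "all (enables TLSv1 and TLSv1.1)"; continue }
        if (tok ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print tok
      }
    }' "$1"
}

# Stand-alone run: report on the three constructed fragments.
for f in weak.conf hardened.conf apache.conf; do
  found="$(legacy_protocols "$WORK/$f" | tr '\n' ' ')"
  echo "$f: ${found:-no legacy protocols}"
done
```

The check reads configuration, which catches what the admin intended; a handshake test from outside (for instance `openssl s_client -tls1` against the live port) confirms what the server actually negotiates, and the two should be compared, since a stray `include` or a load balancer in front can undo the config.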

Application Hardening

•  All applications and services installed on network-based host systems must be included in the security hardening process to ensure that they do not provide a weak link in the security defences. – We always hear of backdoors: if you don't trust it, remove it.

•  A number of common operating-system-based services are installed by default and need to be reviewed. – SMB sharing – FTP – Juniper Networks / Fortinet

Web Servers

•  For non-public sites, authentication methods should be put in place, and for sites that are only to be accessible by internal users an intranet/LAN/DMZ approach should be used so that external access is prevented by a firewall.

•  Encryption should be utilised.

•  Web server logs should be reviewed routinely for suspicious activity. Attempts to access unusual URLs on the web server (admin consoles, paths that do not exist on the site, directory traversal sequences) typically indicate an attempt to exploit problems in outdated or unpatched web servers.

•  Latest vendor-supplied patches: WordPress, PHP etc.
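As an added illustration of the log review recommended above (example code written for this transcript, not from the talk), the block below runs two simple detections over constructed access-log lines in combined log format: requests for paths that match common probe patterns, and client addresses that rack up 404s the way a wordlist scanner does. The pattern list and the 404 threshold are starting points chosen for the demo, not a complete signature set, and the IP addresses and timestamps are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the original slides): first-pass review of a web
# server access log for probing of unusual URLs, on constructed sample lines.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log (combined log format). Two ordinary page views, a
# scanner walking a wordlist, and a POST to xmlrpc.php that returned 200.
cat > "$WORK/access.log" <<'EOF'
203.0.113.9 - - [12/Nov/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2015:10:01:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2015:10:02:10 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "python-requests/2.7"
198.51.100.7 - - [12/Nov/2015:10:02:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "python-requests/2.7"
198.51.100.7 - - [12/Nov/2015:10:02:12 +0000] "GET /.env HTTP/1.1" 404 169 "-" "python-requests/2.7"
198.51.100.7 - - [12/Nov/2015:10:02:13 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 400 0 "-" "python-requests/2.7"
192.0.2.44 - - [12/Nov/2015:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
EOF

# Requests whose path matches a probe pattern. In combined log format $1 is
# the client, $7 the request path and $9 the status. Prints "ip status path".
suspicious_requests() {  # $1 = access log
  awk '
    BEGIN {
      # Admin consoles, secret files, traversal, and a classic traversal target.
      probe = "(wp-login\\.php|xmlrpc\\.php|phpmyadmin|/\\.env|/\\.git/|\\.\\./|/etc/passwd)"
    }
    $7 ~ probe { print $1, $9, $7 }' "$1"
}

# Client addresses with at least $2 responses of 404: the signature of a
# scanner trying paths that do not exist on this site.
scanner_ips() {  # $1 = access log, $2 = threshold
  awk -v min="$2" '$9 == 404 { c[$1]++ } END { for (ip in c) if (c[ip] >= min) print ip }' "$1"
}

# Stand-alone run: report on the constructed log.
echo "Probe-like requests:"
suspicious_requests "$WORK/access.log"
echo "Clients with 3 or more 404s:"
scanner_ips "$WORK/access.log" 3
```

A 404 from a scanner is noise; the lines worth a closer look are the probes that returned 200, like the xmlrpc.php POST above, because they show the path exists and is reachable from outside.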

Mail Servers

•  Unneeded configuration options of the mail server software are disabled.

•  All the latest vendor-supplied updates are applied.

•  Relay prevention options should be activated.

•  Authentication must be used to ensure that only authorised users are able to send and receive email messages.

•  Open relays are dangerous: anyone on the internet can use the server to send spam or phishing mail, and the server's address (and the organisation's domain) ends up on blocklists.

FTP Servers

•  The purpose of the File Transfer Protocol (FTP) is to allow files to be downloaded from and uploaded to remote servers.

•  Anonymous FTP – We would recommend all anonymous activity be removed or restricted.

•  Authenticated FTP – In the case of authenticated FTP it is essential that SFTP (file transfer over SSH) or FTPS (FTP over TLS) be used so that login and password credentials are encrypted, rather than transmitted in plaintext. Plain FTP sends both the credentials and the file contents in the clear.

Vulnerable

•  Have you performed the proper security hardening across the entire application stack?

–  Do you have a process for keeping all your software up to date? This includes the OS, web/app server, DBMS, applications, and all code libraries.

–  Is everything unnecessary disabled, removed, or not installed (e.g. ports, services, pages, accounts, privileges)?

–  Are default account passwords changed or disabled?

–  Is your error handling set up to prevent stack traces and other overly informative error messages from leaking?

–  Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries understood and configured properly?

Hardening tools/guides

•  MBSA 2.3 – https://www.microsoft.com/en-IE/download/details.aspx?id=7558

•  Spacewalk – http://spacewalk.redhat.com/

•  CIS (mapping) – https://www.cisecurity.org/

•  NIST – http://www.nist.gov/

•  Security Monkey – https://github.com/Netflix/security_monkey

MBSA 2.3

•  Microsoft Baseline Security Analyser. – Security patches – Security misconfigurations – Supports anything newer than Windows 2000

•  Exports a nice XML document which allows for integration into GRC tools

•  Free technology that can be run offline (Microsoft has since retired MBSA and it does not cover current Windows releases, so treat it as a reference point rather than a tool to roll out today)

Spacewalk

•  Managed updates to keep machines in top shape.

•  Allows you to cache updates for distribution to different locations based on whatever parameters organisations have.

•  The technology Red Hat's Satellite (version 5) is built on. Red Hat archived the Spacewalk project in 2020; Uyuni is the community fork that carries it on.

•  Community driven and tested, which may or may not be important to you.

CIS & NIST

•  Center for Internet Security. – Prioritised set of cyber practices (the CIS Controls). – Configuration details for each device (the CIS Benchmarks).

•  National Institute of Standards and Technology. – Cybersecurity Framework. – Not a regulatory agency, more of a guideline agency. – Massive amount of free resources.

Security Monkey

•  Netflix technology to monitor policy changes on AWS infrastructure.

•  Alerts users when an AWS account has an unexplained privilege, or one it may not need, via a justification system.

•  Change tracking for all infrastructure.

•  Very easy to set up; possible to audit the whole AWS infrastructure of an SME in one afternoon. (Netflix has since archived the project; AWS Config and IAM Access Analyzer now cover the same ground natively.)

Conclusion

•  Full-stack patching! – Updates and patching

•  Hardening: get a pro

•  Find flaws before they are exploited

•  Treat networks like you have the enemy inside already.

•  Treat apps like there are people out to exploit them. Make sure testing is happening in dev, pre-prod and prod.

www.edgescan.com

© BCC Risk Advisory Ltd 2016.

Thanks

david.k@edgescan.com  @davidkennefick

edgescan™ 2015 Vulnerability Stats Report:

https://www.edgescan.com/assets/docs/reports/2015-edgescan-Stats-Report-(2015)-v5.pdf