Transcript of Configuration Strategies with Specialized Components

Table of Contents

Operational and Consumer Network-enabled Devices -1 (page 2)
Operational and Consumer Network-enabled Devices -2 (page 4)
Endpoint Security Software -1 (page 6)
Endpoint Security Software -2 (page 8)
Application Whitelisting and Blacklisting (page 10)
Configuring Dedicated Interfaces (page 11)
Peripheral Restrictions (page 13)
Full Disk Encryption (FDE) (page 15)
Virtualizing Servers (page 17)
Cloud Augmented Security Services (page 18)
Boot Loader Protections (page 20)
Vulnerabilities with Co-Mingling of Hosts (page 21)
Terminal Services and Application Delivery Services (page 23)
Virtual TPM (VTPM) (page 24)
Notices (page 25)

Page 1 of 25

Operational and Consumer Network-enabled Devices -1

Building Automation Systems
• Networking of facility systems has enhanced the ability to automate the management of systems, including lighting, HVAC, water systems, and security alarms.

IP Video
• Used for surveillance of a facility and for facilitating collaboration

HVAC Controllers
• Networked management of HVAC systems using the Building Automation and Control Network (BACnet) protocol, which defines application, network, and media access layer communication services

**002 Instructor: Security engineers today have to start worrying about specialized components that are beyond the traditional networking component systems that they normally deal with: network switches, routers, and firewalls. They're having to start looking at systems that are being integrated into their networks, such as building automation systems, IP video, and HVAC controllers. Building automation systems are very good at helping prioritize and make people more efficient in monitoring the HVAC systems. They are there to pay for themselves in time and efficiency and taking out that human error and human interaction in monitoring those building systems that are typically done by facilities engineers. IP video, those are used for surveillance of a facility or for facilitating collaboration. And in today's environment, you have a lot of remote workers. So, being able to use IP video for conference calls and stuff saves organizations time and money and travel expenses and facilitates ease of use and collaboration on remote projects for people that are stationed around the world. HVAC controllers typically are monitored by a network system. They take out that human interaction for each of those types of controls. So, if an HVAC system stops working, the automated systems alert the individuals if there's a problem instead of having someone go down and monitor data centers for temperature and humidity. They get alerts when the temperature and humidity are outside a specified range of temperature settings or humidity settings.


Operational and Consumer Network-enabled Devices -2

Sensors
• Gather information and make it available to larger systems, such as HVAC controllers

Physical Access Control Systems
• Any systems used to allow or deny physical access to the facility, such as mantraps, proximity readers, and IP-based access control and video systems

A/V Systems
• Provide video conferencing capabilities and HD video transmission

Scientific and Industrial Equipment
• It is essential to safely connect biomedical, guest, and IT devices to IP networks. Sensitive devices must be isolated and protected from other hosts on the network.

**003 Sensors are another one. They gather information and make it available to larger systems such as HVAC controllers: temperature sensors, humidity sensors, if those sensors are feeding into a bigger system to let people know if there's an issue. Physical access control systems, those are systems that are used to allow or deny physical access to a facility, such as mantraps, proximity readers, IP-based access control and video systems. The main one that you see with physical access control systems is the mantrap. A mantrap is a series of two doors. You access into one door. That door closes. And you enter into a small room where a second authentication process takes place in order to gain access to the room. So, if you pass one security check, and you don't pass the second security check, alarms will sound. And that person is trapped inside the room, hence the name mantrap. Audio and video systems, those provide video conferencing capabilities and HD video transmission. Scientific and industrial equipment, you see this in medical fields with all the medical monitoring devices, the heart rate monitors, breathing monitors, oxygen sensors, blood pressure monitoring. All those devices in hospitals are connected now so nurses and doctors can monitor remote patients from the nurses' station. It gives real-time feedback to the doctors on what's going on during certain procedures. It is essential for safety that those connected medical devices and IT devices are isolated, and that those devices are protected from other hosts on the network.


Endpoint Security Software -1

Patch Management
• To ensure all devices have the latest patches installed, a formal system should be deployed so that all systems receive the latest updates after thorough testing in a non-production environment

Intrusion Prevention System (IPS)
• Reacts and takes an action in response to a threat

Intrusion Detection System (IDS)
• Responsible for detecting unauthorized access or attacks against systems and networks

Data Loss Prevention
• Software that attempts to prevent data leakage

**004 Endpoint security software, when we talk about endpoint security software, we're going beyond the traditional antivirus software. Endpoint security software is there to make sure that all your devices and configuration settings are up to date and free from errors. So, the first part of that is patch management. When we look at patch management, patch management is a necessity from the security engineer's point of view because all patches that are released from vendors are released for a reason. Most of the time, those patches are released to fix security flaws in their system, so they release patches to make sure that they're patching all the holes that were previously found on zero-day exploits through that. Intrusion prevention systems, those are systems that react and take an action in response to a threat. Intrusion detection systems, those are responsible for detecting unauthorized access or attacks against systems and networks. The main difference between an IPS and an IDS is that an IPS reacts and takes an action, where an intrusion detection system is just responsible for detecting the unauthorized access and alerting somebody, whereas a prevention system actually takes a defined action against a threat. Data loss prevention is software that attempts to prevent data leakage. We have to worry about data leakage in your environments, information getting out. So, data loss prevention software is there to help monitor documents and prevent leaks within your organization. An example of that could be being able to print from a network printer that is in your corporate facility, but not being able to print documents at home for personal use. You're only able to print a company document at a company-owned facility.


Endpoint Security Software -2

Host-based Firewalls
• Reside on a single host and are designed to protect that host only

Log Monitoring
• Network events, system events, application events, and user events should be monitored.
- Develop an audit log management plan.
- Ensure that the ability to delete an audit log is under two-person control.
- Monitor all high-privilege accounts.

**005 Host-based firewalls, that is another endpoint security software. Most OSs out there today come with a host-based firewall. Windows has its Defender firewall. Those are commonly in each operating system that is there today. So, nothing goes further with having to add more software packages to your OSs. These come standard on most OS systems that are out there. Log monitoring, who wants to handle log monitoring? In the past, it's all been done manually. But now log monitoring is being used in a lot of security monitoring software that correlates a central repository of all your network logs, all your computer logs, and puts them into a centralized location that's able to be monitored. Those log monitoring systems record network events, system events, application events, and user events that should be monitored. They should be planned, with a log monitoring plan set forth within your organization, and monitor all those high-privileged accounts. A lot of compliance and regulatory systems out there that you have to deal with, from PCI DSS compliance to HIPAA, require you to log and monitor all high-privileged accounts. So, if you're accessing a system with privileged accounts like sudo or su, it's going to log everything that you're doing on those systems.
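As an added example (an editor's illustration, not part of the SEI course material), this is the kind of check a log monitoring system runs for the two slide points above, "monitor all high-privilege accounts" and "two-person control over audit log deletion." It scans constructed auth-log lines in the syslog layout Linux uses for sudo, su and sshd; the host name, user names, addresses and commands are made up for the demonstration, and the regular expressions assume those standard message formats.

```python
import re
from collections import Counter, namedtuple

# Constructed sample auth-log lines (not from any real system), in the layout
# syslog uses for sudo, su, sshd and cron on Linux.
SAMPLE_AUTH_LOG = """\
Jan 14 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 14 09:15:44 web01 sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jan 14 09:20:13 web01 su[4182]: (to root) bob on pts/1
Jan 14 09:21:02 web01 sshd[4210]: Accepted publickey for root from 10.0.0.5 port 51022 ssh2
Jan 14 09:30:27 web01 sudo:      bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/rm -f /var/log/auth.log
Jan 14 09:31:00 web01 cron[1201]: (root) CMD (run-parts /etc/cron.hourly)
"""

Finding = namedtuple("Finding", "kind user detail")

SUDO_RE = re.compile(r" sudo:\s+(?P<user>\S+) : (?P<body>.*)$")
SU_RE = re.compile(r" su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on ")
SSH_RE = re.compile(r" sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")

# Programs that, pointed at the audit log, bypass the two-person control for deletion.
LOG_TAMPER_PROGS = {"rm", "shred", "truncate", "unlink"}
AUDIT_LOG_DIR = "/var/log/"


def parse_sudo_body(body):
    """Turn 'TTY=pts/0 ; PWD=/x ; USER=root ; COMMAND=/bin/ls -l' into a dict.
    A leading field without '=' (e.g. 'user NOT in sudoers') is kept as 'status'."""
    fields = {}
    for part in body.split(" ; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value
        else:
            fields["status"] = part.strip()
    return fields


def is_log_tampering(command):
    """True when a deletion/truncation tool is aimed at anything under /var/log."""
    argv = command.split()
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""
    return prog in LOG_TAMPER_PROGS and any(a.startswith(AUDIT_LOG_DIR) for a in argv[1:])


def audit_line(line):
    """Return the findings for one log line (empty list if nothing privileged)."""
    findings = []
    m = SUDO_RE.search(line)
    if m:
        fields = parse_sudo_body(m.group("body"))
        command = fields.get("COMMAND", "")
        if "status" in fields:
            findings.append(Finding("sudo_denied", m.group("user"), command))
        else:
            findings.append(Finding("sudo_command", m.group("user"), f"as {fields.get('USER')}: {command}"))
            if is_log_tampering(command):
                findings.append(Finding("audit_log_tamper", m.group("user"), command))
        return findings
    m = SU_RE.search(line)
    if m and m.group("target") == "root":
        findings.append(Finding("su_to_root", m.group("user"), line.strip()))
        return findings
    m = SSH_RE.search(line)
    if m and m.group("user") == "root":
        findings.append(Finding("root_ssh_login", "root", f"{m.group('method')} from {m.group('src')}"))
    return findings


def audit_privileged(log_text):
    """Run audit_line over every line of a log and collect the findings."""
    return [f for line in log_text.splitlines() for f in audit_line(line)]


def summarize(findings):
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in audit_privileged(SAMPLE_AUTH_LOG):
        print(f"{f.kind:18} {f.user:8} {f.detail}")
```

The unprivileged cron line produces nothing, while bob's `rm -f /var/log/auth.log` produces two findings: the privileged command itself and the attempt to erase the audit trail, which is exactly the event a two-person control is meant to catch.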


Application Whitelisting and Blacklisting

Control the types of applications that users can install on their computers
• Windows Group Policy can be used to restrict the installation of software on computers in the network.

It is recommended that each organization select a technology used to control application installation and usage in the network

**006 Application whitelisting and blacklisting, so application whitelisting is what I commonly refer to as deny all software on your system and only allow approved software from your security department. Blacklisting is exactly the opposite, where you're allowing stuff on your system, and then you're specifically prohibiting certain software from running on your system. Application whitelisting is the preferred method of controlling your configuration settings and your environment because you're only allowing approved software to run on your system, where blacklisting lets users run anything except for stuff that's specifically prohibited. So, it's recommended that each organization select a technology used to control application installation and usage within the network. So, you want to be able to have configuration control, what users can install on their systems, and what is available to each user.
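An added example (an editor's illustration, not from the course) of why the narration prefers whitelisting: three policies evaluated over a constructed set of files. The paths, file contents and tool names are invented for the demonstration. The three rule styles (block by name, allow by trusted directory, allow by file hash) mirror the rule types Windows application control policies offer; the page itself mentions only Group Policy software restriction.

```python
import hashlib

# Constructed endpoint contents (path -> bytes), not real binaries. Two entries are
# byte-identical copies of the same tool under different names, one is an approved
# program with modified bytes, and one was dropped into Program Files by an attacker.
FILES = {
    r"C:\Windows\System32\notepad.exe": b"notepad 10.0 build 19041",
    r"C:\Program Files\Acme\acme.exe": b"acme client 2.3",
    r"C:\Program Files\Acme\updater.exe": b"dropped by an attacker with write access to Program Files",
    r"C:\Users\bob\Downloads\mimikatz.exe": b"mimikatz 2.2",
    r"C:\Users\bob\Downloads\svchost.exe": b"mimikatz 2.2",
    r"C:\Users\bob\Downloads\acme.exe": b"acme client 2.3 + injected loader",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Blacklist: names of tools known to be bad. Everything else runs.
BLOCKED_NAMES = {"mimikatz.exe", "psexec.exe"}

# Whitelist by path: trust the OS and Program Files directories, deny anything elsewhere.
# Only as strong as the write permissions on those directories.
TRUSTED_DIRS = ("C:\\Windows\\", "C:\\Program Files\\")

# Whitelist by hash: only builds the security team approved. Name and location are irrelevant.
APPROVED_HASHES = {sha256_hex(b"notepad 10.0 build 19041"), sha256_hex(b"acme client 2.3")}


def blacklist_decision(path: str) -> str:
    """Deny only if the file name is on the blocked list (case-insensitive)."""
    return "deny" if path.rsplit("\\", 1)[-1].lower() in BLOCKED_NAMES else "allow"


def path_whitelist_decision(path: str) -> str:
    return "allow" if path.startswith(TRUSTED_DIRS) else "deny"


def hash_whitelist_decision(content: bytes) -> str:
    return "allow" if sha256_hex(content) in APPROVED_HASHES else "deny"


def compare_policies(files=FILES) -> dict:
    """Map each file to its (blacklist, path whitelist, hash whitelist) decisions."""
    return {path: (blacklist_decision(path), path_whitelist_decision(path), hash_whitelist_decision(content))
            for path, content in files.items()}


if __name__ == "__main__":
    print(f"{'file':42} {'blacklist':10} {'path-wl':10} hash-wl")
    for path, decisions in compare_policies().items():
        print(f"{path:42} {decisions[0]:10} {decisions[1]:10} {decisions[2]}")
```

Renaming mimikatz.exe to svchost.exe defeats the name-based blacklist, a planted updater.exe passes the path whitelist because it sits in a trusted directory, and a modified copy of an approved program fails only the hash whitelist; the hash rule is the one that tracks what the security department actually approved.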

Configuring Dedicated Interfaces

Out-of-band NICs
• Place in a separate subnet from the data network.
• Create a separate VLAN on the switches.
• When crossing WAN connections, use a separate Internet connection from production.
• Use QoS to ensure management traffic does not affect production.
• Consider using the same management network for backups.
• Use Wake-on-LAN if supported.

ACLs
• Ordered sets of rules that control which traffic is permitted or denied passage through the interface.

Management Interface
• Keep interfaces used for remotely managing devices separate from the regular network traffic the device may encounter.

Data Interface
• Used to pass regular data traffic; not used for local or remote management.

**007 Configuring dedicated interfaces, interfaces out there today could be everything that you see listed there on the slide, everything from out-of-band NICs, access control lists, management interfaces, and data interfaces. When you talk about interfaces, management interfaces, that's stuff that uses managerial control over the network, so privileged accounts. User and data interfaces, those are the stuff that's the regular data traffic from your end users, not used for local or remote management, but just typical everyday usage of your network, where the management interfaces are those priorities, the privileged access to those accounts. Access control lists, that's the criteria for the control of the traffic that is permitted or denied on your system. So, you have your access control lists. You have your firewall rules. It's stuff of what users can do on your system, what's going to be allowed, what's going to be monitored on those systems.
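An added example (an editor's illustration, not from the course) of how an ACL like the ones on the slide is evaluated: rules are ordered, the first match wins, and anything that matches nothing hits the implicit deny at the end. The addresses are made up for the demonstration (a 10.250.0.0/24 out-of-band management network, a device management address of 10.250.0.10, and a 192.0.2.0/24 data network). It also flags a common mistake, a rule placed after a broader rule that makes it unreachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match is already matched by this rule."""
        return (self.proto in ("any", other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.dport in (None, other.dport))


def evaluate(acl, proto, src_ip, dst_ip, dport):
    """First matching rule wins; no match means the implicit deny at the end."""
    for index, rule in enumerate(acl):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None


def shadowed_rules(acl):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(acl) if any(earlier.covers(later) for earlier in acl[:j])]


# Constructed addressing (assumption for the demonstration).
MGMT_NET = "10.250.0.0/24"      # out-of-band management subnet
MGMT_HOST = "10.250.0.10/32"    # the device's management interface
DATA_NET = "192.0.2.0/24"       # production data network

# ACL applied inbound on the management interface: only the management subnet may
# reach SSH and HTTPS; everything else is denied explicitly so it can be logged.
MGMT_ACL = [
    Rule("permit", "tcp", MGMT_NET, MGMT_HOST, 22),
    Rule("permit", "tcp", MGMT_NET, MGMT_HOST, 443),
    Rule("deny", "any", "0.0.0.0/0", MGMT_HOST),
]

# ACL applied inbound on the data interface: web traffic only, management ports denied.
DATA_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", DATA_NET, 80),
    Rule("permit", "tcp", "0.0.0.0/0", DATA_NET, 443),
    Rule("deny", "tcp", "0.0.0.0/0", DATA_NET, 22),
]

# Same intent as MGMT_ACL but misordered: the broad deny comes first, so the permit never fires.
MISORDERED_ACL = [
    Rule("deny", "any", "0.0.0.0/0", MGMT_HOST),
    Rule("permit", "tcp", MGMT_NET, MGMT_HOST, 22),
]


if __name__ == "__main__":
    print("admin SSH from mgmt net:", evaluate(MGMT_ACL, "tcp", "10.250.0.5", "10.250.0.10", 22))
    print("SSH from data net:      ", evaluate(MGMT_ACL, "tcp", "192.0.2.77", "10.250.0.10", 22))
    print("HTTPS from Internet:    ", evaluate(DATA_ACL, "tcp", "198.51.100.9", "192.0.2.20", 443))
    print("DNS/udp, no rule:       ", evaluate(DATA_ACL, "udp", "198.51.100.9", "192.0.2.20", 53))
    print("shadowed in MISORDERED: ", shadowed_rules(MISORDERED_ACL))
```

The `shadowed_rules` check is worth running whenever an ACL is edited: a permit that lands after a broader deny is silently dead, and the symptom (management traffic failing) looks like a network fault rather than a policy error.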


Peripheral Restrictions

USB
• Use of any type of USB device should be strictly controlled and in some cases prohibited altogether.

Bluetooth
• Use of Bluetooth can be controlled, and its control should be strongly considered in high-security environments.

FireWire
• A risk exists if an untrustworthy device is attached to the bus and initiates a Direct Memory Access (DMA) attack.

**008 One of the big software concerns in today's environment is peripheral restrictions. The main three controls that you have to worry about on peripheral restrictions are listed here on this slide. For an example, USB: people are curious by nature. You find a USB stick in your parking lot. How many people do you think are actually going to take that USB stick in and plug it in to their system to see who that stick belongs to? You'd be surprised at how often that happens out there. So, you need to be able to restrict any type of USB device that should be able to be plugged into your system: a good access control policy, a good network control policy, rules of behavior, what can be allowed on your system. You can lock those USB devices, Bluetooth devices, and FireWire devices out from the BIOS settings, where people cannot go in and re-enable those. But you need to have something controlled either by group policy or in the BIOS to prevent these types of devices from being able to be plugged into your system. You can have all the security in the world. But when it comes down to it, human interaction and human error is always on the mind of most security engineers. Plugging in a USB stick is probably their most feared item on there. So, you need to be able to restrict and prohibit those devices from being plugged into your network.


Full Disk Encryption (FDE)

The strongest FDE implementations use a Trusted Platform Module (TPM) chip to protect the disk encryption key.

• The TPM chip is a security chip installed on a computer's motherboard that is responsible for protecting symmetric and asymmetric keys, hashes, and digital certificates.
• Popular uses of TPM
- Binding: "binds" the hard drive through encryption to a particular computer
  o Contents are only available when the drive is connected to the original computer.
- Sealing: "seals" the system state to a particular hardware and software configuration
  o Sealed data (such as the disk key) is released only when the measured boot state matches the state it was sealed to, so an altered boot chain cannot obtain it.

**009 Full Disk Encryption, when you look at Full Disk Encryption, you know that is another form of security that's available there. There is a laptop stolen in the United States on a regular basis, people traveling, airports, so all these mobile devices such as laptops, mobile phones, PDAs, tablets, e-readers. They're all out there. They could have company data on them. That's where you need to implement some Full Disk Encryption on those types of devices. Full Disk Encryption uses what they call a TPM module, a trusted platform module chip. And that chip is a security chip installed on a computer's motherboard that is responsible for protecting symmetric and asymmetric keys, hashes, and digital certificates. So, you can do that. It doesn't affect any type of high value targets as far as that it doesn't prohibit productivity because it's all done before the boot up of the system. So, a popular use of TPM is what they call binding. And that's where it binds the hard drive through encryption to a particular computer. So, if I take this hard drive out of this laptop and try to plug it in to my own personal laptop, that hard drive is no longer able to be used because that TPM chip from the original motherboard hasn't encrypted that hard drive to specifically that computer where it came from. Sealing seals the system state to a particular hardware and software configuration. That prevents attacks from making changes to the system. So, when we seal it, during the boot process, it comes up. They cannot make changes to that system offline without it going through its normal processes of decryption.
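An added example (an editor's illustration, not from the course) that simulates the binding and sealing the slide describes. The `SimulatedTPM` class is a stand-in written for this walkthrough, not a TPM 2.0 implementation: its PCR extend works the way the real chip's does, but the policy digest and the sealing encryption are simplified, and the boot components and PCR assignments are constructed. The three scenarios at the end are the ones the narration walks through: the same laptop rebooting normally, the same laptop with a tampered boot loader, and the drive moved to another computer.

```python
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class PolicyError(Exception):
    """Raised when the PCR state or the chip does not match the sealed blob."""


class SimulatedTPM:
    """Stand-in for the chip (assumption: simplified, not TPM 2.0). It keeps what
    matters here: PCRs that can only be extended, and a storage root key that
    never leaves the chip."""
    NUM_PCRS = 24

    def __init__(self):
        self._srk = os.urandom(32)   # unique per chip, never exported
        self.power_on()

    def power_on(self):
        # PCRs reset to zero on every boot; only extend() can change them afterwards.
        self.pcrs = [bytes(32)] * self.NUM_PCRS

    def extend(self, index: int, component: bytes) -> bytes:
        """PCR[i] = H(PCR[i] || H(component)); both order and content matter."""
        self.pcrs[index] = sha256(self.pcrs[index] + sha256(component))
        return self.pcrs[index]

    def _policy_digest(self, pcr_selection) -> bytes:
        # Simplified PolicyPCR: a digest over the selected PCR values.
        selected = b"".join(self.pcrs[i] for i in pcr_selection)
        return sha256(b"PolicyPCR" + bytes(pcr_selection) + sha256(selected))

    def _keystream(self, policy: bytes, length: int) -> bytes:
        # Key material depends on this chip's SRK and on the PCR policy.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._srk, b"seal" + policy + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, secret: bytes, pcr_selection) -> dict:
        policy = self._policy_digest(pcr_selection)
        ciphertext = bytes(a ^ b for a, b in zip(secret, self._keystream(policy, len(secret))))
        tag = hmac.new(self._srk, policy + ciphertext, hashlib.sha256).digest()
        return {"pcr_selection": tuple(pcr_selection), "policy": policy, "ciphertext": ciphertext, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        policy = self._policy_digest(blob["pcr_selection"])
        if not hmac.compare_digest(policy, blob["policy"]):
            raise PolicyError("PCR values differ from the state the secret was sealed to")
        tag = hmac.new(self._srk, policy + blob["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise PolicyError("blob was sealed by a different TPM")
        return bytes(a ^ b for a, b in zip(blob["ciphertext"], self._keystream(policy, len(blob["ciphertext"]))))


# Constructed boot chain: which PCR each stage is measured into, following the usual
# PC convention (0 = platform firmware, 4 = boot manager, 7 = Secure Boot state).
GOOD_CHAIN = {0: b"platform firmware 1.2", 4: b"boot manager (signed)", 7: b"secure boot enabled, OEM db"}
SEAL_PCRS = (0, 4, 7)


def boot(tpm: SimulatedTPM, chain: dict):
    """Power cycle, then measure every stage of the chain into its PCR."""
    tpm.power_on()
    for index, component in chain.items():
        tpm.extend(index, component)


def try_unseal(tpm, blob):
    try:
        return tpm.unseal(blob)
    except PolicyError:
        return None


def run_demo() -> dict:
    volume_key = os.urandom(32)
    chip = SimulatedTPM()
    boot(chip, GOOD_CHAIN)
    blob = chip.seal(volume_key, SEAL_PCRS)        # provisioning: seal the FDE key

    results = {}
    boot(chip, GOOD_CHAIN)                         # normal reboot, same software
    results["same_config"] = try_unseal(chip, blob) == volume_key
    boot(chip, {**GOOD_CHAIN, 4: b"boot manager (tampered)"})
    results["tampered_bootloader"] = try_unseal(chip, blob) == volume_key
    other = SimulatedTPM()                         # drive moved to another board
    boot(other, GOOD_CHAIN)
    results["other_computer"] = try_unseal(other, blob) == volume_key
    return results


if __name__ == "__main__":
    print(run_demo())
```

The "other computer" case is the binding the narration describes: the PCR values on the second machine are identical, so the policy check passes, but the blob was wrapped under the first chip's storage root key and the second chip cannot open it. A practical caveat follows from the tampered case as well: a legitimate firmware or boot loader update changes the measured values too, so a recovery key must be escrowed before patching a sealed system.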


Virtualizing Servers

Type I
• Runs directly on the host's hardware to control the hardware and to manage guest operating systems
• Example: VMware vSphere

Type II
• Runs within a conventional operating system environment
• Hypervisor layer
- A distinct second software level, with the guest operating systems running at the third level above the hardware
• Example: VirtualBox

Container-based
• Technique where a single host kernel runs multiple isolated user-space instances (containers) independently of each other on one set of system resources. Unlike a hypervisor, the containers share the host kernel, so a kernel compromise affects every container.

**010 Virtualizing servers is becoming popular in today's environment. When you virtualize servers and stuff, it saves on the data center's costs and operating expenditures. Instead of when you start virtualizing servers, all of those footprints that you had before, back in the day having a hundred servers in a data room can be expensive, where you can have two or three servers now and virtualize eighty to a hundred servers on those servers themselves. So, it saves footprint. And your data center saves money by providing cost reduction to power in the data center. Type I virtualized servers, those run directly on the host hardware to control the hardware and to manage guest operating systems; an example of that is VMware vSphere. Then you have your Type II virtualizing server. And that runs with the conventional operating system environment, the hypervisor layer. An example of that you'll see is VirtualBox. Then you have your container-based virtualized servers. And that's a technique where the actual kernel allows multiple operating systems that run independent of each other on one set of system resources.

Cloud Augmented Security Services

Hash Matching – the client computes a hash of a suspect file and submits it to the cloud service, which compares it against a database of known-good and known-malicious hashes
• Antivirus – cloud antivirus runs in the cloud, not on a local machine, creating a smaller footprint on the client and utilizing processing power in the cloud
• Anti-Spam – a cloud anti-spam service provider scans emails and stores anything identified as problematic on their servers, where it can be later reviewed
• Vulnerability Scanning – the vulnerability management platform is stored in the cloud and scanning is a service performed from the vendor's cloud

Sandboxing – segregation of virtual environments for security purposes
• Cloud-based sandboxing is scalable and elastic, allows for malware tracking, is easily updated, and is not geographically constrained.

Content Filtering
• Cloud-based filtering of web content occurs through the providers, allowing for savings on equipment and support of the process while maintaining control.

**011 Cloud augmented security services, everything's moving to the cloud. When you start talking about cloud services and stuff, there's a lot of questions that come to mind with cloud services. How is your data protected? Who owns your data? Where does that data reside? So, you need to have security involved with that. And that could come in the form of hash matching, methods used to steal data from a cloud infrastructure, antivirus/anti-spam, vulnerability scanning. Vulnerability management is huge, being able to go in and scan that server for vulnerabilities against the current threats. Same thing with antivirus and anti-spam, so you want to monitor those on a continual basis and scan those on a normal basis to prevent software and data leaks from those cloud services. Sandboxing is the segregation of virtual environments for security purposes. Cloud-based sandboxing is scalable and elastic. It allows for malware and other devices that might be malicious to be operated and executed in a sandbox environment that doesn't propagate to your other network. Content filtering, cloud-based filtering of web content, occurs through the providers, allowing savings on equipment and supporting processes while maintaining those controls. So, content filtering on those cloud services: what they can go to, what they cannot go to, what they can access, what they cannot access.


Boot Loader Protections

Secure Boot
• The firmware verifies the digital signature of each boot component (boot loader, OS loader, drivers) against trusted keys before executing it

Measured Launch
• A launch in which the software and platform components have been identified, or "measured," using cryptographic techniques

Integrity Measurement Architecture (IMA)
• Creates a list of components and anchors the list to the TPM chip
- The list is then used to attest to the system's runtime integrity.

BIOS/UEFI
• UEFI is the alternative to the legacy BIOS for interfacing between the operating system and the firmware of a system
• Allows booting from large disks, CPU-independent architectures and drivers, flexible pre-OS environments, and modular design

**012 Boot loader protections, there is a very small window during the boot process where the operating system is very vulnerable to attacks. By doing boot loader protections, like for example secure boot, you're able to protect that boot process of booting up the system. So, you have a measured launch. And that's where a launch is one in which the software and platform components have been identified, or measured, using cryptographic techniques. Integrity measurement architecture creates a list of components and anchors the list to the TPM chip. So, it says these components are able to boot, those to the TPM chip, the trusted platform module chip, to make sure that they run against those integrity checks. Then you have the BIOS, which is the architecture using the BIOS to interface between the software and the firmware of the system.
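An added example (an editor's illustration, not from the course) of the attestation step the IMA bullet describes: a verifier replays the measurement list into PCR 10, compares the result with the value the TPM quoted, and checks every measured file against an allowlist of approved hashes. The log lines are constructed in the layout of IMA's ascii_runtime_measurements file, with one simplification noted in the code: the template hash is computed over the text fields rather than IMA's binary template data. The quoted PCR value is simulated by replaying the log the TPM would actually have seen, and the file contents and paths are made up.

```python
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class Entry:
    pcr: int
    template_hash: bytes
    template: str
    algo: str
    file_hash: str
    path: str


def parse_measurement_log(text: str):
    """Parse lines shaped like IMA's ascii_runtime_measurements:
    <pcr> <template-hash> <template-name> <algo>:<file-hash> <path>"""
    entries = []
    for line in text.strip().splitlines():
        pcr, thash, template, algo_hash, path = line.split(maxsplit=4)
        algo, fhash = algo_hash.split(":", 1)
        entries.append(Entry(int(pcr), bytes.fromhex(thash), template, algo, fhash, path))
    return entries


def replay_pcr(entries, pcr_index=10) -> bytes:
    """Re-extend every template hash in order, exactly as the TPM did at runtime."""
    value = bytes(32)
    for e in entries:
        if e.pcr == pcr_index:
            value = sha256(value + e.template_hash)
    return value


def unapproved_files(entries, allowlist):
    """Paths whose measured hash is not the approved hash for that path."""
    return [e.path for e in entries if allowlist.get(e.path) != e.file_hash]


def verify(log_text: str, quoted_pcr10: bytes, allowlist: dict) -> dict:
    entries = parse_measurement_log(log_text)
    return {
        "log_matches_quote": replay_pcr(entries) == quoted_pcr10,
        "unapproved": unapproved_files(entries, allowlist),
    }


# ---- constructed sample data (not a real system's log) ----
def make_line(content: bytes, path: str) -> str:
    # Simplification: template hash over the text fields; real IMA hashes binary template data.
    fhash = hashlib.sha256(content).hexdigest()
    thash = sha256(f"sha256:{fhash} {path}".encode()).hex()
    return f"10 {thash} ima-ng sha256:{fhash} {path}"


def make_log(measurements) -> str:
    return "\n".join(make_line(content, path) for path, content in measurements)


GOLDEN = {
    "/usr/bin/systemd": b"systemd 249 build",
    "/usr/sbin/sshd": b"sshd 8.9 build",
    "/usr/bin/bash": b"bash 5.1 build",
}
ALLOWLIST = {path: hashlib.sha256(content).hexdigest() for path, content in GOLDEN.items()}

# Clean boot plus an unexpected binary executed from /tmp.
HONEST_LOG = make_log([(p, GOLDEN[p]) for p in GOLDEN] + [("/tmp/.x/miner", b"xmrig miner")])
# Same boot, but the attacker (now root) deleted the incriminating line from the log.
SCRUBBED_LOG = "\n".join(l for l in HONEST_LOG.splitlines() if "/tmp/.x/miner" not in l)
# A boot where sshd on disk was replaced; IMA measured the replacement faithfully.
BACKDOORED_LOG = make_log([
    ("/usr/bin/systemd", GOLDEN["/usr/bin/systemd"]),
    ("/usr/sbin/sshd", b"sshd 8.9 build + backdoor"),
    ("/usr/bin/bash", GOLDEN["/usr/bin/bash"]),
])


def run_demo() -> dict:
    # The quote is what the TPM reports; it reflects what was really extended.
    honest_quote = replay_pcr(parse_measurement_log(HONEST_LOG))
    backdoored_quote = replay_pcr(parse_measurement_log(BACKDOORED_LOG))
    return {
        "honest": verify(HONEST_LOG, honest_quote, ALLOWLIST),
        "scrubbed": verify(SCRUBBED_LOG, honest_quote, ALLOWLIST),
        "backdoored": verify(BACKDOORED_LOG, backdoored_quote, ALLOWLIST),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:11} {result}")
```

The two checks catch different things. The allowlist comparison finds the miner and the modified sshd because IMA recorded their real hashes. Deleting a line from the log does not help the attacker, because PCR 10 cannot be rewound: the replayed value no longer matches the quote, which is what "anchoring the list to the TPM" buys you.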

Vulnerabilities with Co-Mingling of Hosts

Live VM Migration
• Ability of the system to migrate a VM from one host to another
- When VMs are migrated across the network between secured perimeters, attackers can exploit a network vulnerability to gain unauthorized access to the VMs in transit. Attackers can then plant malicious code in the VM images that can be used to attack data centers, a type of man-in-the-middle attack. Migration traffic belongs on the isolated management network, encrypted where the platform supports it.

Data Remnants
• Sensitive data inadvertently replicated in VMs as a result of cloud maintenance functions, or remnant data left in terminated VMs
- Residual data must be completely removed and/or destroyed to ensure no unauthorized access occurs.

**013 Vulnerabilities with comingling of hosts, getting back to the cloud environments, when you look at the cloud environments, you have to ask a lot of questions. Is my data on the cloud environment safe? Is that server being shared with multiple companies besides yours? Because one thing that you have to worry about is the vulnerabilities with the comingling of hosts. Hosts can have different security settings. So, your company's settings might be more stringent than ABC Company's on the same server that's being virtualized and hosted in a cloud. So, if they gain access to that server, how is your data protected from that host? And that's what they mean by comingling of hosts. So, live virtual machine mitigation, the ability of the system to mitigate a VM from one host to another. Data remnants, those are the remnants. What can be seen when you log into the system? Can you see other people's data on the system? That's what they mean by data remnants. You need to be able to make sure that those remnants are cleared out when a user logs out of the system to make sure the next user that logs into the system cannot see any functions or remnants of data left in those terminated VMs.


Terminal Services and Application Delivery Services

Applications can be provided to users from a central location using two models of implementation.

• Server-based Application Virtualization (Terminal Services)
- Applications run on servers and the user receives the application environment display through a remote client protocol.
• Client-based Application Virtualization (Application Streaming)
- The target application is packaged and streamed to the client PC.
  o In this model, the application computing environment is isolated from the client OS and other applications.

**014 Terminal services and application delivery services, applications can be provided to users from a certain location using two modules of implementation. The server-based application virtualization, the terminal services application, runs on servers. And the user receives the application environment display during a remote client protocol. The second one is the client-based application. That's where the target application is packaged and streamed to the client's PC. In this module, the application computing environment is isolated from the client OS and other applications.

Virtual TPM (VTPM)

• A software object that performs the functions of a TPM chip
• Enables trusted computing for an unlimited number of virtual machines on a single hardware platform
• Makes secure storage and cryptographic functions available to operating systems and applications running in virtual machines

**015 Virtual TPM, we talked about that trusted platform module, a software object that performs the functions of the TPM chip, enables trusted computing for an unlimited number of virtual machines on that system. So, you don't have that trusted platform module chip like you have on your laptop. You're putting that software onto that virtual machine resource. And it's able to be used by all those virtual machines on that single host.


Notices

Copyright 2016 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT D] Distribution authorized to the Department of Defense and U.S. DoD contractors only (administrative or operational use) (2016-05-01). Other requests shall be referred to DISA/RME.

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

DM-0004104

**016 Thank you for your time.
