CSCD 303 Essential Computer Security Winter 2014
Transcript of CSCD 303 Essential Computer Security Winter 2014
Lecture 9 - Desktop Security Recovery, Prevention and Hardening
Reading: Links are in Lecture
Overview
• Host Defense Mechanisms
• Defense in Depth
• Recovery
– Antivirus/Antitrojan
– Restore System: System Restore – Windows
– Boot disks
• Prevention
– Patching – All systems
– Harden OS – Features
– Backup System
– Train users
Defense in Depth or Layered Security
• Defense in depth is an information assurance (IA) concept
• Multiple layers of security controls (defense) are placed throughout a system
• Its intent is to provide redundancy in the event a security control fails
• Defense in depth is originally a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time
Purpose of Defense In Depth
• Defense in depth,
• Philosophy that there is no real possibility of achieving total, complete security against threats by implementing a collection of security solutions
• Rather, a layered security strategy will be stumbling blocks that hinder the progress of a threat,
• Slowing and frustrating it until either it ceases to threaten or some additional resources, not strictly technological in nature, can be brought to bear
Defense in Depth Examples
• Using more than one of the following layers constitutes defense in depth.
Anti-virus software
Authentication and password security
Biometrics
Firewalls (hardware or software)
Intrusion detection systems (IDS)
Physical security (e.g. deadbolt locks)
Internet Security Awareness Training
Virtual private network (VPN)
Hardening Systems
The Attack Surface
• Security people talk about “Reducing the Attack Surface”
– What does that mean?
– Get Secure
• Reduce the Attack Surface
• Patch
• Harden
– Stay Secure
• Maintain secure infrastructure
– Patches
– Updates
– Upgrades
– Read, Research, Results
The Attack Surface
• What is an Attack Surface?
Weak Passwords
Open Ports
Unused Services Left On
Un-patched Web Server
Open File Shares
Excessive privileges
Systems too complex
No Policies
No Auditing
Unknowns
People
The Attack Surface
• Now for The Attacks ...
Viruses
Port Scanners
Network Spoofing
Denial of Service
Password Cracking
Packet Sniffing
Trojan Horses
Worms
Poisons (Packets, DNS, etc.)
Unknowns
People
Recovery
Anti-virus
• Anti-virus
– Will identify infections, viruses, trojans, worms
– Not always able to exactly identify what got you
– First step,
• Detect something is wrong
• Try to identify it - Key
– Next step
• Try to remove it and restore the files if possible
Updated signatures
• Anti-virus companies must release new signatures each time a new virus is discovered
– A virus’s spread is unimpeded for a while…
– According to Andreas Marx of AV-Test.org,
• Took Symantec 25 hours to release an updated signature file in response to the W32/Sober.C worm attack
The arms race
• Viruses can Morph
– To make it hard for virus scanners to detect their viruses, virus writers can add morphing behavior to their creations:
– A polymorphic virus ‘morphs’ itself in order to evade detection. …
– Metamorphic viruses attempt to evade heuristic detection techniques by using more complex obfuscations
Morphing
• A virus may morph itself by
– Encrypting part of itself using a different key for each infection
– Changing variable names (in a script virus)
– Binary obfuscation techniques
• Polymorphic virus examples
– Chameleon -- first polymorphic virus, 90’s
– A partial list of the viruses that can be called 100 percent polymorphic (late 1993)
– Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (eight versions)
Anti-virus
• Two main ways – Treating Infection
• Quarantine
• Disinfect
Anti Virus Software
• Quarantine
– Only temporary until user decides how to handle it, user asked to make a decision
Anti Virus Software
• Why do Anti-Virus Programs Quarantine?
– Virus detection was generic, can’t determine how to clean it off of system
– Wants user, you, to make a decision
– Quarantine Actions
• Copy infected file to quarantine directory
• Remove original infected file
• Disable file permissions so user can’t accidentally transfer it out of directory
Anti Virus Software
• Disinfect Files
• a. Disinfection by Specific Virus
– Multiple ways to disinfect files
– Depends on the type of virus
– From virus DB, get file executable start address
• Run generic clean-up routine with start address
• Can derive this information by running virus in test lab, recording information from infected file
• Store this information for specific virus
Anti Virus Software
• b. Disinfect by Virus Behavior
– Disinfect based on assumptions from virus behavior
• Prepended or Appended viruses
• Restore original program header
• Move original byte contents back to original location
– Can store in advance for each executable file on an uninfected system, system file
• Program header, file length, checksum of executable file contents, which is a computed check of the file contents
• Compute various checksums until you get the exact checksum of the file; can be tricky, need to figure out which part of the file is original, look for checksum match
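The store-ahead disinfection idea above (program header, file length and checksum recorded on a clean system, then computing checksums over candidate slices of the infected file until one matches) as an added Python example; this is not code from the lecture, and the 37-byte "executable" and 13-byte "virus" body are constructed bytes, not real files.

```python
import hashlib
from typing import NamedTuple, Optional, Tuple

HEADER_LEN = 16  # how many leading bytes of the program header we snapshot


class Baseline(NamedTuple):
    """What the slide says to store in advance for each executable on a clean system."""
    header: bytes  # original program header
    length: int    # original file length
    digest: str    # checksum of the original file contents


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_baseline(clean: bytes) -> Baseline:
    return Baseline(clean[:HEADER_LEN], len(clean), sha256(clean))


def is_modified(candidate: bytes, base: Baseline) -> bool:
    """Cheap integrity check: a changed length or checksum means the file was touched."""
    return len(candidate) != base.length or sha256(candidate) != base.digest


def disinfect(infected: bytes, base: Baseline) -> Optional[Tuple[str, bytes]]:
    """Slide a window of the original length over the file and compute checksums
    until one matches; when the plain window fails, put the saved header back into
    it and test again. Returns (how the virus attached, recovered bytes) or None."""
    n = base.length
    if len(infected) < n:
        return None  # the original bytes were truncated; nothing to recover here
    for offset in range(len(infected) - n + 1):
        window = infected[offset:offset + n]
        if sha256(window) == base.digest:
            # original bytes intact: virus sits before (prepended) or after (appended)
            return ("prepended" if offset else "appended", window)
        # appending viruses often patch the header (entry point) so they run first
        repaired = base.header + window[HEADER_LEN:]
        if sha256(repaired) == base.digest:
            return ("prepended, header patched" if offset else "appended, header patched", repaired)
    return None


# Constructed sample data (not a real program and not a real virus): a fake
# 37-byte executable with a 16-byte header, and a fake 13-byte parasitic body.
CLEAN = b"MZ" + bytes(14) + b"original program body"
PARASITE = b"VIRUS PAYLOAD"
BASELINE = make_baseline(CLEAN)
APPENDED = CLEAN + PARASITE
PREPENDED = PARASITE + CLEAN
HEADER_PATCHED = b"MZ" + b"\xff" * 14 + CLEAN[HEADER_LEN:] + PARASITE

if __name__ == "__main__":
    for name, sample in [("appended", APPENDED), ("prepended", PREPENDED),
                         ("header patched", HEADER_PATCHED)]:
        kind, original = disinfect(sample, BASELINE)
        print(f"{name}: {kind}; restored ok = {not is_modified(original, BASELINE)}")
```

The window search is linear in file size times one hash per offset, which is fine for a teaching example; a real scanner narrows the candidate offsets using the stored length and the known attachment style first.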
Best Recommended Free Antivirus Programs 2013
• A number of recommended programs are free to help keep your computer malware free
– Avast Free
– Panda Cloud
– Emsisoft Emergency Kit
– Zone Alarm Free
– Malwarebytes Antivirus
– Avira Free Antivirus
http://www.techradar.com/us/news/software/applications/best-free-antivirus-9-reviewed-and-rated-1057786
Test Your Virus Scanner
• Good to test your anti-virus software to see how well it does
• There is a test file you can use to test your anti-virus software
– The Anti-Virus or Anti-Malware test file
• From European Expert Group for IT Security, www.eicar.org
• Run this file against your virus scanner to determine its effectiveness
http://www.eicar.org/anti_virus_test_file.htm
Other Defenses
Restore, Boot Options and More
System Restore Windows
• Purpose of System Restore
– Create snapshot of system's configuration
– Want to return a system back to a known good configuration
• System Restore is designed to automatically create a restore point
– Each time system recognizes a significant change in the file or application
http://www.bleepingcomputer.com/tutorials/system-restore-from-windows-vista-recovery-environment/
System Restore
Go to Start>> All Programs>> Accessories>> System Tools>> System Restore
System Restore and Malware May Not Work
• Malware authors intentionally write viruses with same extensions as Windows files that are backed up by System Restore … How dare they !!!!
• Common people with virus, run virus scans to remove it
– But, once System Restore recovers computer to an earlier date, very possible to introduce that same virus back to system
• When malware is found on a system,
• System Restore should be completely disabled, all Restore Points should be deleted ...
– So, what's the point? System restore not for malware!!
• After scanning computer, restore can be turned back on
Making a Boot Disk Vista and Other OS's
• If your computer is un-bootable, what do you do?
– Try to use a recovery disk.
– How many know where your recovery disk is?
– Do you know how to make one?
Blue Screen of Death
Vista Recovery Disk
• Recovery Disk or a Recovery Partition
• Will allow you to restore your computer to original settings from hardware manufacturer,
– Will not be able to use it to repair your Windows Vista installation
– For that, you will need an actual Windows Vista DVD that contains the Windows Recovery Environment
Making a Boot Disk Vista/Windows 7/8
• Yes, you can make an installation disk if your computer didn't come with one
– Complete burnable images for Vista/Windows 7
– And ... a DVD or CD writer
http://www.howtogeek.com/howto/windows-vista/how-to-make-a-windows-vista-repair-disk-if-you-dont-have-one/
Versions of 32 and 64 bit and Windows 7/8
http://neosmart.net/blog/2008/download-windows-vista-x64-recovery-disc/
Boot Disk for Ubuntu
• Ubuntu or Debian
– Can make Ubuntu/Debian into a live image CD
– Really easy, Use it to boot and possibly fix Ubuntu
Instructions are here for Ubuntu
https://help.ubuntu.com/community/LiveCD
Instructions are here for Debian
http://www.debian.org/CD/live/
Live CD Restore Windows
Live CD for non-Windows may be used to repair Windows
- Fix Windows problems on a machine that doesn't have a dual-boot
- Fix anti-virus problems on a Windows system
- Data recovery such as corrupted or deleted files
Live CD Backtrack
• Backtrack Live CD
– Used for mostly attacking other systems but can be used for defense
http://www.backtrack-linux.org/downloads/
• Recover Windows passwords with Backtrack
http://webistricky.blogspot.com/2013/01/how-to-reset-windows-password-using.html
Recover Windows 8 passwords in Easy Steps
http://shishirceh.blogspot.com/2013/06/reset-windows-8-password-using.html#!/2013/06/reset-windows-8-password-using.html
Live CD Backtrack
• Backtrack Live CD – Fix Windows Registry with Backtrack
– Often times, we mess up the registry, leaving the system in a hung state
– In such situations BackTrack plays a major role to put you back on track.
http://securityxploded.com/backtrackregistry.php
• With a little experimentation, for example, you can learn how to access almost any file on the failed PC
– This offers a way to recover and back up data files before you erase the hard drive and completely reinstall Windows
http://www.jagtutorials.com/VideoPages/V_CorruptedSystem.html
Prevention
Patching
• What is patching?
– Allows it to limp along until the next major version
• Windows XP before Vista
• Vista then quickly Windows 7 etc.
– Software producers give you patches to fix “holes” in between major software versions
• Security updates, new devices supported or old devices not supported, performance issues,
– Can patching cause problems? Yes or No.
Study on Unpatched Computers
http://www.computerworld.com/s/article/9109938/Unpatched_Windows_PCs_fall_to_hackers_in_under_5_minutes_says_ISC?taxonomyId=82&intsrc=kc_top&taxonomyName=cybercrime_and_hacking
• 2008
• Computerworld - “It takes less than five minutes for hackers to find and compromise an unpatched Windows PC after it's connected to the Internet”
• The SANS Institute's Internet Storm Center (ISC) currently estimates "survival" time of an Internet-connected computer running Windows at around four minutes if it's not equipped with the latest Microsoft Corp. security patches
More Patching Stories
http://www.circleid.com/posts/20090915_major_organizations_overlooking_high_priority_security_risks/
• Security report by SANS Institute, TippingPoint and Qualys, Sept. 2009
– Number of vulnerabilities found in applications is far greater than number of vulnerabilities discovered in operating systems
– "On average, major organizations take at least twice as long to patch software vulnerabilities as they take to patch operating system vulnerabilities”
Patching
• Types of Patches
– Patch – Simple small fix, one or two problems
– Update – Add or fix problem or earlier patch
– Cumulative – Includes all previously released patches for one application
– Service Pack – Generally, large files, typically include lots of patches to many problems
• Vista is up to service pack 2
• Windows 7 - Service pack 1
• Windows 8 – None yet, but we have 8.1 out
What Should you Patch?
• Microsoft releases Windows security updates on second Tuesday of every month
– Recommended you turn on automatic updates, all versions of Windows
– Configure this in control panel
Updates for Microsoft Vista/7
• What gets updated?
– Updates OS & Internet Explorer, also other Microsoft Windows software, such as Microsoft Office, Windows Live applications, and Microsoft Expression
– But, older versions of Windows updated only OS components,
• Windows Update vs. Microsoft Update
• Users had to go to Microsoft Update to update their Office suite and SQL Server ... etc.
http://arstechnica.com/microsoft/news/2010/04/isvs-to-blame-for-vista7-infections-office-updates-ignored.ars
Updates for Microsoft Vista/7
• Does it update other software on your computer? Like Adobe Flash Player ...
• Microsoft does not update other software running on your computer
Updates for Ubuntu, Mac OS X
• Ubuntu updates
– All the software in its distribution automatically
– Built into the system as a service
– Need to turn it on, update manager
• Mac OS X
– Updates all software on Mac
Patching
• Third party Software
– Vendors often provide free patches on their web sites
• Should know how vendor supplies patches
• Automatically contact their web sites and install them or
• Automatic updates tell you when patches are available, you download them, and install them
Patching
• Boring but ...
– Make a list of the software on your computer
• Games, office, document readers, Adobe, media players
– Adobe, Database, Multi-media,
– Voip – Skype
– Security software
– Device Drivers
• What is their patching strategy?
• Websites? Auto-update?
Patch Management
• Patches are issued for good reasons
– Should test before deploying
• Can get an Automation Tool
– Monitoring/Alerting
– Data Collection/Archiving
• HfNetChk – weird name, great tool!
– Windows machines query it for up-to-date patches
http://majorgeeks.com/HFNetChk-FE_d1103.html
Harden OS
OS Hardening Defined
• What does it mean to Harden an Operating System?
Reconfiguring an OS to be more secure, stable and resistant to attacks.
• Examples:
– Removing unnecessary processes.
– Setting file permissions.
– Patching or updating software.
– Setting network access controls.
Linux Hardening
• Examine Linux System Features
– In Design
• Linux is more modular than Windows
• Multi-user design from beginning
– Main Challenge in cracking Linux
• Gain Root access !!!!
– Main Goal in Defense of Linux
• Make unauthorized root access impossible
Linux Hardening
• Setuid and Setgid
– Everything in Linux is a file
• Files have read, write and execute permissions
• One more permission is setuid (similar with setgid)
• Executable programs run with same privileges of file owner
• If owner is root ... gain root privileges
• Goal is to use buffer overrun or some other means of gaining a root shell session, attacker can do anything after that
Linux Programs Running Setuid
Examples of some SetUID programs
-rwsr-xr-x 1 root root 27256 2010-01-29 00:02 /bin/fusermount
-rwsr-xr-x 1 root root 78096 2009-10-23 09:58 /bin/mount
-rwsr-xr-x 1 root root 35600 2009-05-12 03:13 /bin/ping
-rwsr-xr-x 1 root root 31368 2009-05-12 03:13 /bin/ping6
-rwsr-xr-x 1 root root 36864 2009-07-31 19:29 /bin/su
-rwsr-xr-x 1 root root 56616 2009-10-23 09:58 /bin/umount
-rwsr-xr-x 1 root root 42856 2009-07-31 19:29 /usr/bin/passwd
-rwsr-xr-x 1 root root 14880 2009-10-16 17:13 /usr/bin/pkexec
-rwsr-xr-x 1 root root 852296 2009-05-23 06:01 /usr/bin/schroot
-rwsr-xr-x 1 root root 143656 2009-06-22 21:45 /usr/bin/sudo
Linux Hardening
• Example: chmod 4755 removemyfiles.sh
-rwsr-xr-x 1 ctaylor fac removemyfiles.sh
Assume removemyfiles.sh is a script:
#! /bin/bash
rm -rf /home/ctaylor/*.*
The -rws in the above permissions on the file says to run this program with the privileges of ctaylor
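An added Python check (not the lecture's own code) that audits a directory tree for setuid/setgid files against an allowlist built from the listing on the previous slide; the allowlist paths come from the slides, and the comment about interpreter scripts reflects Linux behaviour, which ignores the setuid bit on a #! script such as removemyfiles.sh.

```python
import os
import stat
from typing import Dict, Iterable, Iterator, List, Tuple

# Allowlist built from the lecture's own listing of setuid programs. A real
# baseline is recorded from a freshly installed system and kept off the box.
KNOWN_SETUID = {
    "/bin/fusermount", "/bin/mount", "/bin/ping", "/bin/ping6", "/bin/su",
    "/bin/umount", "/usr/bin/passwd", "/usr/bin/pkexec", "/usr/bin/schroot",
    "/usr/bin/sudo",
}

Entry = Tuple[str, int, bytes]  # (path, st_mode, first two bytes of the file)


def flags_from_ls_mode(mode: str) -> Tuple[bool, bool]:
    """Read (setuid, setgid) from a 10-character ls -l mode string such as
    '-rwsr-xr-x': 's'/'S' in the owner-execute slot (index 3) is setuid, in the
    group-execute slot (index 6) is setgid. Capital 'S' means the bit is set
    while the execute bit is not, itself a misconfiguration worth flagging."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string like -rwsr-xr-x")
    return mode[3] in "sS", mode[6] in "sS"


def classify(entries: Iterable[Entry],
             allowlist: Iterable[str] = KNOWN_SETUID) -> List[Dict[str, object]]:
    """Pure audit step: one finding per setuid/setgid regular file not on the allowlist."""
    allowed = set(allowlist)
    findings: List[Dict[str, object]] = []
    for path, st_mode, head in entries:
        if not stat.S_ISREG(st_mode):
            continue  # symlinks, directories and devices carry no usable setuid
        setuid = bool(st_mode & stat.S_ISUID)
        setgid = bool(st_mode & stat.S_ISGID)
        if not (setuid or setgid) or path in allowed:
            continue
        findings.append({
            "path": path,
            "setuid": setuid,
            "setgid": setgid,
            "mode": f"{stat.S_IMODE(st_mode):04o}",
            # The Linux kernel ignores setuid/setgid on '#!' interpreter scripts, so a
            # setuid script like removemyfiles.sh grants nothing but shows confused intent.
            "is_script": head == b"#!",
        })
    return findings


def walk_entries(root: str) -> Iterator[Entry]:
    """Walk root without following symlinks; read the first two bytes only of
    files that actually have a setuid/setgid bit, so the walk stays cheap."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                head = b""
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    with open(path, "rb") as f:
                        head = f.read(2)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the audit
            yield path, st.st_mode, head


def audit_tree(root: str, allowlist: Iterable[str] = KNOWN_SETUID) -> List[Dict[str, object]]:
    return classify(walk_entries(root), allowlist)


if __name__ == "__main__":
    for finding in audit_tree("/usr/bin"):
        print(finding)
```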
Linux Servers – Web, File, DB
• Limited use machines, user services not needed
• Don't install some software
– X - windows
– RPC Services
– R-Services, rlogin, rpc - ssh instead
– Inetd daemon
– SMTP daemons - enabled by default
– Telnet, ftp, pop3 and Imap
– Might want to disable LKM - Loadable Kernel Modules
Linux Security Checklist
http://www.sans.org/score/checklists/linuxchecklist.pdf
Can follow a security checklist from a security firm like SANS
Boot and Rescue Disk
System Patches
Disabling Unnecessary Services
Check for Security on Key Files
Default Password Policy
Other things … too
Hardening Utilities
http://bastille-linux.sourceforge.net/
• Bastille Linux
– Automated security program, Security wizard
• SUID restrictions
• SecureInetd
• DoS attack detection and prevention
• Automated firewall scripting
• User privileges
• Education
– You can try it against your computer ....
Windows Hardening
Overview
• Services
• Policies for different Account Types
• Software Restrictions
• Windows Firewall
• Data lock down
– Bit Locker
– EFS
Windows Vista and 7 Security Features
• Windows Service Hardening
– Most Windows exploits, install malware, result of flaws in Windows services
– Windows services changed as follows:
• Each service is given an SID number, Security ID
• Services run with a lower privilege level by default
• Unnecessary privileges for services have been removed
• Services are isolated and cannot interact with users
Windows Vista and 7 Security Features
• Windows Service Hardening
– There are still services that may come enabled by default and should be turned off
• Telnet
• IMAP
• NetBios
• SNMP
• TFTP
• SMTP
All these services run across the network, open ports and potentially allow access
Microsoft Services
One complete list for Windows 7
http://www.blackviper.com/service-configurations/black-vipers-windows-7-service-configurations/
User Accounts
Disable or remove non-user accounts
1) Start > search bar > lusrmgr.msc
2) Go to: Users
3) Disable or remove all Accounts that you do not use
Make sure to look up accounts you are unsure about
Verify the default administrator and guest accounts are disabled ... they should be by default with Windows 7.
Now establish another admin account and set your main account to a limited standard user.
The limited account should be used on a daily basis and the admin account only when you need to perform admin tasks
Account Policies
http://www.thewindowsclub.com/customizing-the-password-policy-in-windows-7
• Can set Local Policies for your system
• Password policy
– Controls password characteristics for local user accounts
– Available settings
• Enforce password history
• Maximum, Minimum password age
• Minimum, Maximum password length
• Complexity requirements
Account Policies
• Account lockout policy
– Prevents unauthorized access to Windows Vista and 7
– Can configure an account to be temporarily disabled after a number of incorrect log-on attempts
More Account Policies
Software Restriction Policies
AppLocker for Enterprise Windows
http://technet.microsoft.com/en-us/library/ee424367%28v=ws.10%29.aspx
• AppLocker new feature of Windows 7/8
– Defines which programs are allowed or disallowed in system
– Can control executables, scripts and DLL's
• Used in corporate environments
• Set default security level for applications
– Disallowed
– Basic User
– Unrestricted
Software Restriction Policies cont.
• Software not affected by software restriction policies
– Drivers or other kernel mode software
– Programs run by SYSTEM account
– Macros in Microsoft Office 2000 or Microsoft Office XP documents
– .NET programs that use runtime
Software Restriction Policies
• Software restriction configuration options
– Policies are evaluated each time an executable file is accessed
– Executable files are identified by file extension
• You can customize list of extensions
– Many Windows applications use DLL files when they are executing
– DLL files are considered a lower risk than executable files and are not evaluated by default
Data Security
• NTFS permissions
– Most basic level of data security in Windows Vista/7
– Stop logged-on users from accessing files and folders that they are not assigned read or write permission to
• Problem: Relatively easy to work around NTFS permissions!!!!
– When you have physical access to the computer
• To really secure data on desktop computers and laptops, encryption is required
Vista includes
– Encrypting File System (EFS) and
– BitLocker Drive Encryption
Encryption Algorithms
• Symmetric Encryption
– What is Symmetric Encryption?
– Same key used to encrypt data and decrypt data
– Symmetric encryption is strong and fast
• Good for encrypting large volumes of data such as files
– Used by both EFS and BitLocker Drive Encryption
– Biggest problem is securing the key
– Or Losing the Key !!!
One Key
MCTS Guide to Microsoft Windows Vista
Encrypting File System
• Encrypting File System (EFS)
– First included with Windows 2000 Professional
– Encrypts individual files and folders on a partition
– Suitable for protecting data files and folders on workstations and laptops
– Can also be used to encrypt files and folders on network servers
• File or folder must be located on an NTFS-formatted partition
BitLocker Drive Encryption
• BitLocker Drive Encryption
– Data encryption feature included with Windows Vista, only Windows 7 Ultimate or Enterprise
• An entire volume is encrypted when you use BitLocker Drive Encryption
– Also protects the operating system
• Designed for Trusted Platform Module (TPM)
– Part of your motherboard and used to store encryption keys and certificates
– Can also use a USB drive to store the keys
BitLocker Drive Encryption
Windows Firewall
Enable Windows Firewall
Make sure all inbound connections are automatically dropped
Firewall is enabled by default
If you do not need to share anything with other people and computers, you can safely choose to drop all inbound connections
No one can access anything on your computer from the network.
Possible to filter on outgoing traffic in Windows firewall as well
It can be a good idea to filter outgoing traffic and application access as well.
Why do you want to do this?
Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that helps determine the security state of your computer based on Microsoft security recommendations
After the tool completes a scan on your computer, you receive specific remediation suggestions
Finds weak passwords, unpatched software and other vulnerabilities
http://www.microsoft.com/en-us/download/details.aspx?id=7558
References
Linux security checklist
http://one.utsa.edu/sites/oit/OITConnect/security/Documents/linuxchecklist.pdf
Windows Security Primer – Nice Series
http://www.windowsecurity.com/articles-tutorials/misc_network_security/Windows-7-Security-Primer-Part1.html
Securing Windows for College and Standalone Use
http://www.ucs.cam.ac.uk/docs/leaflets/m511/m511#heading3
BitLocker Explained
http://crashctrl.com/2013/02/bitlockersecure-your-data/
Nice site for all versions Windows settings
http://www.blackviper.com/sitemap/
Summary
• Recovery, Prevention and Hardening
– Learn about restoring your computer and preventing problems before bad things happen
– Learn how to use some tools now, while your computer is still running
– Learn how to restore your system, learn how to patch and to keep updated on patches
– What else to do to Harden your system beyond the usual default configuration
– Backups not mentioned … should be backing up your computer
The End
• Moving on to Internet Security