If a server screams in a forest DMZ! How machine hardening ... Kennefick - Machine Hardening -...
23
If a server screams in a forest DMZ! How machine hardening can made the difference.
Transcript of If a server screams in a forest DMZ! How machine hardening ... Kennefick - Machine Hardening -...
IfaserverscreamsinaforestDMZ!
Howmachinehardeningcanmadethedifference.
Contents
• WhoamI?• WhatdoIdo?
• Whatismachinehardening?Canithelp?
• VulnerabiliBesonthehostlayer• CanIbackthisupwithstats?• Tools,resources
WhoamI–DavidKennefickPresentConsultantwithedgescan™www.edgescan.com
PastCurrent–full-stackpentesBng,GRC&integraBonforclientsBank–workedinabankdoingAMLstuffStudent–DesignedtoolsfordyslexicstudentsSomethingsomethingagile….
OWASPMember
Fullstacksecurity&ApplicaBondeveloper:4.5Years
Reasonsforhardening
• Increasingsecurity• Increaseperformance• Decreasethelikelihoodofmachinebeingexploited.
• Passsecurityaudits
• Byhardeningwearesimplyreducingthescopefora\ackbydecreasingthepotenBala\ackpoints.
Vulnerabili4esonthehostlayer
• Likelihoodofavulnerabilityonthehostlayeranditscause.
*Statsfromtheedgescan2015Vulnerabilitystatsreport–November2015
Whatarewehardening?Isitimportant
• OS• Network• ApplicaBons• Whatelse?– Wordpress– drupal
OSHardening
• Aim– Systemisconfiguredtolimitthepossibilityofeitherinternalorexternala\ack.
• How– WhilethemethodsforhardeningvaryfromoneoperaBngsystemtoanothertheconceptsinvolvedarelargelysimilarregardlessofwhetherWindows,UNIX,Linux,MacOSXoranyothersystemisbeingbaselined.
• DisableNon-essen4alservices– ShouldprodhaveSSHenabled?– Shouldamailserverhavethedefault80+443open?
• UpdatevendorsuppliedPatchesandFixes(SecurityUpdates)
• PasswordManagement– Expiringpasswordsonnon-machineaccounts.
– Enforcingtheregularchangingofpasswords– Disablingofuseraccountsaherrepeatedfailedlogina\empts,audit
policiesenabled
• Removeunnecessaryaccounts– Guest,unusedandunnecessaryuseraccounts– WhenemployeesleaveanorganizaBon
• FileandDirectoryProtec4on–ThroughtheuseofAccessControlLists(ACLs)andfilepermissions.
• Usergroupsandassocia4ons– Ausershouldn’thavepermissionstheydon’tneed.– Backupusers,performancelogusers,admin,authenBcatedusers
• FileandFileSystemEncryp4on–– AlldiskparBBonsareforma\edwithafilesystemtypewithencrypBonfeatures(NTFSinthecaseofWindows)
• EnableLogging-OperaBngsystemisconfiguredtologallacBvity,errorsandwarnings.
• FileSharing-Disableanyunnecessaryfilesharing,limitSMBsharing.Disableplaintextandanonymouslogin.
NetworkHardening
• Upda4ngSoNwareandHardware– Thisneverstops.– Allnetworkingsohwaretogetherwiththefirmwareinroutersareupdated
withthelatestvendorsuppliedpatchesandfixes.Thisshouldbedonefromthefirstuse.
• PasswordProtec4on– Routersandwirelessshouldbeprotectedwithstrongpasswordsusingat
leastWPA2-PSK(AES).Mostwirelessshouldbedisabledorremovedifpossible.
• DisableandremoveunnecessaryProtocolsandServices–– Forexample,onmostserversusingSSLv2issBllpossible.Allversionsof
SSL/TLSshouldbedisabledexceptforTLSv1.2– ThiswillbeaPCIrequirementfromJune2016.
• Ports– Unnecessaryportsblockedbyafirewallandassociatedservices
disabledonanyhostswithinthenetwork,Someportsworthopening,3389and5405,5421.
– Forexample,anetworkinwhichnoneofthehostsactsasawebserverdoesnotneedtoallowtrafficforport80or443topassthroughthefirewall
• RestrictedNetworkAccess– Thereshouldbeafirewallbetweenthenetworkandtheinternet.In
thecaseoflargeorganisationstheremaybeLAN,DMZandinnerDMZ,sotheremaybemanylayersoffirewalls.
– OtheropBonsincludetheuseofNetworkAddressTranslaBon(NAT)andaccesscontrollists(ACLs).
– AuthorizedremoteaccessshouldbeenabledthroughtheuseofsecuretunnelsandvirtualprivatenetworkswithaformofMFAinuse.
Applica4onHardening
• AllapplicaBonsandservicesinstalledonnetworkbasedhostsystemsmustbeincludedinthesecurityhardeningprocesstoensurethattheydonotprovideaweaklinkinthesecuritydefenses.– Wealwayshearofbackdoors,ifyoudon’ttrustit,removeit.
• AnumberofcommonoperaBngsystembasedservicesareinstalledbydefaultandneedtobereviewed.– SMBsharing– FTP– Junipernetworks/ForBnet
WebServers
• Fornon-publicsitesauthenBcaBonmethodsshouldbeputinplaceandforsitesthatareonlytobeaccessiblebyinternalusers.
• Intranet/LAN/DNZapproachshouldbeusedsothatexternalaccessispreventedbyafirewall
• EncrypBonshouldbeuBlised• WebserverlogsshouldbereviewedrouBnelyforsuspiciousacBvity.Anya\emptstoaccessunusualURLsonthewebservertypicallyindicateana\empttoexploitproblemsinoutdatedorUnpatchedwebservers.
• Latestvendorsuppliedpatches;WordPress,PHPetc.
MailServers
• UnneededconfiguraBonopBonsofthemailserversohwarearedisabled
• Allthelatestvendorsuppliedupdatesareapplied
• RelayprevenBonopBonsshouldbeacBvated• AuthenBcaBonmustbeusedtoensurethatonlyauthorisedusersareabletosendandreceiveemailmessages
• Openrelaysaredangerous.
FTPServers
• ThepurposeoftheFileTransferProtocol(FTP)istoallowfilestobedownloadedfromanduploadedtoremoteservers.
• AnonymousFTP– WewouldrecommendallanonymousacBvityberemovedor
restricted.
• AuthenBcatedFTP– InthecaseofauthenBcatedFTPitisessenBalthatSFTP(Secure)be
usedsothatloginandpasswordcredenBalsareencrypted,ratherthantransmi\edinplaintext.
Vulnerable
• HaveyouperformedthepropersecurityhardeningacrosstheenBreapplicaBonstack?
– Doyouhaveaprocessforkeepingallyoursohwareuptodate?ThisincludestheOS,Web/AppServer,DBMS,applicaBons,andallcodelibraries.
– Iseverythingunnecessarydisabled,removed,ornotinstalled(e.g.ports,services,pages,accounts,privileges)?
– Aredefaultaccountpasswordschangedordisabled?– Isyourerrorhandlingsetuptopreventstacktracesandotheroverly
informaBveerrormessagesfromleaking?– Arethesecuritysetngsinyourdevelopmentframeworks(e.g.,Struts,
Spring,ASP.NET)andlibrariesunderstoodandconfiguredproperly?
Hardeningtools/guides
• MBSA2.3– h\ps://www.microsoh.com/en-IE/download/details.aspx?id=7558
• Spacewalk– h\p://spacewalk.redhat.com/
• CIS(mapping)– h\ps://www.cisecurity.org/
• NIST– h\p://www.nist.gov/
• SecurityMonkey– h\ps://github.com/Newlix/security_monkey
MBSA2.3
• Microsohbaselinesecurityanalyser.– Securitypatches– SecuritymisconfiguraBons– Supportsanythingnewerthan2000
• ExportsniceXMLdocumentwhichallowsforintegraBonintoGRCtools
• Freetechnologythatcanberunoffline
Spacewalk
• Managedupdatestokeepmachinesintopshape.
• AllowingyoutocacheupdatesfordistribuBontodifferentlocaBonsbasedonwhateverparametersorganisaBonshave.
• TechnologyRedHatssatelliteisbuilton.• Communitydrivenandtested,whichmayormaynotbeimportanttoyou.
CIS&NIST
• CenterforInternetSecurity.– PrioriBsedsetofcyberpracBces.– ConfiguraBondetailsforeachdevice.
• NaBonalInsBtuteforStandardsandTechnology.– Cybersecurityframework.– Notaregulatoryagency,moreofaguidelineagency
– Massiveamountoffreeresources.
Securitymonkey
• NewlixtechnologytomonitorpolicychangesonAWSinfrastructure.
• AlertsuserswhenanAWSaccounthasanunexplainedprivilegeoroneitmaynotneedviaajusBficaBonsystem.
• Changetrackingforallinfrastructure.• Veryeasytosetup,possibletoauditwholeAWSinfrastructureofanSMEinoneahernoon.
Conclusion
• Full-StackPatching!– Updatesandpatching
• Hardening,getapro• Findflawsbeforetheyareexploited• Treatnetworkslikeyouhavetheenemyinsidealready.
• Treatappsliketherearepeopleouttoexploitthem.MakesuretesBngishappeningindev,pre-prodandprod.
www.edgescan.com
© BCC Risk Advisory Ltd 2016.
Thanks
[email protected]@davidkennefick
edgescan™2015VulnerabilityStatsReport:
h\ps://www.edgescan.com/assets/docs/reports/2015-edgescan-Stats-Report-(2015)-v5.pdf
