
Page 1: Security for Broadcast IT Systems William Dixon, V6 Security, Inc. PBS ACE Security Lead April 14, 2005.

Security for Broadcast IT Systems

William Dixon, V6 Security, Inc.
PBS ACE Security Lead

April 14, 2005

Page 2

Agenda

> Changes in Broadcast IT environment
> Security Risk Assessment
> Threat Modeling
> Sources of Security Guidance
> Recommendations for Broadcast IT vendors
> Recommendations for PBS Stations
> Note: Content Microsoft focused, but generally applicable

Page 3

Changes in New Broadcast IT Environment

> Newer technology offers more functionality for same or less cost
> Digital media, electronic files
> Using general purpose computers
> Client-server models for computing
> Software-based integration of systems
> TCP/IP network component communication
> Internet connected
> Lights-out remote management & operation
> Still use physical security for facility and equipment
> Still trust your people

Page 4

Microsoft Recommended Practice for Security Risk Assessment

> Microsoft Security Risk Management Process – 15oct04
  > http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
> New MS Press Book: Threat Modeling
  http://www.microsoft.com/mspress/books/6892.asp
> Threat Modeling for Developers
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp

Page 5

Microsoft Recommended Practice: Threat Modeling

> Analyze and document architecture
  > Objects: Assets, Applications, Data, People
  > Document Security Profile
  > Trust boundaries
  > Data Flow & communications
  > Entry points
  > Privileged operations

Page 6

Document Security Profile

> Input Validation
> Authentication
> Authorization
> Configuration Management
> Sensitive Data
> Session Management
> Cryptography
> Parameter manipulation
> Exception management
> Auditing and Logging

Page 7

Microsoft Recommended Practice: Threat Modeling

> Identify & rank threats with S.T.R.I.D.E.(S) analysis
  > Spoofing
  > Tampering
  > Repudiation
  > Information Disclosure
  > Denial of Service
  > Elevation of Privilege
  > (S)ocial Engineering
  > Example: Denial of Service possible due to blank admin passwords

Page 8

Microsoft Recommended Practice: Threat Modeling

> Use attack trees to identify how top level attack goal is composed of more detailed goals
> Use attack patterns to help identify techniques for detailed goals

Page 9

Attack Tree Example

5.3. Gain privileged access to ACME Web server
AND 1. Identify ACME domain name
    2. Identify ACME firewall IP address
       OR 1. Interrogate domain name server
          2. Scan for firewall identification
          3. Trace route through firewall to Web server
    3. Determine ACME firewall access control (* see attack pattern)
       OR 1. Search for specific default listening ports
          2. Scan ports broadly for any listening port
    4. Identify ACME Web server operating system and type
       OR 1. Scan OS services’ banners for OS identification
          2. Probe TCP/IP stack for OS characteristic information
    5. Exploit ACME Web server vulnerabilities
       OR 1. Access sensitive shared intranet resources directly
          2. Access sensitive data from privileged account

> Source: Moore et al. http://www.cert.org/archive/pdf/01tn001.pdf
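
The AND/OR structure of the ACME tree can be evaluated mechanically to see which mitigations actually break the top-level goal. The following is an added example, not part of the original slides or of Moore et al.; the function names and the choice of which step counts as unpreventable are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    op: str = "LEAF"                      # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)

# The slide's ACME tree, transcribed node for node.
ACME_TREE = Node("Gain privileged access to ACME Web server", "AND", [
    Node("Identify ACME domain name"),
    Node("Identify ACME firewall IP address", "OR", [
        Node("Interrogate domain name server"),
        Node("Scan for firewall identification"),
        Node("Trace route through firewall to Web server")]),
    Node("Determine ACME firewall access control", "OR", [
        Node("Search for specific default listening ports"),
        Node("Scan ports broadly for any listening port")]),
    Node("Identify ACME Web server operating system and type", "OR", [
        Node("Scan OS services' banners for OS identification"),
        Node("Probe TCP/IP stack for OS characteristic information")]),
    Node("Exploit ACME Web server vulnerabilities", "OR", [
        Node("Access sensitive shared intranet resources directly"),
        Node("Access sensitive data from privileged account")]),
])

def achievable(node, blocked):
    """True if the goal is still reachable once the leaves in `blocked` are mitigated."""
    if node.op == "LEAF":
        return node.name not in blocked
    results = [achievable(child, blocked) for child in node.children]
    return all(results) if node.op == "AND" else any(results)

def scenarios(node):
    """Every distinct list of leaf steps that satisfies the goal."""
    if node.op == "LEAF":
        return [[node.name]]
    per_child = [scenarios(child) for child in node.children]
    if node.op == "OR":                   # any one alternative is enough
        return [s for alternatives in per_child for s in alternatives]
    combined = [[]]                       # AND: one choice from every child
    for alternatives in per_child:
        combined = [a + b for a in combined for b in alternatives]
    return combined

def smallest_cut(node, unpreventable=frozenset()):
    """Fewest leaves to mitigate so the goal fails, or None if it cannot be cut.
    Exact only when no leaf appears under two branches, as in this tree."""
    if node.op == "LEAF":
        return None if node.name in unpreventable else {node.name}
    cuts = [smallest_cut(child, unpreventable) for child in node.children]
    if node.op == "AND":                  # breaking one child breaks the AND
        viable = [c for c in cuts if c is not None]
        return min(viable, key=len) if viable else None
    if any(c is None for c in cuts):      # OR: every alternative must be broken
        return None
    return set().union(*cuts)

if __name__ == "__main__":
    # Assumption: the defender cannot stop anyone learning the public domain name.
    cut = smallest_cut(ACME_TREE, {"Identify ACME domain name"})
    print(len(scenarios(ACME_TREE)), "scenarios; smallest cut:", sorted(cut))
    print("goal reachable after cut:", achievable(ACME_TREE, cut))
```

Mitigating a single alternative under an OR node leaves the goal reachable; only closing every alternative of one AND child breaks the tree.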

Page 10

Attack Pattern Example

Goal: Identify firewall access controls
Precondition: Attacker knows firewall IP address
Attack Techniques:
OR 1. Search for specific default listening ports
   2. Scan ports broadly for any listening ports
   3. Scan ports stealthily for listening ports
      OR 1. Randomize target of scan
         2. Randomize source of scan
         3. Scan without touching target host
Postcondition: Attacker knows firewall access controls

Source: Moore et al. http://www.cert.org/archive/pdf/01tn001.pdf

Page 11

Attack Pattern Example

Attack goals: Command or code execution
Required conditions:
  Weak input validation
  Code from the attacker has sufficient privileges on the server
Attack techniques:
  1. Identify program on target system with an input validation vulnerability
  2. Create code to inject and run using the security context of the target application.
  3. Construct input value to insert code into the address space of the target application and force a stack corruption that causes application execution to jump to the injected code.
Attack results: Code from the attacker runs and performs malicious action

Source: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp

Page 12

Microsoft Recommended Practice: Threat Modeling

> Evaluate Risk with D.R.E.A.D.
  > Damage Potential ($$ cost estimate)
  > Reproducibility (% probability as 1-10)
  > Exploitability (% probability as 1-10)
  > Affected Users (% users as 1-10)
  > Discoverability (% probability 1-10)
  > Rank Risks = Probability * Damage Potential
  > Risk Rating scheme: High, Medium, Low

Page 13

Document Threats

> Threat Description
  > Attacker obtains authentication credentials by monitoring the network
> Threat target
  > Web application user authentication process
> Risk rating
  > High (based on DREAD ranking)
> Attack techniques
  > Use of commonly available network monitoring software
> Countermeasures
  > Use SSL, IPsec end-to-end, or VPN to provide stronger authentication, or encrypted channel through which weaker authentication methods are used (e.g. HTTP Basic, Digest)

Page 14

Conduct Decision Support

> Define Functional Requirements
> Identify Control Solutions
> Review Solution Against Requirements
> Estimate Risk Reduction
> Estimate Solution Cost
> Select Risk Mitigation Strategy
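
The D.R.E.A.D. ranking and the decision support steps (estimate risk reduction, estimate solution cost, select) fit together as one calculation. The following is an added example, not from the original slides: the slides give only "Rank Risks = Probability * Damage Potential", so the way the 1-10 ratings combine into a probability, the High/Medium/Low thresholds, and every dollar figure and rating below are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    description: str
    damage_usd: int          # Damage Potential, $ estimate
    reproducibility: int     # each rating is 1-10, as on the slide
    exploitability: int
    affected_users: int
    discoverability: int

def risk(t):
    """$ exposure = Probability * Damage Potential.
    Assumed mapping: probability is the mean of R, E and D over 10, and
    damage is scaled by the share of users affected (A over 10)."""
    ratings = (t.reproducibility, t.exploitability, t.affected_users, t.discoverability)
    if any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("DREAD ratings must be between 1 and 10")
    likelihood = t.reproducibility + t.exploitability + t.discoverability  # out of 30
    return t.damage_usd * t.affected_users * likelihood / 300

def rating(value, high=100_000, medium=10_000):
    """Assumed thresholds for the High / Medium / Low scheme."""
    return "High" if value >= high else "Medium" if value >= medium else "Low"

def ranked(threats):
    """Threats ordered from highest to lowest risk."""
    return sorted(threats, key=risk, reverse=True)

def decide(threat, control_cost, **residual_ratings):
    """Decision support: compare the risk reduction a control buys with its cost."""
    after = replace(threat, **residual_ratings)
    reduction = risk(threat) - risk(after)
    return {"before": rating(risk(threat)), "after": rating(risk(after)),
            "risk_reduction": reduction, "net_benefit": reduction - control_cost,
            "select": reduction > control_cost}

# Constructed ratings for two threats the slides mention.
SNIFFED_CREDENTIALS = Threat(
    "Attacker obtains authentication credentials by monitoring the network",
    300_000, 9, 9, 10, 9)
BLANK_ADMIN_PASSWORD = Threat(
    "Denial of Service possible due to blank admin passwords",
    50_000, 10, 10, 5, 6)

if __name__ == "__main__":
    for t in ranked([BLANK_ADMIN_PASSWORD, SNIFFED_CREDENTIALS]):
        print(f"{rating(risk(t)):6} ${risk(t):>10,.0f}  {t.description}")
    # Encrypted channel (SSL, IPsec or VPN): constructed cost and residual ratings.
    print(decide(SNIFFED_CREDENTIALS, 20_000,
                 reproducibility=3, exploitability=2, discoverability=4))
```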

Page 15

Free Microsoft Security Training

> https://www.microsoftelearning.com/security/
> Free Security Courses - Updates for XP SP2 and Win2k3 SP1 soon.
> Login w/.NET Passport ID, provide email address
> Click on link provided in email
> 180-day subscription activated
> Clinic 2801: Microsoft® Security Guidance Training I
> Clinic 2802: Microsoft® Security Guidance Training II
> Clinic 2806: Microsoft® Security Guidance Training for Developers
> Hands-On Lab 2811: Applying Microsoft® Security Guidance Training
> Choose Content tab. Watch each section, or download offline player and course for offline viewing

Page 16

Microsoft Security Guidance

> Microsoft.com/security - guidance for Home, Small Business, IT Pro, Developer
> Technet Security Centers for many products
  http://www.microsoft.com/technet/Security/prodtech/default.mspx
> Microsoft Security Guides for Win2k, XP and Server 2003
  > Expect problems if applying “high security” templates
  > Enterprise client template should not cause too many problems
  > Threats and Countermeasures Guide
  > Details on threats and each security setting

Page 17

Microsoft Security Guidance

> KB 885409 “Security configuration guidance support” - 9nov04
  > Discusses problems with particular settings that break applications or Windows services
  > If you use 3rd party templates, contact them for support
> KB 891597 “How to apply more restrictive security settings on a Windows Server 2003-based cluster server” – 18feb05
  > Provides discussion & new security template tested for clusters

Page 18

FCC Security Guidance

> FCC Media Security And Reliability Council
> http://www.mediasecurity.org/msrcmeetings/index.html
> Note: Communications Infrastructure Security, Access and Restoration Committee
> Best Practice Recommendations
> FCC Network Reliability and Interop Council
> http://www.nric.org/fg/index.html
> Note: Homeland Security Cybersecurity focus group
> Best Practice Recommendations

Page 19

IT Best Practices: NIST

> US Government Natl Institute of Standards & Technology (NIST)
  > Cybersecurity R&D Act directed NIST to develop checklists and Security Technical Implementation Guides (STIG)
  > Operates Computer Security Resource Center (CSRC) http://csrc.nist.gov/itsec/
> NOTE: Windows XP Security Guide 800-68 published Jun04
  > Important because it is a collaboration of NIST, Microsoft, CIS, DISA and NSA

Page 20

Recent NIST CSRC Guides: DISA

> Application Security Checklist DISA 2/17/05
> Desktop Application STIG DISA 2/14/05
> Desktop Application Security Checklist v1r1.7 DISA 2/17/05
> Macintosh OS-X STIG v1r1 DISA 11/24/04
> UNIX Security Checklist DISA 2/17/05
> Web Server Security Checklist Version 4, Release 1.4 DISA 2/17/05
> Windows 2000 Security Checklist DISA 2/17/05
> Windows NT Security Checklist DISA 2/17/05
> Windows XP Security Checklist DISA 2/17/05
> Windows 2003 Addendum Version 4, Release 0.0 DISA 2/17/05

Page 21

IT Best Practices: NSA

> OS Security guides for Windows 2000, Windows XP
> None for Windows Server 2003 – Use Microsoft’s

“The "High" security settings in Microsoft's "Windows Server 2003 Security Guide" track closely with the security level historically represented in the NSA guidelines. It is our belief that this guide establishes the latest best practices for securing the product and recommend that traditional customers of our security recommendations use the Microsoft guide when securing Windows Server 2003”

> Microsoft .NET Framework Security Guide (Oct 04)
> Microsoft Office XP/2003 Executable Content Security Risks and Countermeasures Guide (Oct 04)
> Apple Mac OS Security Configuration Guide
> Linux Security Configuration Guide
> Solaris Security Configuration Guide
> Online at: http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1

Page 22

Call to Action for Broadcast IT Vendors

> Use current, commercially supported platforms
  > Red Hat Enterprise Linux 3.0
  > Windows XP Pro or Embedded version
  > Windows Server 2003 or Embedded version
> Plan on testing patch updates within 7 days of patch availability
> Plan to test on beta or release candidates of service packs
> Write applications as a background process/service, not a user application

Page 23

Call to Action for Broadcast IT Vendors

> Review & improve security of products
> Analyze security – attack surface, threat model for your product
> Document security profile for customers
> Practice secure design & implementation
> Writing Secure Code 2nd Edition, Michael Howard, David LeBlanc
> Require authentication for all network access
> Strong protection for passwords in network traffic
> Evaluate/adopt a baseline security for standard product release
> Apply OS hardening, minimize services
> Use system security vulnerability assessment tools (e.g. MBSA)
> Use secure remote administration connections
> Admin level access protected to higher degree
> Every packet signed & encrypted
> 2-factor auth capable protocols where possible
> Use SSL/TLS, SSH, PPTP/L2TP/IPsec VPN, Windows Terminal Services
> Change embedded passwords during installation/setup, at least per site

Page 24

Call to Action for PBS Member Stations

> Understand that internal systems might be infected via TCP/IP network connections
> Must secure internal, external clients and servers
> Secure external communications
> IPsec or VPN tunnel for all access into secure area
> Use strong passwords!
> Protect passwords from theft!
> Prevent laptops from directly connecting inside secure area
> Very careful & trained configuration and change control of core security devices (e.g. firewall, VPN server)
> Request security information from vendors
> Try Microsoft Security Risk Management Process
> Designate someone to learn security administration
> Train users & operators for security awareness

Page 25

Backup & Details

Page 26

Windows Client Security Summary

> Member of an Active Directory domain - for better management through Group Policy
> User not administrator if possible, uses strong password
> Automatic updates enabled - either through Windows Update, Update Services or Systems Management Server (SMS)
> Anti-virus - set for autoupdate of definitions daily and periodic full scans
> Anti-spyware - set for autoupdate of definitions and periodic full scans
> Windows Firewall on - exceptions disabled by default
> Enterprise client security template applied for hardening (update with new XP SP2 settings)
> Additional settings & administrative template settings should be developed
> Software restriction policies should be configured
> NTFS and Encrypting File System used to protect confidential data after theft
> Centralized monitoring with MACS, MOM, SMS, Systems Center or 3rd party
> System backup - Automatic System Restore enabled in XP, full disk remote backup, remote backups daily for user data
> Domain startup script run to check status of these daily or weekly
> http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

Page 27

Additional Microsoft Security Help

> Technet IT Pro Security Community Page
  > http://www.microsoft.com/technet/community/en-us/security/default.mspx
  > Lots of news groups
> MS IT Security Papers
  > http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA
> PSS Support Webcasts
  > TCP/IP port and process auditing: Tuesday, December 14, 2004
  > TechNet Support WebCast: How to isolate servers and applications, March 22 2005 10am Pacific
  > See http://support.microsoft.com/pwebcasts

Page 28

Windows Server SP1 Released

> Top reasons to use SP1:
  > Reduced attack surface – higher default security for RPCs and DCOM
  > New Security Configuration Wizard (SCW) - whitepapers coming soon
  > More secure new installations by Post-Setup Security Update to block incoming traffic while and until latest patches are installed
  > Windows Firewall replaces Internet Connection Firewall
  > Group policy for Windows Firewall added in Active Directory
  > RRAS VPN Server Quarantine capabilities, see http://www.microsoft.com/vpn
  > IIS 6.0 auditing for XML configuration metabase
  > Additional IE hardening
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/default.mspx

Page 29

Technet webcast for Security Configuration Wizard available

> “Join this session as we walk you through the Wizard end-to-end, focusing on role-based server configuration, security configuration template design and development, and security configuration deployment. We will demonstrate the technologies as well as go in depth on customization of SCW and how to customize the database to support non-Microsoft applications”

> http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032268013&EventCategory=5&culture=en-US&CountryCode=US

Page 30

Active Directory Security Links

> AD Security Center:
  > http://www.microsoft.com/technet/security/prodtech/ActiveDirectory.mspx
> Best Practice Guides for Securing Active Directory
  > Windows Server 2003 Best Practice Guide for Securing Windows Server Active Directory Installations http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx (Jan 8 2004)
  > Windows 2000 Best Practice Guide for Securing Active Directory Installations and Day-to-Day Operations http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/default.mspx (Feb 28 2004)
> Securing DNS Zone transfers in Windows Server 2003
  > http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbd_dns_wzwd.asp
> Active Directory in Segmented Networks
  > http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
  > Provides detail for how to use IPsec to secure all traffic between AD servers
> TCP/IP Exploits and Countermeasures
  > http://www.microsoft.com/technet/security/prodtech/windows2000/secmod150.mspx

Page 31

Windows tools for investigating problems with hardening

> Full System Backup with ASR Diskette/CD
> Many changes cannot be undone by SCE or SCW rollback, such as registry and file ACLs
> System Restore – could try checkpoint prior to hardening. Not sure if it can undo everything…
> Backup Windows event logs to baseline behaviors prior to hardening. Make logs bigger.
> Network Sniffers
  > Windows Netmon – light version in Win2k or Win2k3 as optional install networking component. Full version in Systems Management Server
  > Ethereal – open source http://www.ethereal.com/
> Dependency Walker (depends.exe, XP or Win2k3 Resource Kit)
> Portqry.exe v2.0 – port scanning tool - see KB 832919
> Port Reporter – installs as service to monitor app port usage - see KB 837243
> If Windows Firewall or IPsec filters are blocking UDP ports, watch out for false “port open” messages from remote port scanning tools. Some scan tools expect ICMP destination port unreachable packet in response. Sniff to confirm what tool reports
> Group Policy Resultant Set of Policy (RSoP) MMC snapin – shows where setting is being defined
> Set auditing for failure on registry keys – look for errors in Security Log
> Tlist.exe – process viewer (DDK debugging tools)
> File Monitor (sysinternals.com)
> Registry Monitor (sysinternals.com)
> Process Explorer (sysinternals.com)

Page 32

Developer References

> “Creating a simple Win32 service in C++”
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndllpro/html/msdn_ntservic.asp
> MSDN “About Services” development help
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/about_services.asp
> “Example of installing an application as a service”
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/exchserv/html/example_0001.asp
> Microsoft Security Risk Management Process – 15oct04
  > http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
> New MS Press Book: Threat Modeling
  > http://www.microsoft.com/mspress/books/6892.asp
> Threat Modeling for Developers
  > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp