cis 3500 1rowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter12.pdf · 9 implementing secure...
TRANSCRIPT
.
CIS 3500 1
Secure Systems Design and Deployment
Chapter #12:
Architecture and Design
Chapter Objectives
n Learn to implement secure systems design for a given
scenario
n Understand the importance of secure staging development
concepts
Implementing Secure Protocols2
System Design
n System design has a great effect on the security
n Errors in system design are very difficult to correct later,
and almost impossible once a system is in production
n Design phase of a project will go a long way in establishing
a system that can be secured using security controls
Implementing Secure Protocols3
Hardware
n Hardware – servers, workstations, and mobile devices can
represent a weakness or vulnerability in security
n You can easily replace hardware if it is lost or stolen, you
can’t retrieve the information from the lost or stolen hardware
n Safeguard against complete loss of data through backups, but
this does little in the way of protecting it from disclosure
n You can implement encryption but these measures also have
drawbacks in scalability and key distribution
Implementing Secure Protocols4
.
CIS 3500 2
Firmware Security
n Firmware is a source of program code for the system
n Most systems will trust the firmware of a trusted system
n Monitoring and managing firmware security is a time-
intensive task because there are only a few tools to do that
n This makes physical security of the system and its
peripheral hardware important
Implementing Secure Protocols5
FDE/SED
n Full disk encryption (FDE) and self-encrypting disks (SEDs)
implement cryptographic protection on hard disk drives
n Portable machines, such as laptops, have a physical
security weakness in that they are relatively easy to steal
n Use of modern cryptography, coupled with hardware
protection, makes this vector of attack much more difficult
n Encrypting the entire hard disk drive can provide good
protection
Implementing Secure Protocols6
TPM
n The Trusted Platform Module (TPM) is a hardware solution
that assists with key generation
n When the encryption keys are stored in the TPM, they are
not accessible via normal software channels and are
separated from the hard drive or other data locations
n This makes the TPM a more secure solution than storing the
keys on the machine’s normal storage
Implementing Secure Protocols7
HSM
n A hardware security module (HSM) is a device used to
manage or store encryption keys
n It can also assist with encryption, hashing, or the
application of digital signatures
n They are peripheral devices, connected via USB or a
network connection
n HSMs have tamper protection mechanisms to prevent
physical access to the secrets they protect
Implementing Secure Protocols8
.
CIS 3500 3
BIOS
n Basic Input/Output System (BIOS) is the firmware that a
computer uses between the actual hardware and the OS
n BIOS is typically stored on nonvolatile flash memory
n The purpose is to initialize and test the interfaces to any actual
hardware in a system
n Once the system is running, the BIOS functions to translate
low-level access to the CPU, memory, and hardware
n This facilitates multiple hardware manufacturers and differing
configurations against a single OS installImplementing Secure Protocols9
UEFI
n Unified Extensible Firmware Interface (UEFI) is the current
replacement for BIOS
n UEFI has more security designed into it, including
provisions for secure booting
n From a system design aspect, UEFI offers advantages in
newer hardware support, and from a security point of view,
secure boot has some specific advantages
n All new systems are UEFI based
Implementing Secure Protocols10
Secure Boot and Attestation
n An OS has myriad drivers and other add-ons that hook into it and
provide specific added functionality
n These additional programs need to be vetted before installation; this
pathway can provide a means for attacks
n Attacks can occur at boot time, at a level below antivirus software, so
they can be very difficult to detect and defeat
n Secure Boot is a mode that only allows signed drivers and OS loaders
to be invoked –needs to be enabled
n Secure Boot enables the attestation that the drivers and OS loaders
have not changed since they were approvedImplementing Secure Protocols11
Supply Chain
n Hardware and firmware security is ultimately dependent
upon the manufacturer - safe and identified supply chain
n Can be very tricky, because even when purchasing
equipment from a highly trusted vendor, you don’t know
where they got the components
n You may have very strict rules concerning country of origin
Implementing Secure Protocols12
.
CIS 3500 4
Hardware Root of Trust
n A hardware root of trust is a concept that if one has a trusted source
of specific security functions, this layer can be used to promote
security to higher layers of a system
n Roots of trust are inherently trusted, they must be secure by design
n Many roots of trust are implemented in hardware that is isolated from
the OS and the rest of the system
n TPM chips in computers and Apple’s Secure Enclave coprocessor in its
iPhones and iPads
n Apple also uses a signed Boot ROM mechanism for all software
loadingImplementing Secure Protocols13
EMI/EMP
n Electromagnetic interference (EMI) is an electrical disturbance
that affects an electrical circuit
n An electromagnetic pulse (EMP) is a burst in an electronic
device as a result of a current pulse from electromagnetic
radiation
n It can produce damaging current and voltage surges in today’s
sensitive electronics
n Source can be equipment on the same circuit, solar flares, and
nuclear bursts high in the atmosphereImplementing Secure Protocols14
Operating Systems
n Operating systems are complex programs
n Mechanism to connect to other programs and hardware
resources
n Determining the correct settings and implementing them
correctly is an important step in securing a host system
Implementing Secure Protocols15
Types
n Many different systems have an operating system
n Network devices, servers and workstations, kiosks and
appliances
Implementing Secure Protocols16
.
CIS 3500 5
Network Devices
n Network operating system to provide configuration and
computation portion of networking
n Cisco has the largest footprint with its IOS
n Other vendors such as Juniper have Junos, which is built off
of a stripped Linux core
n Software-defined networking (SDN) will become more
important and mainstream because it will become a major
part of day-to-day operations
Implementing Secure Protocols17
Server OS
n Server operating systems bridge the gap between the
server hardware and the applications
n Microsoft Windows Server, many flavors of Linux, and an
ever-increasing number of virtual machine/hypervisor
environments
n Windows Server with its Active Directory technology and
built-in Hyper-V capability has assumed a commanding lead
in market share
Implementing Secure Protocols18
Workstations
n The workstation OS exists to provide a functional working
space, typically a graphical interface
n Windows, Mac OS X, Linux versions
Implementing Secure Protocols19
Appliance
n Appliances are stand-alone devices, wired into the network
and designed to perform a specific function on
n For reasons of economics, portability, and functionality, the
vast majority of appliances OSs are built using a Linux-
based OS
n These are customized distributions - patching becomes a
vendor problem
n Enterprise class intrusion detection, loss prevention, backup
Implementing Secure Protocols20
.
CIS 3500 6
Kiosk
n Kiosks are stand-alone machines, typically operating a
browser instance on top of a Windows OS
n Locked to a website that allows all of the functionality
desired
n Interactive information sites, menus, and so on
n The OS on a kiosk needs to be locked down to minimal
functionality so that users can’t make any configuration
changes
Implementing Secure Protocols21
Mobile OS
n Mobile Oss: Apple’s iOS and Google’s Android OS
n Optimized device capability and desired set of functionality
n Internet and functionality spread to mobile devices
n Smartphones to tablets, today’s mobile system is a
computer
Implementing Secure Protocols22
Patch Management
n Every OS requires software updates
n Through downloads from web sites or built-in utilities
n Hotfix - small software update designed to address a
specific problem
n Patch - more formal, larger software update that can
address several or many software problems, enhancements
n Service pack - large collection of patches and hotfixes rolled
into a single, rather large package
Implementing Secure Protocols23
Disabling Unnecessary Ports and Services
n Identify the specific needs of a system for its proper
operation and only enable items that are necessary
n Disabling unnecessary ports and services prevents their use
by unauthorized users
n Improves system throughput and increases securit
n Systems have ports and connections that need to be
disabled if not in use
n 65,536 ports
Implementing Secure Protocols24
.
CIS 3500 7
Least Functionality
n Least functionality similar to the principle of least privilege
on systems
n A system should do what it is supposed to do and not more
n Any additional functionality is an added attack surface
Implementing Secure Protocols25
Secure Configurations
n OS developers and manufacturers cannot possibly anticipate
the many different configurations and variations that users will
require from their products
n They provide a “default” installation which contains the base
OS and some more commonly desirable options
n End users are responsible for securing their own systems
n Hardening is the process of securing an OS and it is intended
to make the system more resistant to attacks
n The process is not trivialImplementing Secure Protocols26
Secure Configurations
n The base installation shall come from a trusted source, and
is verified as correct by using hash values
n Machines are connected only to a trusted network during
the installation, hardening, and update processes
n The base installation includes all current patches and
updates for both the OS and applications
n Backup images are taken after hardening and updates to
facilitate system restoration to a known state
Implementing Secure Protocols27
Trusted Operating System
n A tru s te d o p e ra t in g sy s te m is o n e th a t is d e s ig n e d to a llo w m u lt ile v e l se cu r ity in its
o p e ra t io n
n T ru s te d O S s a re e x p e n s iv e to c re a te a n d m a in ta in b e ca u se a n y ch a n g e m u s t u n d e rg o
a re ce rt if ic a t io n p ro ce ss
n C o m m o n C r ite r ia fo r In fo rm a tio n T e ch n o lo g y S e cu r ity E v a lu a t io n (a b b re v ia te d a s
C o m m o n C r ite r ia , o r C C ) , a h a rm o n ize d se cu r ity c r ite r ia re co g n iz e d b y m a n y n a t io n s ,
in c lu d in g th e U n ite d S ta te s , C a n a d a , G re a t B r ita in , a n d m o s t o f th e E U co u n tr ie s
n V e rs io n s o f W in d o w s , L in u x , m a in fra m e O S s , a n d sp e c ia lty O S s h a v e b e e n q u a lif ie d
to v a r io u s C o m m o n C r ite r ia le v e ls .
n T ru s te d O S s a re m o s t co m m o n ly u se d b y g o v e rn m e n t a g e n c ie s a n d co n tra c to rs th a t
re q u ire th is le v e l o f p ro te c t io n
Implementing Secure Protocols28
.
CIS 3500 8
Application Whitelisting/Blacklisting
n Application blacklisting - which applications should not be allowed
to run on the machine
n Application whitelisting – it is a list of allowed applications
n Advantages and disadvantages:
n b la c k l i s t in g i s d i f f i c u l t t o u s e a g a in s t d y n a m ic t h r e a t s
n w h it e l i s t in g i s e a s ie r t o e m p lo y — h a s h v a lu e s c a n b e u s e d t o e n s u r e
t h e e x e c u t a b le s a r e n o t c o r r u p t e d
n t h e c h a l le n g e in w h i t e l i s t in g i s t h e n u m b e r o f p o t e n t ia l a p p l i c a t io n s
t h a t a r e r u n o n a m a c h in e - m u l t ip u r p o s e m a c h in e s , i t c a n b e m o r e
c o m p l ic a t e d
Implementing Secure Protocols29
Disable Default Accounts/Passwords
n Default accounts with default passwords
n Defaults represent a significant security vulnerabilities
n Disable default accounts/passwords
n This is a simple task that you must do for any new system
n If you cannot disable the default account then change the
password to a very long password that offers strong
resistance to brute force attacks
n Guest, Admin, root, default shares
Implementing Secure Protocols30
Peripherals
n Many of these devices have embedded computers in them
n This has led to hacking of peripherals
n From wireless keyboards and mice, to printers, to displays
and storage devices, they have all become sources of risk
Implementing Secure Protocols31
Wireless Keyboards
n Wireless keyboards operate via a short-range wireless signal
n They connect through USB Bluetooth connector creating a
small personal area network (PAN), or a 2.4-GHz dongle
n Wireless keyboards can be paired with wireless mice
n Signals to and from the peripherals are subject to interception
n Keystrokes can be recorded – keylogging; can be very difficult
to detect
Implementing Secure Protocols32
.
CIS 3500 9
Wireless Mice
n Wireless mice are similar to wireless keyboards
n Mousejacking attack – man-in-the-middle attack on the
wireless interface and control the mouse and or intercept
the traffic
n Some of the major manufacturers, like Logitech, took this
effort for their mainstream product line, but a lot of mice
that are older were never patched
n The vulnerability still exists
Implementing Secure Protocols33
Displays
n Computer displays are primarily connected to machines
n But for conferences and other group settings, there are a
wide array of devices today that can enable a display via a
wireless network
n The risk of using these is simple: who else within range of
the wireless signal can watch what you are beaming to the
display in the conference room
n Transmitting sensitive data to the screen
Implementing Secure Protocols34
Wi-Fi-Enabled MicroSD Cards
n Wi-Fi-enabled MicroSD cards eliminate the need to move the
card from device to move the data
n Primarily designed for digital cameras
n They work by having a tiny computer embedded in the card
running a stripped-down version of Linux
n One of the major vendors in this space uses a stripped-down
version of BusyBox and has no security at all
n In an enterprise network they introduce a wide variety of
unpatched vulnerabilitiesImplementing Secure Protocols35
Printers/MFDs
n Printers have CPUs and a lot of memory
n Modern printers now come standard with a bidirectional channel, so
that you can send a print job to the printer and it can send back
information as to job status, printer status, and other items
n Multifunction devices (MFDs) are like printers on steroids.
n They combine printing, scanning, and faxing all into a single device
n Multiple people connect and share a fairly expensive high-speed
device
n Hackers have demonstrated malware passed by a printer to another
computer that shares the printer - passed the proof-of-concept phaseImplementing Secure Protocols36
.
CIS 3500 10
External Storage Devices
n Network-attached storage (NAS) devices – external storage
devices
n Simple Linux-based appliances, with multiple hard drives in
a RAID arrangement
n With the rise of ransomware, these devices can spread
infections to any and all devices that connect to the
network – precautions should be taken
n If not necessary, always-on should be avoided
Implementing Secure Protocols37
Digital Cameras
n Digital cameras are sophisticated computing platforms
n Capture images, perform image analysis, connect over
networks, and send files across the globe directly
n The capabilities are vast, and the ability to move significant
data quantities is built in for up to live 4K video streaming
n Data streams are encrypted, as the typical use would
require an encrypted channel
Implementing Secure Protocols38
Sandboxing
n Sandboxing refers to the quarantine or isolation
n Standard practice for programs with an increased risk
limiting the interaction with the CPU and other processes
n Virtualization can be used as a form of sandboxing with
respect to an entire system
Implementing Secure Protocols39
Environment
n Most organizations have multiple, separate computing
environments
n Isolation between development, test, staging, and production
n Prevent security incidents arising from untested code
n The hardware is segregated and access control lists prevent
users from accessing more than one environment at a time
n Moving code between environments requires a special account
minimizing issues of cross-contamination
Implementing Secure Protocols40
.
CIS 3500 11
Development
n The development environment is sized, configured, and set
up for developers
n Hardware does not have to be scalable
n Development platform does need to use the same OS
n After code is successfully developed, it is moved to a test
system
Implementing Secure Protocols41
Test
n The test environment fairly closely mimics the production
environment — same versions of software, patch levels,
permissions, file structures
n The purpose is to test a system fully prior to deployment
n The test environment may not scale like production, but it
will look exactly like production
n System-specific settings need to be tested in an
environment identical to that in which they will be run
Implementing Secure Protocols42
Staging
n The staging environment is optional
n After passing testing, the system moves into staging, from where it
can be deployed to the different production systems
n It serves as a sandbox after testing, so the test system can test the
next set, while the current set is deployed across the enterprise
n One method of deployment is a staged deployment, where software is
deployed to part of the enterprise and then a pause occurs to watch
for unseen problems - if none occur, the deployment continues
n This prevents the total loss of production to a failed update
Implementing Secure Protocols43
Production
n The production environment is where the systems work
with real data, doing the business that the system is
intended to perform
n This is an environment where, by design, very few changes
occur, and those that do must first be approved and tested
via the system’s change management process
Implementing Secure Protocols44
.
CIS 3500 12
Secure Baseline
n Baselining is the process of establishing software’s base security state
n Asecure baseline allows the software to run safely and securely
n Software and hardware can be tied intimately when it comes to
security, so you must consider them together
n After administrators have finished patching, securing, and preparing a
system, they create an initial baseline establishing a known safe
configuration
n Once you have completed the process, you can configure any similar
systems with the same baseline
n Uniform software baselines are critical in large-scale operationsImplementing Secure Protocols45
Integrity Measurement
n I n t e g r i t y m e a s u r e m e n t i s t h e m e a s u r in g a n d id e n t i f i c a t io n o f c h a n g e s t o a
s y s t e m a w a y f r o m a n e x p e c t e d v a lu e
n E . g . c h a n g in g o f d a t a , m e a s u r e m e n t o f t h e s y s t e m b o o t p r o c e s s a n d
a t t e s t a t io n o f t r u s t
n T a k e a k n o w n v a lu e , p e r f o r m a s t o r a g e o f a h a s h o r o t h e r k e y e d v a lu e ,
a n d t h e n , a t t im e o f c o n c e r n , r e c a lc u la t e a n d c o m p a r e
n I n t h e c a s e o f a T P M - m e d ia t e d s y s t e m t h e c h ip w i l l c a lc u la t e h a s h e s a n d
s t o r e t h e m in a P la t f o r m C o n f ig u r a t io n s R e g is t e r ( P R C ) – a n d c a n b e r e a d
la t e r a n d c o m p a r e d t o a k n o w n , o r e x p e c t e d v a lu e
n C e r t a in B I O S s , U E F I s , a n d b o o t lo a d e r s c a n w o r k w i t h t h e T P M c h ip
e s t a b l i s h in g a t r u s t c h a in d u r in g s y s t e m b o o t Implementing Secure Protocols46
Stay Alert!
There is no 100 percent secure system, and
there is nothing that is foolproof!