defending servers - cyber security webinar part 3

DEFENDING SERVERS - CYBER SECURITY WEBINAR PART 3
JARNO NIEMELÄ, F-SECURE
21st of September 2015

Uploaded by f-secure-corporation, posted 15 April 2017. Category: Technology

TRANSCRIPT


CYBER SECURITY WEBINAR SERIES - PART 3

© F-Secure

• INTRODUCTION TO CYBERSECURITY
• DEFENDING WORKSTATIONS
• DEFENDING SERVERS - NOW
• DEFENDING NETWORK, 15TH OCTOBER 2015
• RESPONDING TO AN INCIDENT, 9TH NOVEMBER 2015
• BUILDING SECURE SYSTEMS, 3RD DECEMBER 2015

RECORDINGS: HTTPS://BUSINESS.F-SECURE.COM

DEFENDING SERVERS

JARNO NIEMELÄ
SENIOR RESEARCHER, F-SECURE

SERVERS AND WORKSTATIONS HAVE THE SAME THREATS

Software vulnerabilities and exploits
• Anything that is accessible can be attacked
• The difference is that against a server the attacker has interactive access: he talks to the exposed service directly instead of waiting for a user to open something

Software misconfigurations
• If access control can be bypassed, no exploit is needed
• Badly configured software leaks information, and crypto can be degraded (e.g. weak cipher suites or protocol versions left enabled)

Credential cracks and leaks
• Bad passwords are the most common cause of a breach
• Even a strong password does not protect you if it is leaked


https://www.exploit-db.com/exploits/18121/
http://www.w3schools.com/sql/sql_injection.asp

TYPICAL ATTACKS AGAINST SERVERS

Code execution attacks
• Attacker is able to feed bad data to a service and take it over

SQL and other query injection
• Attacker is able to give commands to the DB server through your own application's queries
• For example read all data on the server, or modify it

Cross site scripting
• Attacker feeds the victim a link (or stored content) that makes your web service run attacker-controlled script in the victim's browser, changing how the service behaves for that user

More info https://www.owasp.org/index.php/Top_10_2013-Top_10
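The SQL injection case above, as an added example that is not part of the original webinar: the same login lookup written once with string formatting and once as a parameterised query, run against a constructed in-memory SQLite table. The user names, passwords and the two payloads are invented for the demo; the passwords are stored in clear only to keep the injection visible, not as a recommendation.

```python
import sqlite3

# Constructed sample data standing in for a real application database.
# Passwords are stored in clear only to keep the injection demo short;
# a real system stores a slow, salted hash instead.
SAMPLE_USERS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
    ("carol", "letmein", "carol@example.com"),
]


def make_db():
    """In-memory SQLite database populated with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the SQL by string formatting: whatever the client sends becomes
    part of the query text, so a quote in the input rewrites the query."""
    sql = ("SELECT name, email FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so the input is only ever compared as data, never parsed."""
    sql = "SELECT name, email FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run the same two payloads against both versions and return the results."""
    conn = make_db()
    # Tautology: turns the WHERE clause into (... AND password='') OR '1'='1'
    bypass = "' OR '1'='1"
    # UNION: appends a second SELECT that pulls every stored password;
    # the trailing -- comments out the rest of the original query.
    dump = "' UNION SELECT name, password FROM users --"
    return {
        "bypass_vulnerable": len(login_vulnerable(conn, "nobody", bypass)),
        "bypass_safe": len(login_safe(conn, "nobody", bypass)),
        "dump_vulnerable": sorted(login_vulnerable(conn, dump, "x")),
        "dump_safe": login_safe(conn, dump, "x"),
        "legit": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-18s %r" % (key, value))
```

The tautology payload logs the attacker in as whichever row comes first, and the UNION payload is the "read all data on the server" case from the slide: three rows of names and passwords come back through a query that was only meant to confirm one login. The parameterised version returns nothing for both, because the quote characters are just bytes inside a bound value.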


https://www.exploit-db.com/exploits/38105/

GET THE BASICS RIGHT

Choose the right OS and install the latest feasible version
• E.g. Windows Server 2012 has a lot of security improvements over 2008

Close all services that you don't need
• And have minimal configurations for what you do need

Follow OS and service security baselines and best practices
• Microsoft security baselines, NSA guides, NIST guides, CIS benchmarks, SANS CSC, etc.

Isolate services with sandboxes, or at least with separate accounts and access controls

Use memory hardening tools (e.g. EMET on Windows)


MAKE USE OF VIRTUALIZATION

Run services directly on hardware only if you really have to
• Each function should have its own well-isolated virtual instance

Don't get too attached to servers you have virtualized
• Aim for stateless systems that you can create and destroy at will
• If a system alarms on a likely compromise, freeze the instance for forensics and launch a new one
• Cycle VMs once every couple of hours; make the attacker work for his foothold

However, don't go naked into the clouds
• Hosting servers or services in an environment you don't own adds its own risks
• Bring Your Own Encryption (BYOE): keep the keys to your data in your own hands, not the provider's


MAKE SURE YOU HAVE VISIBILITY

Logs are critical for investigation
• Log to a remote system, so a compromised server cannot erase its own trail, and store logs long enough: at least 12 months
• ELK stack (Elasticsearch, Logstash and Kibana) for the win

Collect and maintain integrity logs
• Use an integrity checker to spot any new executables
• If you use VMs, make sure you regularly compare against the base image

Have alerts for critical situations
• Have log monitoring systems that send email or SMS alerts on critical problems
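The integrity check described above, as an added Python example that is not from the webinar or any F-Secure product: a baseline manifest of file hashes is taken from a clean tree (the base image), a later snapshot is diffed against it, and new executables are reported separately from other changes. The directory layout, file contents and the "dropped payload" are constructed inside a temporary directory for the demo; the executable-suffix list is an assumption for Windows hosts, and on Unix the mode bit is used instead.

```python
import hashlib
import os
import stat
import tempfile

# Assumed list of suffixes treated as executable on Windows hosts;
# on Unix the owner-execute mode bit is checked as well.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd", ".so")


def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_executable(path):
    if path.lower().endswith(EXECUTABLE_SUFFIXES):
        return True
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def snapshot(root):
    """Manifest of every regular file under root: relative path -> sha256.
    Taken from a clean install or the VM base image, this is the baseline."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare(baseline, current, root):
    """Diff two manifests. New executables are reported on their own because
    they are the strongest indicator of a dropped payload or web shell."""
    new_files = sorted(p for p in current if p not in baseline)
    return {
        "new_executables": [p for p in new_files
                            if is_executable(os.path.join(root, p))],
        "new_files": new_files,
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a constructed 'golden image', then simulate post-compromise changes."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    write("bin/service.exe", b"MZ original service binary")
    write("conf/app.conf", b"debug = false\n")
    write("web/index.html", b"<html>hello</html>\n")
    baseline = snapshot(root)

    write("web/uploads/shell.exe", b"MZ dropped payload")   # new executable
    write("conf/app.conf", b"debug = true\n")                # tampered config
    write("web/notes.txt", b"harmless new file\n")           # new, not executable
    os.remove(os.path.join(root, "web/index.html"))          # removed file
    return compare(baseline, snapshot(root), root)


if __name__ == "__main__":
    for key, paths in demo().items():
        print("%-16s %s" % (key, ", ".join(paths) or "-"))
```

In production the baseline manifest is written once from the base image and stored off the server (the same remote system that receives the logs), so an attacker who has already altered the box cannot also alter the reference he is being compared against.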


MAKE SURE YOUR SERVICES ARE SECURE

The most common cause for a server breach is third-party services
• Thus make sure you follow the security announcements and update, especially WordPress (and its plugins and themes)
• Also update any components (libraries, frameworks) used by your own code

Make sure that secure coding is practiced in your own code
https://www.owasp.org
http://www.cert.org/secure-coding/publications/index.cfm
http://resources.infosecinstitute.com/secure-code-review-practical-approach/


MAKE IT DIFFICULT FOR THE ATTACKER

Most attacks rely on exploits, EMET breaks most of the exploits http://microsoft.com/emet

Even as some attacks run in memory, many drop executables So use application control to prevent unknown EXEs

Many attackers circumvent detections by using PowerShell allow only signed PowerShell scripts, or disable it http://blogs.technet.com/b/heyscriptingguy/archive/2010/06/17/hey-scripting-guy-how-can-i-

sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2.aspx


AUDIT, MAKE SURE THINGS STAY SECURE

Do regular audits, or at least use vulnerability and configuration scanners
• F-Secure Karhu, Nessus, OpenVAS
• Spot the vulnerabilities before the attacker does
• Focus on mitigations that fix a whole class of vulnerability, not just the single finding

If you lack time, use consulting
• An audit by a consultant is cheaper than Incident Response services


PROTECT YOUR SECRETS

The Ashley Madison hack, et al. were possible because of bad hygiene

Store only the user info you need, drop the rest
• Do not store any info on internet-facing servers
• Have separate DB servers, preferably reached through an HTTP or other narrow API rather than direct SQL, CQL, etc. from the web tier
• Where possible encrypt the user info with a key derived from the user's password
• Do not just hash passwords with a fast hash; use PBKDF2, scrypt or another password-based key derivation function with a proper work factor

Monitor access to data
• If the web or other server starts to read tons of data, that is a cause for alarm
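The data-access alarm above (and the "log monitoring that sends email or SMS alerts" point from the visibility slide), as an added Python example that is not from the webinar: a small monitor that parses a DB audit log, sums the rows read per client per one-minute window, and raises an alert when a client exceeds a threshold. The log format, the host names web01/web02 and the threshold of 1000 rows are assumptions; the log lines are constructed for the demo and include one corrupt line to show that the monitor skips rather than crashes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DB audit log (assumed format): one line per statement, as a
# database proxy or the DB server's own audit plugin might emit it.
SAMPLE_LOG = """\
2015-09-21T10:00:01 client=web01 user=app rows=12 stmt=SELECT
2015-09-21T10:00:05 client=web01 user=app rows=3 stmt=SELECT
2015-09-21T10:00:09 client=web02 user=app rows=7 stmt=SELECT
2015-09-21T10:00:30 client=web01 user=app rows=1 stmt=UPDATE
2015-09-21T10:01:02 client=web02 user=app rows=15 stmt=SELECT
2015-09-21T10:01:40 client=web01 user=app rows=9 stmt=SELECT
2015-09-21T10:02:03 client=web01 user=app rows=25000 stmt=SELECT
2015-09-21T10:02:04 client=web01 user=app rows=25000 stmt=SELECT
2015-09-21T10:02:06 client=web01 user=app rows=25000 stmt=SELECT
2015-09-21T10:02:07 client=web02 user=app rows=11 stmt=SELECT
2015-09-21T10:02:08 client=web01 user=app rows=25000 stmt=SELECT
this line is corrupt and must be skipped, not crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) client=(?P<client>\S+) "
    r"user=(?P<user>\S+) rows=(?P<rows>\d+)")
EPOCH = datetime(1970, 1, 1)


def parse(text):
    """Yield (timestamp, client, rows) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group("client"), int(m.group("rows"))


def rows_per_window(events, window=60):
    """Sum rows read per (client, fixed window start)."""
    totals = defaultdict(int)
    for ts, client, rows in events:
        seconds = int((ts - EPOCH).total_seconds())
        bucket = EPOCH + timedelta(seconds=seconds - seconds % window)
        totals[(client, bucket)] += rows
    return totals


def find_alerts(text, threshold=1000, window=60):
    """Clients whose rows read in one window exceed the threshold. Set the
    threshold from observed normal traffic per client: a web front end that
    serves single users never legitimately reads a whole table."""
    alerts = []
    for (client, bucket), rows in sorted(rows_per_window(parse(text), window).items()):
        if rows > threshold:
            alerts.append((client, bucket.strftime("%Y-%m-%dT%H:%M:%S"), rows))
    return alerts


def format_alert(alert):
    """The message the email/SMS hook would send."""
    client, start, rows = alert
    return "CRITICAL: %s read %d rows in the minute starting %s" % (client, rows, start)


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(format_alert(a))
```

web01 reads a handful of rows per minute until 10:02, when four statements pull 100,000 rows between them; that is the pattern of a web tier being used to dump the database, and it is the only window that trips the alert.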


UPCONVERT WHEN CHANGING ALGORITHM

Originally AM (Ashley Madison) was using MD5 hashes

Later they updated to bcrypt with a proper work factor

Unfortunately they failed to convert the old accounts

Thus passwords for 11 million accounts could be cracked
http://cynosureprime.blogspot.in/2015/09/csp-our-take-on-cracked-am-passwords.html


http://thehackernews.com/2015/09/ashley-madison-password-cracked.html
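The two slides above (use a key derivation function with a work factor; upconvert old accounts when you change algorithm) in one added Python example that is not from the webinar and is not a description of what Ashley Madison actually did. It uses PBKDF2-HMAC-SHA256 from the standard library in place of bcrypt, and shows the two halves of a migration: wrapping every legacy MD5 record in PBKDF2 immediately, without needing the plaintext, and then re-hashing the plaintext directly on each user's next successful login. The record format (scheme$iterations$salt$hash), the iteration count and the user table are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed PBKDF2 work factor; raise it as hardware gets faster


def hash_md5(password):
    """Legacy scheme: unsalted MD5, the kind of record the migration starts from."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def _pbkdf2(scheme, secret, salt=None, iterations=ITERATIONS):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    return "%s$%d$%s$%s" % (scheme, iterations, salt.hex(), dk.hex())


def hash_pbkdf2(password):
    """Current scheme: salted PBKDF2-HMAC-SHA256 over the plaintext."""
    return _pbkdf2("pbkdf2", password.encode())


def wrap_legacy(record):
    """Migrate an MD5 record WITHOUT the plaintext by running PBKDF2 over the
    old hash. An attacker who steals the table now pays the full work factor
    per guess, even for accounts that never log in again."""
    scheme, md5_hex = record.split("$")
    assert scheme == "md5"
    return _pbkdf2("pbkdf2_md5", md5_hex.encode())


def verify(record, password):
    scheme, rest = record.split("$", 1)
    if scheme == "md5":
        return hmac.compare_digest(record, hash_md5(password))
    iterations, salt_hex, dk_hex = rest.split("$")
    if scheme == "pbkdf2":
        secret = password.encode()
    elif scheme == "pbkdf2_md5":   # wrapped legacy: recompute the inner MD5 first
        secret = hashlib.md5(password.encode()).hexdigest().encode()
    else:
        raise ValueError("unknown scheme %r" % scheme)
    dk = hashlib.pbkdf2_hmac("sha256", secret, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_upgrade(record):
    parts = record.split("$")
    return parts[0] != "pbkdf2" or int(parts[1]) < ITERATIONS


def login(user_db, username, password):
    """Verify, and if the stored record is not on the current scheme, re-hash
    now, while the plaintext is briefly in hand."""
    record = user_db.get(username)
    if record is None or not verify(record, password):
        return False
    if needs_upgrade(record):
        user_db[username] = hash_pbkdf2(password)
    return True


def demo():
    # Constructed user table, still on the legacy scheme.
    user_db = {"alice": hash_md5("correct horse"), "bob": hash_md5("hunter2")}
    # Step 1: batch-wrap every legacy record today; no plaintext needed.
    for name, record in list(user_db.items()):
        if record.startswith("md5$"):
            user_db[name] = wrap_legacy(record)
    # Step 2: each successful login finishes the migration for that account.
    return {
        "alice_ok": login(user_db, "alice", "correct horse"),
        "bob_wrong": login(user_db, "bob", "hunter2x"),
        "alice_scheme": user_db["alice"].split("$")[0],
        "bob_scheme": user_db["bob"].split("$")[0],
        "no_md5_left": not any(r.startswith("md5$") for r in user_db.values()),
    }


if __name__ == "__main__":
    print(demo())
```

The point of step 1 is the one the slide makes: a new algorithm protects nobody until the old records are gone, and waiting for users to log in leaves every dormant account crackable at MD5 speed. After the batch wrap there are no bare MD5 hashes left in the table; the login path then moves each active account to the direct scheme, and `needs_upgrade` also catches records whose iteration count has fallen behind the current setting.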

CONCLUSION

Servers are hard to defend as attackers are interactive

Thus your best defense is to limit the attackers' options
• Minimize attack surface
• Minimize tooling available on the server
• Make the data difficult to access
• Make the data useless when taken out of its context


Q&A

THANK YOU FOR YOUR PARTICIPATION!


STAY TUNED FOR THE FUTURE CYBER SECURITY WEBINAR SERIES:

15 October 2015 at 11.00 EET: "Defending network"
9 November 2015 at 11.00 EET: "Responding to an incident"
3 December 2015 at 11.00 EET: "Building secure systems"

The recording will be available at the BUSINESS SECURITY INSIDER: https://business.f-secure.com