Locking down server and workstation operating systems Ben Rothke, CISSP CISA BT Global Services Senior Security Consultant

Uploaded by: ben-rothke, posted on 11-Nov-2014

DESCRIPTION

Presentation: Locking down server and workstation operating systems Given by: Ben Rothke

TRANSCRIPT

Page 1: Locking down server and workstation operating systems

Ben Rothke, CISSP CISA

BT Global Services

Senior Security Consultant

Page 2: About me…

BT Americas Inc.

• Ben Rothke (too many certifications)

• Senior Security Consultant – British Telecom

• Frequent writer and speaker

• Author – Computer Security: 20 Things Every Employee Should Know

Page 3: Traditional thoughts about hardening & patching

• Remove unnecessary protocols and services

• Design the program around Patch Tuesday

– in the hope of avoiding Exploit Wednesday

• Is this approach working?

Page 4: Patching today

• Attackers continue to scan enterprises and look for easy openings

– deploy critical security patches, especially to laptops and Internet-exposed servers

• Some organizations are finding it more difficult to justify the broad QA testing and disruptive deployment efforts needed for rapid application and database patching

• Resources (people and budget) are limited, so spending and effort must be focused in a way that's most efficient and effective for current threats

• Patching faster isn't always the best approach

Page 5: Why harden and patch?

Page 6: Gartner on the issue

• Rapid patching isn't an effective response to many threats, and isn't operationally practical for some IT infrastructure elements

• Better shielding and monitoring are more effective in these cases

– Reducing the risk of new threats requires more than fast patching

– Mark Nicolett & John Pescatore

Page 7: Why rapid patching is not a panacea

• A variety of paths are being used by targeted attacks

– patching doesn't address all of them

• Targeted attacks don't only seek out unpatched OSes

– they also focus on weaknesses in users and applications to attack databases and other internal systems

• Rapid patching isn't possible or practical for some PC, network, server and application components

• Additional protection and monitoring strategies are needed to reduce risk

Page 8: A better approach

• Threat assessment and penetration testing processes

– to determine which vulnerabilities must be remediated immediately, which can be temporarily shielded and which can be addressed later

• Implement network segmentation and shielding

– for critical servers, databases and applications that can't be patched quickly

• Implement user and resource access monitoring technologies and processes

– for systems and applications containing data that might be subject to a targeted attack

Page 9: The best approach to app dev security

• Strong application security

• Every CIO agrees about the importance of app security

• Forrester notes:

– the need to protect applications and proactively eliminate application-level vulnerabilities is a growing concern for security professionals, but too few firms have taken action

• Disconnect between the perceived importance of application security & willingness to tackle the problem

Page 10: Tackling the app dev security problem

• Reactive

– source code and/or black-box scanning

– Cigital, Cenzic, Fortify, Veracode, WhiteHat, Ounce Labs

• Proactive

– integrate a proactive application security strategy into the dev life cycle

– end-to-end application security program

– can be modeled after the Trustworthy Computing initiative

– ensure all technologies are considered, especially Web 2.0

Page 11: Two approaches to app dev security

1. Wait until someone exploits vulnerabilities in your system and then run to patch and fix it

2. Proactively build security early on in the dev process

– mitigating vulnerabilities before attackers find them

• Proactive app sec program extends to every relevant phase of the application life cycle

– conception => operation

• Success = commitment and support from senior management

Page 12: When you can't patch…

• In-house web applications

– detect and resolve vulnerabilities before deploying the web application

– implement a web application firewall to shield vulnerabilities that can't be resolved

• 3rd-party applications and databases

– use host-based IPS on difficult-to-patch servers

– segment unpatchable systems behind network IPS

– implement database and application monitoring or IDS to find breaches

Page 13: When you can't patch…

• Windows laptops

– deploy an aggressive policy on endpoint protection platforms, including firewalls and HIPS

– require laptop data encryption for any laptop used by an employee who has access to sensitive data, regardless of patch management capabilities

– enable network access control (NAC) to protect corporate IT resources from compromised mobile devices

• Networking equipment

– shield network equipment behind network IPS and firewalls

– use change monitoring or IDS to detect breaches

Page 14: When you can't patch…

• Windows/Unix/Linux servers and PoS

– deploy HIPS on difficult-to-patch servers

– segment unpatchable systems behind network IPSs

– use database application monitoring or IDS to detect breaches

Page 15: Tools / standards / guides

• Microsoft security guides

– http://technet.microsoft.com/en-us/library/cc184906.aspx

• DISA Security Technical Implementation Guides

– http://iase.disa.mil/stigs/stig/index.html

• NIST Guide to General Server Security (SP 800-123)

– http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf

• CIS Benchmark Assessment Tools

– http://www.cisecurity.org/en-us/?route=downloads.audittools

Page 16: Recommendations

• Whenever possible, vulnerable software should be patched ASAP

• When business realities dictate that this isn't possible

– all devices at least should be configured as securely as possible to minimize attack apertures

• Follow general security principles of enabling only the required functions

– deny by default, allow by exception, etc.

• If not using the specific functions of a device,

– ensure that these options are disabled

• Ensure a formal app sec security program is in place
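Added example, not from the slides: a POSIX shell check that turns the "deny by default, allow by exception" and "remove unnecessary services" recommendations into a repeatable audit of a host's listening TCP ports. The allow-list and the sample `ss -Hltn` output are constructed assumptions; `audit_live` assumes iproute2's `ss` is installed.

```shell
#!/bin/sh
# Added example: audit listening TCP ports against an allow-list
# ("deny by default, allow by exception"). Not part of the original slides.

# Assumption: only these ports are expected to listen on this host.
ALLOWED_PORTS="22 443"

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Read ss-formatted lines on stdin; print "port local-address" for every
# LISTEN socket whose port is not in the allow-list given as $1.
unexpected_listeners() {
    allowed="$1"
    while read -r state recvq sendq laddr peer; do
        [ "$state" = "LISTEN" ] || continue
        port="${laddr##*:}"          # works for 0.0.0.0:22, *:443 and [::]:22
        case " $allowed " in
            *" $port "*) ;;          # expected service: allowed by exception
            *) printf '%s %s\n' "$port" "$laddr" ;;   # unexpected: flag it
        esac
    done
}

# Run against the live host; returns non-zero if anything unexpected is
# listening, so it can gate a build pipeline or feed a cron alert.
audit_live() {
    found=$(ss -Hltn | unexpected_listeners "$ALLOWED_PORTS")
    [ -z "$found" ] && return 0
    printf 'Unexpected listeners:\n%s\n' "$found"
    return 1
}

# Demonstration on the constructed sample (flags ports 25 and 111):
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED_PORTS"
```

Each flagged port is either an unnecessary service to remove or a missing exception to document in the allow-list, which is exactly the review the slide asks for.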

Page 17: Contact info…

• Ben Rothke, CISSP CISA

• Senior Security Consultant

• BT Professional Services

• www.linkedin.com/in/benrothke

• www.twitter.com/benrothke

• www.slideshare.net/benrothke