Welcome back to Cyber Aires. Kam ta Advanced Security Practitioner Class, also known as Cast. I'm Kelly Hander Hand. I'm your subject matter expert and the topic we're gonna pick up with now is host and applications security Exactly what it sounds like, how we're going to secure individual systems.
And then we're gonna look at applications and the threats that they proposed to our environment and how we can lock down some of those threats.
All right, so let's go ahead and get started by talking about host security. And we want to talk about the the idea of host hardening and their lots of words you'll hear associated with hardening. You might hear reducing the attack surface or reducing the attack footprint hardening. Securing
what we mean is we're locking down this system as much as possible.
Now, um, one of the things you'll find is usually with products. There are two schools of thought to get a product ready for market. We're either going to design a product that's focus is on ease of use, which means we're gonna have everything you might ever want installed up and ready to go.
Ah, In that way, anything that you need
works right out of the box. That idea of plug and play is based on this idea, and obviously that's what Microsoft has traditionally been known for. Let's make things easy for user's, and they've done that very well for a long time. Microsoft's main goal has been to bring computing to the masses,
and they've done it for years and years and years. That's why you see Microsoft on all the desk cops at work.
Ah, and that's why they've been very popular for a long time. The problem with that is, if our focus is ease of use, that we neglect security because security says essentially remove everything,
make the user the administrator. Add on Lee, those service is that they need to do their job, that principle of least privilege.
So there really two different schools of thoughts and thought, and what you're gonna find is ah, lot of commercial off the shelf software is designed to appeal to ease of use seekers, so to speak, and essentially, you know, if you think about access points,
wireless access points for years have come out of the box with no security,
no weapon, no W P a nope w p a To they broadcast their S s I d. And even if you disabled broadcast the s s i d for lynxes system is Lexus or for netgear system that gear.
So what we want to do is we want to take these systems and we lock him down. We want to make him a secure as possible. So off the bat when we have Ah, regardless of what the system is. One of the first things that we look at that we talk about is we talk about the operating system and we want a trusted operating system. Now again,
the idea of cost benefit analysis,
you know, many comes will put a window system on a machine because we're not in a highly secure environment. But we're If we're in a government agency, we might have to have a much higher level of security for our operating system.
And when we talk about this idea of a trusted operating system, um, really one of the things or a definition I'd like to give you I'd like to give you the idea of what's called the T C B
trusted computer base. If you're familiar with the Orange Book, which was very widely used in the nineties in the eighties. Prior to that, the Orange Book was a book that was established to help us in government agencies determine what systems would be qualified
would provide the degree of security necessary in a secured environment.
And what the Orange Book defined was certain elements that were part of what was called the trusted computer base. And the's elements had to be the most trusted within a system, and they would consist of hardware and firmware and software.
But the whole premise is the trusted computing base or computer base had to be trusted and had to be designed to enforce the security policy of a system and would not be able to violate.
Ultimately, what it comes down to is if these elements of your system are not trusted, nothing else matters.
And one of the elements of the T. C. B is the operating system kernel, and your operating system has to have the degree of trust necessary, because if your OS isn't trusted, nothing else matters. Okay, so trusted operating system
trusted system bios. I think I mentioned hardware, software and firmware
it doesn't matter how secure your operating system doesn't matter how Secure your hardware. If I can compromise your systems bios and have you looked a loden operating system from a different location again, none of your other security mechanisms will matter.
So other elements. For instance, hardware, your processor, your memory, those have to be beyond reproach. So when we talk about hardening a system, we want to make sure that we can trust again based on cost benefit analysis. At the very least, our processor, our memory, our system buyers,
our operating system. Colonel.
All right, we want to make sure that we're implementing this system into an environment that safe sometimes the system. And as a matter of fact, if you ever have worked with certification indoor accreditation within government agencies, what certification is all about is it's
verifying that a system meets its technical requirements
in a particular environment. And that's necessary because the environment, which is system operates, can affect the security of the device and of the mechanism. So ultimately, we want to make sure that we're implementing it in the secure operating environment.
Ah, that's appropriate to the security controls on the system,
physical security, physical security, physical security.
Uh, you know, you can't say enough about the essential nature of physical security. And don't forget also that environmental security goes along with that. And by that I mean, when we talk about security, confidentiality, integrity, availability,
environmental controls like keeping an eye on humidity.
Keeping an eye on temperature in your server room, for instance, that effects the availability of your devices. Make sure your devices are physically secure. Lock your server rooms. Use cable locks for your laptop devices. Um, inventory your stock and review that inventory
policy management. Ah, we use risk assessment, risk analysis and risk mitigation to write our policy. Make sure we review that policy policy becomes outdated just like anything else. So at least once per year, we go back and we evaluate our policy
and we make sure that it's providing the level of security that's appropriate for where we are. Today
may have been very appropriate three years ago, but it has to be appropriate for today, and as a n'est guideline, National Institute of Standards and Technologies. It's recommended that you review your policy at least once per year, or Maur according to risk
For instance, if we have, ah, changed your network infrastructure,
we go through an acquisition. Those would drive us to go through and look at policy again. Of course,
industry and manufacturers. Best practices, you know, we talked about earlier due diligence. Can I lock a system down in such a way? I can guarantee there will be no possibility of compromise. Of course I can't. And as soon as you think you can go ahead and put that out there
and see how long it is before that system gets compromised.
Well, due diligence says, I educate myself, and one of the places to start is to look at what others in the industry are doing. Follow those best practices. Make sure I'm knowledgeable as to any sort of legal regulations that I have to adhere to.
You know, make sure that I've done my research, my due diligence and then I know what those industry best practices are that I know what the regulations are, and then the next step would be to use due care and enforce those things that I've learned in due diligence. Also, I'll mention manufacturer best practices,
usually when you buy a component their list of recommended configuration settings or recommended considerations. At the very least,
read those. Consider those and implement them
protecting against known vote vulnerabilities. Well, of course. And by that patch your systems. Keep your systems up to date with hot fixes and patches, because I'll tell you when you hear about these viruses or these worms or this malicious activity, or that so often
half the systems that were affected by these viruses or worms,
uh, that the infection or the compromise happened sometimes weeks, sometimes even months after a patch to shore up the vulnerability has been released. You know, I remember the Nimda
virus, which is admin, spelled backwards. It was very popular, was really a warm, and one of the obnoxious things that it did is it would reboot your system every 60 seconds or something like that.
Very disruptive. Trying to get some work done, I will certainly tell you. But what was interesting is, by the time that company was infected, there was a patch out a month earlier that would have prevented that compromise. But Patch Management's challenging, you know, if you're familiar with Patch Tuesday with a lot of patches to keep up.
So it's up to our organization to put in a patch management strategy
a means of prioritizing security related patches against just functional patches and making sure that these elements that air pushed out to protect our systems, making sure that they get pushed out.
You know, when we talked about certificates the other day and we talked about the fact that we have trusted certification authorities that signed certificates and we don't be downloading certificates or evaluating certificates from untrusted authorities? Well, just to show you really quickly.
One of the things that happens with Microsoft Systems when you conduct your updates
is in your browser. You have a list of not just trusted certification authorities
but also who's untrusting and as thes fraudulent. See a CZ get detected. Microsoft will couldn't include that in their security updates. So sometimes you know whether or not you should trust the C A gets updated, and it's very valuable
to know who to trust and who not to trust in. This is just one of many, many things that air, of course, added
with your security updates,
all right, other things removing access to command shells and other high risk, unnecessary features. If you're not using it, get rid of it. And again, that's a foundational principle of security. As a matter of fact, all these air good. But for me
and also I think cast is in alignment with that. The exam,
The first step in hardening a host is get rid of unnecessary service is if that service isn't used and isn't needed. Get rid of it. Now please hear me. I'm not saying just go through and start deleting stuff on your system. Turning off service is
there's a process of change control for any decision like that.
But for instance, Windows Vista.
So when there's Vista Windows seven Windows eight, Microsoft has included built in support for I P version six, but not only support for I p Version six, but those operating systems air running a dual stack, meaning they're both actively running I p v six and I p V four
now, yes, hi. P Version six is more secure than I pee before, but if you're not using I p v six, get rid of it, turn it off and again following a change control process, because one of the things you'll find if you've been around for a while is something that doesn't seem to be in use,
might be in use. There may be other necessary service is dependent upon I. P v six. But the point I'm trying to stress is, if you're not using it, get rid of it and going back to the idea of many systems installing everything and letting users disable what they don't need.
Microsoft again, traditionally has done that. The point I want to make is with Windows 2000. Windows 2000 was their first big push to be a real network operating system in T 351 94 0 they were kind of sticking their toes in the water. But Windows 2000 was where they brought in directory service is,
and they were really trying to get Novell out of the marketplace.
Well, the way Microsoft did that is look how easy we are to use. So how did they make themselves easy to use? Well, anything you could ever want was right there installed for you. I I s and I. Yes, it's Microsoft's Web server. Internet Information Service. Is
I. I s came automatically installed with every installation of Windows 2000. That was the default installation.
If you think about a Web server, the purpose of a Web server
to share information well, so I'm gonna install Windows 2000 server on a system. I want to be my domain controller and you're telling me it automatically comes with II s installed. A Web server? Yep, that's exactly what it is. Get rid of. Service is you don't need, And Microsoft got a lot of grief for that. That was not a good decision
from a security standpoint, but they've made their decisions along the way.
If there's something that's not necessary, whether it's a command set, shell and application, a network service because we know network service is listen at ports, we get rid of them
for user's. I can think of very few users in my environments that need access to a command problem.
I can think of very few users in my environment that need access to the control panel or any of those service is specifically so. It's one thing to not give them rights and permissions honestly, for me, I just assume remove it by using group policy, getting rid of those things that they don't need.
Users don't like to be told. No,
you know what's that? You can't use it. Don't touch it. I'd rather they not even see it in the first place. So using group policy to lock down the interface and what it shows two users is a smart thing to do.
warning banners serve a couple of of purposes. When I worked at the Foreign Service Institute, I don't care what piece of electronic equipment you touched. There was some sort of warning attached to it. You'd go wall gun to a system. Unauthorized access of this computer is strictly prohibited,
and by logging onto the system, you acknowledge that you have no expectation of privacy.
We reserve the right to monitor email, blah, blah, blah, blah, blah. Same thing on phones. They had little cutouts that were taped to the phone's on both the headset and the base of the phone. That said, we reserve the right to monitor phone calls. We reserve the right to monitor keystrokes.
You know, it's a sticky issue when you talk about. Do employees expect privacy in the workplace?
I'll tell you? Yeah, employees expect privacy in the workplace. As an employer, I don't have to provide them with privacy. But if I'm gonna infringe upon the privacy, their privacy, I must tell them. Okay? And that's essential. And remember, we're not gonna make arguments about well, legally. What do I have to do?
We're about best practices.
I'm gonna tell them I'm gonna have it in their employee handbook. I'm gonna have him sign a waiver, and I'm gonna create that policy. It's gonna be well documented. And I'm gonna implement the policy. If I tell my people I'm gonna monitor emails that I'm gonna monitor emails and it's gonna be done regularly
in randomly without bias.
You don't ever want to dust off a policy and apply toe. One person. Let's say I've got a policy that says I reserve the right to monitor email
and that policy is 15 years old and all of a sudden I suspect Bob off using email for illicit purposes. So I decide to monitor Bob's email. Bob's gonna have a very legitimate case against me for enforcing policy for just Bob.
The they're picking on me. Defense works very well, and it doesn't just work as a defense. It works as an offense. So when I talk about it the Foreign Service Institute everywhere you learned you looked no expectation of privacy. Well, part of that was to cover them themselves. I'm a big believer in C. Y. A. Cover your assets.
And part of it was for them to cover themselves in the event that they had to terminated employees or to monitor email and perhaps sue an employee, perhaps hold them liable in court.
They had to do that from a legal perspective. But honestly, even more than that, how about deterrents?
Don't do it. We're watching. You're gonna get called. Don't just just stop. Just don't stop. Don't do it. And that's what those little signs and banners do, and they get in the mind of people. And there are activities that people will stop doing just cause you tell him to stop,
especially if telling him to stop says we're gonna catch you were gonna prosecute. You were watching,
you know, think about stores that you go into. You walk into a dressing room and shoplifters will be prosecuted to the full extent of the law. That's a big deterrence. That's what warning banners do. Forces say, Look, we're watching. We're gonna catch you were gonna prosecute you. That's a very important part of network security
As a matter of fact, a friend of mine that teaches security classes as well. He says that I live 100% agree with this, but he said, 90% of security is social engineering. Me getting in your head and saying You're going to get caught, don't do it.
I don't know that it's quite 90% but I absolutely respect what he's saying is we want to appear as a hardened host. Ah, hardened network. Honestly, when someone comes knocking, I want them to say that's too much effort. Let me move on to the next. Remember, they're a huge percentage of crimes
that her crimes of opportunities not targeted attacks.
I want when someone's looking at my network. For them to go now, it's not worth the hassle