Source: rowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter12.pdf (posted 22-May-2020)

CIS 3500

Secure Systems Design and Deployment
Chapter #12: Architecture and Design

Chapter Objectives

- Learn to implement secure systems design for a given scenario
- Understand the importance of secure staging development concepts

Implementing Secure Protocols

System Design

- System design has a great effect on security
- Errors in system design are very difficult to correct later, and almost impossible once a system is in production
- Attention to security in the design phase of a project goes a long way toward establishing a system that can be secured using security controls

Hardware

- Hardware (servers, workstations, and mobile devices) can represent a weakness or vulnerability in security
- You can easily replace hardware if it is lost or stolen, but you can't retrieve the information from the lost or stolen hardware
- Backups safeguard against complete loss of data, but they do little to protect it from disclosure
- You can implement encryption, but these measures also have drawbacks in scalability and key distribution

Firmware Security

- Firmware is a source of program code for the system
- Most systems will trust the firmware of a trusted system
- Monitoring and managing firmware security is a time-intensive task because few tools exist for it
- This makes physical security of the system and its peripheral hardware important

FDE/SED

- Full disk encryption (FDE) and self-encrypting disks (SEDs) implement cryptographic protection on hard disk drives
- Portable machines, such as laptops, have a physical security weakness in that they are relatively easy to steal
- Use of modern cryptography, coupled with hardware protection, makes this vector of attack much more difficult
- Encrypting the entire hard disk drive can provide good protection

TPM

- The Trusted Platform Module (TPM) is a hardware solution that assists with key generation
- When the encryption keys are stored in the TPM, they are not accessible via normal software channels and are separated from the hard drive or other data locations
- This makes the TPM a more secure solution than storing the keys on the machine's normal storage

HSM

- A hardware security module (HSM) is a device used to manage or store encryption keys
- It can also assist with encryption, hashing, or the application of digital signatures
- HSMs are peripheral devices, connected via USB or a network connection
- HSMs have tamper protection mechanisms to prevent physical access to the secrets they protect

BIOS

- Basic Input/Output System (BIOS) is the firmware that a computer uses between the actual hardware and the OS
- BIOS is typically stored on nonvolatile flash memory
- Its purpose is to initialize and test the interfaces to any actual hardware in a system
- Once the system is running, the BIOS functions to translate low-level access to the CPU, memory, and hardware
- This lets a single OS install work with multiple hardware manufacturers and differing configurations

UEFI

- Unified Extensible Firmware Interface (UEFI) is the current replacement for BIOS
- UEFI has more security designed into it, including provisions for secure booting
- From a system design aspect, UEFI offers advantages in newer hardware support, and from a security point of view, secure boot has some specific advantages
- All new systems are UEFI based

Secure Boot and Attestation

- An OS has myriad drivers and other add-ons that hook into it and provide specific added functionality
- These additional programs need to be vetted before installation; this pathway can provide a means for attacks
- Attacks can occur at boot time, at a level below antivirus software, so they can be very difficult to detect and defeat
- Secure Boot is a mode that only allows signed drivers and OS loaders to be invoked; it needs to be enabled
- Secure Boot enables the attestation that the drivers and OS loaders have not changed since they were approved

Supply Chain

- Hardware and firmware security is ultimately dependent upon the manufacturer: a safe and identified supply chain
- This can be very tricky, because even when purchasing equipment from a highly trusted vendor, you don't know where they got the components
- You may have very strict rules concerning country of origin

Hardware Root of Trust

- A hardware root of trust is the concept that if one has a trusted source of specific security functions, this layer can be used to promote security to higher layers of a system
- Roots of trust are inherently trusted, so they must be secure by design
- Many roots of trust are implemented in hardware that is isolated from the OS and the rest of the system
- Examples: TPM chips in computers and Apple's Secure Enclave coprocessor in its iPhones and iPads
- Apple also uses a signed Boot ROM mechanism for all software loading

EMI/EMP

- Electromagnetic interference (EMI) is an electrical disturbance that affects an electrical circuit
- An electromagnetic pulse (EMP) is a burst in an electronic device as a result of a current pulse from electromagnetic radiation
- It can produce damaging current and voltage surges in today's sensitive electronics
- Sources can be equipment on the same circuit, solar flares, and nuclear bursts high in the atmosphere

Operating Systems

- Operating systems are complex programs
- They provide the mechanism to connect to other programs and hardware resources
- Determining the correct settings and implementing them correctly is an important step in securing a host system

Types

- Many different systems have an operating system
- Network devices, servers and workstations, kiosks, and appliances

Network Devices

- Network devices run a network operating system that provides the configuration and computation portion of networking
- Cisco has the largest footprint with its IOS
- Other vendors such as Juniper have Junos, which is built off of a stripped Linux core
- Software-defined networking (SDN) will become more important and mainstream because it will become a major part of day-to-day operations

Server OS

- Server operating systems bridge the gap between the server hardware and the applications
- Microsoft Windows Server, many flavors of Linux, and an ever-increasing number of virtual machine/hypervisor environments
- Windows Server, with its Active Directory technology and built-in Hyper-V capability, has assumed a commanding lead in market share

Workstations

- The workstation OS exists to provide a functional working space, typically a graphical interface
- Windows, Mac OS X, and Linux versions

Appliance

- Appliances are stand-alone devices, wired into the network and designed to perform a specific function on
- For reasons of economics, portability, and functionality, the vast majority of appliance OSs are built using a Linux-based OS
- These are customized distributions, so patching becomes a vendor problem
- Examples include enterprise-class intrusion detection, loss prevention, and backup appliances

Kiosk

- Kiosks are stand-alone machines, typically operating a browser instance on top of a Windows OS
- The browser is locked to a website that allows all of the functionality desired
- Interactive information sites, menus, and so on
- The OS on a kiosk needs to be locked down to minimal functionality so that users can't make any configuration changes

Mobile OS

- Mobile OSs: Apple's iOS and Google's Android OS
- Optimized for the device's capabilities and the desired set of functionality
- The Internet and its functionality have spread to mobile devices
- From smartphones to tablets, today's mobile system is a computer

Patch Management

- Every OS requires software updates
- Updates arrive through downloads from web sites or built-in utilities
- Hotfix: a small software update designed to address a specific problem
- Patch: a more formal, larger software update that can address several or many software problems or enhancements
- Service pack: a large collection of patches and hotfixes rolled into a single, rather large package

Disabling Unnecessary Ports and Services

- Identify the specific needs of a system for its proper operation and only enable items that are necessary
- Disabling unnecessary ports and services prevents their use by unauthorized users
- This improves system throughput and increases security
- Systems have ports and connections that need to be disabled if not in use
- TCP and UDP each have 65,536 ports

Least Functionality

- Least functionality is similar to the principle of least privilege on systems
- A system should do what it is supposed to do and not more
- Any additional functionality is an added attack surface

Secure Configurations

- OS developers and manufacturers cannot possibly anticipate the many different configurations and variations that users will require from their products
- They provide a "default" installation which contains the base OS and some of the more commonly desirable options
- End users are responsible for securing their own systems
- Hardening is the process of securing an OS; it is intended to make the system more resistant to attacks
- The process is not trivial

Secure Configurations

- The base installation shall come from a trusted source, and is verified as correct by using hash values
- Machines are connected only to a trusted network during the installation, hardening, and update processes
- The base installation includes all current patches and updates for both the OS and applications
- Backup images are taken after hardening and updates to facilitate system restoration to a known state

Trusted Operating System

- A trusted operating system is one that is designed to allow multilevel security in its operation
- Trusted OSs are expensive to create and maintain because any change must undergo a recertification process
- Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria, or CC) is a harmonized set of security criteria recognized by many nations, including the United States, Canada, Great Britain, and most of the EU countries
- Versions of Windows, Linux, mainframe OSs, and specialty OSs have been qualified to various Common Criteria levels
- Trusted OSs are most commonly used by government agencies and contractors that require this level of protection

Application Whitelisting/Blacklisting

- Application blacklisting: a list of which applications should not be allowed to run on the machine
- Application whitelisting: a list of allowed applications
- Advantages and disadvantages:
  - blacklisting is difficult to use against dynamic threats
  - whitelisting is easier to employ; hash values can be used to ensure the executables are not corrupted
  - the challenge in whitelisting is the number of potential applications that are run on a machine; on multipurpose machines, it can be more complicated
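The whitelist/blacklist trade-off above, worked through in code. This is an added example for these slides, not code from the course; the executable names and contents are constructed byte strings standing in for real binaries.

```python
"""Application allow-listing by hash versus block-listing by name.

Added example for this chapter, not code from the slides. The "executables"
are constructed byte strings standing in for real binaries.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash of an executable's contents; this is what an allow-list stores."""
    return hashlib.sha256(data).hexdigest()


class Blocklist:
    """Deny by name: anything not on the list may run."""

    def __init__(self, denied_names: set[str]) -> None:
        self.denied_names = denied_names

    def allows(self, name: str, contents: bytes) -> bool:
        return name not in self.denied_names


class Allowlist:
    """Allow by hash: only executables whose hash was approved may run."""

    def __init__(self, approved: dict[str, bytes]) -> None:
        # Store hashes rather than names, so a modified or renamed file fails.
        self.approved_hashes = {sha256_hex(c) for c in approved.values()}

    def allows(self, name: str, contents: bytes) -> bool:
        return sha256_hex(contents) in self.approved_hashes


def evaluate(policy, binaries: dict[str, bytes]) -> dict[str, bool]:
    """Decide, for each candidate executable, whether the policy lets it run."""
    return {name: policy.allows(name, contents) for name, contents in binaries.items()}


# Constructed sample executables (name -> contents).
APPROVED = {
    "notepad.exe": b"MZ notepad build 1.0",
    "word.exe": b"MZ word build 16.0",
}
CANDIDATES = {
    "notepad.exe": b"MZ notepad build 1.0",      # unchanged, approved
    "word.exe": b"MZ word build 16.0 +patch",    # legitimate update, not yet re-approved
    "unwanted.exe": b"MZ unwanted tool v1",      # known by name to the blocklist
    "unwanted-v2.exe": b"MZ unwanted tool v2",   # new variant: unknown name, unknown hash
}

BLOCKLIST = Blocklist({"unwanted.exe"})
ALLOWLIST = Allowlist(APPROVED)

if __name__ == "__main__":
    for label, policy in (("blocklist", BLOCKLIST), ("allowlist", ALLOWLIST)):
        print(label, evaluate(policy, CANDIDATES))
```

The blocklist lets the unknown variant run (the "dynamic threat" problem), while the allowlist stops it but also stops the legitimately patched word.exe until its new hash is approved, which is the maintenance burden the third sub-bullet describes.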

Disable Default Accounts/Passwords

- Default accounts with default passwords
- Defaults represent significant security vulnerabilities
- Disable default accounts/passwords
- This is a simple task that you must do for any new system
- If you cannot disable the default account, then change the password to a very long password that offers strong resistance to brute force attacks
- Guest, Admin, root, default shares

Peripherals

- Many of these devices have embedded computers in them
- This has led to hacking of peripherals
- From wireless keyboards and mice, to printers, to displays and storage devices, they have all become sources of risk

Wireless Keyboards

- Wireless keyboards operate via a short-range wireless signal
- They connect through a USB Bluetooth connector, creating a small personal area network (PAN), or through a 2.4-GHz dongle
- Wireless keyboards can be paired with wireless mice
- Signals to and from the peripherals are subject to interception
- Keystrokes can be recorded (keylogging), which can be very difficult to detect

Wireless Mice

- Wireless mice are similar to wireless keyboards
- Mousejacking attack: a man-in-the-middle attack on the wireless interface to control the mouse and/or intercept the traffic
- Some major manufacturers, like Logitech, addressed this for their mainstream product line, but a lot of older mice were never patched
- The vulnerability still exists

Displays

- Computer displays are primarily connected directly to machines
- But for conferences and other group settings, there is a wide array of devices today that can enable a display via a wireless network
- The risk of using these is simple: who else within range of the wireless signal can watch what you are beaming to the display in the conference room?
- Transmitting sensitive data to the screen

Wi-Fi-Enabled MicroSD Cards

- Wi-Fi-enabled MicroSD cards eliminate the need to move the card from device to device to move the data
- Primarily designed for digital cameras
- They work by having a tiny computer embedded in the card running a stripped-down version of Linux
- One of the major vendors in this space uses a stripped-down version of BusyBox and has no security at all
- In an enterprise network they introduce a wide variety of unpatched vulnerabilities

Printers/MFDs

- Printers have CPUs and a lot of memory
- Modern printers now come standard with a bidirectional channel, so that you can send a print job to the printer and it can send back information as to job status, printer status, and other items
- Multifunction devices (MFDs) are like printers on steroids
- They combine printing, scanning, and faxing all into a single device
- Multiple people connect to and share a fairly expensive high-speed device
- Hackers have demonstrated malware passed by a printer to another computer that shares the printer; this has passed the proof-of-concept phase

External Storage Devices

- Network-attached storage (NAS) devices are external storage devices
- Simple Linux-based appliances, with multiple hard drives in a RAID arrangement
- With the rise of ransomware, these devices can spread infections to any and all devices that connect to the network, so precautions should be taken
- If not necessary, always-on should be avoided

Digital Cameras

- Digital cameras are sophisticated computing platforms
- They capture images, perform image analysis, connect over networks, and send files across the globe directly
- The capabilities are vast, and the ability to move significant data quantities is built in, up to live 4K video streaming
- Data streams are encrypted, as the typical use would require an encrypted channel

Sandboxing

- Sandboxing refers to quarantine or isolation
- It is standard practice for programs with an increased risk, limiting their interaction with the CPU and other processes
- Virtualization can be used as a form of sandboxing with respect to an entire system

Environment

- Most organizations have multiple, separate computing environments
- Isolation between development, test, staging, and production
- This prevents security incidents arising from untested code
- The hardware is segregated, and access control lists prevent users from accessing more than one environment at a time
- Moving code between environments requires a special account, minimizing issues of cross-contamination

Development

- The development environment is sized, configured, and set up for developers
- The hardware does not have to be scalable
- The development platform does need to use the same OS
- After code is successfully developed, it is moved to a test system

Test

- The test environment fairly closely mimics the production environment: same versions of software, patch levels, permissions, file structures
- The purpose is to test a system fully prior to deployment
- The test environment may not scale like production, but it will look exactly like production
- System-specific settings need to be tested in an environment identical to that in which they will be run

Staging

- The staging environment is optional
- After passing testing, the system moves into staging, from where it can be deployed to the different production systems
- It serves as a sandbox after testing, so the test system can test the next set while the current set is deployed across the enterprise
- One method of deployment is a staged deployment, where software is deployed to part of the enterprise and then a pause occurs to watch for unseen problems; if none occur, the deployment continues
- This prevents the total loss of production to a failed update

Production

- The production environment is where the systems work with real data, doing the business that the system is intended to perform
- This is an environment where, by design, very few changes occur, and those that do must first be approved and tested via the system's change management process

Secure Baseline

- Baselining is the process of establishing software's base security state
- A secure baseline allows the software to run safely and securely
- Software and hardware can be tied intimately when it comes to security, so you must consider them together
- After administrators have finished patching, securing, and preparing a system, they create an initial baseline establishing a known safe configuration
- Once you have completed the process, you can configure any similar systems with the same baseline
- Uniform software baselines are critical in large-scale operations

Integrity Measurement

- Integrity measurement is the measuring and identification of changes to a system away from an expected value
- E.g. changing of data, measurement of the system boot process, and attestation of trust
- Take a known value, store a hash or other keyed value of it, and then, at the time of concern, recalculate and compare
- In the case of a TPM-mediated system, the chip will calculate hashes and store them in a Platform Configuration Register (PCR), which can be read later and compared to a known or expected value
- Certain BIOSs, UEFIs, and bootloaders can work with the TPM chip, establishing a trust chain during system boot
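The "store a hash now, recalculate and compare later" idea from this slide, and the hash verification of a base install and baseline from the Secure Configurations and Secure Baseline slides, worked through together. This is an added example, not code from the course. The PCR extend rule it uses (PCR_new = SHA-256(PCR_old || SHA-256(component)), starting from an all-zero register) is the way a TPM accumulates boot measurements; the file contents and boot components are constructed byte strings.

```python
"""Integrity measurement: a stored baseline of hashes that is recalculated and
compared later, plus a TPM-style PCR extend chain for boot measurements.

Added example for this chapter, not code from the slides. Files and boot
components are constructed byte strings.
"""
import hashlib
import hmac


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Baseline: take known values now, recalculate and compare at time of concern ---
def take_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Record the hash of every file in the known-good state."""
    return {path: sha256(contents).hex() for path, contents in files.items()}


def check_baseline(baseline: dict[str, str], files: dict[str, bytes]) -> dict[str, str]:
    """Classify each path as ok, modified, missing, or unexpected."""
    report = {}
    for path, expected in baseline.items():
        if path not in files:
            report[path] = "missing"
        elif not hmac.compare_digest(sha256(files[path]).hex(), expected):
            report[path] = "modified"
        else:
            report[path] = "ok"
    for path in files:
        if path not in baseline:
            report[path] = "unexpected"
    return report


# --- TPM-style PCR: each boot component extends the register, in order ---
PCR_INITIAL = bytes(32)  # a PCR starts as all zeros at power-on


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(component)); cannot be reset, only extended."""
    return sha256(pcr + sha256(component))


def measure_boot(components: list[bytes]) -> bytes:
    """Extend a fresh PCR with each component in boot order; order matters."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def attest(expected_pcr: bytes, components: list[bytes]) -> bool:
    """True only if the boot chain reproduces the expected (golden) PCR value."""
    return hmac.compare_digest(measure_boot(components), expected_pcr)


# Constructed known-good state, recorded right after hardening.
GOLDEN_FILES = {"/etc/service.conf": b"remote_admin = off\n", "/bin/login": b"ELF login v1"}
BASELINE = take_baseline(GOLDEN_FILES)
GOOD_BOOT = [b"firmware v1", b"bootloader v2", b"kernel 5.x"]
EXPECTED_PCR = measure_boot(GOOD_BOOT)

if __name__ == "__main__":
    later = {"/etc/service.conf": b"remote_admin = on\n", "/tmp/dropped": b"?"}
    print(check_baseline(BASELINE, later))
    print(attest(EXPECTED_PCR, GOOD_BOOT))
    print(attest(EXPECTED_PCR, [b"firmware v1", b"bootloader v3", b"kernel 5.x"]))
```

Because each extend folds the previous register value in, a swapped component or a changed load order yields a different final PCR, which is what lets a bootloader or remote verifier detect a change anywhere in the chain.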

Stay Alert!

There is no 100 percent secure system, and there is nothing that is foolproof!