Part 1: What is it and Why do we need it Platform Hardening

Upload: hoangcong

Post on 12-May-2019


ISACA Hardening Presentation v1.0 (isacaaustin.weebly.com/uploads/9/4/9/1/949112/10-6-2009_platform_hardening.pdf)

Part 1: What is it and Why do we need it

Platform Hardening


CONTACTS

Michael Gough – CISSP, CISA

Senior Risk Analyst - Comptroller of Public Accounts

Author – ‘Skype Me!’ and ‘Video Conferencing over IP’ by Syngress Press

Contributor to the Center for Internet Security Benchmarks.


AGENDA

Part 1 – What is Platform Hardening and Why do we have to do it

Part 2 – What do we need to do and How do we need to prepare to Harden systems

Part 3 – How to Harden (Win, *NIX, Cisco, Handhelds)


WHAT

Is Platform Hardening?


WHAT IS A PLATFORM?

A Platform consists of all components that are a part of, and can be configured on, any type of or group of Information Systems, including but not limited to the following components:

BIOS

Hardware included in or on the system

The booting or Base Operating System (BOS)

Any Virtual Operating System (VOS)

Any Guest operating system

Any applications

Any middleware

Any databases

Any storage device

Network that connects it all (firewalls, routers, switches, VoIP)

Any security applications installed on the completed system

And of course…ALL configuration settings (auditing, options, etc.)

PLATFORMS

TYPICAL NETWORK

WHAT IS HARDENING?

Bret Hartman, CTO at RSA, says it is “appropriate (security) settings and removing unused code.”

Hardening is the goal of deploying a system in the most secure state possible while maintaining functionality and reducing as many threat vectors as possible.


WHAT IS HARDENING?

Hardening is the process of securely deploying systems.

Hardening is the practice of ‘least privilege’.

Hardening is not just the operating system.

Hardening includes:

Understanding what you actually need to run on the system

!!! DOCUMENTATION !!! (Policy, Standards & Guidelines)

Operating systems

Virtual servers

Coding

Application settings

Database setup & configuration

Network devices

Portable devices

Etc., etc., etc…


WHAT IS PLATFORM HARDENING?

Platforms are depended upon to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained.

One of the required steps to attain this assurance is to ensure that the platforms are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.

* From UT Medical Branch


DEFINITIONS

Hardened System

(H) Is the final state we are trying to achieve

Baseline OS Hardening

(BOS) Is the Baseline Operating System hardening: CIS Benchmark ‘Baseline’ settings.

Application / System Function Hardening

(AF) Is any hardening of applications that may reside on top of the operating system, such as Apache, IIS, Oracle, or specific functions, such as File/Print, DNS/DHCP, etc.


DEFINITIONS

Base Hardening

Base Hardening = Baseline Operating System hardening + Application or System Function hardening

(B) = (BOS) + (AF)

Custom Hardening

(C) Is any additional hardening applied to the system, such as ‘Specialized Security Limited Functionality’ settings, DMZ settings, additional system service settings (KIOSK, Bastion Host, etc.), custom OS-specific security controls (TCP Wrappers, Bastille, etc.)


DEFINITIONS

Virtual System (Needs Host OS)

(V) Is the Virtual Machine hardening

Virtual OS Hardening (Bare Metal OS)

(VOS) Is the Virtual Server hardening – VMware ESXi


HARDENING FORMULA

Putting System Hardening into a mathematical formula:

H = Hardened System

B = Base Hardening

C = Custom Hardening

So…

H = B + C


HARDENING FORMULA

Also stated (layer diagram): Hardened System or Secure Deployment = Custom Hardening layered over Baseline OS Hardening and Application / Function Hardening.


HARDENING FORMULA

Also stated as layered security (layer diagram, top to bottom): Hardened System or Secure Deployment = Custom Hardening, over Baseline OS Hardening and Application / Function Hardening (guest), over Virtual Server Hardening, over Baseline OS Hardening (host).


HARDENING VIRTUAL SYSTEMS

For Virtual Operating System:

H = Hardened System

VOS = Virtual OS Hardening

B = Base Hardening

C = Custom Hardening

So…

H = VOS + B + C
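The formula can be made concrete as ordered layers of settings: later layers (Custom) override earlier ones (Baseline), and the composed state is what an audit measures a deployed system against. This is an added example, not code from the presentation; every setting name and value in it is a constructed, hypothetical assumption.

```python
# Added example, not from the presentation: H = VOS + B + C (with B = BOS + AF)
# modelled as layers of settings applied in order, so a later layer (Custom)
# overrides an earlier one (Baseline); the composed hardened state H is then
# audited against a constructed "actual" configuration of a deployed system.
# Every setting name and value below is an illustrative assumption.
from typing import Dict, Tuple

Settings = Dict[str, str]


def compose_hardened(vos: Settings, bos: Settings, af: Settings, custom: Settings) -> Settings:
    """H = VOS + B + C, where B = BOS + AF; on conflict the later layer wins."""
    hardened: Settings = {}
    for layer in (vos, bos, af, custom):
        hardened.update(layer)
    return hardened


def audit(expected: Settings, actual: Settings) -> Tuple[float, Dict[str, Tuple[str, str]]]:
    """Measure an actual configuration against H: returns (compliance ratio,
    deviations as setting -> (expected, actual)); a missing setting is a deviation."""
    deviations: Dict[str, Tuple[str, str]] = {}
    for key, want in expected.items():
        have = actual.get(key, "<missing>")
        if have != want:
            deviations[key] = (want, have)
    ratio = 1.0 - len(deviations) / len(expected) if expected else 1.0
    return ratio, deviations


# Constructed sample layers (hypothetical setting names and values)
VOS = {"hypervisor.ssh": "disabled", "hypervisor.lockdown": "enabled"}
BOS = {"ssh.PermitRootLogin": "no", "telnet.service": "disabled", "audit.log": "local"}
AF = {"apache.ServerTokens": "Prod", "apache.run_as": "www-data"}
CUSTOM = {"ssh.service": "disabled", "audit.log": "remote"}  # DMZ layer overrides BOS

# Constructed snapshot of a deployed system: root SSH login was left on and
# the SSH service was never disabled as the DMZ (Custom) layer requires.
ACTUAL = {
    "hypervisor.ssh": "disabled", "hypervisor.lockdown": "enabled",
    "ssh.PermitRootLogin": "yes", "telnet.service": "disabled",
    "audit.log": "remote", "apache.ServerTokens": "Prod",
    "apache.run_as": "www-data", "ssh.service": "enabled",
}

if __name__ == "__main__":
    ratio, deviations = audit(compose_hardened(VOS, BOS, AF, CUSTOM), ACTUAL)
    print(f"compliance {ratio:.0%}; deviations: {deviations}")
```

The same composed state H is the "something to measure against" that a hardening process gives an audit.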


HARDENING FORMULA

Also stated as layered security (layer diagram, top to bottom): Hardened System or Secure Deployment = Custom Hardening, over Baseline OS Hardening and Application / Function Hardening, over Virtual OS Hardening.


WHY?

Do we need to harden?


WHY DO WE NEED TO HARDEN?

Any Information System that is visible to the public, such as a web server or mail server, must be "hardened" to minimize the risk of successful attacks against it.

Hardening is the process of preparing an operating system for use as a firewall or other public server by removing as many vulnerabilities as possible (1).

The following areas need careful attention when hardening an operating system:

File System Security

User Account Security

Logging and Auditing

Removing Unnecessary Services

Running Essential Services with Unprivileged Accounts

Physical Security

Network Protocol Vulnerabilities

Other related security settings and configuration

(1) Technology Training Limited (UK)


TIME BASED SECURITY

In Winn Schwartau’s words the concept is this:

Pt > Dt + Rt

Protection (Pt), Detection (Dt) and Reaction (Rt).

“The amount of time offered by the Protection device or system ‘P-sub-t’, must be greater than the amount of time it takes to detect the attack ‘D-sub-t’, plus the amount of time it takes to react to the detection, ‘R-sub-t’.”


MOBIUS DEFENSE?

Pete Herzog

Defense-in-Depth is the delaying versus the prevention of the advance of an attacker

Isn’t this just Time Based Security ?


HARDENING & TIME BASED SECURITY

Platform Hardening falls under the Protection (Pt) category.

The goal of Platform Hardening is to improve the protection of our assets to provide more time to detect and react to a security incident.

A good hardening process improves the ability to audit our systems and the platforms they reside on.


WHY SHOULD WE CARE?

Our own Policies, Standards & Guidelines

Audits

SANS Top 20

CSI / FBI Security Survey

PCI

TAC / TGC

FISMA - NIST

IRS 1075

Best Practice…

Minimize attack vectors


WHY SHOULD WE CARE?

We have and use more and more complex applications and features.

More and more coding, and more and more systems and applications facing the Internet:

.NET, Java, PHP

Windows services

*NIX daemons

All those security settings and configuration


SANS TOP 20 VULNERABILITIES:

S2 – Windows Services

RPC, Services, Registry

S3 – UNIX Services

Brute-force attacks against remote services such as SSH, FTP, and telnet are still the most common form of attack to compromise servers facing the Internet

H.1b Excessive User Rights and Unauthorized software

Local Admin, root, sa, etc…

H3. Unencrypted Laptops and Removable Media

USB ports still active – really???

SANS TOP 20 CRITICAL SECURITY CONTROLS:

CAG: Critical Control 3:

Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

CAG: Critical Control 4:

Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

CAG: Critical Control 7:

Application Software Security


CSI/FBI SECURITY SURVEY 2008:

The Exploits…

Many of these could be prevented or detected by Hardening

CSI/FBI SECURITY SURVEY 2008:

These are all Products…

Where is the Process ?

Where is the Practice of Least Privilege ?


CSI/FBI SECURITY SURVEY 2008:

Where is “Improved Internal Processes”?

CSI/FBI SECURITY SURVEY 2008:

BENEFITS OF PLATFORM HARDENING

More secure deployments of information systems.

Improve Configuration Management for security-related settings

Compliance and Regulatory requirements

Ability to implement Security Configuration tools like Tripwire

Easier ability to Audit our systems… we now have something to measure against… assuming we have implemented a hardening process

THE END

Part 2 – What do we need to do and How do we need to prepare to Harden systems

Thank you !

Contact me at: [email protected]

Security is not a goal, it is a process. Security is not a product, it is a mindset. Security is a never-ending task. If you think you are secure... just wait a few minutes until the next sploit is released.

Security is like breathing - If you stop, you die... (Pezzo - May 2001)