Solutions used to establish host security.

PACE-IT, Security+ 4.3: Solutions to Establish Host Security


Brian K. Ferrill, M.B.A.

Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise / Industry Certifications

PC Hardware; Network Administration; IT Project Management; Network Design; User Training; IT Troubleshooting

Qualifications Summary

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.


Solutions used to establish host security.

– Hardening physical hosts.

– Hardening virtual hosts.


Hardening physical hosts.


The individual hosts on a network are the target of hackers. It is the resources that they contain that the attackers are after.

Because the major purpose of networks is to create a way in which communication and data can flow between systems, they are vulnerable to being breached by hackers. This means that, once a breach has occurred, it is vital that all of the hosts on a network be hardened against attack.

Hardening hosts is the process of putting technological controls in place that help to ensure the safety and integrity of the hosts—including the data and resources that they contain.


– Basic methods of hardening hosts.

» Operating system (OS) hardening: remove or disable any unnecessary features and services to reduce the OS’s attack surface.

• All features and services will present some type of vulnerability that can be exploited.

» OS security settings: review all security settings available in the OS and enable as many of them as make sense to help harden the OS.

• Do not leave defaults in place; defaults are well known and may represent a chink in the OS’s armor.

» Anti-malware: install it to protect against common attacks.

• Anti-malware applications should contain antivirus, anti-spyware, pop-up blockers, and anti-spam features.

» Patch management: ensure that the OS is kept up to date with current security patches supplied by the manufacturer of the OS.

• All software installed on the host should also be part of the patch management program to ensure that those applications don’t become a weakness in the system.

• All firmware should also be patched as required.
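
The patch management points above can be checked per host by comparing an inventory against a minimum patch level. The following is an added example, not part of the original slides; the component names, version numbers and function names are constructed for illustration.

```python
# Constructed sample data (hypothetical components and versions).
MINIMUM_PATCHED = {          # patch baseline: component -> minimum acceptable version
    "os-kernel": "5.15.120",
    "web-browser": "118.0.2",
    "pdf-reader": "23.6",
    "nic-firmware": "1.10.0",   # firmware is tracked alongside OS and applications
}
INSTALLED = {                # inventory collected from one host
    "os-kernel": "5.15.98",
    "web-browser": "118.0.2",
    "nic-firmware": "1.9.4",
    "media-player": "3.0.1",    # installed, but missing from the patch program
}


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so comparison is numeric, not alphabetical."""
    return tuple(int(part) for part in text.split("."))


def is_older(installed, minimum):
    """True when the installed version is below the required minimum."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so '23.6' and '23.6.0' compare equal
    b += (0,) * (width - len(b))
    return a < b


def audit_patch_levels(installed, minimum):
    """Sort every component into outdated, compliant, not_installed or untracked."""
    findings = {"outdated": [], "compliant": [], "not_installed": []}
    for name, required in sorted(minimum.items()):
        if name not in installed:
            findings["not_installed"].append(name)
        elif is_older(installed[name], required):
            findings["outdated"].append((name, installed[name], required))
        else:
            findings["compliant"].append(name)
    # Software on the host that the patch program does not cover at all.
    findings["untracked"] = sorted(set(installed) - set(minimum))
    return findings


if __name__ == "__main__":
    for category, items in audit_patch_levels(INSTALLED, MINIMUM_PATCHED).items():
        print(category, items)
```

The "untracked" list is the case the slide warns about: software installed on the host that is not part of the patch management program.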


– More advanced methods of hardening hosts.

» Trusted OS: using an OS that implements multiple layers of security by design (e.g., requires authentication and authorization before granting access to host resources).

» Whitelisting applications: only applications that are specifically designated in the whitelist are allowed to run on the host.

» Blacklisting applications: explicitly denying (blocking) named applications from being run on a host.

» Host-based firewalls: using host-based firewalls to control what network traffic can be allowed into or out of the host.

• Especially important for mobile devices.

» Host-based intrusion detection system (HIDS): implemented to monitor the host to help detect when an intrusion has occurred to help minimize (or contain) any damage.

» Host software baselining: baselining software can be used to ensure that all OSs and applications on a host meet or exceed the minimum level of security that is required.
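
The difference between whitelisting and blacklisting in the list above is the default decision for an application that appears on neither list. The following is an added example, not part of the original slides; identifying applications by SHA-256 hash is an assumption of the example, and the file names and contents are constructed.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Identify an application by the hash of its file contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def whitelist_allows(path, approved_hashes):
    """Default deny: the file runs only if its hash is on the approved list."""
    return sha256_of(path) in approved_hashes


def blacklist_allows(path, blocked_hashes):
    """Default allow: the file runs unless its hash is on the blocked list."""
    return sha256_of(path) not in blocked_hashes


def compare_policies():
    """Return {label: (whitelist decision, blacklist decision)} for sample files."""
    with tempfile.TemporaryDirectory() as workdir:
        def make(name, content):
            path = os.path.join(workdir, name)
            with open(path, "wb") as fh:
                fh.write(content)
            return path

        # Constructed stand-ins for executables.
        approved_app = make("editor", b"reviewed editor build")
        blocked_app = make("game", b"explicitly denied application")
        unreviewed_app = make("newtool", b"never reviewed by anyone")

        approved = {sha256_of(approved_app)}
        blocked = {sha256_of(blocked_app)}

        def decide(path):
            return (whitelist_allows(path, approved), blacklist_allows(path, blocked))

        results = {
            "approved": decide(approved_app),
            "blocked": decide(blocked_app),
            "unreviewed": decide(unreviewed_app),
        }
        # An approved file whose contents change no longer matches its approved hash.
        with open(approved_app, "ab") as fh:
            fh.write(b" (altered)")
        results["approved_altered"] = decide(approved_app)
        return results


if __name__ == "__main__":
    for label, (wl, bl) in compare_policies().items():
        print(f"{label:17} whitelist={wl!s:5} blacklist={bl}")
```

The two policies disagree only on the unreviewed and altered files: the whitelist denies both, while the blacklist allows them because nothing has named them yet.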


Physical security controls can be overlooked when implementing host hardening methods.

If an attacker has unfettered physical access to a host, it will not matter how much hardening has been done to the host system. If nothing else, the attacker can just walk away with the asset in order to breach it at his or her leisure.

To reduce a hacker’s physical access to hosts, some physical security controls should be put in place. Some of the controls that should absolutely be used include locking cabinets for networking equipment and servers. Safes may also be considered for storage of smaller hosts. Cable locks can also be used to help physically secure hosts from theft.


Hardening virtual hosts.


– Methods of hardening virtual hosts.

» Snapshot: an image of the virtual host created at a point in time when that host is secure.

• It can be used to quickly revert the virtual host in cases where security has been compromised.

• Snapshots can also be used to bring new hosts into service quickly and efficiently as needed, creating elasticity in the system.

» Patch management: same consideration as with physical hosts.

» Host availability: high availability methods should be used to ensure that virtual host systems are available to users as needed, removing single points of failure.

» Security control testing: separate security testing should be conducted on virtual systems to ensure that they operate as expected.

» Sandboxing: when high security is needed, a sandboxed environment can be created.

• This creates a virtual environment in which the virtual machines are restricted in what they can access.


What was covered.

Topic: Hardening physical hosts.

Summary: The individual hosts of a system are the actual targets of hackers. Hardening solutions (technological controls) should be put in place to help protect hosts from attack. Some of these controls include: OS hardening, OS security settings, anti-malware applications, patch management, using a trusted OS, whitelisting and blacklisting applications, installing a host-based firewall and HIDS, and using host baselining software. Physical security controls should also be put in place. These may include: locking cabinets, safes, and cable locks.

Topic: Hardening virtual hosts.

Summary: Steps may also be taken to harden virtual hosts. These include: using snapshots to create an image of the host when it is considered secure, patch management, host high availability techniques (removing single points of failure), security control testing, and sandboxing.


This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.