CYBER SECURITY WEBINAR SERIES - PART 3
© F-Secure
• INTRODUCTION TO CYBERSECURITY
• DEFENDING WORKSTATIONS
• DEFENDING SERVERS – NOW
• DEFENDING NETWORK 15TH OCTOBER 2015
• RESPONDING TO AN INCIDENT 9TH NOVEMBER 2015
• BUILDING SECURE SYSTEMS 3RD DECEMBER 2015
RECORDINGS: HTTPS://BUSINESS.F-SECURE.COM
SERVERS AND WORKSTATIONS HAVE THE SAME THREATS
• Software vulnerabilities and exploits
  - Anything that is accessible can be attacked
  - However, on a server the attacker has interactive access
• Software misconfigurations
  - If access control can be bypassed, an exploit is not needed
  - Badly configured software will leak data, and crypto can be degraded
• Credential cracks and leaks
  - Bad passwords are the most common cause of a breach
  - Even a strong password does not protect you if it is leaked
https://www.exploit-db.com/exploits/18121/
http://www.w3schools.com/sql/sql_injection.asp
TYPICAL ATTACKS AGAINST SERVERS
• Code execution attacks
  - Attacker is able to feed bad data to a service and take it over
• SQL and other query injection
  - Attacker is able to give commands to the DB server, for example read all data on the server or modify it
• Cross site scripting
  - Attacker is able to feed the victim a link which changes the behavior of your web service
• More info: https://www.owasp.org/index.php/Top_10_2013-Top_10
https://www.exploit-db.com/exploits/38105/
GET THE BASICS RIGHT
• Choose the right OS and install the latest feasible version
  - E.g. Windows Server 2012 has a lot of improvements over 2008
• Close all services that you don't need
  - And have minimal configurations for the services you do need
• Follow OS and service security baselines and best practices
  - Microsoft security baselines, NSA guides, NIST guides, CIS, SANS CSC, etc.
• Isolate services with sandboxes, or at least with account and access controls
• Use memory hardening tools
MAKE USE OF VIRTUALIZATION
• Run services on hardware only if you really have to
  - Each function should have its own well-isolated virtual instance
• Don't get too attached to servers you have virtualized
  - Aim to have stateless systems that you can create and destroy at will
  - If a system alarms on a likely compromise, freeze the instance and launch a new one
  - Cycle VMs once every couple of hours, make the attacker work for his foothold
• However, don't go naked into the clouds
  - Hosting servers or services in an environment you don't own adds its own risks
  - Bring Your Own Encryption (BYOE)
MAKE SURE YOU HAVE VISIBILITY
• Logs are critical for investigation
  - Log to a remote system and store logs long enough, at least 12 months
  - ELK stack (Elasticsearch, Logstash and Kibana) for the win
• Collect and maintain integrity logs
  - Use an integrity checker to spot any new executables
  - If you use VMs, make sure you regularly compare against the base image
• Have alerts for critical situations
  - Have log monitoring systems that send email or SMS alerts on critical problems
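The "compare against the base image" check above, as an added example that is not part of the original slides or of any F-Secure product: a SHA-256 manifest is taken from the clean image, a second one from the running instance, and the diff reports new, removed and modified files. The directory layout and file names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Baseline manifest: relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed sample: a 'base image' tree and the same tree after it has drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(b"original service binary")
        (root / "app.conf").write_text("listen 80\n")
        baseline = snapshot(root)  # taken from the clean image
        # Simulated drift on the running instance: an unexpected new executable
        # and a changed configuration file, both of which should raise an alert
        (root / "bin" / "unexpected.exe").write_bytes(b"not in the base image")
        (root / "app.conf").write_text("listen 8080\n")
        return diff_against_baseline(baseline, snapshot(root))
```

In production the baseline manifest would be stored off-box (alongside the remote logs) so a compromised instance cannot rewrite it.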
MAKE SURE YOUR SERVICES ARE SECURE
• The most common cause of a server breach is third party services
  - Thus make sure you follow the security announcements and update, especially WordPress
  - Also update any components used by your own code
• Make sure that secure coding is practiced in your own code
  - https://www.owasp.org
  - http://www.cert.org/secure-coding/publications/index.cfm
  - http://resources.infosecinstitute.com/secure-code-review-practical-approach/
MAKE IT DIFFICULT FOR THE ATTACKER
• Most attacks rely on exploits; EMET breaks most of the exploits
  - http://microsoft.com/emet
• Even as some attacks run in memory, many drop executables
  - So use application control to prevent unknown EXEs from running
• Many attackers circumvent detections by using PowerShell
  - Allow only signed PowerShell scripts, or disable it
  - http://blogs.technet.com/b/heyscriptingguy/archive/2010/06/17/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2.aspx
AUDIT, MAKE SURE THINGS STAY SECURE
• Do regular audits, or at least use vulnerability and configuration scanners
  - F-Secure Karhu, Nessus, OpenVAS
  - Spot the vulnerabilities before the attacker does
  - Focus on mitigations that fix a class of vulnerability
• If you lack time, use consulting
  - An audit by a consultant is cheaper than Incident Response services
PROTECT YOUR SECRETS
• The Ashley Madison hack, et al., were possible because of bad hygiene
• Store only the user info you need, drop the rest
  - Do not store any info on internet facing servers
  - Have separate DB servers, preferably behind an HTTP or other API, no direct SQL, CQL, etc.
  - Where possible, encrypt the user info with the user's password
  - Do not just hash passwords, use PBKDF2, scrypt or other key derivation functions
• Monitor access to data
  - If the web or other server starts to read tons of data, that is a cause for alarm
UPCONVERT WHEN CHANGING ALGORITHM
• Originally AM (Ashley Madison) was using MD5 hashes
• Later they updated to bcrypt with a proper work factor
• Unfortunately they failed to convert the old accounts
• Thus passwords for 11 million accounts could be cracked
http://cynosureprime.blogspot.in/2015/09/csp-our-take-on-cracked-am-passwords.html
http://thehackernews.com/2015/09/ashley-madison-password-cracked.html
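The two previous slides (use a key derivation function, and upconvert every account when the algorithm changes) as an added example, not code from the original deck: legacy unsalted MD5 records are wrapped in PBKDF2 in one batch step, which needs no plaintext and so also covers dormant accounts, and a wrapped record is replaced by a direct PBKDF2 record the next time the user logs in. PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt the slide mentions; the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Work factor is an assumption for this example; tune it upward for real hardware
PBKDF2_ITERATIONS = 100_000


def legacy_md5(password: str) -> str:
    """The weak scheme the old accounts were stored with: unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(secret: str) -> str:
    """New scheme: salted PBKDF2-HMAC-SHA256, stored as one self-describing string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_check(record: str, secret: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upconvert_all(db: dict) -> None:
    """One-off batch step at the algorithm change: wrap every legacy MD5 in PBKDF2 so that
    no crackable MD5 stays in the table. Needs no plaintext, so dormant accounts are covered."""
    for user, rec in db.items():
        if not rec.startswith("pbkdf2_sha256$"):
            db[user] = "wrapped_md5$" + pbkdf2_record(rec)


def login(db: dict, user: str, password: str) -> bool:
    """Verify the password; on success, replace a wrapped record with a direct PBKDF2 one."""
    rec = db.get(user)
    if rec is None:
        return False
    if rec.startswith("wrapped_md5$"):
        ok = pbkdf2_check(rec[len("wrapped_md5$"):], legacy_md5(password))
        if ok:
            db[user] = pbkdf2_record(password)  # the MD5 layer is gone for this account
        return ok
    return pbkdf2_check(rec, password)
```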
CONCLUSION
• Servers are hard to defend as attackers are interactive
• Thus your best defense is to limit the attackers' options
  - Minimize the attack surface
  - Minimize the tooling available on the server
  - Make the data difficult to access
  - Make the data useless when taken out of its context
THANK YOU FOR YOUR PARTICIPATION!
STAY TUNED FOR THE FUTURE CYBER SECURITY WEBINAR SERIES:
15 October 2015 at 11.00 EET: "Defending network"
9 November 2015 at 11.00 EET: "Responding to an incident"
3 December 2015 at 11.00 EET: "Building secure systems"
The recording will be available at the BUSINESS SECURITY INSIDER: https://business.f-secure.com