Presentation: Locking down server and workstation operating systems Given by: Ben Rothke
Locking down server and workstation operating systems
Ben Rothke, CISSP CISA
BT Global Services
Senior Security Consultant
BT Americas Inc. 2
About me….
• Ben Rothke (too many certifications)
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author - Computer Security: 20 Things Every Employee Should Know
Traditional thoughts about hardening & patching
• Remove unnecessary protocols and services
• design program around Patch Tuesday
• in the hope of avoiding Exploit Wednesday
• Is this approach working?
BT Professional Services 3
Patching today
• Attackers continue to scan enterprises and look for easy openings
– deploy critical security patches - especially to laptops and Internet-exposed servers
• some organizations are finding it more difficult to justify the broad QA testing and disruptive deployment efforts needed for rapid application and database patching.
• Resources (people and budget) are limited, so spending and effort must be focused in a way that's most efficient and effective for current threats.
• Patching faster isn't always the best approach
Why harden and patch?
Gartner on the issue
• Rapid patching isn't an effective response to many threats, and isn't operationally practical for some IT infrastructure elements
• Better shielding and monitoring are more effective in these cases.
– Reducing the risk of new threats requires more than fast patching
– Mark Nicolett & John Pescatore
Why rapid patching is not a panacea
• A variety of paths are being used by targeted attacks
– patching doesn't address all of them
• Targeted attacks don't only seek out unpatched OSs
– they also focus on weaknesses in users and applications to attack databases and other internal systems
• Rapid patching isn't possible or practical for some PC, network, server and application components
• Additional protection and monitoring strategies are needed to reduce risk
A better approach
• Threat assessment and penetration testing processes
– to determine which vulnerabilities must be remediated immediately, which can be temporarily shielded and which can be addressed later
• Implement network segmentation and shielding
– for critical servers, databases and applications that can't be patched quickly
• Implement user and resource access monitoring technologies and processes
– for systems and applications containing data that might be subject to a targeted attack
The best approach to app dev security
• Strong application security
• every CIO agrees about the importance of app security
• Forrester notes:
– the need to protect applications and proactively eliminate application-level vulnerabilities is a growing concern for security professionals, but too few firms have taken action.
• disconnect between the perceived importance of application security & willingness to tackle the problem
Tackling the app dev security problem
• Reactive
– source code and/or black box scanning
– Cigital, Cenzic, Fortify, Veracode, WhiteHat, Ounce Labs
• Proactive
– build a proactive application security strategy into the dev life cycle
– end-to-end application security program
– can be modeled after Trustworthy Computing initiative
– ensure all technologies are considered, especially Web 2.0
Two approaches to app dev security
1. Wait until someone exploits vulnerabilities in your system and then run to patch and fix it
2. Proactively build security early on in the dev process
– mitigating vulnerabilities before attackers find them
• Proactive app sec program extends to every relevant phase of the application life cycle
– conception => operation
• Success = commitment and support from senior management
When you can’t patch…..
• In-house web applications
– detect and resolve vulnerabilities before deploying the web application
– implement a web application firewall to shield vulnerabilities that can't be resolved
• 3rd-party applications and databases
– use host-based IPS on difficult-to-patch servers
– segment unpatchable systems behind network IPS
– Implement database and application monitoring or IDS to find breaches
When you can’t patch…..
• Windows laptops
– deploy an aggressive policy on endpoint protection platforms, including firewalls and HIPS
– require laptop data encryption for any laptop used by an employee who has access to sensitive data, regardless of patch management capabilities
– enable network access control (NAC) to protect corporate IT resources from compromised mobile devices.
• Networking equipment
– shield network equipment behind network IPS and firewalls.
– use change monitoring or IDS to detect breaches
When you can’t patch…..
• Windows/Unix/Linux servers and PoS
– deploy HIPS on difficult-to-patch servers.
– segment unpatchable systems behind network IPSs.
– use database application monitoring or IDS to detect breaches
Tools / standards / guides
• Microsoft security guides
– http://technet.microsoft.com/en-us/library/cc184906.aspx
• DISA Security Technical Implementation Guides
– http://iase.disa.mil/stigs/stig/index.html
• NIST Guide to General Server Security (SP 800-123)
– http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
• CIS Benchmark Assessment Tools
– http://www.cisecurity.org/en-us/?route=downloads.audittools
Recommendations
• Whenever possible, vulnerable software should be patched ASAP
• When business realities dictate that this isn't possible
– all devices at least should be configured as securely as possible to minimize attack apertures.
• Follow general security principles of enabling only the required functions
– deny by default, allow by exception, etc.
• If not using the specific functions of a device,
– ensure that these options are disabled
• Ensure a formal app sec program is in place
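As an added example (not from the slides), a Python audit that applies "deny by default, allow by exception" to the services a host exposes: it parses constructed sample output in the format of `ss -H -tulnp`, checks each listener against a hypothetical per-role allowlist, and lists what must be disabled or formally justified before the host counts as hardened. The allowlists and the sample sockets are assumptions for illustration.

```python
import re
# Constructed sample in `ss -H -tulnp` format (not a real capture).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511 0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
tcp   LISTEN 0 128 0.0.0.0:23     0.0.0.0:* users:(("telnetd",pid=1500,fd=4))
udp   UNCONN 0 0   0.0.0.0:161    0.0.0.0:* users:(("snmpd",pid=701,fd=8))
tcp   LISTEN 0 128 [::]:5900      [::]:*    users:(("x11vnc",pid=2200,fd=5))
"""

# Hypothetical per-role allowlists: the only (protocol, port) pairs permitted to face the network.
ALLOWLIST = {
    "web-server": {("tcp", 22), ("tcp", 443)},
    "workstation": {("tcp", 22)},
}
LOOPBACK = {"127.0.0.1", "::1"}

LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+'
    r'\s+users:\(\("(?P<proc>[^"]+)"')

def parse_listeners(ss_text):
    """Yield (proto, bind address, port, process) from `ss -H -tulnp` lines."""
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a socket line with an owning process; ignore
        addr, port = m.group("local").rsplit(":", 1)
        yield m.group("proto"), addr.strip("[]"), int(port), m.group("proc")

def audit(ss_text, role):
    """Classify every listener as allowed, local-only or unexpected."""
    findings = []
    for proto, addr, port, proc in parse_listeners(ss_text):
        if (proto, port) in ALLOWLIST[role]:
            verdict = "allowed"
        elif addr in LOOPBACK:
            verdict = "local-only"  # unapproved, but not reachable remotely
        else:
            verdict = "unexpected"  # exposed with no business exception
        findings.append((proc, proto, port, addr, verdict))
    return findings

def unexpected(ss_text, role):
    """Services to disable, or formally justify, before the host is hardened."""
    return [f"{proc} {proto}/{port} on {addr}"
            for proc, proto, port, addr, v in audit(ss_text, role)
            if v == "unexpected"]
```

On a real host, feed it `ss -H -tulnp` output and treat every "unexpected" entry as a configuration exception that needs an owner and a reason, or a service to remove.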
Contact info…
• Ben Rothke, CISSP CISA
• Senior Security Consultant
• BT Professional Services
• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke