James Jara Portfolio 2014 - InfoSec White Paper- Part 5
Document Transcript

  • 1. James Jara Arroyo – White Paper – Portfolio 2014. Case study for my portfolio: InfoSecurity White Paper.
  • 2. INFOSECURITY WHITE PAPER / WWW.JAMESJARA.COM
    Contact name: James Jara
    E-mail address: Jamesjara@gmail.com
    Phone number: (506) 87944598
    Website: Www.jamesjara.com
    Solution offering: InfoSecurity White Paper
    Project name or title: Security Company Anonymous Case Study
    Business situation: I found the system vulnerable with high risk: full privilege escalation into the servers.
    Solution: Apply the following document to each element of the network.
    WWW.JAMESJARA.COM CONFIDENTIAL PAGE 2
  • 3. Security Methodology How to Secure a Company
  • 4. Table of Contents
    Step by Step Guide
      Create a network and system administration policy
      Create a Map/Vision of the IT architecture of the company
      Execute and testing phase for each IT element of the company
    Creating a Network and System Admin Policy
      What is a network and system admin policy?
    Creating a Map/Vision of the IT architecture of the company
      Describe all IT elements, with all information possible
      Secure each IT element
      Security through obscurity
        Hardening the OS
        Hardening services
        Securing SSH
        Securing Postfix
        Securing NFS
        Securing Apache
        Securing PHP
      Updates, patches and upgrades
      Monitoring and logging services
      IDS services
      Disaster recovery policy
      Backup policy
  • 5. Step by Step Guide
    This page lists only the steps and tasks, with no information or definitions. A printed version is attached as checklist forms; these steps must be repeated every 4-6 months.
    Create a network and system administration policy.
      • Write a public wiki with the policies for your employees.
      • Create a legal version.
    Create a Map/Vision of the IT architecture of the company.
      1. Describe all IT elements, with all information possible.
         1. Usage and objective of the IT element.
         2. Services provided by the IT element.
         3. Versions and flags (banners).
         4. Policy only for this IT element.
         5. User access, credentials and privileges.
         6. Mode: production/development.
      2. Secure each IT element.
         1. Apply security through obscurity, meaning hardening or black-boxing.
            1. Hardening the OS.
            2. Hardening services.
            3. Hardening Apache.
            4. Hardening MySQL.
            5. Hardening other services.
         2. Apply updates, patches and upgrades wherever possible; try to use only stable versions.
         3. Install monitoring and logging services.
         4. Install IDS services.
         5. Disaster recovery policy.
         6. Backup policy.
    Execute and testing phase for each IT element of the company.
      • Penetration testing focused on information gathering.
      • Penetration testing focused on common vulnerabilities.
      • Penetration testing focused on brute-force techniques.
  • 6. Creating a Network and System Admin policy
    What is a network and system admin policy?
    The objective of this document is the protection of information and property from theft, hacking or corruption, while keeping that information and property accessible and productive for its intended users. A state of computer "security" is the conceptual ideal, attained through three processes:
    1. Prevention
    2. Detection
    3. Response
    For easier understanding, here is the definition from Wikipedia: "A network security policy is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/network security environment. Security policy should keep the malicious users out and also exert control over potential risky users within your organization. The first step in creating a policy is to understand what information and services are available (and to which users), what the potential is for damage and whether any protection is already in place to prevent misuse. In addition, the security policy should dictate a hierarchy of access permissions; that is, grant users access only to what is necessary for the completion of their work."
    Example policies: http://www.sans.org/security-resources/policies/network.php
    The prevention stage is about configuring each element and setting up walls against malicious users. In the detection stage the systems are already running and we only monitor and log; for that we need a central server from which all production servers are controlled and monitored from one place. The response stage (the disaster recovery policy) covers what is done once an incident has been detected.
  • 7. Creating a Map/Vision of the IT architecture of the company
    Describe all IT elements, with all information possible. Create an up-to-date document with all elements of the IT architecture (you can use the attached Excel document for this), recording for each element:
    1. Net
    2. Usage
    3. Objective
    4. Services
    5. Version and flags
    6. Policy for this IT element
    7. User access, credentials and privileges
    8. Mode: production/development
  • 8. PREVENTION
    Secure each IT element.
    Now that we have a table with all IT elements, it is time to perform the security actions on each of them:
    1. Apply security through obscurity, meaning hardening or black-boxing.
    2. Hardening the OS.
    3. Hardening services.
    4. Hardening Apache.
    5. Hardening MySQL.
    6. Hardening other services.
    7. Apply updates, patches and upgrades wherever possible; try to use only stable versions.
    8. Install monitoring and logging services.
    9. Install IDS services.
    10. Disaster recovery policy.
    11. Backup policy.
    Security through obscurity
    In this methodology, "security through obscurity" means hardening or black-boxing: hiding all flags (version banners) so that an attacker cannot learn which software and versions the company runs. Hiding a banner only removes a shortcut, though: a vulnerable service stays exploitable until it is patched or removed, so the banner items go together with the update and service-removal items below, not instead of them.
    Notice: it is not required to follow all items one by one, just the necessary ones.
    Hardening the OS
    • Encrypt data in transit: scp, ssh, rsync, sftp, SSL/TLS, etc.
    • Remove insecure services (cleartext or trust-based logins and file transfer):
      > yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server
    • Uninstall unnecessary programs and software packages (RPMs): anything not required by the services documented for the element.
    • Keep the Linux kernel and software up to date:
      > yum update
    • Use SELinux.
    • Set password ageing for each user (maximum age 60 days, minimum 7 days between changes, warning 7 days before expiry):
      > chage -M 60 -m 7 -W 7 userName
    • Lock user accounts after login failures: faillog (the counters are kept by the pam_tally module).
    • Verify that no accounts have empty passwords:
      > awk -F: '($2 == "") {print}' /etc/shadow
    • Disable unwanted services:
      > chkconfig --list | grep '3:on'
      > chkconfig serviceName off
    • Find listening network ports and the associated programs (the original's "nmap -sT -i localhost" is a typo; -i is not an nmap option):
      > netstat -tulpn
      > nmap -sT localhost
    • Configure iptables.
    • Use OpenLDAP or Kerberos for centralized authentication.
    • Review inittab and the boot scripts.
    • Lock an IP address after too many login failures.
    • Display login banners:
  • 9. PREVENTION
    • # cat /etc/motd
      This system is classified... Use of this system constitutes consent to official monitoring.
      For SSH, set the Banner parameter in /etc/ssh/sshd_config. For local console logins, edit /etc/issue.
    Hardening Services
    Securing SSH (directives go in /etc/ssh/sshd_config; sshd uses the first occurrence of each keyword, so remove or comment out any earlier line that sets the same keyword):
    • Disable root login:
      PermitRootLogin no
    • Use SSH protocol version 2 only:
      Protocol 2
    • Prevent SSH from setting up TCP port and X11 forwarding if you don't need it:
      AllowTcpForwarding no
      X11Forwarding no
    • Keep StrictModes enabled; it checks the permissions and ownership of important files in the user's home directory (~/.ssh, ~/.ssh/authorized_keys, etc.) and refuses the login if any check fails:
      StrictModes yes
    • Disable host-based authentication; these methods should never be the primary authentication:
      IgnoreRhosts yes
      HostbasedAuthentication no
      RhostsRSAAuthentication no
    • Disable sftp if it is not needed:
      #Subsystem sftp /usr/lib/misc/sftp-server
    Caveat: OpenSSH 7.4 and later dropped SSH protocol 1 entirely, so on those versions Protocol and RhostsRSAAuthentication are deprecated keywords that sshd only warns about; the remaining directives still apply.
    Securing Postfix
    • Make sure Postfix is the active MTA:
      # alternatives --set mta /usr/sbin/sendmail.postfix
    • Set the following parameters in /etc/postfix/main.cf so that Postfix accepts only local mail for delivery:
      mydestination = $myhostname, localhost.$mydomain, localhost
      inet_interfaces = localhost
    • To verify that Postfix is no longer listening for incoming network requests, run one of the following from another node:
      # nmap -sT -p 25 <remote_node>
      # telnet <remote_node> 25
    Securing NFS
    Securing Apache
    ModSecurity:
      yum install mod_security
      /etc/init.d/httpd restart
      vi /etc/httpd/conf.d/mod_security.conf
      <IfModule mod_security.c>
      SecFilterEngine On
      SecAuditEngine RelevantOnly
      SecFilterCheckURLEncoding On
      SecFilterCheckUnicodeEncoding On
      SecFilterForceByteRange 1 255
      SecFilterCheckCookieFormat On
      SecAuditLog logs/audit_log
      SecFilterScanPOST On
      SecFilterDefaultAction "deny,log,status:406"
      # SecFilter 111
      # Prevent path traversal (..) attacks
      SecFilter "../"
      # Weaker XSS protection but allows common HTML tags
      SecFilter "<( |\n)*script"
      # Prevent XSS attacks (HTML/Javascript injection)
      SecFilter "<(.|\n)+>"
      # Very crude filters to prevent SQL injection attacks
      SecFilter "delete[[:space:]]+from"
      SecFilter "insert[[:space:]]+into"
      SecFilter "select.+from"
      # Require HTTP_USER_AGENT and HTTP_HOST headers
      SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
      # Only accept request encodings we know how to handle
      # we exclude GET requests from this because some (automated)
      # clients supply "text/html" as Content-Type
      SecFilterSelective REQUEST_METHOD "!^GET$" chain
      SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
      # Require Content-Length to be provided with
      # every POST request
      SecFilterSelective REQUEST_METHOD "^POST$" chain
      SecFilterSelective HTTP_Content-Length "^$"
      # Don't accept transfer encodings we know we don't handle
      # (and you don't need it anyway)
      SecFilterSelective HTTP_Transfer-Encoding "!^$"
      </IfModule>
    Caveat: the SecFilter and SecFilterSelective directives above are ModSecurity 1.x syntax. ModSecurity 2.x (the mod_security package shipped by current CentOS/RHEL) replaced them with SecRule and refuses to start with this file, so run "httpd -t" after writing it and translate the rules to SecRule syntax on 2.x. The backslashes in the two XSS patterns were lost in the original transcript and are restored here.
    httpd.conf
    • Hide the server version in the footer of server-generated pages:
      ServerSignature Off
    • Hide version details in the Server response header:
      ServerTokens Prod
    • Handle errors with your own pages (the path must begin with / to be served as a local URL; without it Apache shows the text literally as the error message):
      ErrorDocument 404 /errors/404.html
      ErrorDocument 500 /errors/500.html
    • Secure the document root (Apache 2.2 access-control syntax; the original had a stray quote in the Directory path):
      <Directory "/opt/apache2/htdocs">
      <LimitExcept GET POST>
      deny from all
      </LimitExcept>
      Options -FollowSymLinks -Includes -Indexes -MultiViews
      AllowOverride None
      Order allow,deny
      Allow from all
      </Directory>
    Securing PHP (settings in php.ini)
    • Disable allow_url_fopen:
      allow_url_fopen = Off
    • Disable allow_url_include:
      allow_url_include = Off
    • Disable dangerous functions (list them, comma-separated, in the disable_functions directive):
      curl_exec - perform a cURL session
      curl_multi_exec - run the sub-connections of the current cURL handle
      dl - load a PHP extension at runtime
      exec - execute an external command
      fsockopen - open an Internet or Unix domain socket connection
      parse_ini_file - parse a configuration file
      passthru - execute an external program and display raw output
      popen - open a process file pointer
      proc_open - execute a command and open file pointers for input/output
      proc_close - close a process opened by proc_open and return the exit code of the process
      shell_exec - execute a command via the shell and return the complete output as a string
      show_source - show the source of a file
      symlink - create a symbolic link
      system - execute an external program and display the output
    • Disable display_errors and log errors instead:
      display_errors = Off
      log_errors = On
    • Disable expose_php:
      expose_php = Off
    • Disable magic quotes:
      magic_quotes_gpc = Off
    • Set open_basedir:
      open_basedir = "/var/www/html/:/usr/local/php/"
    • Lower post_max_size (this also caps file uploads, since upload_max_filesize cannot exceed it in practice; raise it on hosts that must accept uploads):
      post_max_size = 256K
    • Disable register_globals:
      register_globals = Off
    • Enable safe_mode:
      safe_mode = On
    Caveat: magic_quotes_gpc, register_globals and safe_mode were removed in PHP 5.4; on 5.4 and later these three directives no longer exist and have no effect, so the protection has to come from open_basedir, disable_functions and the application's own input handling.
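The settings on the last three pages are easy to write and easy to get subtly wrong, so here is an added audit script (example code, not part of the original white paper) that checks the three artefacts they produce: the shadow file (empty passwords and the 60-day maximum age set with chage), sshd_config, and php.ini. It encodes two traps a practitioner runs into: sshd honours the first occurrence of a keyword, so a hardened line appended at the bottom of the file loses to an earlier default, while php.ini honours the last one. The sample files are constructed for the example; the function names, the 60-day threshold and the list of functions checked against disable_functions are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original white paper: a read-only audit of the
# shadow file, sshd_config and php.ini against the hardening settings above.
# Every reader takes a file path, so the constructed samples at the bottom can
# be swapped for /etc/shadow, /etc/ssh/sshd_config and the live php.ini.

# Shadow: field 2 is the hash, field 5 the maximum password age in days.
# Locked/system accounts (hash starting with ! or *) never log in with a
# password and are skipped by the ageing check; an EMPTY hash is reported twice.
shadow_empty_passwords() { awk -F: '$2 == "" { print $1 }' "$1"; }
shadow_over_max_age() {   # shadow_over_max_age FILE MAXDAYS
    awk -F: -v max="${2:-60}" '$2 ~ /^[!*]/ { next }
                               $5 == "" || $5 + 0 > max { print $1 }' "$1"
}

# sshd_config: sshd takes the FIRST occurrence of a keyword (case-insensitive);
# Match blocks are not modelled here.
sshd_get() {              # sshd_get FILE KEYWORD -> first active value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}
check_sshd() {            # prints keyword=actual(expected) for each deviation
    for pair in PermitRootLogin:no Protocol:2 AllowTcpForwarding:no X11Forwarding:no \
                StrictModes:yes IgnoreRhosts:yes HostbasedAuthentication:no; do
        key="${pair%%:*}"; want="${pair#*:}"; got="$(sshd_get "$1" "$key")"
        [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ] || echo "$key=${got:-unset}($want)"
    done
}

# php.ini: "key = value", LAST occurrence wins, quotes around the value optional.
ini_get() {               # ini_get FILE KEY -> last active value
    awk -F= -v key="$2" '
        /^[ \t]*[;#]/ { next }
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/^"|"$/, "", v); val = v }
        END { print val }' "$1"
}
check_php() {             # prints deviations, then functions missing from disable_functions
    for pair in allow_url_fopen:off allow_url_include:off display_errors:off \
                log_errors:on expose_php:off; do
        key="${pair%%:*}"; want="${pair#*:}"; got="$(ini_get "$1" "$key")"
        [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ] || echo "$key=${got:-unset}($want)"
    done
    disabled=",$(ini_get "$1" disable_functions | tr -d ' '),"
    for fn in exec passthru popen proc_open shell_exec system; do
        case "$disabled" in *,"$fn",*) ;; *) echo "disable_functions missing $fn" ;; esac
    done
}

# Constructed samples (hashes shortened, not real credentials). The sshd sample
# has the hardened lines appended BELOW the defaults, which is the classic mistake.
write_samples() {         # write_samples SHADOW SSHD PHPINI
    cat > "$1" <<'EOF'
root:$6$salt$hash:16000:7:60:7:::
alice:$6$salt$hash:16000:0:99999:7:::
bob::16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
EOF
    cat > "$2" <<'EOF'
Protocol 2
PermitRootLogin yes
X11Forwarding yes
AllowTcpForwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
X11Forwarding no
EOF
    cat > "$3" <<'EOF'
; constructed php.ini
allow_url_fopen = Off
allow_url_include = Off
display_errors = On
log_errors = On
expose_php = Off
disable_functions = "exec,passthru,shell_exec,system"
EOF
}

if [ "${1:-}" = "--demo" ]; then
    s="$(mktemp)"; c="$(mktemp)"; p="$(mktemp)"; write_samples "$s" "$c" "$p"
    echo "shadow empty: $(shadow_empty_passwords "$s" | tr '\n' ' ')"
    echo "shadow over 60 days: $(shadow_over_max_age "$s" 60 | tr '\n' ' ')"
    check_sshd "$c"; check_php "$p"; rm -f "$s" "$c" "$p"
fi
```

Run it with --demo to see the sample findings: the sshd check reports PermitRootLogin and X11Forwarding as still "yes" even though hardened lines exist further down, which is exactly what sshd will enforce; on a real host, `sshd -T` prints the effective values and is the authoritative cross-check.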
  • 12. PREVENTION
    Backup policy
    • System administrators should establish and follow a procedure to carry out regular system backups.
    • Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores.
    • Systems administrators must maintain documented restoration procedures for systems and the data on those systems.
  • 13. RESPONSE Disaster recovery policy To Do.
  • 14. DETECTION
    Monitoring and logging services
    • Logging: LogAnalyzer + rsyslog. rsyslog forwards the logs from each server to a central log server machine, and LogAnalyzer provides a useful administration web panel on top of it. The logs used for data mining (the Apache access logs) should not go through this software; it is intended for server and system logs.
    • Monitoring: Icinga (https://www.icinga.org/nagios/feature-comparison/), to monitor all the company servers from one place. From that page: "To begin, Icinga offers two interfaces - 'Icinga Classic' and 'Icinga New Web'. For a fair comparison, we have put Icinga in both its variants against the open source 'Nagios Core'. See the many differences between Icinga and Nagios in not only the core and web interfaces, but also in their reporting capabilities, support and development style below." I prefer Icinga because of the facilities it gives web users.
    Feature comparison (columns: Icinga Classic | Icinga New Web | Nagios Core). The yes/no marks of the original table did not survive the transcript, so rows without text list only the feature compared:
    GENERAL
    • License: GPLv2 | GPLv2 | GPLv2
    • Monitor unlimited hosts
    • Distributed monitoring
    • Distributed systems
    • Agent based & agentless monitoring
    INSTALLATION / CONFIGURATION
    • Web based configuration: Via addon | Via addon | Via addon
    • Virtual appliance
    CORE
    • Databases supported: MySQL, PostgreSQL, Oracle | MySQL, PostgreSQL, Oracle | MySQL
    • SNMP & Syslog monitoring: Via addon | Via addon | Via addon
    • Triggers & multi-channel alerts
    • IPv6 capabilities
    WEB USER INTERFACE
    • Dynamic, shareable dashboards
    • Dynamic table / data grid view (sort, filter monitoring data)
    • Underlying infrastructure: CGI/C, HTML/CSS/JS | AJAX/ExtJs, PHP5/Agavi, HTML/CSS | CGI/C, HTML/CSS
    • Live search
    • Log file search & logging (e.g. commands)
    • Compound commands (send one command to multiple hosts/services simultaneously)
    • Acknowledgements with expiry time
    • Dynamic drill down maps
    • Internal authentication by: HTTP Basic, LDAP, Active Directory | HTTP Basic | HTTP Basic
    • Control access to objects by: Contact group | Contact group, Host group, Service group, Custom variable | Contact group
    • HTTP / REST interface
    • Mobile version for iPhone & Android: Via 3rd party apps | HTML5 in-house version (Icinga Mobile), via 3rd party apps | Via 3rd party apps
    • Multilingual interface: 20+ languages
    • Support "Display Name" use: Configurable
    REPORTING
    • SLA reports: Via addon | Via addon | (no entry)
    • Scheduled report distribution: Via addon | Via addon | (no entry)
    • Multi-format reports: Via addon | Via addon | (no entry)
    • Export data: CSV, JSON, XML | XML via REST API | -
    • Performance graphing: Via addon | Via addon | Via addon
    • Business process monitoring: Via addon | Via addon | Via addon
    DOCS / SUPPORT
    • Multilingual documentation
    • Community support channels: Mailing lists, Forums, IRC | Mailing lists, Forums, IRC | Mailing lists, Forums
    DEVELOPMENT
    • Global authentication & authorization architecture
    • Public and detailed roadmap
    • GIT repository
    • GIT development tracker integration
    • Extensions coding simplified by: - | Doctrine, JSON | -
    • REST API
  • 16. IDS services
    • Snort + Snorby: Snort is the network intrusion detection/prevention system (IDS/IPS); Snorby is the web front end used to review its alerts.
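The detection stage above only pays off if something actually reads the forwarded logs. As an added example (not from the original white paper), here is the kind of check the central rsyslog/LogAnalyzer server can run over the sshd lines it receives from every host: it counts "Failed password" events per source IP, reports any IP over a threshold, and, more importantly, reports an "Accepted" login from an IP that had failures before it, which is what a brute force that succeeded looks like. The log lines are constructed for the example in the RFC 3164 form rsyslog forwards; the threshold of 5 and the function name are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original white paper: scan forwarded sshd log
# lines for brute-force activity. Usage on a real host:
#   failed_login_report 5 < /var/log/secure

failed_login_report() {  # failed_login_report THRESHOLD < logfile
    awk -v limit="${1:-5}" '
        # every line: take the user after "for" (skipping "invalid user") and
        # the source address after "from"
        {
            user = ""; ip = ""
            for (i = 1; i < NF; i++) {
                if ($i == "for")  user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
        }
        /sshd\[[0-9]+\]: Failed password for/ { fails[ip]++ }
        # a success from an address that already failed is the interesting event
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            if (ip in fails && fails[ip] > 0)
                print "SUCCESS-AFTER-FAILURES " ip " user=" user " failures=" fails[ip]
        }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print "BRUTE-FORCE " ip " failures=" fails[ip]
        }'
}

# Constructed sample of lines as forwarded by rsyslog from two hosts.
write_sample_log() {     # write_sample_log FILE
    cat > "$1" <<'EOF'
Mar  3 10:01:12 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:14 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:16 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:18 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 40131 ssh2
Mar  3 10:01:20 web01 sshd[2217]: Failed password for root from 203.0.113.5 port 40133 ssh2
Mar  3 10:02:01 db01 sshd[987]: Failed password for alice from 10.0.0.7 port 51200 ssh2
Mar  3 10:02:05 db01 sshd[989]: Accepted password for alice from 10.0.0.7 port 51204 ssh2
Mar  3 10:03:00 web01 sshd[2301]: Accepted publickey for deploy from 10.0.0.20 port 60001 ssh2
EOF
}

if [ "${1:-}" = "--demo" ]; then
    l="$(mktemp)"; write_sample_log "$l"
    failed_login_report 5 < "$l" | sort
    rm -f "$l"
fi
```

With --demo the script flags 203.0.113.5 (five failures against root and "admin") and alice's login from 10.0.0.7, which succeeded right after a failure; the deploy login from 10.0.0.20 is clean and produces nothing. Because the counters are per source address across all hosts, a slow attack spread over several servers still shows up, which is the reason for centralising the logs in the first place.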
  • 17. Executing and testing phase
    • Manual mode
    • OpenVAS
    If a security hole is found in manual mode, the proper way to report it is with:
    • Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
    • Product and version that contains the bug
    • Version, security updates, or other updates for the product you have installed
    • Any special configuration required to reproduce the issue
    • Step-by-step instructions to reproduce the issue on a fresh install
    • Proof-of-concept or exploit code
    • Impact of the issue, including how an attacker could exploit the issue
  • 18. IT ELEMENT INFO
    Date: ____________________
    Pentester: ________________
    Element: _________________
    1. Net
    2. Usage
    3. Objective
    4. Services
    5. Version and flags
    6. Policy for this IT element
    7. User access, credentials and privileges
    8. Mode: production/development