Locking down server and workstation operating systems


Presentation: Locking down server and workstation operating systems

Given by: Ben Rothke

Published in: Technology

  1. Locking down server and workstation operating systems
     Ben Rothke, CISSP CISA, BT Global Services, Senior Security Consultant
  2. About me…
     • Ben Rothke (too many certifications)
     • Senior Security Consultant – British Telecom
     • Frequent writer and speaker
     • Author – Computer Security: 20 Things Every Employee Should Know
     BT Americas Inc. 2
  3. Traditional thoughts about hardening & patching
     • Remove unnecessary protocols and services
     • Design the program around Patch Tuesday
     • in the hope of avoiding Exploit Wednesday
     • Is this approach working?
     BT Professional Services 3
  4. Patching today
     • Attackers continue to scan enterprises and look for easy openings
       – deploy critical security patches, especially to laptops and Internet-exposed servers
     • Some organizations are finding it more difficult to justify the broad QA testing and disruptive deployment efforts needed for rapid application and database patching
     • Resources (people and budget) are limited, so spending and effort must be focused in a way that's most efficient and effective for current threats
     • Patching faster isn't always the best approach
  5. Why harden and patch?
  6. Gartner on the issue
     • Rapid patching isn't an effective response to many threats, and isn't operationally practical for some IT infrastructure elements
     • Better shielding and monitoring are more effective in these cases
       – Reducing the risk of new threats requires more than fast patching – Mark Nicolett & John Pescatore
  7. Why rapid patching is not a panacea
     • A variety of paths are being used by targeted attacks – patching doesn't address all of them
     • Targeted attacks don't only seek out unpatched OSes – they also focus on weaknesses in users and applications to attack databases and other internal systems
     • Rapid patching isn't possible or practical for some PC, network, server and application components
     • Additional protection and monitoring strategies are needed to reduce risk
  8. A better approach
     • Threat assessment and penetration testing processes
       – to determine which vulnerabilities must be remediated immediately, which can be temporarily shielded and which can be addressed later
     • Implement network segmentation and shielding
       – for critical servers, databases and applications that can't be patched quickly
     • Implement user and resource access monitoring technologies and processes
       – for systems and applications containing data that might be subject to a targeted attack
  9. The best approach to app dev security
     • Strong application security
     • Every CIO agrees about the importance of app security
     • Forrester notes:
       – the need to protect applications and proactively eliminate application-level vulnerabilities is a growing concern for security professionals, but too few firms have taken action
     • Disconnect between the perceived importance of application security and the willingness to tackle the problem
  10. Tackling the app dev security problem
      • Reactive – source code and/or black box scanning
        – Cigital, Cenzic, Fortify, Veracode, WhiteHat, Ounce Labs
      • Proactive – build a proactive application security strategy into the dev life cycle
        – end-to-end application security program
        – can be modeled after the Trustworthy Computing initiative
        – ensure all technologies are considered, especially Web 2.0
  11. Two approaches to app dev security
      1. Wait until someone exploits vulnerabilities in your system and then run to patch and fix it
      2. Proactively build security early on in the dev process – mitigating vulnerabilities before attackers find them
      • A proactive app sec program extends to every relevant phase of the application life cycle – conception => operation
      • Success = commitment and support from senior management
  12. When you can't patch…
      • In-house web applications
        – detect and resolve vulnerabilities before deploying the web application
        – implement a web application firewall to shield vulnerabilities that can't be resolved
      • 3rd-party applications and databases
        – use host-based IPS on difficult-to-patch servers
        – segment unpatchable systems behind network IPS
        – implement database and application monitoring or IDS to find breaches
  13. When you can't patch…
      • Windows laptops
        – deploy an aggressive policy on endpoint protection platforms, including firewalls and HIPS
        – require laptop data encryption for any laptop used by an employee who has access to sensitive data, regardless of patch management capabilities
        – enable network access control (NAC) to protect corporate IT resources from compromised mobile devices
      • Networking equipment
        – shield network equipment behind network IPS and firewalls
        – use change monitoring or IDS to detect breaches
  14. When you can't patch…
      • Windows/Unix/Linux servers and PoS
        – deploy HIPS on difficult-to-patch servers
        – segment unpatchable systems behind network IPSs
        – use database application monitoring or IDS to detect breaches
  15. Tools / standards / guides
      • Microsoft security guides – http://technet.microsoft.com/en-us/library/cc184906.aspx
      • DISA Security Technical Implementation Guides – http://iase.disa.mil/stigs/stig/index.html
      • NIST Guide to General Server Security (SP 800-123) – http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
      • CIS Benchmark Assessment Tools – http://www.cisecurity.org/en-us/?route=downloads.audittools
  16. Recommendations
      • Whenever possible, vulnerable software should be patched ASAP
      • When business realities dictate that this isn't possible
        – all devices should at least be configured as securely as possible to minimize attack apertures
      • Follow general security principles of enabling only the required functions – deny by default, allow by exception, etc.
      • If not using the specific functions of a device
        – ensure that these options are disabled
      • Ensure a formal application security program is in place
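The "deny by default, allow by exception" recommendation above, applied to a host's listening network services, as an added example that is not part of the slides: it compares a socket listing against an explicit per-role allowlist and reports every listener the role does not need. The socket listing is a constructed sample in the column layout of `ss -H -tulnp`, and the allowlist assumes a web-server role; both are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): "deny by default, allow by exception"
# applied to listening network services on a Linux host. Every listener that
# is not on an explicit per-role allowlist is reported together with the
# owning process and whether it is reachable beyond loopback.

# Constructed sample in the column layout of `ss -H -tulnp`
# (Netid State Recv-Q Send-Q Local:Port Peer:Port Process). On a real host,
# feed the actual command output to unexpected_listeners instead.
SAMPLE_LISTENERS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1021,fd=6))
tcp LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=1330,fd=4))
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:* users:(("snmpd",pid=1402,fd=7))
tcp LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1510,fd=21))'

# Assumed allowlist for a web-server role: the proto/port pairs the role needs.
# Anything else is, by default, unexpected and must be disabled or justified.
ALLOWED='tcp/22
tcp/443'

# unexpected_listeners LISTING ALLOWLIST
# Prints one line per listener absent from the allowlist:
#   proto/port process scope   (scope is "exposed" or "loopback-only")
unexpected_listeners() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        proto=$(printf '%s' "$line" | awk '{print $1}')
        local_addr=$(printf '%s' "$line" | awk '{print $5}')
        port=${local_addr##*:}            # text after the last colon
        addr=${local_addr%:*}             # text before the last colon
        proc=$(printf '%s' "$line" | sed -n 's/.*users:(("\([^"]*\)".*/\1/p')
        [ -n "$proc" ] || proc='?'        # ss shows no process without root
        case "$addr" in
            127.*|'[::1]'|'::1') scope=loopback-only ;;
            *)                   scope=exposed ;;
        esac
        if ! printf '%s\n' "$2" | grep -qxF "$proto/$port"; then
            printf '%s/%s %s %s\n' "$proto" "$port" "$proc" "$scope"
        fi
    done
}

# Stand-alone run: everything the web-server allowlist does not cover.
unexpected_listeners "$SAMPLE_LISTENERS" "$ALLOWED"
```

Each reported line is a service to disable, firewall off, or add to the allowlist with a written justification; the loopback-only marker separates local-only listeners from those exposed on the network.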
  17. Contact info…
      • Ben Rothke, CISSP CISA
      • Senior Security Consultant
      • BT Professional Services
      • www.linkedin.com/in/benrothke
      • www.twitter.com/benrothke
      • www.slideshare.net/benrothke