
Defending Servers - Cyber security webinar part 3


There are many ways to protect servers from cyber-attacks. In the end, however, your best defense is to limit the attacker's options. You can do this by minimizing the possible entry points into your network, by minimizing the tools available on the server, by making the data difficult to access, and by making the data useless once it is taken out of its context. Learn more about the ways to defend servers by watching the webinar recording at the following link, and find more information in these presentation slides.
https://business.f-secure.com/defending-servers-recording-from-cyber-security-webinar-3/


  1. DEFENDING SERVERS – Cyber Security Webinar Part 3. Jarno Niemelä, F-Secure, 21st of September 2015
  2. CYBER SECURITY WEBINAR SERIES – PART 3 (© F-Secure)
     • Introduction to cyber security
     • Defending workstations
     • Defending servers – now
     • Defending network – 15th October 2015
     • Responding to an incident – 9th November 2015
     • Building secure systems – 3rd December 2015
     Recordings: https://business.f-secure.com
  3. DEFENDING SERVERS – Jarno Niemelä, Senior Researcher, F-Secure
  4. SERVERS AND WORKSTATIONS HAVE THE SAME THREATS
     • Software vulnerabilities and exploits
       - Anything that is accessible can be attacked
       - However, on a server the attacker has interactive access
     • Software misconfigurations
       - If access control can be bypassed, an exploit is not needed
       - Badly configured software will leak data, and crypto can be degraded
     • Credential cracks and leaks
       - Bad passwords are the most common cause of a breach
       - And even a strong password does not protect you if it is leaked
  5. TYPICAL ATTACKS AGAINST SERVERS
     • Code execution attacks
       - The attacker is able to feed bad data and take over a service
     • SQL and other query injection
       - The attacker is able to give commands to the DB server
       - For example, read all data on the server, or modify it
     • Cross-site scripting
       - The attacker is able to feed the victim a link which changes the behavior of your web service
     • More info: https://www.owasp.org/index.php/Top_10_2013-Top_10
     References shown on the slide:
       https://www.exploit-db.com/exploits/18121/
       https://www.exploit-db.com/exploits/38105/
       http://www.w3schools.com/sql/sql_injection.asp
  6. GET THE BASICS RIGHT
     • Choose the right OS and install the latest feasible version
       - E.g. Windows Server 2012 has a lot of improvements over 2008
     • Close all services that you don't need
       - And have minimal configurations for what you do need
     • Follow OS and service security baselines and best practices
       - Microsoft security baseline, NSA guides, NIST guides, CIS, SANS CSC, etc.
     • Isolate services with sandboxes, or at least with account and access controls
     • Use memory hardening tools
  7. MAKE USE OF VIRTUALIZATION
     • Run services on hardware only if you really have to
       - Each function should have its own well-isolated virtual instance
     • Don't get too attached to servers you have virtualized
       - Aim to have stateless systems that you can create and destroy at will
       - If a system alarms on a likely compromise, freeze the instance and launch a new one
       - Cycle VMs every couple of hours; make the attacker work for his foothold
     • However, don't go naked into the clouds
       - Hosting servers or services in an environment you don't own adds its own risks
       - Bring Your Own Encryption (BYOE)
  8. MAKE SURE YOU HAVE VISIBILITY
     • Logs are critical for investigation
       - Log to a remote system and store logs long enough, at least 12 months
       - ELK stack (Elasticsearch, Logstash and Kibana) for the win
     • Collect and maintain integrity logs
       - Use an integrity checker to spot any new executables
       - If you use VMs, make sure you regularly compare against the base image
     • Have alerts for critical situations
       - Have log monitoring systems that send email or SMS alerts on critical problems
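A minimal integrity checker of the kind slide 8 describes, written here as an added example (not F-Secure's code and not part of the original deck): it hashes every executable under a tree into a manifest, and compares a running instance against the base-image manifest so that new or modified executables can be raised as alerts. The suffix list and the sample "images" in `demo()` are constructed assumptions.

```python
import hashlib
import os
from typing import Dict, List

# Assumed suffix list for "executable content"; on POSIX the exec bit is also honoured.
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".ps1", ".sh", ".py", ".so")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_executable(path: str) -> bool:
    return path.lower().endswith(EXEC_SUFFIXES) or os.access(path, os.X_OK)

def build_manifest(root: str) -> Dict[str, str]:
    """Walk a real filesystem tree and record path -> SHA-256 for every executable."""
    manifest: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and is_executable(full):
                with open(full, "rb") as f:
                    manifest[os.path.relpath(full, root)] = sha256_hex(f.read())
    return manifest

def manifest_from_bytes(files: Dict[str, bytes]) -> Dict[str, str]:
    """Same manifest shape, built from an in-memory image (used by demo())."""
    return {p: sha256_hex(d) for p, d in files.items() if p.lower().endswith(EXEC_SUFFIXES)}

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """New executables are the primary alert; modified ones usually mean tampering
    (or an unrecorded patch); removed ones are worth logging too."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo() -> Dict[str, List[str]]:
    # Constructed sample data: the golden base image and one running instance.
    base = {"bin/agent.exe": b"agent-v1", "lib/libssl.so": b"ssl-v1", "etc/httpd.conf": b"cfg"}
    running = dict(base)
    running["lib/libssl.so"] = b"ssl-v1-modified"          # library no longer matches the image
    running["tmp/update.sh"] = b"#!/bin/sh\necho unknown"  # executable not in the image -> alert
    return compare(manifest_from_bytes(base), manifest_from_bytes(running))

if __name__ == "__main__":
    print(demo())
```

In production the baseline manifest is generated once from the base image (`build_manifest`) and stored off-host alongside the logs, so a compromised instance cannot rewrite its own reference.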
  9. MAKE SURE YOUR SERVICES ARE SECURE
     • The most common cause of a server breach is third-party services
       - Thus make sure you follow the security announcements and update
       - Especially WordPress
     • Also update any components used by your own code
     • Make sure that secure coding is practiced in your own code
       - https://www.owasp.org
       - http://www.cert.org/secure-coding/publications/index.cfm
       - http://resources.infosecinstitute.com/secure-code-review-practical-approach/
  10. MAKE IT DIFFICULT FOR THE ATTACKER
     • Most attacks rely on exploits; EMET breaks most of the exploits
       - http://microsoft.com/emet
     • Even though some attacks run in memory, many drop executables
       - So use application control to prevent unknown EXEs
     • Many attackers circumvent detections by using PowerShell
       - Allow only signed PowerShell scripts, or disable it
       - http://blogs.technet.com/b/heyscriptingguy/archive/2010/06/17/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2.aspx
  11. AUDIT, MAKE SURE THINGS STAY SECURE
     • Do regular audits, or at least use vulnerability and configuration scanners
       - F-Secure Karhu, Nessus, OpenVAS
     • Spot the vulnerabilities before the attacker does
       - Focus on mitigations that fix a whole class of vulnerability
     • If you lack time, use consulting
       - An audit by a consultant is cheaper than Incident Response services
  12. PROTECT YOUR SECRETS
     • The Ashley Madison hack, et al. were possible because of bad hygiene
     • Store only the user info you need, drop the rest
     • Do not store any info on internet-facing servers
       - Have separate DB servers, preferably behind an HTTP or other API; no direct SQL, CQL, etc.
     • Where possible, encrypt the user info with the user's password
     • Do not just hash passwords; use PBKDF2, scrypt or other key derivation functions
     • Monitor access to data
       - If the web or other server starts to read tons of data, that is a cause for alarm
  13. UP-CONVERT WHEN CHANGING ALGORITHM
     • Originally AM was using MD5 hashes
     • Later they updated to bcrypt with a proper work factor
     • Unfortunately they failed to convert old accounts
       - Thus passwords for 11 million accounts could be cracked
     • http://cynosureprime.blogspot.in/2015/09/csp-our-take-on-cracked-am-passwords.html
     • http://thehackernews.com/2015/09/ashley-madison-password-cracked.html
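Slides 12 and 13 together describe the password-storage lesson: use a key derivation function, and when you change algorithm, convert the old records rather than leaving the weak hashes in the table. The following is an added example (not code from the deck or from the sites discussed) showing both ways to do that conversion: wrapping every legacy MD5 record inside PBKDF2 immediately, offline, so no bare MD5 survives, and rehashing natively on the next successful login. PBKDF2-HMAC-SHA256 with a constructed iteration count stands in for bcrypt; the record format (`algorithm$iterations$salt$digest`) is an assumption of this example.

```python
import hashlib
import hmac
import os
from typing import Tuple

PBKDF2_ITERATIONS = 200_000  # constructed work factor; tune for your hardware
SALT_BYTES = 16

def pbkdf2_hash(secret: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Self-describing record so the verifier knows which parameters were used."""
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(record: str, secret: bytes) -> bool:
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

def legacy_md5(password: str) -> str:
    """The weak legacy scheme (unsalted MD5) that the conversion retires."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def wrap_legacy_account(record: str) -> str:
    """Bulk conversion that needs no user interaction: the stored MD5 digest becomes the
    PBKDF2 input. Cracking now costs the full work factor, and the bare MD5 is gone."""
    assert record.startswith("md5$")
    return "wrapped_" + pbkdf2_hash(record[4:].encode(), os.urandom(SALT_BYTES))

def verify_and_upgrade(record: str, password: str) -> Tuple[bool, str]:
    """Verify the password against whatever record format is stored.
    Returns (ok, record_to_store); legacy records are replaced on a successful login."""
    if record.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(record, password.encode()), record
    if record.startswith("wrapped_pbkdf2_sha256$"):
        inner = hashlib.md5(password.encode()).hexdigest().encode()
        ok = verify_pbkdf2(record[len("wrapped_"):], inner)
    elif record.startswith("md5$"):
        ok = hmac.compare_digest(record, legacy_md5(password))
    else:
        return False, record
    if ok:  # password is in hand only now, so this is when a native PBKDF2 record can be made
        return True, pbkdf2_hash(password.encode(), os.urandom(SALT_BYTES))
    return False, record
```

Run the wrap over the whole user table at the time of the algorithm change; the login path then finishes the migration for each account, and a `SELECT` for records still starting with `md5$` or `wrapped_` shows how much legacy material remains.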
  14. CONCLUSION
     • Servers are hard to defend, as attackers are interactive
     • Thus your best defense is to limit the attackers' options
       - Minimize attack surface
       - Minimize tooling available on the server
       - Make the data difficult to access
       - Make the data useless when taken out of its context
  15. Q&A
  16. THANK YOU FOR YOUR PARTICIPATION!
     Stay tuned for the future cyber security webinar series:
     • 15 October 2015 at 11.00 EET: "Defending network"
     • 9 November 2015 at 11.00 EET: "Responding to an incident"
     • 3 December 2015 at 11.00 EET: "Building secure systems"
     The recording will be available at the Business Security Insider: https://business.f-secure.com
