
CSCD 303 Essential Computer Security Winter 2014



Presentation Transcript


  1. CSCD 303 Essential Computer Security Winter 2014 Lecture 9 - Desktop Security Recovery, Prevention and Hardening Reading: Links are in Lecture

  2. Overview • Host Defense Mechanisms • Defense in Depth • Recovery • Antivirus/Antitrojan • Restore System Restore – Windows • Boot disks • Prevention • Patching – All systems • Harden OS – Features • Backup System • Train users

  3. Defense in Depth or Layered Security • Defense in depth is an information assurance (IA) concept • Multiple layers of security controls (defenses) are placed throughout a system • Its intent is to provide redundancy in the event a security control fails • Defense in depth is originally a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time

  4. Purpose of Defense In Depth • Defense in depth is a philosophy that there is no real possibility of achieving total, complete security against threats by implementing a collection of security solutions • Rather, a layered security strategy places stumbling blocks that hinder the progress of a threat, • Slowing and frustrating it until either it ceases to threaten or some additional resources not strictly technological in nature can be brought to bear

  5. Defense in Depth Examples • Using more than one of the following layers constitutes defense in depth. Anti-virus software Authentication and password security Biometrics Firewalls (hardware or software) Intrusion detection systems (IDS) Physical security (e.g. deadbolt locks) Internet Security Awareness Training Virtual private network (VPN) Hardening Systems

  6. The Attack Surface • Security people talk about “Reducing the Attack Surface” • What does that mean? • Get Secure • Reduce the Attack Surface • Patch • Harden • Stay Secure • Maintain secure infrastructure • Patches • Updates • Upgrades • Read, Research, Results

  7. The Attack Surface • What is an Attack Surface? Weak Passwords Open Ports Open File Shares Systems too complex Unknowns People Un-patched Web Server Unused Services Left On Excessive privileges No Auditing No Policies

  8. The Attack Surface • Now for The Attacks ... Port Scanners Viruses Password Cracking Trojan Horses Unknowns People Denial of Service Network Spoofing Packet Sniffing Poisons (Packets, DNS, etc.) Worms

  9. Recovery

  10. Anti-virus • Anti-virus • Will identify infections, viruses, trojans, worms • Not always able to exactly identify what got you • First step, • Detect something is wrong • Try to identify it - Key • Next step • Try to remove it and restore the files if possible

  11. Updated signatures • Anti-virus companies must release new signatures each time a new virus is discovered • A virus’s spread is unimpeded for a while… • According to Andreas Marx of AV-Test.org, • It took Symantec 25 hours to release an updated signature file in response to the W32/Sober.C worm attack

  12. The arms race • Viruses can morph • To make it hard for virus scanners to detect their viruses, virus writers can add morphing behavior to their creations: • A polymorphic virus ‘morphs’ itself in order to evade detection. … • Metamorphic viruses attempt to evade heuristic detection techniques by using more complex obfuscations

  13. Morphing • A virus may morph itself by • Encrypting part of itself using a different key for each infection • Changing variable names (in a script virus) • Binary obfuscation techniques • Polymorphic virus examples • Chameleon -- first polymorphic virus, 90’s • A partial list of the viruses that can be called 100 percent polymorphic (late 1993) • Bootache, CivilWar (four versions), Crusher, Dudley, Fly, Freddy, Ginger, Grog, Haifa, Moctezuma (two versions), MVF, Necros, Nukehard, PcFly (three versions), Predator, Satanbug, Sandra, Shoker, Todor, Tremor, Trigger, Uruguay (eight versions)

  14. Anti-virus • Two main ways – Treating Infection • Quarantine • Disinfect

  15. Anti Virus Software • Quarantine • Only temporary until user decides how to handle it, user asked to make a decision

  16. Anti Virus Software • Why do Anti-Virus Programs Quarantine? • Virus detection was generic, can’t determine how to clean it off the system • Wants the user, you, to make a decision • Quarantine Actions • Copy infected file to quarantine directory • Remove original infected file • Disable file permissions so user can’t accidentally transfer it out of the directory

  17. Anti Virus Software • Disinfect Files • a. Disinfection by Specific Virus • Multiple ways to disinfect files • Depends on the type of virus • From virus DB, get file executable start address • Run generic clean-up routine with start address • Can derive this information by running virus in test lab, recording information from infected file • Store this information for specific virus

  18. Anti Virus Software • b. Disinfect by Virus Behavior • Disinfect based on assumptions from virus behavior • Prepending or appending viruses • Restore original program header • Move original byte contents back to original location • Can store in advance, for each executable file on an uninfected system or system file: • Program header, file length, checksum of executable file contents, which is a computed check of the file contents • Compute checksums over candidate parts of the infected file until one matches the stored checksum; can be tricky, since you need to figure out which part of the file is original, and the checksum match is what tells you
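The behavior-based restore in slide 18, worked as an added example (not part of the lecture): a record of header bytes, length and SHA-256 is taken from a constructed clean file, then candidate slices of the infected file are checksummed until one matches. It goes a step beyond the slide by also locating the original at an unknown offset when the virus both prepends and appends data.

```python
"""Restore an executable from a stored integrity record (slide 18).

Added example, not from the lecture. The 'program', the 'virus' and the
record are all constructed here so the block runs offline.
"""
import hashlib
from typing import Optional

# Constructed sample: fake 'MZ' header plus a body, and a fake virus body.
CLEAN = b"MZ\x90\x00" + bytes(range(256)) * 4   # 1028 bytes
VIRUS = b"VIRUSCODE" * 40                       # 360 bytes, constructed


def make_record(data: bytes) -> dict:
    """Record taken on an uninfected system: header, length, checksum."""
    return {"header": data[:4], "length": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def infect_append(data: bytes) -> bytes:
    return data + VIRUS          # appending virus: original is a prefix


def infect_prepend(data: bytes) -> bytes:
    return VIRUS + data          # prepending virus: original is a suffix


def disinfect(infected: bytes, rec: dict) -> Optional[bytes]:
    """Checksum candidate slices until one matches the stored record.
    Returns the original bytes, or None if nothing matches (the file is
    then not recoverable this way and must be restored from backup)."""
    n = rec["length"]
    if n > len(infected):
        return None
    # Fast path: the two cases the slide names, prefix or suffix.
    for candidate in (infected[:n], infected[-n:]):
        if hashlib.sha256(candidate).hexdigest() == rec["sha256"]:
            return candidate
    # Slow path: original embedded at an unknown offset. The stored header
    # is a cheap filter so we only hash windows that could be the program.
    for off in range(1, len(infected) - n):
        window = infected[off:off + n]
        if window[:4] != rec["header"]:
            continue
        if hashlib.sha256(window).hexdigest() == rec["sha256"]:
            return window
    return None
```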

  19. Best Recommended Free Antivirus Programs 2013 • A number of recommended programs are free to help keep your computer malware free • Avast Free • Panda Cloud • Emsisoft Emergency Kit • Zone Alarm Free • Malwarebytes Antivirus • Avira Free Antivirus http://www.techradar.com/us/news/software/applications/best-free-antivirus-9-reviewed-and-rated-1057786

  20. Test Your Virus Scanner • Good to test your anti-virus software to see how well it does • There is a test file you can use to test your anti-virus software • The Anti-Virus or Anti-Malware test file • From the European Expert Group for IT Security, www.eicar.org • Run this file against your virus scanner to determine its effectiveness http://www.eicar.org/anti_virus_test_file.htm

  21. Other Defenses Restore, Boot Options and More

  22. System Restore Windows • Purpose of System Restore • Create snapshot of system's configuration • Want to return a system back to a known good configuration • System Restore is designed to automatically create a restore point • Each time system recognizes a significant change in the file or application http://www.bleepingcomputer.com/tutorials/system-restore-from-windows-vista-recovery-environment/

  23. System Restore Go to Start>> All Programs>> Accessories>> System Tools>> System Restore

  24. System Restore and Malware May Not Work • Malware authors intentionally write viruses with the same extensions as Windows files that are backed up by System Restore … How dare they !!!! • Commonly, people with a virus run virus scans to remove it • But, once System Restore recovers the computer to an earlier date, very possible to introduce that same virus back to the system • When malware is found on a system, • System Restore should be completely disabled, all Restore Points should be deleted ... • So, what's the point? System Restore is not for malware!! • After scanning the computer, restore can be turned back on

  25. Making a Boot Disk – Vista and Other OS's • Blue Screen of Death • If your computer is unbootable, what do you do? • Try to use a recovery disk. • How many know where your recovery disk is? • Do you know how to make one?

  26. Vista Recovery Disk • Recovery Disk or a Recovery Partition • Will allow you to restore your computer to original settings from hardware manufacturer, • Will not be able to use it to repair your Windows Vista installation • For that, you will need an actual • Windows Vista DVD that contains the Windows Recovery Environment

  27. Making a Boot Disk Vista/Windows 7/8 • Yes, you can make an installation disk if your computer didn't come with one • Complete burnable images for Vista/Windows 7 • And ... a DVD or CD writer http://www.howtogeek.com/howto/windows-vista/how-to-make-a-windows-vista-repair-disk-if-you-dont-have-one/ • Versions of 32 and 64 bit and Windows 7/8 http://neosmart.net/blog/2008/download-windows-vista-x64-recovery-disc/

  28. Boot Disk for Ubuntu • Ubuntu or Debian • Can make Ubuntu/Debian into a live image CD • Really easy; use it to boot and possibly fix Ubuntu • Instructions are here for Ubuntu https://help.ubuntu.com/community/LiveCD • Instructions are here for Debian http://www.debian.org/CD/live/

  29. Live CD Restore Windows • Live CD for non-Windows may be used to repair Windows - Fix Windows problems on a machine that doesn't have a dual-boot - Fix anti-virus problems on a Windows system - Data recovery such as corrupted or deleted files

  30. Live CD Backtrack • Backtrack Live CD • Used for mostly attacking other systems but can be used for defense http://www.backtrack-linux.org/downloads/ • Recover Windows passwords with Backtrack http://webistricky.blogspot.com/2013/01/how-to-reset-windows-password-using.html • Recover Windows 8 passwords in Easy Steps http://shishirceh.blogspot.com/2013/06/reset-windows-8-password-using.html#!/2013/06/reset-windows-8-password-using.html

  31. Live CD Backtrack • Backtrack Live CD • Fix Windows Registry with Backtrack • Oftentimes, we mess up the registry, leaving the system in a hung state • In such situations BackTrack plays a major role to put you back on track. http://securityxploded.com/backtrackregistry.php • With a little experimentation, for example, you can learn how to access almost any file on the failed PC • This offers a way to recover and back up data files before you erase the hard drive and completely reinstall Windows http://www.jagtutorials.com/VideoPages/V_CorruptedSystem.html

  32. Prevention

  33. Patching • What is patching? • Fixes that allow software to limp along until the next major version • Windows XP before Vista • Vista then quickly Windows 7 etc. • Software producers give you patches to fix “holes” in between major software versions • Security updates, new devices supported or old devices not supported, performance issues • Can patching cause problems? Yes or No.

  34. Study on Unpatched Computers http://www.computerworld.com/s/article/9109938/Unpatched_Windows_PCs_fall_to_hackers_in_under_5_minutes_says_ISC?taxonomyId=82&intsrc=kc_top&taxonomyName=cybercrime_and_hacking • 2008 • Computerworld - “It takes less than five minutes for hackers to find and compromise an unpatched Windows PC after it's connected to the Internet” • The SANS Institute's Internet Storm Center (ISC) currently estimates "survival" time of an Internet-connected computer running Windows at around four minutes if it's not equipped with the latest Microsoft Corp. security patches

  35. More Patching Stories http://www.circleid.com/posts/20090915_major_organizations_overlooking_high_priority_security_risks/ • Security report by SANS Institute, TippingPoint and Qualys, Sept. 2009 • Number of vulnerabilities found in applications is far greater than number of vulnerabilities discovered in operating systems • "On average, major organizations take at least twice as long to patch software vulnerabilities as they take to patch operating system vulnerabilities”

  36. Patching • Types of Patches • Patch – Simple small fix, one or two problems • Update – Add or fix a problem or an earlier patch • Cumulative – Includes all previously released patches for one application • Service Pack – Generally, large files, typically include lots of patches to many problems • Vista is up to service pack 2 • Windows 7 - Service pack 1 • Windows 8 – None yet, but we have 8.1 out

  37. What Should you Patch? • Microsoft releases Windows security updates on second Tuesday of every month • Recommended you turn on automatic updates, all versions of Windows • Configure this in control panel

  38. Updates for Microsoft Vista/7 • What gets updated? • Updates OS & Internet Explorer, also other Microsoft Windows software, such as Microsoft Office, Windows Live applications, and Microsoft Expression • But, older versions of Windows updated only OS components, • Windows Update vs. Microsoft Update • Users had to go to Microsoft Update to update their Office suite and SQL Server ... etc. http://arstechnica.com/microsoft/news/2010/04/isvs-to-blame-for-vista7-infections-office-updates-ignored.ars

  39. Updates for Microsoft Vista/7 • Does it update other software on your computer? Like Adobe Flash Player ... • Microsoft does not update other software running on your computer

  40. Updates for Ubuntu, Mac OS X • Ubuntu updates • All the software on its distribution automatically • Built into the system as a service • Need to turn it on, update manager • Mac OS X • Updates all software on Mac

  41. Patching • Third party Software • Vendors often provide free patches on their web sites • Should know how vendor supplies patches • Automatically contact their web sites and install them or • Automatic updates tell you when patches are available, you download them, and install them

  42. Patching • Boring but ... • Make a list of the software on your computer • Games, office, document readers, Adobe, media players • Adobe, Database, Multi-media, • Voip – Skype • Security software • Device Drivers • What is their patching strategy? • Websites? Auto-update?

  43. Patch Management • Patches are issued for good reasons • Should test before deploying • Can get an Automation Tool • Monitoring/Alerting • Data Collection/Archiving • HfNetChk – weird name, great tool! • Windows machines query it for up-to-date patches http://majorgeeks.com/HFNetChk-FE_d1103.html

  44. Harden OS

  45. OS Hardening Defined • What does it mean to Harden an Operating System? Reconfiguring an OS to be more secure, stable and resistant to attacks. • Examples: • Removing unnecessary processes. • Setting file permissions. • Patching or updating software. • Setting network access controls.

  46. Linux Hardening • Examine Linux System Features • In Design • Linux is more modular than Windows • Multi-user design from beginning • Main Challenge in cracking Linux • Gain Root access !!!! • Main Goal in Defense of Linux • Make unauthorized root access impossible

  47. Linux Hardening • Setuid and Setgid • Everything in Linux is a file • Files have read, write and execute permissions • One more permission is setuid (similar to setgid) • Executable programs run with the same privileges as the file owner • If owner is root ... gain root privileges • The attacker's goal is to use a buffer overrun or some other means of gaining a root shell session; the attacker can do anything after that

  48. Linux Programs Running Setuid • Examples of some SetUID programs
  -rwsr-xr-x 1 root root  27256 2010-01-29 00:02 /bin/fusermount
  -rwsr-xr-x 1 root root  78096 2009-10-23 09:58 /bin/mount
  -rwsr-xr-x 1 root root  35600 2009-05-12 03:13 /bin/ping
  -rwsr-xr-x 1 root root  31368 2009-05-12 03:13 /bin/ping6
  -rwsr-xr-x 1 root root  36864 2009-07-31 19:29 /bin/su
  -rwsr-xr-x 1 root root  56616 2009-10-23 09:58 /bin/umount
  -rwsr-xr-x 1 root root  42856 2009-07-31 19:29 /usr/bin/passwd
  -rwsr-xr-x 1 root root  14880 2009-10-16 17:13 /usr/bin/pkexec
  -rwsr-xr-x 1 root root 852296 2009-05-23 06:01 /usr/bin/schroot
  -rwsr-xr-x 1 root root 143656 2009-06-22 21:45 /usr/bin/sudo

  49. Linux Hardening • Example: chmod 4755 removemyfiles.sh
  -rwsr-xr-- 1 ctaylor fac removemyfiles.sh
  Assume removemyfiles.sh is a script:
  #! /bin/bash
  rm -rf /home/ctaylor/*.*
  The -rws in the above permissions on the file says to run this program with the privileges of ctaylor
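A setuid/setgid audit for the hardening review slides 47 to 49 call for, as an added example (not the lecture's code). It walks a tree, and for every file carrying the s bit reports what needs attention: a root-owned program not on the expected list (the list is copied from the slide 48 listing), a file writable by group or others, a non-root owner as in the ctaylor example, or a #! script (the Linux kernel ignores the setuid bit on interpreted scripts, so such a file marks a mistaken chmod rather than a working privilege grant).

```python
"""Audit setuid/setgid files (slides 47-49). Added example, not from the lecture."""
import os
import stat
from typing import List, Optional

# Expected root-owned setuid programs, copied from the slide 48 listing.
EXPECTED_SETUID = {
    "/bin/fusermount", "/bin/mount", "/bin/ping", "/bin/ping6", "/bin/su",
    "/bin/umount", "/usr/bin/passwd", "/usr/bin/pkexec", "/usr/bin/schroot",
    "/usr/bin/sudo",
}


def classify(path: str, mode: int, uid: int, head: bytes,
             expected=EXPECTED_SETUID) -> Optional[str]:
    """Return a finding for one file, or None if it needs no attention.
    `head` is the first bytes of the file, used to spot #! scripts."""
    if not stat.S_ISREG(mode) or not (mode & (stat.S_ISUID | stat.S_ISGID)):
        return None                      # not a setuid/setgid regular file
    bit = "setuid" if mode & stat.S_ISUID else "setgid"
    if head.startswith(b"#!"):
        return f"{path}: {bit} on a script (bit is ignored by the kernel)"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path}: {bit} file writable by group/others"
    if uid == 0 and path not in expected:
        return f"{path}: unexpected root-owned {bit} program"
    if uid != 0:
        return f"{path}: {bit} program owned by uid {uid}"
    return None


def audit_tree(root: str) -> List[str]:
    """Walk `root` without following symlinks and collect findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
                if not stat.S_ISREG(st.st_mode) or \
                        not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue             # only open files that carry an s bit
                with open(p, "rb") as f:
                    head = f.read(2)
            except OSError:
                continue                 # unreadable; skip rather than abort
            finding = classify(p, st.st_mode, st.st_uid, head)
            if finding:
                findings.append(finding)
    return findings
```

Run it as `audit_tree("/")` on a real host to compare against the slide's listing; anything it reports is a candidate for `chmod u-s` or removal.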

  50. Linux Servers – Web, File, DB • Limited use machines, user services not needed • Don't install some software • X Windows • RPC Services • R-Services, rlogin, rpc – use ssh instead • Inetd daemon • SMTP daemons – enabled by default • Telnet, FTP, POP3 and IMAP • Might want to disable LKM – Loadable Kernel Modules
