Mod 11 Fundamentals of InfoSec OS Security WGU
Answer these questions
1. What is a vector for malware propagation? 2. What is an exploit framework? 3. What is the difference between a port scanner and a vulnerability assessment tool? 4. Explain the concept of an attack surface. Why might we want a firewall on our host if one already 5. exists on the network? 6. What is operating system hardening? 7. What is the XD bit and why do we use it? 8. What does executable space protection do for us? 9. How does the principle of least privilege apply to operating system hardening? 10. Download Nmap from www.nmap.org and install it. Conduct a basic scan of scanme.nmap.org using either the Zenmap GUI or the command line. What ports can you find open?
Exploit Frameworks
A category of tools, or more accurately, a category of sets of tools, called an exploit framework, enjoyed a rise in popularity in the first few years of the 2000s and is still going strong. Many exploit frameworks provide a variety of tools, including network mapping tools, sniffers, and many more, but one of the main tools we can find in exploit frameworks is, logically, the exploit. Exploits are small bits of software that take advantage of, or exploit, flaws in other software or applications in order to cause them to behave in ways that were not intended by their creators. Exploits are commonly used by attackers to gain access to systems or gain additional privileges on them when they already have access.
we should configure and turn on the appropriate logging and auditing features for our system
Although the particulars of how we configure such services may vary slightly depending on the operating system in question, and the use to which the system is to be put, we generally need to be able to keep an accurate and complete record of the important processes and activities that take place on our systems. We will generally want to log significant events such as the exercise of administrative privileges, users logging in to and out of the system, or failing to log in, changes made to the operating system, and a number of similar activities taking place. For a simple Windows OS, there are over 200 security-related logs that can be turned on so it is important to find the right balance of logs and storage. Key logs should be tied to alerts and a monitoring program.
HIDS
Host-based intrusion detection system. An IDS used to monitor an individual server or workstation. It protects local resources on the host such as the operating system files. HIDS are used to analyze the activities on or directed at the network interface of a particular host. They have many of the same advantages as network-based intrusion detection systems (NIDS) have but with a considerably reduced scope of operation. As with software firewalls, such tools may range from simple consumer versions to much more complex commercial versions that allow for centralized monitoring and management.A potential flaw with centrally managed HIDS is that, in order for the software to report an attack to the management mechanism in real time, the information needs to be communicated over the network. If the host in question is being actively attacked via the same network we would report over, we may not be able to do this. We can attempt to mitigate such issues by sending a regular beacon from the device to the management mechanism, allowing us to assume a problem if we stop seeing multiple devices unexpectedly, but this might not be a complete approach.
We can look to the various items of malware propagating over the Internet at any given time as an excellent example of performing updates
Many pieces of malware are able to spread by exploiting known vulnerabilities that have long since been patched by the software vendors. Although it does pay to be prudent when planning to install software updates and to test them thoroughly before doing so, it is generally unwise to delay this process for very long
Anti-malware tools
Most anti-malware applications detect threats in the same way the IDS do: either by matching against a signature or by detecting anomalous activities taking place. Anti-malware tools do tend to depend more heavily on signatures than on anomaly detection, which is typically referred to in the anti-malware field as heuristics. Malware signatures are usually updated by the vendor of the application at least once a day and may be updated more often than that if the need arises.
A well-known scanning tool is Tenable's Nessus
Nessus is now primarily a commercial tool, with a limited free license available for noncommercial use. Nessus is chiefly a graphically interfaced vulnerability assessment tool. In essence, Nessus will conduct a port scan on a target, then attempt to determine what services and versions of service are running on any ports it finds open. Nessus will then report back with a specific list of vulnerabilities that we might find on a given device. Nessus, as a part of its feature set, includes a port scanner, as a port scan is needed in order to find the listening services before we can identify the vulnerabilities that might be resident in them. Nessus also includes some other functionalities, including the ability to add custom features to the tool through the Nessus Attack Scripting Language (NASL)
There are a number of specific hardening standards
Some of the more commonly discussed are the Security Technical Implementation Guides (STIGs) from the US Defense Information Systems Agency (DISA) and the hardening guidelines available from the US National Security Agency (NSA)
OS Hardening
Tightening security during the design and coding of the OS.We use this technique when we are configuring hosts that might face hostile action in order to decrease the number of openings through which an attacker might ultimately reach us.
Scanning tools
We can use scanners to examine how our hosts interact with the rest of the devices on the network, vulnerability assessment tools to help point out particular areas where we might find applications or services that may be open to attack, privilege escalation tools to gain unauthorized access on our systems, and various exploit frameworks to allow us access to a broad array of tools and attacks that might be used by those who would attempt to subvert our security. The tools we will discuss in this section do not resemble an exhaustive list, but we will hit a few of the highlights. We can use a large number of scanning tools to assist in detecting various security flaws when we are looking at hosts. We can look for open ports and versions of services that are running, examine banners displayed by services for information, examine the information our systems display over the network, and perform a large number of similar tasks. Results of an Nmap scan directed against a network printer in image. In the image in this case, we asked Nmap to also look for the particular versions of the services it found and to attempt to identify the operating system running on the device. If we look at port 9220 in the listing, we can see that the service is hp-gsg, which, although a bit cryptic, might give us somewhat of a clue that it is a service specific to HP printers, but if we look at the version information on the same line, we can see very specifically that the service is HP Generic Scan Gateway 1.0. Based on this information, we might have a much better chance of successfully being able to attack the device. Looking closer at the Nmap results, note that Nmap told us the device being scanned was a printer, but it also told us it was running Mac OS X as an operating system. Sometimes Nmap's OS fingerprints can be a little skewed from what is actually on the device, so it is often best to verify the output from Nmap with another tool if something looks odd.In addition to the many features built into Nmap, we can create custom Nmap functionality of our own, through the use of the Nmap Scripting Engine (NSE).
We can find anti-malware tools deployed on mobile devices, individual systems, and a variety of servers but monitored at the enterprise level as a matter of course for large enterprise environments in order to protect these systems
We may also find such tools installed on proxy servers in order to filter malware out of the incoming and outgoing traffic. This is very common in the case of proxies for e-mail, as many items of malware use e-mail as a method of propagation. In the case where malware is detected by such a tool, we may see the e-mail rejected entirely, or we may merely see the malware stripped out of the message body or the offending attachment removed
Executable space protection
a hardware- and software-based technology that can be implemented by operating systems in order to foil attacks that use the same techniques we commonly see used in malware. In short, executable space protection prevents certain portions of the memory used by the operating system and applications from being used to execute code. This means classic attacks such as buffer overflows that depend on being able to execute their commands in hijacked portions of memory may be prevented from functioning at all. Many operating systems also use address space layout randomization (ASLR) in order to shift the contents of the memory in use around so that tampering with it is even more difficult. Executable space protection requires two components to function: a hardware component and a software component. Both AMD and Intel CPU chip manufactures, Intel and AMD, support executable space protection, with Intel calling it the Execute Disable (XD) bit and AMD calling it Enhanced Virus Protection, support the hardware and many operating systems support the software required. The software implementation of executable space prevention can be found in many common operating systems. Both executable space prevention and address space layout randomization (ASLR) can be found in many operating systems from Microsoft and Apple, as well as a number of Linux distributions, just to name a few.
software firewall
a program that runs on a computer to allow or deny traffic between the computer and other computers to which it is connected. Such softwares can range from the relatively simple versions that are built into and ship with common operating systems, such as Windows and OS X, to large versions intended for use on corporate networks that include centralized monitoring and the capability for considerably more complex rules and management options
It is also important to note that while logs are key to a post event investigation
actually reviewing the logs is a vital part of the process. If we collect logs but never review them we will miss detecting attacks early and suffer much greater overall impact.
Admin and administrator usernames are changed
alter default accounts
Nmap can allow us to discover the devices on our networks
but it can also allow us to determine on which network ports a given system is listening. If we run the following Nmap command: Nmap <IP address> In this case, we can immediately point out several common services running on the target: Port 22: Remote access to the system, secured with Secure Shell (SSH) Port 53: Domain name system (DNS), which translates friendly names to IP addresses Port 80: Hypertext Transfer Protocol (HTTP), which serves Web content Port 443: Hypertext Transfer Protocol Secure (HTTPS), which serves Web pages secured with Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS) Several other ports are open as well, running various services. We can use this information as a starting place for closing down undesirable services. In the case of our example target, ports 22, 80, and 443 being open might be notable if we did not intend to allow remote access or serve Web content
Anti-malware tools generally detect malware in one of two main ways:
by detecting the presence of, or traffic indicative of, malware in real time or by performing scans of the files and processes already in place on the system. When malware is found, responses by the anti-malware tool may include killing any associated processes and deleting the files, killing the processes and quarantining the files so that they are not able to execute but are not deleted, or simply leaving whatever has been detected alone. Leaving the files intact is not a typical response but may be required as anti-malware tools do sometimes detect security tools and other files that are not malware, which we may want to leave alone and ignore in the future.
Regular and timely updates to our operating systems and applications are
critical to maintaining strong security. New attacks are published on a regular basis, and if we do not apply the security patches released by the vendors that manufacture our operating systems and applications, we will likely fall victim very quickly to a large number of well-known attacks.
One of the most crucial times to ensure that we have properly patched a system is
directly after we have finished installing it. If we connect a newly installed and completely unpatched system to our network, we may see it attacked and compromised in very short order, even on internal networks. The commonly considered best practice in such a situation is to download the patches onto removable media and use this media to patch the system before ever connecting it to a network. Part of solid configuration management program is to monitor patch announcements. There are services that will do this for you. You must also consider auto patching for systems like your home computer. Patching is one of the most important parts of your security program (even it is part of the IT department function)
Typical measures we would take to mitigate default account permissions as security risks are
generally very simple to carry out. We should first decide whether the accounts are needed at all, and disable or remove any we will not be using. In the case of guest accounts, support accounts, and others of a similar nature, we can often quickly and easily turn the accounts off or remove them entirely without causing problems for ourselves. In the case of administrative accounts, often with names such as administrator, admin, or root, we may not be able to safely remove them from the system, or the operating system may prevent us from doing so. In most cases, however, such accounts can be renamed in order to confound attackers who might attempt to make use of them. Lastly, we should not leave any account with a default password, no matter what its status; as such passwords are often documented and well known
Vulnerability assessment tools
often include some portion of the feature set we might find in a tool such as Nmap, are aimed specifically at the task of finding and reporting network services on hosts that have known vulnerabilities.
Our problems begin to arise when we see other software installed on the machine
often with the best of intentions. For example, let us say that one of our developers logs in remotely and needs to make a change to a Web page on the fly, so they install the Web development software they need. Then they need to evaluate the changes, so they install their favorite Web browser and the associated media plug-ins, such as Adobe Flash and Acrobat Reader, as well as a video player to test the video content. In very short order, not only do we have software that should not be there, but the software quickly becomes outdated since it is not patched, because it is not "officially" installed so is not part of the configuration management plan. At this point, we have a relatively serious security issue on an Internet-facing machine
One of the largest areas in which we find weaknesses is on the
operating system that hosts all of these (be it a computer, router, or smartphone). If we do not take care to protect our operating systems, we really have no basis for getting to a reasonably strong security posture.
Exploit frameworks such as Rapid7's MetasploitPro, Immunity CANVAS, and Core Impact
provide large sets of prepackaged exploits in order to make them simple to use and to make a larger library available to us than we might have if we had to put them together individually. Many exploit frameworks come in the form of graphically interfaced tools that can be run in much the same way that any other application functions. Some tools can even be configured to automatically seek out and attack systems, spreading further into the network as they gain additional access. We commonly see the use of exploit frameworks in penetration testing.
Anti-malware
software that prevents attacks by a wide range of destructive, malicious, or intrusive programs that protect us from the broad variety of malicious code to which our system might be exposed, particularly if it is Internet facing.
A common weakness in many operating systems is
the use of accounts known to be standard. In many operating systems (as well as some applications), we can find the equivalent of a guest account and an administrator account. We may also find a variety of others, including those intended for the use of support personnel, to allow services or utilities to operate, and a plethora of others, widely varying by the operating system vendor, version, and so forth. Such accounts are commonly referred to as default accounts.In some cases, the default accounts may come equipped with excessively liberal permissions to regulate the actions they are allowed to carry out, which can cause a great deal of trouble when they are being used by an informed attacker. We may also find that default accounts are set with a particular password or no password at all. If we allow such accounts to remain on the system with their default settings, we may be leaving the proverbial doors that protect access to our system wide open so that attackers can simply stroll right in and make themselves at home.
PLP on most UNIX and Linux-like operating systems
we can often see such roles strictly enforced. Although it would be possible for the administrator of such a system to allow all users to act with the privileges of an administrator, this is generally not the convention and administrative or "root" access is often guarded carefully. On Microsoft operating systems, we can often find the exact opposite to be true. On a windows system the default is to give users more control, so care needs to be taken to change permissions to be more restrictive. While there are more threats focused on MS due to the fact they have larger market share, the security posture for any system is based on the administrator. The same paradigm exists between Apple IOS and Android IOS in the smartphone market.
If we limit the privileges on our systems to the minimum needed in order to allow our users to perform their required tasks
we go a long way toward mitigating many security issues. In many cases, attacks will fail entirely when an attacker attempts to run them from a user account running with a limited set of permissions. This is a very cheap security measure we can put in place and is simple to implement. Many users will complain about the inability to install new software, so it is key to have policy supporting this practice and ensure users understand the reason for the policy
When we allow the average system user to regularly function with administrative privileges
we leave ourselves open to a wide array of security issues. If the user executes a malware-infected file or application, he does so as the administrator and that program has considerably more freedom to alter the operating system and other software installed on the host. If an attacker compromises a user's account, and that account has been given administrative rights, we have now given the keys to the entire system directly to the attacker. Nearly any type of attack we might discuss, launched from nearly any source, will have considerably more impact when allowed access to administrative rights on a host. Thus one of the first actions a hacker will take if they break in via a user account is privilege escalation. It is important to monitor admin accounts for misuse!
Depending on the environment into which we will be placing the system
we may also want to include additional features to supplement the tools built into the operating system for these purposes. We may want to install a variety of monitoring tools that watch the functionality of the system and alert us to issues with the system itself or anomalies that might show in the various system or application logs. We might also want to install supplementary logging architecture in order to monitor the activities of multiple machines or to simply allow duplicate remote copies of logs to be maintained outside the system to help ensure that we have an unaltered record of the activities that might have taken place on the system.
Principle of least privilege dictates that
we only allow a party the absolute minimum permission needed for it to carry out its function. Depending on the operating system in question, we may find this idea put into practice to a greater or a lesser extent. In almost any modern operating system, we can find the tasks a particular user is allowed to carry out separated into those that require administrative privileges and those that do not. In general, normal operating system users are allowed to read and write files, and perhaps execute scripts or programs, but they are limited to doing so within a certain restricted portion of the file system. Normal users are generally not allowed to carry out tasks such as modifying the way hardware functions, making changes to the files on which the operating system itself depends, and installing software that can change or affect the entire operating system. Such activities are generally restricted to those users that are allowed administrative access
In the same vein as removing unneeded software
we should also remove or disable unessential services. Many operating systems ship with a wide variety of services turned on in order to share information over the network, locate other devices, synchronize the time, allow files to be accessed and transferred, and perform other tasks. We may also find that services have been installed by various applications, to provide the tools and resources on which the application depends in order to function.
If we are preparing a Web server
we should have the Web server software, any libraries or code interpreters that are needed to support the Web server, and any utilities that deal with the administration and maintenance of the operating system, such as backup software and remote access tools. We should remove applications like Microsoft office or services like File Transfer Protocol (FTP). We really have no reason to install anything else if the system is truly going to function solely as a Web server.
6 main OS Hardening categories
~Removing unnecessary software ~Removing or turning off unneeded/unessential services ~Making alterations to common/default accounts ~Applying the principle of least privilege ~Applying software updates in a timely manner ~Making use of /implementing logging and auditing functions
Stuxnet
-cyber weapon designed to burrow deep into Iran's nuclear enrichment facility at Natanz and damage the nuclear enrichment equipment -aimed to shut down Uranium enrichment centrifuges in Iran -highly advanced malware The ultimate goal of Stuxnet appears to have been the sabotage of SCADA systems, largely targeted at portions of the equipment running in the nuclear program in Iran. Stuxnet has raised the bar for malware from largely being a virtual-based attack to actually being physically destructive
A security method that involves shifting the contents of memory around to make tampering difficult
Address space layout randomization (ASLR)
Each piece of software installed on our operating system
Adds to our attack surface. Some software may have a much greater effect than others, but they all add up. If we are truly seeking to harden our operating system, we need to take a hard look at the software that should be loaded on it, and take steps to ensure that we are working with the bare minimum need for a functional system. If we are truly seeking to harden our operating system, we need to take a hard look at the software that should be loaded on it, and take steps to ensure that we are working with the bare minimum need for a functional system.
All user ID's are password protected and were changed when setting up the computer
Alter default accounts
buffer overflow attack
An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer.
The process of anomaly detection used by anti-malware tools to detect malware WITHOUT signatures
Heuristics
Type of host-based software may communicate with the management device by sending regular beacons
HIDS
Regular user ID's don't have the ability to install software
PLP
Never connect a new computer to the corporate network unless patches have already been installed
Perform updates
Knowing what ports are open is useful to complete this hardening task
Remove all unessential services
The DB server is stripped down except for mySQL
Remove all unnecessary software
the trail of significant OS events are places on the HD
Turn on logging and auditing
The larger our attack surface is
the greater chance we stand of an attacker successfully penetrating our defenses.
Turning operating services off can be an exercise in experimentation and frustration
In many cases, such services are not named in a fashion that indicates their actual function, and tracking down what each of them is doing may require a bit of research. One of the best things to do first when we are seeking to locate such extraneous services is to determine the network ports on which the system is actually listening for network connections. Many operating systems have built-in utilities that will allow us to do this, such as netstat on Microsoft operating systems, but we can also put Nmap to use for such tasks.
