Host Hardening Achieve or Avoid. Nilesh Kapoor Auckland 2016

Similar documents
CSWAE Certified Secure Web Application Engineer

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

The 3 Pillars of SharePoint Security

Automating the Top 20 CIS Critical Security Controls

the SWIFT Customer Security

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

IoT & SCADA Cyber Security Services

Certified Secure Web Application Engineer

Cyber Hygiene: Uncool but necessary. Automate Endpoint Patching to Mitigate Security Risks

Security Configuration Assessment (SCA)

CISSP - Certified Information Systems Security Professional

Chapter 5: Vulnerability Analysis

Practical Guide to Securing the SDLC

TEL2813/IS2820 Security Management

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Software Updating: Hitting the Mark

Tenable.io for Thycotic

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Asset Management conference 2016

epldt Web Builder Security March 2017

What every IT professional needs to know about penetration tests

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

CPTE: Certified Penetration Testing Engineer

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Strategic Infrastructure Security

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

Tripwire State of Cyber Hygiene Report

Expedition. Hardening Guide Version Palo Alto Networks, Inc.

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Securing Your Cloud Introduction Presentation

How-to Guide: Tenable Nessus for BeyondTrust. Last Revised: November 13, 2018

Security Management Models And Practices Feb 5, 2008

Back to Basics: Basic CIS Controls

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

CoreMax Consulting s Cyber Security Roadmap

Cyber Security - Information Security & Testing

External Supplier Control Obligations. Cyber Security

During security audits, over 15,000 vulnerability assessments are made, scanning the network IP by IP.

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Tools For Vulnerability Scanning and Penetration Testing

Certified Vulnerability Assessor

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

Total Security Management PCI DSS Compliance Guide

Hackproof Your Cloud Responding to 2016 Threats

Tips for Passing an Audit or Assessment

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

CompTIA CAS-002. CompTIA Advanced Security Practitioner (CASP) Download Full Version :

10 FOCUS AREAS FOR BREACH PREVENTION

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

CompTIA Cybersecurity Analyst+

Development*Process*for*Secure* So2ware

K12 Cybersecurity Roadmap

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

TestBraindump. Latest test braindump, braindump actual test

The State of Security

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Host. Computer system #1. Host Hardening

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Compliance with CloudCheckr

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

SYMANTEC DATA CENTER SECURITY

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Definitive Guide to PENETRATION TESTING

Turn-key Vulnerability Management

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

Information Security Controls Policy

Insurance Industry - PCI DSS

Protect Your Organization from Cyber Attacks

Wireless e-business Security. Lothar Vigelandzoon

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

A Model for Penetration Testing

Administering System Center 2012 Configuration Manager

CyberSecurity: Top 20 Controls

Qualys Integration with CyberArk Application Identity Manager (AIM)

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Application Security Approach

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

P a g e 1. Teknologisk Institut. Online kursus k SysAdmin & DevOps Collection

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Understanding the Changing Cybersecurity Problem

GFI product comparison: GFI LanGuard 12 vs Microsoft Windows Intune (February 2015 Release)

White Paper April McAfee Protection-in-Depth. The Risk Management Lifecycle Protecting Critical Business Assets.

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Tenable for Palo Alto Networks

Asset Discovery with Symantec Control Compliance Suite WHITE PAPER

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Turn-key Vulnerability Management

Automating Security Practices for the DevOps Revolution

Principles of ICT Systems and Data Security

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

ANATOMY OF AN ATTACK!

Transcription:

Host Hardening Achieve or Avoid Nilesh Kapoor Auckland 2016

Introduction Nilesh Kapoor Senior Security Consultant @ Aura Information Security Core 8 years experience in Security Consulting Co- Author Security testing handbook for Banking Applications CREST & CEH Certified

Outline Real world attack on a SECURE server Statistics What is host review & hardening? Standards for secure configuration review & hardening Audit tools Challenges, Approach & Optimization

Real World Attack Performed a external website and supported infrastructure review for a very well- known NZ e- commerce company Website running latest Magento CMS Found limited website vulnerabilities and open ports

Real World Attack Next target - website hosting server Only SSH & SSL is running No issues with the SSL layer on port 443 All secure, right?

Real World Attack NMAP script scan (- A) shows ssh- hostkey Next, bit of Google

Real World Attack ssh- hostkey indicates Vagrant running on hosting server

Real World Attack What is Vagrant? Software that allows developers spin virtual development environment with pre- installed tools. Sounds interesting!!! Runs Ubuntu virtual machine without a UI By default, SSH accessible virtual machine Default SSH- key based authentication

Real World Attack What next?? SSH keys are publicly accessible Default SSH user: vagrant

Real World Attack One command to get a shell J ssh vagrant@<ip_address> -i /etc/ssh/vagrant If password authentication is enabled on remote server Default password: vagrant

Real World Attack

Solution Host review and hardening should have fixed this Remove default user vagrant Disable password based authentication Regenerate ssh keychain sudo rm -rf /etc/ssh/ssh_host_* sudo dpkg-reconfigure openssh-server sudo service ssh restart

Statistics Search ssh- hostkey on shodan.io List of Vagrant running servers Do not attempt exploiting without authorisation

Statistics In 2004, British Telecom & Gartner concluded up to 65% external attacks are due to insecure configuration In 2011, Gartner considered secure configuration management a must- have rather than nice- to- have control In 2012, SANS lists secure configuration as 3 rd and 10 th critical security control

2015/16 Statistics OWASP TOP 10 (Control A5) Security Misconfiguration NZISM 2015 Section 14.1 & 14.2 ASD TOP 4 SANS Critical Security Control 3 rd and 11th

What is Host Review & Hardening? Host Review & Hardening Identifies system level insecure configuration & settings Applies to operating system, network devices, databases and web servers

What is Host Review & Hardening? Patch OS & Application Configure and manage user privileges Application whitelisting & Encryption Security Hardening Close unused open network ports Remove default accounts Enforce password complexity

Security hardening standards Center of Internet Security (CIS) Audit & Hardening benchmarks for almost every OS, web server, database available free of charge OWASP Secure Configuration Guide (In Progress) Hardening guide available for web servers, application servers, web frameworks, CMS

Security hardening standards Microsoft s Baseline Server Hardening Guidelines Security hardening for base server install NZISM & ASD Top 4 Governance minimum baseline acceptable controls for system hygiene

Audit Tools Microsoft Baseline Security Analyzer (MBSA) Looks at OS patch level, default OS accounts, anonymous access, SQL & IIS checks Just released - Microsoft Policy Analyser Looks at group policy, local registry for security weaknesses

Audit Tools Nessus Professional ($$$) Paid tool. Lets you audit target machine against various industry benchmark or your own company baseline CIS- CAT Benchmark Assessment Tool ($$$$$) Paid tool. Lets you audit target machine against CIS security benchmarks.

Benefits Benefits Detect and fix issues at early stage Bring all systems to known security hardened state Minimize insiders threat Achieve IT audit compliance requirement

Challenges In an InformationWeek survey of CISOs, enforcing security policies was ranked as No. 2 biggest security challenge Virtual Operating Platforms Applications & databases Physical host OS Network devices Infrastructure

Challenges 1. Asset & Application platform visibility 2. Communication issues Introduces an opportunity for an attacker to look for exploit

Approach Discovery To overcome visibility, develop an asset inventory Categorize external and internal asset Establish process to discover new assets (or changes in assets)

Approach Hardening Determine set of secure configuration for your organisation Security requirement of a software development company differs from financial institute Develop a baseline security standard for each platform

Approach Hardening Continued Aim to bring each platform in known security state Stay aligned with industry security standard Document deviations, exceptions from the baseline

Approach Optimize hardening Develop process to harden server before deployment of any critical data Educate people of the hardening process Powershell cmdlets in Windows & Shell script in Linux could make life easier

email: nilesh@aurainfosec.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback