Applied Security Strategies
Alun Rogers, Principal Consultant - Lynx
alun.rogers@lynxtec.com
Some clarity
Quotes from the Encarta Dictionary:
- Applied - practical: able to be put to practical use, especially as a branch of a subject that has both practical and theoretical aspects.
- Strategy - planning in any field: a carefully devised plan of action to achieve a goal, or the art of developing or carrying out such a plan.
Trying to get control of this lot?
- Enterprise and personal firewall
- IPSEC
- Intrusion Detection
- Authentication, Biometrics, Smartcards, Single Sign-on
- Virtual Private Networks
- SPAM
- Content Filtering
- Wireless
- Remote workers
- Anti-Virus
- Standard builds
- Quarantine / Network Admission Control
- SSL
Do you have an Organic Infrastructure?
- I don't mean the people problem, though you should seriously consider social engineering & security awareness
- Project-based implementations tend to be islands of "in"security
- Holistic approach needed
- If you want mainframe security then treat your systems in that way
How often is your Risk Assessed?
- And by whom?
- What steps do you take to update your mitigation steps?
How are your mitigation steps evaluated?
- By an external auditor?
- By a hacker? Do they get in? Or out?
- By you?
How do you deal with Emergencies?
- Have a process:
  - that's been proven to work
  - with automation to expedite response and mitigation
  - that users can feed into
Impact of Change
- Things break
- Supportability
Need to be Realistic
- Evolution NOT Revolution
- Security architectures work brilliantly on paper
- Need to review "where we are"
- Plan for "where we'd like to be"
- Take steps along the way
Defining an approach
- Evaluate your assets
- Evaluate your attack surface area
- Evaluate risk - you are at threat from:
  - other people
  - other computers
  - your own people
  - your own computers
- Plan for change
Architect for security
- Good security design & planning can mitigate many attacks and limit their impact
- Separation of duties, isolation of systems, quarantine & segmentation can all help
- Automation reduces administrative overhead and increases security
- Prevent people adding unauthorised software
- Enforce non-admin and least privilege
- Secure by default
An holistic approach to defining strategy
Policies and Procedures
- If you do not have processes then all the technology in the world won't help you
- ITIL, Microsoft Operations Framework (MOF), Microsoft Solutions for Management (MSM)
- MOF Security Management SMF:
  - Security Roles - Policy
  - Security Administration - Process
Do you have one of these?
A Security Policy:
- that's aligned to business objectives
- that's aligned to technical realities
- that has teeth
- that your users are aware of
- that makes sense
Where Policy Goes Wrong
[Diagram: Policy, Process, Documentation, Implementation, Operations, Technology]
Security Policy Model
[Diagram: Policy, Process, Documentation, Implementation, Operations, Technology]
- Start with policy
- Build process
- Apply technology
Measuring Security Policy
- Compare to standards and best practices
- Security Policy: "What you must do"
- Documented Procedures: "What you say you do"
- Operations: "What you really do"
Strategies for Creating Security Policy
- Root your security policy in well-known industry standards or regulations:
  - ISO 17799 - Security Management Best Practices
  - ISC2 Common Body of Knowledge
  - RFC 2196 - Site Security Handbook
- Security policies have to start from the top down
- Illustrate the value of security policy to management
- Get corporate legal and HR departments to assist you
Patch Management Process
[Diagram: a cycle of 1. Assess -> 2. Identify -> 3. Evaluate and Plan -> 4. Deploy]
1. Assess environment to be patched
   Periodic tasks:
   A. Create/maintain baseline of systems
   B. Assess patch management architecture
   C. Review infrastructure/configuration
   Ongoing tasks:
   A. Discover assets
   B. Inventory clients
2. Identify new patches
   Tasks:
   A. Identify new patches
   B. Determine patch relevance
   C. Verify patch authenticity and integrity
3. Evaluate and plan patch deployment
   Tasks:
   A. Obtain approval to deploy patch
   B. Perform risk assessment
   C. Plan patch release process
   D. Complete patch acceptance testing
4. Deploy the patch
   Tasks:
   A. Distribute and install patch
   B. Report on progress
   C. Handle exceptions
   D. Review deployment
Monitoring Patch Status
- Subscribe to notification services:
  - Microsoft Security Notification Service
  - Third-party mailing lists
- Check websites:
  - www.microsoft.com/technet/security
  - Product-specific pages
  - Third-party sites
- Implement a regular review and deployment schedule:
  - Microsoft's patch release schedule: second Tuesday of each month
  - Exception: customers are at immediate risk
- Configure automated tools to check for new updates daily
Recommended Patching Time Frame
When to apply patches:
- Apply as soon as possible
- Apply only after testing
- Implement mitigating measures
- Apply according to severity rating

| Severity Rating | Definition | Recommended Patching Time Frame |
|---|---|---|
| Critical | Exploitation could allow the propagation of an Internet worm such as Code Red or Nimda without user action | Within 24 hours |
| Important | Exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or in the integrity or availability of processing resources | Within 1 month |
| Moderate | Exploitation is serious but has been mitigated to a significant degree by factors such as default configuration, auditing, need for user action, or difficulty of exploitation | Wait for the next service pack or patch rollup that includes the patch, or deploy the patch within 4 months |
| Low | Exploitation is extremely difficult, or impact is minimal | Wait for the next service pack or patch rollup that includes the patch, or deploy the patch within 1 year |
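The patch management process (assess, identify, evaluate and plan, deploy) and the severity-based time frames above are easier to reason about as a small inventory check. The script below is an added example, not part of the presentation or any Microsoft tool: it takes a constructed asset inventory and a constructed list of bulletins (the "MS-EXAMPLE-nnn" identifiers and SHA-256 digests are placeholders, not real bulletins), determines which patches are relevant to and missing from each host, verifies a downloaded package against its published digest (step 2C), and flags hosts whose missing patches are past the recommended deadline. "1 month" and "4 months" are approximated as 30 and 120 days; the deadlines for Moderate and Low use the upper bound the table gives.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Severity order used to sort the report, most urgent first.
SEVERITY_ORDER = ["Critical", "Important", "Moderate", "Low"]

# Deadline relative to the bulletin release date, taken from the time frame table.
# Assumption: "1 month" = 30 days, "4 months" = 120 days, "1 year" = 365 days.
TIME_FRAME = {
    "Critical": timedelta(days=1),      # within 24 hours
    "Important": timedelta(days=30),    # within 1 month
    "Moderate": timedelta(days=120),    # within 4 months (upper bound)
    "Low": timedelta(days=365),         # within 1 year (upper bound)
}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str        # constructed placeholder id, not a real Microsoft bulletin
    severity: str           # one of SEVERITY_ORDER
    released: date
    products: frozenset     # products the patch applies to (relevance check, step 2B)
    package_sha256: str     # published digest of the package (integrity check, step 2C)


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    installed: frozenset    # bulletin ids already applied (from the inventory, step 1)


def verify_package(package: bytes, bulletin: Bulletin) -> bool:
    """Step 2C: the downloaded package must match the digest published with the bulletin."""
    return hashlib.sha256(package).hexdigest() == bulletin.package_sha256


def deadline(bulletin: Bulletin) -> date:
    """Latest acceptable install date according to the severity time frame."""
    return bulletin.released + TIME_FRAME[bulletin.severity]


def missing_patches(host: Host, bulletins: list) -> list:
    """Step 2B: keep only bulletins relevant to this host's product that are not yet installed."""
    return [b for b in bulletins
            if host.product in b.products and b.bulletin_id not in host.installed]


def patch_report(hosts: list, bulletins: list, today: date) -> dict:
    """Step 4B: per-host list of missing patches, most urgent first, with overdue flag."""
    report = {}
    for host in hosts:
        rows = []
        for b in missing_patches(host, bulletins):
            due = deadline(b)
            rows.append({"bulletin": b.bulletin_id, "severity": b.severity,
                         "due": due, "overdue": today > due})
        rows.sort(key=lambda r: (SEVERITY_ORDER.index(r["severity"]), r["due"]))
        report[host.name] = rows
    return report


def overdue_hosts(report: dict) -> list:
    """Hosts with at least one missing patch past its deadline (exception handling, step 4C)."""
    return sorted(name for name, rows in report.items() if any(r["overdue"] for r in rows))


# Constructed sample data: one package whose digest is published, three with placeholder digests.
PKG_A = b"constructed package contents for MS-EXAMPLE-001"
BULLETINS = [
    Bulletin("MS-EXAMPLE-001", "Critical", date(2004, 4, 13),
             frozenset({"Windows Server 2003", "Windows XP"}), hashlib.sha256(PKG_A).hexdigest()),
    Bulletin("MS-EXAMPLE-002", "Important", date(2004, 3, 9), frozenset({"Windows XP"}), "0" * 64),
    Bulletin("MS-EXAMPLE-003", "Moderate", date(2004, 1, 13), frozenset({"Windows Server 2003"}), "0" * 64),
    Bulletin("MS-EXAMPLE-004", "Low", date(2003, 6, 10), frozenset({"Exchange 2003"}), "0" * 64),
]
HOSTS = [
    Host("fileserver01", "Windows Server 2003", frozenset({"MS-EXAMPLE-003"})),
    Host("desk-042", "Windows XP", frozenset({"MS-EXAMPLE-001"})),
    Host("mail01", "Exchange 2003", frozenset()),
]
TODAY = date(2004, 4, 15)  # constructed "now" for the report

if __name__ == "__main__":
    print("package integrity ok:", verify_package(PKG_A, BULLETINS[0]))
    rep = patch_report(HOSTS, BULLETINS, TODAY)
    for name, rows in rep.items():
        for r in rows:
            print(f"{name}: {r['bulletin']} ({r['severity']}) due {r['due']} overdue={r['overdue']}")
    print("hosts needing exception handling:", overdue_hosts(rep))
```

Running it reports fileserver01 overdue on the Critical bulletin (released two days ago, 24-hour window) and desk-042 overdue on the Important one (released more than 30 days ago), while mail01's Low-severity gap is still inside its window. The same structure scales to a real inventory if the constructed lists are replaced by MBSA or SMS output.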
Microsoft Tools for Patch Management
- Analysis tools: Microsoft Baseline Security Analyzer (MBSA), Office Inventory Tool
- Online update services: Windows Update, Office Update
- Content repositories: Windows Update Catalog, Office Download Catalog, Microsoft Download Center
- Management tools: Automatic Updates (AU) feature in Windows, Software Update Services (SUS), Systems Management Server (SMS)
- Prescriptive guidance: Patch Management Using SUS, Microsoft Guide to Security Patch Management, Patch Management Using SMS
Reporting and Monitoring
- Enforce policy
- Audit changes: centralised, with alerting
- Audit access
- Constant review
- Enrol to the Microsoft Security bulletin
- Patch management: use an automated patch management solution for
  - Windows servers and clients
  - Applications for servers and clients
Physical Security
- Are all your servers in a server room?
- Who has access to server rooms?
- Is the server room physically secure?
- Where are your workstations?
- Laptops?!?!
Securing the Network
- Protect your network with a firewall
- Protect your application with a firewall
- Use the right type of firewall appropriately
- Enforce authentication for all traffic that goes in and out of the network
- Try to remove direct connections from hosts to the Internet where possible
Secure the Network
- All connections should be treated as untrusted
- Isolate before allowing access to resources:
  - Remote
  - Local
Secure the Platform: Anti-Virus, Anti-Spyware and Malware
- Select anti-virus software that is easy to manage:
  - is centrally configurable to initiate on-demand scans
  - is centrally configurable to force updates across the estate
  - applies to all entry points (devices)
  - applies to all entry points (applications)
  - provides gateway protection
- Anti-spyware and malware:
  - harden OS and browsers
  - monitor and restrict access to sites
  - restrict privileges
Secure the Platform: Authentication
- Principle of Least Privilege
- 2-factor, Kerberos, MS-CHAP v2
- Select the correct methods appropriately for:
  - access point
  - type of access
  - service/application accessed
  - privileges granted
- Manage access to admin rights centrally
Active Directory can help
- Active security management
- Use Organisational Units
- Group systems by role
- Automatically remove non-compliant items
Secure The Application
- Making the application more robust: Security Operations Guide, Writing Secure Code II
- Provide protection at the perimeter for external access
- Harden the application
- Consider the requirement to duplicate perimeter security measures for internal access
- Delegation of control
- Code reviews and assessment
Secure The Application
- Always use SSL for authentication AND data transfer
- Use tools such as MBSA to check OS configuration and patch levels
- Use the Best Practice Analyzers to verify application configuration for applications such as Exchange and SQL
Protecting Intellectual Property
- Encrypt storage of data that may be vulnerable
- Enforce access controls
- Think about in-document encryption and signing
Legal reasons to act
- Corporate Governance - SOX
- Freedom of Information
- Regulation of Investigatory Powers Act (RIPA)
- California Security Law SB-1386 (http://www.informationweek.com/story/showArticle.jhtml?articleID=10700814): the state passes a tough law regarding public disclosure of security breaches after a hacker breaks into a state employee database. Any company that does business in the state must report security breaches that involve personally identifiable financial information.
- Numerous privacy laws, e.g. HIPAA
Learn from others
- ISO 17799
- Mapping MOF to International Security Standards (ISO 17799): http://www.microsoft.com/downloads/details.aspx?familyid=b305cc14-de60-4fdb-93d0-4346492e375d
- RFC 2196: Site Security Handbook: http://www.ietf.org/rfc/rfc2196.txt
- Prescriptive Guidance: http://www.microsoft.com/technet/Security/topics/default.mspx
- MS ITShowcase: http://www.microsoft.com/services/microsoftservices/howmsdoesIT.mspx
- How to Get your Network Hacked in 10 Easy Steps: http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1002600,00.html
- 10 Immutable Laws of Security: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
- Security Update notification: http://www.microsoft.com/technet/security/bulletin/notify.mspx
Event Information
- What's Next? Technical Roadshow Post Event Website: www.microsoft.com/uk/techroadshow/postevents (available from Monday 18th April)
- Please complete your Evaluation Form!
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.