INF526: Secure Systems Administration Student Presentations And Review for Final Prof. Clifford Neuman Lecture July 2016 OHE100C.

Presentation transcript:


Announcements
Final exam on Friday August 5th
–Material will be on the lectures, assigned readings, and what was learned from the projects.
–Two hour, closed book (if I need you to refer to specific material I will include it on the exam)
Review for final exam at end of today's lecture

Group Report for Lab Exercise 2
By Tuesday August 9th please submit a report including:
A network diagram:
–including your virtual machines and other systems like client browsers
–Show containment regions
A description of all software components used in the implementation of your scenario, including:
–Application software components (e.g. databases, servers)
–Security software components
–Administration and management software components
For each software component:
–Describe where it is installed
–Where obtained (or written yourself), and version information
»How you manage updates
–A table listing the authorized information flows.
For the system as a whole
–List tools used to monitor, detect and recover from intrusions
–What kind of red-teaming or pen-testing you performed
–A risk assessment – what threats do you defend against, how do you mitigate impact of an attack, what are you still vulnerable to, and justification for your decisions regarding such threats.

Student Presentations July 29th
Disaster Recovery Planning – Vini Gupta 10:00-10:45
As proposed:
–Steps to recover and protect IT assets in event of a disaster
–To minimize downtime and data loss
–Includes discussion of the steps to be taken in advance, how to manage backups, and how to manage redundant sites.
Some specific suggested points to be covered:
–How to facilitate a switchover to redundant resources, and possibly separate sites, when the disaster event occurs.
–How to keep the redundant sites and storage up to date.

Exercise One
Please have your systems up and running with ability to connect to the web service from the outside.
–One designated individual from each group (0 and 1) should show me how to connect and verify operation.
–We should also be provided with VNC access to the web server machine so that we can run tests from the inside.
–The majority of your grade will be based on the written report submitted, however.

Second Exercise - Criminal Enterprises
Chosen because of differences in the high level principles.
–Not because I expect you to implement these kinds of systems in your future endeavors.
–But you may be called upon to break some of these systems if later employed by government organizations.
Your organization must:
–Accept Bitcoin as payment (not really, but it must accept something that stands in for bitcoin)
–Manage an inventory of stolen account identifiers with passwords
–Control access to such information
–Prevent collection of evidence or intelligence by third parties.
–Note, do not deal in any illegal goods, but use dummy information to stand in for such goods. Also, do not use terms associated with such illegal goods or information in communications; make up new names for this dummy information.

Group Exercise Two – Last Week's Assignment
Decide on the software components to be deployed to implement software requirements on next slide.
–Custom development should be simple scripts.
–Use packages for database and other components.
Decide on the VMs to be created to run those software components.
–You can run more than one software component within a VM if you choose.
–Decide on the methods you will use to contain access to those software components, and to the information managed by those components.
Configure communication between VMs and to the outside
Install packages
Write scripts and demonstrate basic flow through system.
Report on progress as a group on Wednesday.

Project Status Updates/Discussion
Group A and B working on scenario 2.
–Group A
VMs setup and accessible via VNC
Nessus run to assess vulnerabilities and mitigation plan developed.
Application for purchasing created.
–Group B
Has submitted their plan for VMs, software, and allowed flows.
They are developing the application scripts.
Have set up some of the VMs.

INF526: Secure Systems Administration Review for Final Exam Prof. Clifford Neuman Lecture July 2016 OHE100C

Mid-term Outline
Comprehensive, so there may still be items on:
–Introduction to Secure System Administration
–Generation of Security Requirements
–Composition of systems and protection domains
–Adversarial Security Plan
–Red teaming and penetration testing tools
–Linux security administration
–Network Security Components
–Network Security administration
But focus will be on second half:
–Detecting Intrusions
–Configuration Management
–Network Monitoring and Forensics
–Network Administration
–Black Hat Attack Tools
–Intrusion response and event handling
–Virtualization for Security Administration
–Disaster Recovery Planning

Detecting Intrusions
Best Observation Point is Outside System
Network based vs Host Based
Anomaly Based vs Signature Based
SIEM Tools (e.g. Snare)
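The anomaly-versus-signature distinction on this slide is easiest to see on real log lines. The following is an added example, not code from the lecture: it runs a signature rule (a fixed pattern for a known-bad event) and an anomaly rule (a login that deviates from a learned profile of normal user/source pairs) over constructed sshd-style log lines. The log contents, host names and addresses are all made up for the example, and the sample shows that each approach catches an event the other misses.

```python
import re

# Constructed "baseline" window of normal logins, used only to learn what
# normal looks like. Not taken from the lecture or any real system.
BASELINE_LOG = """\
Jul 22 09:00:01 web sshd[1001]: Accepted password for alice from 10.0.0.5 port 50001 ssh2
Jul 22 09:05:11 web sshd[1002]: Accepted publickey for bob from 10.0.0.7 port 50002 ssh2
Jul 23 09:01:30 web sshd[1003]: Accepted password for alice from 10.0.0.5 port 50003 ssh2
Jul 24 09:02:45 web sshd[1004]: Accepted publickey for bob from 10.0.0.7 port 50004 ssh2
"""

# Constructed "observed" window to be checked against the rules.
OBSERVED_LOG = """\
Jul 29 10:01:02 web sshd[2101]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Jul 29 10:01:09 web sshd[2102]: Failed password for root from 203.0.113.9 port 41001 ssh2
Jul 29 10:01:10 web sshd[2103]: Failed password for root from 203.0.113.9 port 41002 ssh2
Jul 29 10:02:41 web sshd[2108]: Accepted password for bob from 198.51.100.4 port 50201 ssh2
Jul 29 10:03:00 web sshd[2109]: Accepted publickey for bob from 10.0.0.7 port 50300 ssh2
"""

# Generic login-line parser: outcome, user, source address.
LOGIN = re.compile(r"(Accepted|Failed) (?:password|publickey) for (\S+) from (\S+)")

# Signature rule: a fixed pattern for a known-bad event (someone trying the
# root account over SSH). Precise and cheap, but only fires on what a rule
# was already written for.
SIGNATURE = re.compile(r"Failed password for root from (\S+)")


def parse(log_text):
    """Yield (outcome, user, source) for every login line in the text."""
    for line in log_text.splitlines():
        m = LOGIN.search(line)
        if m:
            yield m.groups()


def signature_alerts(log_text):
    """Sorted list of source addresses that triggered the signature rule."""
    hits = set()
    for line in log_text.splitlines():
        m = SIGNATURE.search(line)
        if m:
            hits.add(m.group(1))
    return sorted(hits)


def build_profile(baseline_text):
    """Anomaly detection needs a model of normal. Here the model is simply
    the set of (user, source) pairs that logged in successfully during the
    baseline window."""
    return {(user, src) for outcome, user, src in parse(baseline_text)
            if outcome == "Accepted"}


def anomaly_alerts(observed_text, profile):
    """Successful logins that deviate from the profile: a known user
    arriving from a source never seen for that user before."""
    return sorted({(user, src) for outcome, user, src in parse(observed_text)
                   if outcome == "Accepted" and (user, src) not in profile})


if __name__ == "__main__":
    profile = build_profile(BASELINE_LOG)
    print("signature hits:", signature_alerts(OBSERVED_LOG))
    print("anomalies     :", anomaly_alerts(OBSERVED_LOG, profile))
```

On the sample, the signature rule reports 203.0.113.9 (the root attempts) and says nothing about bob's successful login from 198.51.100.4, while the profile-based check reports exactly that login and says nothing about the root attempts. That is the trade-off the slide names: signatures need prior knowledge of the attack, anomaly rules need a trustworthy baseline and produce alerts that still have to be triaged. Either detector would be fed to a SIEM in practice; the logic is the same whether the lines come from a host (host-based) or from a sensor outside the system (network-based).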

Configuration Management
–Purpose to track and maintain consistency in deployment of hardware and software artifacts.
Detect unauthorized change in the state of the system.
–Manage updates
–Determine which components might be vulnerable

Network Monitoring and Forensics
–Network Monitoring
Monitor liveness of a system
Monitor traffic flowing through a system
Visibility
–Addressing information
–Internal packet information in some cases
Visibility of monitoring points and volume are issues.
Visualization tools to provide situational awareness
–Forensics
Live monitoring
Collected and used after the fact
What may be pieced together
Visualization tools
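The lab report asks for a table of authorized information flows, and this slide is about monitoring the traffic that actually flows. Putting the two together gives the most useful monitoring check for a small lab: compare flow records from a monitoring point against the authorized-flow table and report anything outside it. The block below is an added example, not part of the lecture: the authorized-flow table, the addresses and the flow records are all constructed, and the record format (source, destination, protocol, destination port, bytes) is a simplified stand-in for what a flow exporter or a firewall log would give you.

```python
import ipaddress
from collections import defaultdict

# Constructed authorized-flow table in the spirit of the lab report:
# (source network, destination network, protocol, destination port).
AUTHORIZED_FLOWS = [
    ("0.0.0.0/0",    "10.0.1.10/32", "tcp", 443),   # anyone -> web server, HTTPS
    ("10.0.1.10/32", "10.0.2.20/32", "tcp", 5432),  # web server -> database
    ("10.0.9.0/24",  "10.0.0.0/16",  "tcp", 22),    # admin network -> any VM, SSH
]

# Constructed flow records as a monitoring point might export them:
# (src_ip, dst_ip, proto, dst_port, bytes).
FLOW_RECORDS = [
    ("203.0.113.5", "10.0.1.10",    "tcp", 443,  18200),
    ("10.0.1.10",   "10.0.2.20",    "tcp", 5432, 9400),
    ("10.0.9.4",    "10.0.2.20",    "tcp", 22,   3100),
    ("10.0.1.10",   "198.51.100.7", "tcp", 4444, 250000),  # web server talking out
    ("10.0.2.20",   "10.0.1.10",    "tcp", 8080, 900),     # database initiating to web
]


def compile_rules(rules):
    """Parse the table once into ip_network objects for fast membership tests."""
    return [(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, port)
            for src, dst, proto, port in rules]


def is_authorized(record, rules):
    """True if some rule covers the record's source, destination, protocol and port."""
    src, dst, proto, port, _ = record
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in r_src and d in r_dst and proto == r_proto and port == r_port
               for r_src, r_dst, r_proto, r_port in rules)


def unauthorized_flows(records, rules):
    """Every record the authorized-flow table does not explain."""
    return [r for r in records if not is_authorized(r, rules)]


def bytes_by_pair(records):
    """Volume per (source, destination) pair: the raw material for the
    visualization the slide mentions, and a quick way to spot a large
    transfer to an address that should not be receiving anything."""
    totals = defaultdict(int)
    for src, dst, _proto, _port, nbytes in records:
        totals[(src, dst)] += nbytes
    return dict(totals)


if __name__ == "__main__":
    rules = compile_rules(AUTHORIZED_FLOWS)
    for rec in unauthorized_flows(FLOW_RECORDS, rules):
        print("UNAUTHORIZED", rec)
    for pair, total in sorted(bytes_by_pair(FLOW_RECORDS).items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]:>14} -> {pair[1]:<14} {total:>8} bytes")
```

Two flows fall outside the table: the web server initiating a connection to an outside address on port 4444 (and moving 250 KB doing it), and the database initiating a connection back to the web server. Both are worth an entry in the report's intrusion-detection section. The visibility caveat from the slide applies directly: this check can only judge flows the monitoring point sees, so two VMs talking over a virtual network that no sensor taps will never appear in the records at all.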

Network Administration
–Admission control or network access control
–Virtual LANs (VLANs) and Port Security
–AAA tools
–Management of policies

Black Hat Tools
–You need awareness of the kinds of tools that are out there.
–You may use some tools to evaluate your own systems.

Incident Response Plans
–Formal Plan is needed in any organization
–Lifecycle:
Preparation
Detection and Analysis
Eradication and Recovery
Post Incident Activities
–Must define responsibilities and how to contact
Including required notifications to external entities

Virtualization
–Isolation of the OS
–Isolation on the Network
–Virtual Desktop tools
–Configuration management for the VMs

Disaster Recovery
1. Risk identification (Risk register and matrix)
2. Assess vulnerability to those risks (Business impact analysis (BIA))
3. Determine impact on the business
4. Identify critical business functions
5. Design and implement mitigation strategies
6. Agree on activation plans - Writing the runbook
7. Testing and documentation
8. Ongoing changes and maintenance
Backup and Parallel Operation Technologies