1. CSCD 303 Essential Computer Security Fall 2010
Lecture 8 - Desktop Security
Recovery, Prevention and Hardening
Reading: Links are in Lecture

2. Overview Recovery and Prevention Recovery Antivirus/Antitrojan
Restore System
Restore – Windows
Boot disks
Prevention
Patching – All systems
Harden OS - Features

3. The Attack Surface
Security folks talk about “Reducing the Attack Surface”
What does that mean?
Get Secure
Reduce the Attack Surface
Patch
Harden
Stay Secure
Maintain secure infrastructure
Patches
Updates
Upgrades
Read, Research, Results

4. Unused Services Left On
The Attack Surface
What is an Attack Surface?
Weak Passwords
Open File Shares
Open Ports
Systems
too complex
Unknowns
People
Un-patched Web Server
“The greatest threat to computer systems and their information comes from humans, through actions that are either malicious or ignorant. When the action is malicious, some motivation or goal is generally behind the attack.” --Best Practices for Enterprise Security, Microsoft Solutions Framework (
Unused Services Left On
Excessive privileges
No Policies
No Auditing

5. Poisons (Packets, DNS, etc.)‏
The Attack Surface
Now for The Attacks ...
Port Scanners
Viruses
Password Cracking
Trojan Horses
Unknowns
People
Denial of Service
Network Spoofing
Packet Sniffing
Worms
Poisons (Packets, DNS, etc.)‏

6. Anti-virus Anti-virus
Will identify infections, viruses, trojans, worms
Not always able to exactly identify what got you
First step, detect something is wrong
Try to identify it - Key
Then, try to remove it and restore the files if possible
Two main ways – Treating Infection
Quarantine
Disinfect

7. Anti Virus Software Quarantine
Only temporary until user decides how to handle it, user asked to make a decision

8. Anti Virus Software Why do Anti-Virus Programs Quarantine?
Virus detection was generic, can’t determine how to clean it off of system
Want user, you, to make a decision
Quarantine Actions
Copy infected file to quarantine directory
Remove original infected file
Disable file permissions so user can’t accidentally transfer it out of directory

9. Anti Virus Software Disinfect Files a. Disinfection by Specific Virus
Multiple ways to disinfect files
Depends on the type of virus
From virus DB, get file executable start address
Run generic clean-up routine with start address
Can derive this information by running virus in test lab, recording information from infected file
Store this information for specific virus

10. Anti Virus Software b. Disinfect by Virus Behavior
Disinfect based on assumptions from virus behavior
Prepend or Appended viruses
Restore original program header
Move original byte contents back to original location
Can store in advance for each executable file on an uninfected system, system file
Program header, file length, checksum of executable file contents, which is a computed check of the file contents
Compute various checksums until you get the exact checksum of the file, can be tricky need to figure out which part of the file is original, look for checksum match

11. Test Your Virus Scanner
Good to test your anti-virus software to see how well it does
There is test file you can use to test your anti- virus software
The Anti-Virus or Anti-Malware test file
From the European Expert Group for IT Security,
Run this file against your virus scanner to determine its effectiveness

12. System Restore Windows
Purpose of System Restore
Create snapshot of system's configuration
Want to return a system back to a known good configuration
System Restore is designed to automatically create a restore point
Each time system recognizes a significant change in the file or application

13. System Restore
Go to Start>> All Programs>> Accessories>> System Tools>> System Restore

14. System Restore and Viruses
Virus authors intentionally write viruses with same extensions as Windows files that are backed up by System Restore
Common for people to have a virus, then run virus scans to remove the virus
But, once System Restore recovers computer to an earlier date, it is very possible to introduce that same virus back to system
When a virus is found on a system,
System Restore should be completely disabled, all Restore Points should be deleted ...
So, whats the point? System restore not for malware!!
After scanning computer, restore can be turned back on

15. Making a Boot Disk Vista and Other OS's
If your computer is un-bootable, what do you do?
Try to use a recovery disk.
How many know where the recovery disk is?
Can you make one?

16. Vista Recovery Disk
Recovery Disk or a Recovery Partition will allow you to restore your computer to original settings from hardware manufacturer,
Will not be able to use it to repair your Windows Vista installation
For that, you will need an actual Windows Vista DVD that contains the Windows Recovery Environment

17. Making a Boot Disk Vista/Windows 7
Yes, you can make an installation disk if your computer didn't come with one
Complete burnable images for Vista
And ... a DVD or CD writer
make-a-windows-vista-repair-disk-if-you-dont-have-one/
vista-x64-recovery-disc/
Versions of 32 and 64 bit and Windows 7

18. Boot Disk for Ubuntu Ubuntu Can make Ubuntu into a live image CD
Really easy, Use it to boot and possibly fix Ubuntu
Instructions are here

19. Patching

20. Patching What does patching your computer do?
Allows it to limp along until the next major version
Windows XP before Vista
Vista then quickly Windows 7 etc.
Software producers give you patches to fix “holes” in between major software versions

21. Study on Unpatched Computers
_under_5_minutes_says_ISC?taxonomyId=82&intsrc=kc_top&taxonomyName=cybercrime_ and_hacking
2008
Computerworld - It takes less than five minutes for hackers to find and compromise an unpatched Windows PC after it's connected to the Internet, a security researcher said today.
The SANS Institute's Internet Storm Center (ISC) currently estimates the "survival" time of an Internet- connected computer running Windows at around four minutes if it's not equipped with the latest Microsoft Corp. security patches

22. More Patching Stories
rlooking_high_priority_security_risks/
Security report by SANS Institute, TippingPoint and Qualys, Sept. 2009
Number of vulnerabilities found in applications in far greater than the number of vulnerabilities discovered in operating systems
"On average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities
In other words highest priority risk is getting less attention than the lower priority risk"

23. Patching Types of Patches
Patch – Simple small fix, one or two problems
Update – Add or fix problem or earlier patch
Cumulative – Includes all previously released patch for one application
Service Pack – Generally, large files, typically include lots of patches to many problems
Vista is up to service pack 2
Windows 7 - not even to service pack 1

24. What Should you Patch?
Microsoft releases Windows security updates on the second Tuesday of every month
Recommended you turn on automatic updates, all versions of Windows
Configure this in control panel

25. Updates for Microsoft Vista/7
What gets updated?
Updates OS & Internet Explorer,also other Microsoft Windows software, such as Microsoft Office, Windows Live applications, and Microsoft Expression
But, older versions of Windows updated only OS components,
Windows Updates vs. Microsoft update
Users had to go to Microsoft update to update their Office suite and SQL Server ... etc.
blame-for-vista7-infections-office-updates-ignored.ars

26. Updates for Microsoft Vista/7
Does it update other software on your computer? Like Adobe Flash Player ...
Microsoft does not, update other software running on your computer

27. Updates for Ubuntu, Mac OS X
Ubuntu updates
All the software on its distribution automatically
Built into the system as a service
Need to turn it on,
update manager
Mac OS X
Updates all software on Mac

28. Patching Third party Software
Vendors often provide free patches on their web sites
Should know how vendor supplies patches
Provide programs bundled with their systems automatically contact their web sites looking for patches specifically
Automatic updates tell you when patches are available, download them, and install them

29. Patching Boring but ... Make a list of the software on your computer
Games, office, document readers, Adobe, media players – like Flash, Database, Multi-media, voip – Skype, security software – Semantic, Browser
What is their patching strategy?
Websites? Auto-update?

30. Patch Management Patches are issued for good reasons
Always test before deploying
Are some Automation Tools
Monitoring/Alerting
Data Collection/Archiving
HfNetChk – weird name, great tool!
Windows machines queries it for up-to-date patches

31. Harden OS

32. OS Hardening Defined
What is Operating System Hardening? Reconfiguring an OS to be more secure, stable and resistant to attacks.
Examples:
Removing unnecessary processes.
Setting file permissions.
Patching or updating software.
Setting network access controls.

33. Hardening Utilities Bastille Linux www.bastille-linux.org
Automated security program, Security wizard
SUID restrictions
SecureInetd
DoS attack detection and prevention
Automated firewall scripting
User privileges
Education
You can try it against your computer ....

34. Linux Hardening Examine Linux System Features Recall ....
Linux is more modular than Windows
Multi-user design from the beginning
Challenge in cracking Linux
Gain Root access
Goal in Defense of Linux
Make unauthorized root access impossible

35. Linux Hardening Setuid and Setgid Everything in Linux is a file
Files have read, write and execute permissions
One more permission is setuid (similar with setgid)‏
Executable programs run with same privileges of file owner
If owner is root ... gain root privileges
Goal is to use buffer overrun or some other means of gaining a root shell session, attacker can do anything after that

36. Linux Hardening Example chmod 4755 removemyfiles.sh
-rwsr-xr-- 1 ctaylor fac removemyfiles.sh
Assume remove my files is a script
#! /bin/bash
rm -rf /home/ctaylor/*.*
The -rws in above permissions on file, says to run this program with the privileges of ctaylor

37. Linux Servers Don't install some software X - windows RPC Services
R-Services, rlogin, rpc - ssh instead
Inetd daemon
SMTP daemons - enabled by default
Telnet, ftp, pop3 and Imap
Might want to disable LKM - Loadable Kernel Modules

38. Windows Hardening

39. Overview Services Account types of policies Software Restrictions
Data lock down
Bit Locker
EFS

40. Windows Vista and 7 Security Features
Windows Service Hardening
Most Windows exploits, install malware, result of flaws in Windows services
Windows services have been changed as follows:
Each service is given a SID number, Security ID
Services run with a lower privilege level by default
Unnecessary privileges for services have been removed
Services are isolated and cannot interact with users

41. Account Policies
Contain the password policy and the account lockout policy
Must be configured at the domain level
Password policy
Controls password characteristics for local user accounts
Available settings
Enforce password history
Maximum, Minimum password age
Minimum, Maximum password length
Complexity requirements 41 41

42. Account Policies Account lockout policy
Prevents unauthorized access to Windows Vista
Can configure an account to be temporarily disabled after a number of incorrect log-on attempts 42 42

43. Software Restriction Policies
Defines which programs are allowed or disallowed in the system
Used in corporate environments where parental controls are not able to be used
Default security level for applications
Disallowed
Basic User
Unrestricted
MCTS Guide to Microsoft Windows Vista 43 43

44. Software Restriction Policies
Software not affected by software restriction policies
Drivers or other kernel mode software
Programs run by the SYSTEM account
Macros in Microsoft Office 2000 or Microsoft Office XP documents
.NET programs that use the common language runtime (alternate security is used)‏ 44 44

45. Software Restriction Policies
Software restriction configuration options
Policies are evaluated each time an executable file is accessed
Executable files are identified by file extension
You can customize the list of extensions
Many Windows applications use DLL files when they are executing
DLL files are considered a lower risk than executable files and are not evaluated by default 45 45

46. Data Security NTFS permissions
Most basic level of data security in Windows Vista
Stop logged-on users from accessing files and folders that they are not assigned read or write permission to
Relatively easy to work around NTFS permissions!!!!
When you have physical access to the computer
To secure data on desktop computers and laptops, encryption is required
Vista includes Encrypting File System (EFS) and BitLocker Drive Encryption 46 46

47. Encryption Algorithms
Symmetric Encryption
What is Symmetric Encryption?
Same key to encrypt data and decrypt data
Symmetric encryption is strong and fast
Good for encrypting large volumes of data such as files
Used by both EFS and BitLocker Drive Encryption
Biggest problem is securing the key 47 47

48. Encrypting File System
Encrypting File System (EFS)‏
First included with Windows 2000 Professional
Encrypts individual files and folders on a partition
Suitable for protecting data files and folders on workstations and laptops
Can also be used to encrypt files and folders on network servers
File or folder must be located on an NTFS-formatted partition
MCTS Guide to Microsoft Windows Vista 48 48

49. Encrypting File System
To use EFS, users must have a digital certificate with a public key and a private key
Windows Vista can generate one for you
From the user perspective,
Encryption is a file attribute
Files can also be encrypted using the command-line utility Cipher
Lost encryption keys
If a user loses the EFS key, then an encrypted file is unrecoverable with the default configuration 49 49

50. Encrypting File System
Lost encryption keys
Some ways EFS keys may be lost
The user profile is corrupted
The user profile is deleted accidentally
The user is deleted from the system
The user password is reset
Backing up your EFS key is done by using the Certificates MMC snap-in
Only you can back up your own key
Creating a recovery certificate allows the files encrypted by all users to be recovered if required 50 50

51. BitLocker Drive Encryption
Data encryption feature included with Windows Vista
An entire volume is encrypted when you use BitLocker Drive Encryption
Also protects the operating system
Designed to be used with a Trusted Platform Module (TPM)‏
Part of the motherboard in your computer and used to store encryption keys and certificates
MCTS Guide to Microsoft Windows Vista 51 51

52. BitLocker Drive Encryption
MCTS Guide to Microsoft Windows Vista 52 52

53. BitLocker Drive Encryption
BitLocker Hard Drive Configuration
Hard drive must be divided into two partitions
Encrypted partition: the operating system volume
Unencrypted system partition: contains necessary files to boot the operating system
MCTS Guide to Microsoft Windows Vista 53 53

54. BitLocker Drive Encryption
Recovering BitLocker-Encrypted Data
A recovery password is generated automatically
You can save it to a USB drive or folder, display on the screen, or print
MCTS Guide to Microsoft Windows Vista 54 54

55. BitLocker Drive Encryption
Recovering BitLocker-Encrypted Data
Recovery password is required when the normal decryption process is unable to function
Most common reasons include:
Modified boot files
Lost encryption keys
Lost or forgotten startup PIN
Disabling BitLocker Drive Encryption
Decrypts all of the data on the hard drive and makes it readable again 55 55

56. Summary Recovery, Prevention and Hardening
Learn about restoring your computer and preventing problem before bad things happen
Learn how to use some tools now, while your computer is still running
Learn how to restore your system, learn how to patch and to keep updated on patches
What else to do to Harden your system beyond the usual default configuration

57. The End
Next Time
Authentication and Biometrics
Creative Midterm