Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security fundamentals Topic 2 Establishing and maintaining baseline security.

Published byJanel Holmes Modified over 8 years ago

Similar presentations

Presentation on theme: "Security fundamentals Topic 2 Establishing and maintaining baseline security."— Presentation transcript:

1 Security fundamentals Topic 2 Establishing and maintaining baseline security

2 Agenda Trusted computing base Evaluation and certification Security baselines Security templates and scripts Maintaining a baseline

3 Trusted computing base Represents the most secure computing environment that the organisation can provide Includes all the protection mechanisms used to secure computing devices and infrastructure Contains security baselines for specific computer systems Baseline is the initial configuration that security is built on Monitor the differences between your initial baseline and the current configuration and investigate causes

4 Trusted computing base goals Ensures that only authorised people have access They use systems in the manner intended Data remains confidential

5 Trusted computing base components Includes all elements of the computing environment Hardware – computers, peripherals and network devices Firmware – BIOS chips Software – operating system, application and custom Procedures – administrative regulations, access control, backup schedules, training requirements

6 Creating a trusted computing base Inventory all elements of computer security Document all elements of computer security Monitor and account for changes Make changes and configuration management Protect from new threats

7 Threats to a trusted computing base External threats: Originate from outside the trusted computing base (not necessarily outside the organisation) From attackers, natural disasters, insufficient enforcement Internal threats: Problems with the trusted computing base Inadequate monitoring (for changes and deviations) Noncompliance with procedures Poor design Failure to update the trusted computing base

8 Evaluation and certification Compliance with formal standards for security TCSEC – Trusted Computer System Evaluation Criteria – Orange Book set of standards for commercial operating systems – Several levels of security – C2 is the highest level for commercial systems ITSEC – Information Technology Security Evaluation Criteria – Similar standards to TCSEC

9 Evaluation and certification Compliance with formal standards for security Common criteria – CCITSE Common Criteria for Information Technology Security Evaluation – ISO standard – Set of processes for evaluating security features and capabilities – The security rating of a product evaluated in one country is recognised in other countries ISO 17799 – Information security standard – Generic security policy that describes general security settings but not system specific configurations

10 Security baselines A detailed description of how to configure and administer a device or systems so that it provides the best possible security – What hardware to use and BIOS settings – Procedures for physically securing a computer – Media to use for installing an OS or service, installation options and post installation configuration – Rules regarding content to be used – Procedures for reviewing the installation, monitoring and making changes to the configuration – Rules for who can access a server and authentication methods implemented – Documentation and record keeping requirements

11 Security baseline guidelines Guidelines for file systems Use NTFS not FAT and use permission assignments for access control Principle of least privilege Only minimal permissions required to perform a specific task Avoid Full Control and the Everyone group Put users into groups and assign permissions to the group Use permission inheritance- general permissions at a higher level and exceptions at a lower level Assign permissions for local and network access Encrypt files that must be kept private

12 Security baseline guidelines Guidelines for services/daemons Every running service is a potential entry point Enable only services that are required Default configurations are not the most secure Restrict the actions that can be performed by the service by running the system in a custom user account and not as administrator or root Consider which services start automatically Apply security updates Secure files and configurations used by the service/daemon

13 Security baseline guidelines Guidelines for critical applications Only use critical business applications Typically email, database and accounting Apply security updates Secure files and configurations used by the service Install only required components Grant appropriate access levels

14 Security baseline guidelines Guidelines for other applications Remove all unnecessary applications – reduce the surface area of attack PS or task manager to list running processes Ensure users don’t install unauthorised programs (standard user accounts) Prevent users from accessing system and program files on the hard drive

15 Security baseline guidelines Guidelines for network communications Disable unnecessary protocols Network access – Restrict open ports – Enable packet filters – Require authentication to access network or network resources – IPSec to secure communications and require computers authenticate with each other Encrypt network traffic – IPSec to encrypt for privacy – SSH (Secure Shell) – SSL (Secure Sockets Layer)

16 Security templates System security settings fall into the following categories: Account policies: User accounts – password requirements, account lockouts, who can perform tasks Local policies: How the system is audited, who can access logs, user rights assignment, and other settings Event log: Who can access event logs, how event logs are sorted and retained Restricted groups: Which users are members of which groups System services: Specify start up behaviour and permissions for services Registry: Sets permissions to access the registry File systems: Set permissions to access specific files and folders

17 Scripts Automated alternative to using security templates – Windows Scripting Host (WSH) – Shell scripts – Perl scripts – C scripts

18 Maintaining a security baseline Existing security benchmarks http://www.cisecurity.com Remain informed about current threats and vulnerabilities – CERT/CC advisories – Mailing lists (eg SecurityFocus™, Bugtraq) – Hardware/software vendor websites Update security baselines to reflect new emerging security requirements

19 Securing against known vulnerabilities Apply security updates: Hotfixes: fast release for one or more issues, perhaps less testing of hotfix Security Rollup Packages: several critical hotfixes with more testing Service Packs: all fixes available and included in previous service packs – extensive testing

20 Securing against known vulnerabilities Acquiring security updates Verify the authenticity of the update – is it really from the vendor? Check digital certificates – guarantees it is from the author and that it hasn’t been modified Checksums: hash MD5 computation to check integrity Cryptographically sign the hash (eg with Pretty Good Privacy (PGP))

21 Summary What a trusted computing base is Security evaluation and certification criteria available What security baselines are Security templates and scripts that help automate security application Practises for maintaining our baselines

Download ppt "Security fundamentals Topic 2 Establishing and maintaining baseline security."

Similar presentations

File Server Organization and Best Practices IT Partners June, 02, 2010.

File Server Organization and Best Practices IT Partners June, 02, 2010.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 14: Windows Server 2003 Security Features.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 14: Windows Server 2003 Security Features.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
Network security policy: best practices

Network security policy: best practices
Corso referenti S.I.R.A. – Modulo 2 Local Security 20/11 – 27/11 – 05/12 11/12 – 13/12 (gruppo 1) 12/12 – 15/12 (gruppo 2) Cristiano Gentili, Massimiliano.

Corso referenti S.I.R.A. – Modulo 2 Local Security 20/11 – 27/11 – 05/12 11/12 – 13/12 (gruppo 1) 12/12 – 15/12 (gruppo 2) Cristiano Gentili, Massimiliano.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.

Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

Similar presentations

Ads by Google