Chapter 12: Secure Systems Design and Deployment
System Security is our initial set of best practices. It includes:
- Disabling non-essential systems and services
- Hardening operating systems by
  - Applying updates and
  - Securing file systems
- Hardening applications by
  - Hardening servers (daemons or services) and
  - Hardening data stores
- Hardening networks through
  - Firmware upgrades and
  - Secure network configuration
Hardware / Firmware Security
Firmware upgrades
Computers, routers and other network equipment store fixed firmware in ROM modules, including:
- Erasable Programmable Read-Only Memory (EPROM)
- Electrically Erasable Programmable Read-Only Memory (EEPROM)
Computer manufacturers (such as Dell), chipset manufacturers (such as Intel) and router manufacturers (such as Cisco) frequently issue firmware updates. The system administrator is responsible for knowing about and implementing these updates.
Cisco routers in particular must be carefully updated. More than one bad update has been issued by Cisco, but Cisco users will still have to do their best to keep up-to-date.
FDE / SED
TPM
HSM
UEFI / BIOS
Secure Boot and Attestation
Supply Chain
Hardware Root of Trust
EMI / EMP
Operating Systems
Patch Management
In Windows:
- Service Packs are cumulative sets of updates
- Hotfixes are single-issue fixes, typically correcting software problems, not security issues
- Patches are software updates, often to correct security problems
Popular Patch Management Systems for Windows are Windows Update Services (for standalone computers), Microsoft Operations Manager (MOM, formerly known as Software Update Services, SUS, and by other names), and the Shavlik family of security/patch management tools.
In Linux:
- Patches typically require re-compiling software, or performing an upgrade installation of binary software distributions
Red Hat provides update services through the Red Hat Network update system.
Disabling Unnecessary Ports and Services
In Windows, view Services:
Start > Settings > Control Panel > Administrative Tools > Services
or
the msconfig command from Start > Run
or
the services.msc command from Start > Run
Visit www.microsoft.com/technet or www.BlackViper.com for discussion of any services with which you’re not familiar.
Note that services can be Automatic, Manual or Disabled.
Probably the single most dangerous service is UPnP, Universal Plug-and-Play. Unless you have a specific, compelling reason to enable this, disable it.
Service names and display names in the Services applet are not always the same.
In Linux, view processes with:
ps aux
Generally, services are processes ending with a “d,” e.g. httpd.
Services, Port Numbers and Sockets:
The combination of an IP address and a port number is a socket (e.g. 192.168.2.1:80).
Most ports are available to both TCP and UDP.
A total of 65,535 ports are available.
The first 1,023 are called the “well-known port numbers.”
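The service and socket material above (Windows services that should be Disabled unless needed, Linux daemons ending in "d", IP:port sockets and the well-known port range) comes together in a listener audit. The following is an added example, not part of the course notes: it parses constructed ss/netstat-style records of listening sockets, renders each as an address:port socket, classifies the port range, and flags every listener whose owning service is not on an approved baseline. The record format, the service names (including the "upnphost" entries standing in for a UPnP listener) and the baseline are all constructed for illustration.

```python
"""Least-functionality listener audit.

Added example (not from the course notes): parse ss/netstat-style
records of listening sockets, render each as an addr:port socket,
classify the port range and flag listeners that are not on an
approved baseline. Records, service names and the baseline below
are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PORT_MAX = 65535
WELL_KNOWN_MAX = 1023      # 0-1023: the "well-known" port numbers
REGISTERED_MAX = 49151     # 1024-49151 registered; 49152-65535 dynamic


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "udp"
    addr: str      # IPv4/IPv6 literal, or "*" for any address
    port: int
    service: str   # owning daemon/service name


def parse_socket(text: str) -> Tuple[str, int]:
    """Split 'addr:port' into (addr, port).

    Handles IPv4 ('192.168.2.1:80'), bracketed IPv6 ('[::]:80') and the
    '*:80' wildcard that netstat prints for a socket bound to any address.
    """
    addr, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not a socket string: {text!r}")
    port_num = int(port)
    if not 0 <= port_num <= PORT_MAX:
        raise ValueError(f"port out of range: {port_num}")
    return addr.strip("[]"), port_num


def port_class(port: int) -> str:
    """IANA range the port falls in."""
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic"


def is_exposed(addr: str) -> bool:
    """True if the socket is reachable from the network (not loopback-only)."""
    if addr == "*":
        return True
    return not ipaddress.ip_address(addr).is_loopback


def looks_like_daemon(name: str) -> bool:
    """The notes' rule of thumb: Unix service processes usually end in 'd'."""
    return name.endswith("d")


def parse_record(line: str) -> Listener:
    """Constructed record format: '<proto> <addr:port> <service>'."""
    proto, sock, service = line.split()
    addr, port = parse_socket(sock)
    return Listener(proto.lower(), addr, port, service)


def audit(records: List[str], approved: Set[Tuple[str, str, int]]) -> List[Dict]:
    """One finding per listener not covered by the (service, proto, port) baseline."""
    findings = []
    for line in records:
        lsn = parse_record(line)
        if (lsn.service, lsn.proto, lsn.port) in approved:
            continue
        findings.append({
            "socket": f"{lsn.addr}:{lsn.port}",
            "proto": lsn.proto,
            "service": lsn.service,
            "port_class": port_class(lsn.port),
            "exposed": is_exposed(lsn.addr),
        })
    return findings


# Constructed sample inventory of a small web host.
SAMPLE_RECORDS = [
    "tcp 0.0.0.0:22 sshd",
    "tcp [::]:80 httpd",
    "tcp *:443 httpd",
    "tcp 127.0.0.1:3306 mysqld",      # loopback only: data store behind httpd
    "udp 0.0.0.0:1900 upnphost",      # constructed UPnP discovery listener
    "tcp 0.0.0.0:2869 upnphost",      # constructed UPnP control listener
]

# Approved baseline; anything not listed here is a finding.
APPROVED = {("sshd", "tcp", 22), ("httpd", "tcp", 80),
            ("httpd", "tcp", 443), ("mysqld", "tcp", 3306)}

if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS, APPROVED):
        flag = "EXPOSED" if f["exposed"] else "local"
        print(f"{f['proto']} {f['socket']:<18} {f['service']:<10} "
              f"{f['port_class']:<11} {flag}")
```

Running the script reports the two UPnP listeners and nothing else; the "exposed" column is the caveat worth keeping, since a daemon bound to 127.0.0.1 (mysqld here) is a far smaller concern than one bound to every address, and the baseline is keyed on service, protocol and port together so a known service appearing on an unexpected port is still flagged.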
Least Functionality
Secure Configurations
Trusted Operating System
Application Whitelisting / Blacklisting
Disable Default Accounts / Passwords
Peripherals
Wireless keyboards
Wireless mice
Displays
WiFi-enabled SD cards
Printers / MFDs
Storage
Digital Cameras
Sandboxing
Environments
Development
Test
Staging
Production