Computer manufacturers and OS developers often build and deliver systems in default configurations that do little to secure the machine from external attacks. From the developer's perspective this is the most efficient mode of product delivery. An organisation or user, however, requires a more protected and secured system before it is placed into service.
Security baselines are standards that define the minimum set of security controls for an organisation. Security baselines typically address both technical issues, such as software configuration, and operational issues, such as keeping applications current with vendor patches. If the hardware, OS, network and applications follow the recommended minimum set of security settings within the baseline, their vulnerability to security threats decreases significantly.
The process of securing and preparing a machine against internal and external threats and system vulnerabilities is called hardening. It reduces the avenues of attack by removing unnecessary services, software and unused user accounts or logins. This makes the system more secure, reliable and efficient and gives optimised performance.
12.2 Password Selection
Password selection is one of the critical activities that often gets neglected as part of a good security baseline. Currently most systems are protected by a user ID and password. If an attacker discovers the correct user ID and password, by guessing or by using freely available password-cracking tools, they can gain access to the machine. By following basic guidelines and principles when choosing passwords, the passwords used on the machine will protect its assets.
12.2.1 Choosing the Password
Users should consider a few basic requirements when choosing a password. Set a minimum number of characters and never accept a shorter password. Do not use dictionary words, or a mix of lowercase and uppercase letters with just one or two numbers added. Randomly generated passwords are strong passwords: they are difficult to guess and can defeat most password-cracking utilities. However, randomly generated passwords are difficult to remember, and users often write them down, usually in a spot close to the machine. This defeats the purpose of the password.
12.2.2 Components of a Good Password
Users should create their own easy-to-remember passwords. A password is meant to safeguard access and resources from hackers. It should not be possible for them to guess it or crack it with password-cracking tools. A good password has the following properties:
It should be at least eight characters long.
It should include uppercase and lowercase letters, numbers, and special characters or punctuation marks.
It should not contain dictionary words.
It should not contain the user's personal information such as their name, a family member's name, birth date, pet name, phone number or any other detail that can easily be identified.
It should not be the same as the user's login name.
It should not be a default password supplied by the system vendor, such as password, guest, admin and so forth.
12.2.3 Password Aging
Password aging is a technique employed by system administrators that forces an individual to change their password after a specified time frame. If it is not changed within that time frame, it expires and must be reset. Password aging can also force a user to keep a password for a certain number of weeks before changing it.
Changing passwords periodically protects against brute-force attacks, since when the password is changed the attacker must restart the attack from the beginning. If the password is changed periodically, an attacker never has the opportunity to cycle through all the possible combinations before the password is changed again.
Users must change their passwords at least every 60 days to 3 months. A highly secured service requires passwords to be changed every 30 to 45 days.
The system must remember each user's last five to ten passwords and must not permit the user to reuse them.
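As an added example (not part of the chapter), the following Python function applies the rules from 12.2.2 and the reuse rule from 12.2.3 to a candidate password. The dictionary and vendor-default word lists and the history depth of five are assumed values for the example.

```python
"""Password policy checker for the rules in 12.2.2 and the reuse rule in
12.2.3 (added example; word lists and history depth are assumed)."""
import string

MIN_LENGTH = 8
HISTORY_DEPTH = 5                # remember the last five passwords (12.2.3)
# Constructed sample lists; a real deployment would load full word lists.
DICTIONARY_WORDS = {"password", "summer", "welcome", "dragon", "letmein"}
VENDOR_DEFAULTS = {"password", "guest", "admin", "root", "changeme"}


def check_password(candidate, login, personal_info=(), history=()):
    """Return a list of policy violations; an empty list means the password
    is acceptable.  `personal_info` holds strings such as the user's name,
    pet name or birth date; `history` holds previously used passwords,
    oldest first."""
    problems = []
    lower = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Require all four character classes listed in 12.2.2
    classes = [
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if not all(classes):
        problems.append("must mix upper case, lower case, digits and punctuation")

    # Reject a dictionary word even when it is embedded in the password
    if any(word in lower for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")

    if login and login.lower() in lower:
        problems.append("contains the login name")

    for item in personal_info:
        if item and item.lower() in lower:
            problems.append("contains personal information (%s)" % item)

    if lower in VENDOR_DEFAULTS:
        problems.append("is a vendor default password")

    # Reuse check against the most recent HISTORY_DEPTH passwords only
    if candidate in list(history)[-HISTORY_DEPTH:]:
        problems.append("was used recently; reuse is not permitted")

    return problems
```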
12.3 Hardening
Most computers provide network security features to regulate outside use of the system. Additional software, such as spyware blockers and antivirus programs, prevents malicious software from running on the system. Even with all of these security measures, systems are still vulnerable to outside access. System hardening is a step-by-step process of securely configuring a system to protect it against unauthorised access. It also helps to minimise security vulnerabilities. Hardening is addressed at three levels:
Operating system-based hardening - Covers securing and hardening various operating systems, including methods to secure file systems.
Network-based hardening - Examines the techniques and procedures for hardening network devices, services and protocols.
Application-based hardening - Covers securing client-side user applications and server-side services such as the Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP) and Web servers.
12.3.1 Operating System-Based Hardening
Operating system hardening is the first step towards safeguarding systems from intrusion. Systems received from vendors have preinstalled development tools and utilities which are convenient for the new user but also provide back-door access to an organisation's systems.
Operating system hardening includes the removal of all non-essential tools, utilities and other system administration options through which hackers could easily access the system. The hardening process ensures that security features are activated and configured correctly. It makes the system secure, efficient and reliable and provides optimised performance. The main steps are:
Disable all unnecessary protocols.
Disable all unnecessary services.
Disable all unnecessary programs and processes.
Verify and then install all vendor patches.
Install all product updates.
Use a vulnerability scanner to identify potential security weaknesses.
Configure file system security according to the rule of least privilege.
Note: The rule of least privilege states that access is granted only to those individuals who require it, and only to the extent necessary to complete the task.
Controlling access to resources is an essential aspect of maintaining system security. The soundest environment follows the rule of least privilege. The network administrator will receive more complaints from users after applying this rule, as they are unable to access resources. However, receiving complaints from unauthorised users is preferable to suffering access violations that damage the organisation's capacity to conduct business. A least-privilege environment can use user groups to assign the same access to resources rather than assigning individual access controls. However, in some instances individual users need more or less access than other group members. To maintain security, the network administrator retains fine-grained control over what each user can and cannot access.
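The following script, added here as an example and not part of the chapter, supports the "disable unnecessary services" step above by checking a host's listening TCP services against an approved minimum set. The `ss -tlnp` output and the allow-list are constructed for the example; a real baseline comes from the organisation's policy.

```python
"""Audit listening TCP services against an allow-list (added example; the
ss output below is constructed, not taken from any real host)."""
import re

# Constructed sample of `ss -tlnp` output from a hypothetical server
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*     users:(("postgres",pid=1033,fd=6))
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=1201,fd=8))
LISTEN 0      50           0.0.0.0:23         0.0.0.0:*     users:(("inetd",pid=640,fd=5))
LISTEN 0      128             [::]:111           [::]:*     users:(("rpcbind",pid=512,fd=4))
"""

# Minimum set of services this host may expose (port -> process name).
# Assumed baseline for the example only.
ALLOWED = {22: "sshd", 80: "nginx"}

LOOPBACK = ("127.", "::1")
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_text):
    """Return (address, port, process) tuples for every LISTEN line."""
    listeners = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
            listeners.append((addr.strip("[]"), port, proc))
    return listeners


def audit(ss_text, allowed=ALLOWED):
    """Classify each listener as 'ok', 'local-only' or 'unexpected'.
    A service bound only to loopback is not reachable from the network,
    so it is reported but not treated as a finding."""
    report = {}
    for addr, port, proc in parse_listeners(ss_text):
        if allowed.get(port) == proc:
            report[(port, proc)] = "ok"
        elif addr.startswith(LOOPBACK):
            report[(port, proc)] = "local-only"
        else:
            report[(port, proc)] = "unexpected"
    return report


def findings(ss_text, allowed=ALLOWED):
    """Listeners that should be disabled or firewalled before deployment."""
    return sorted(k for k, v in audit(ss_text, allowed).items() if v == "unexpected")


if __name__ == "__main__":
    for (port, proc), verdict in sorted(audit(SS_OUTPUT).items()):
        print("%5d %-10s %s" % (port, proc, verdict))
```

On the sample output the telnet listener (inetd on 23) and rpcbind on 111 are reported as unexpected, while PostgreSQL bound to 127.0.0.1 is flagged only as local-only.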
OS updates are provided by the manufacturer of the specific component. Updates contain improvements to the OS and therefore make the product more secure, efficient and stable for users. For instance, Microsoft labels some of its updates as security updates. These updates address security concerns recognised by Microsoft and should be installed if required. In addition, updates enhance the capability of a particular function that was underdeveloped at the time the system or application was released. Updates should be thoroughly tested in non-production environments before implementation, since a new and improved function may have more security weaknesses than the original component.
Hotfixes, service packs and patches are product upgrades that resolve a known issue.
Hotfixes - Hotfixes are components designed to fix a particular critical system fault. Hotfixes are produced by the vendor when a number of client systems indicate that there is a compatibility or functional problem with the manufacturer's product on a particular platform. They are fixes for reported or known problems. Hence, hotfixes should only be installed to fix a particular problem.
Service Packs - Service packs are collections of updates or hotfixes. They correct known issues and offer drivers, updates and system administration tools that extend product functionality, including enhancements developed after the product is released. Service packs are tested on different hardware and applications to ensure compatibility with existing patches and updates. Service packs must be thoroughly tested and verified in a non-production environment before they are installed on working systems.
Patches - Patches are used to prevent hackers from invading the machine with viruses and other malware that exploit operating system vulnerabilities. They also improve the usability and performance of the machine. OS patches can be found on the Web site of the vendor that supplies the product. Since patches are issued at unpredictable intervals, it is important to configure the machine to automatically retrieve the latest security patch updates. When a new update is released, the OS prompts the user to install it. When preparing a clean installation it is highly recommended to download and install all known patches before introducing the machine to the network.
12.3.2 Network-Based Hardening
The tremendous growth of the Internet allows any system to be accessed openly over a network. Hence, proper control over network access must be established on systems by controlling the services that are running and the ports that are open for network access. As well as the systems themselves, network devices such as hubs, routers, switches and modems must be examined for security vulnerabilities.
Any flaws in the coding of the OS of these components can be exploited to gain access to the network components. These components should be configured with very strict parameters to maintain network security. The software of these components needs to be updated regularly.
By taking the necessary steps, the network administrator should limit or reduce attacks on, and accidental damage to, their networks. Furthermore, network hardening also covers the correct configuration of network devices and the need to enable and disable services and protocols in a network.
Firmware updates for hardware devices are provided by the manufacturers. These updates fix incompatibility problems or device operation problems. They should be applied if the update includes fixes for an existing condition, or if it makes the device more secure or more functional or extends its operational life. It is strongly recommended to install and test firmware updates in a non-production environment to verify that the update provides the necessary fixes and benefits.
Network devices such as routers and switches come configured with default installation settings. These default settings leave a system extremely vulnerable, as they are defined for convenience rather than for security. Choosing a good password and limiting the use of any open ports is vital in maintaining the security of these devices. Good passwords are one of the most effective security tools, because a good password can resist many forms of attack. Determining the minimum set of services that the devices need to run, together with good passwords, is very important to maintaining the security of these devices.
Apply patches and updates released by the product vendor at regular intervals.
Enabling and Disabling Services and Protocols - It is important to assess the current requirements and conditions of the network and infrastructure and then disable the unnecessary services and protocols. This contributes to a network infrastructure that is less vulnerable to attack.
Access Control Lists - Configure access lists on the network devices to control access to a network. An access list can prevent certain traffic from entering or leaving a network. Access control lists are maintained by an administrator.
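Access lists on routers and firewalls are evaluated top to bottom, the first matching rule wins, and traffic that matches nothing is dropped by an implicit deny. The Python model below is an added example, not the chapter's own material; the rule set, addresses and packets are constructed. It also reports rules that can never match because an earlier rule already covers them, a common mistake when rules are appended without review.

```python
"""First-match access control list evaluation with shadowed-rule detection
(added example; the ACL and packets are constructed)."""
import ipaddress

# Fields: action, protocol, source network, destination network,
# destination port (None = any).  Order matters: first match wins.
ACL = [
    ("deny",   "tcp", "0.0.0.0/0",      "10.0.0.0/8",   23),   # no telnet into the LAN
    ("permit", "tcp", "0.0.0.0/0",      "10.0.1.10/32", 80),   # public web server
    ("permit", "tcp", "0.0.0.0/0",      "10.0.1.10/32", 443),
    ("permit", "tcp", "192.168.5.0/24", "10.0.0.0/8",   22),   # SSH from admin LAN only
    ("permit", "udp", "10.0.0.0/8",     "10.0.1.53/32", 53),   # internal DNS
]


def evaluate(acl, proto, src, dst, dport):
    """Return (action, index of the matching rule); index is None when the
    implicit deny at the end of the list applies."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, rproto, rsrc, rdst, rport) in enumerate(acl):
        if rproto != proto:
            continue
        if src_ip not in ipaddress.ip_network(rsrc):
            continue
        if dst_ip not in ipaddress.ip_network(rdst):
            continue
        if rport is not None and rport != dport:
            continue
        return action, idx
    return "deny", None


def shadowed_rules(acl):
    """Indices of rules that can never match because an earlier rule with the
    same protocol (and the same port, or any port) covers a superset of both
    their source and destination networks."""
    shadowed = []
    for j, (_, proto_j, src_j, dst_j, port_j) in enumerate(acl):
        for i in range(j):
            _, proto_i, src_i, dst_i, port_i = acl[i]
            if proto_i != proto_j or (port_i is not None and port_i != port_j):
                continue
            if (ipaddress.ip_network(src_j).subnet_of(ipaddress.ip_network(src_i))
                    and ipaddress.ip_network(dst_j).subnet_of(ipaddress.ip_network(dst_i))):
                shadowed.append(j)
                break
    return shadowed
```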
12.3.3 Application-Based Hardening
Application hardening is the procedure of preventing exploitation of the various types of vulnerabilities in software applications by implementing the latest updates. Applications such as browsers, office suites and e-mail clients, and services provided through servers such as Web servers, File Transfer Protocol (FTP) servers, DNS servers and DHCP servers on a network, require regular updates to provide protection against newly developed threats.
At present most organisations have a presence on the Web for numerous business advantages. Because of the Internet's popularity, Web servers have become extremely popular targets for attackers. Original content on web sites is replaced with the hacker's data. E-commerce sites are attacked and users' personal account information is stolen. Microsoft's Internet Information Server (IIS) and the Apache server are the most popular Web server applications used today. To secure Web servers from hackers, the administrator must apply updates and patches, remove unnecessary protocols and services and properly configure all native controls. It is also recommended to put the Web server behind a firewall or a reverse proxy.
Microsoft provides the URLScan and IIS Lockdown tools, which are designed to secure IIS servers from attacks and exploits. URLScan is a monitoring utility that examines all incoming URLs and rejects any requests for files, directories or services outside the intended scope of the Web site. The IIS Lockdown tool turns off unnecessary functions, which reduces the attack surface open to an attacker.
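To show what "outside the intended scope" means in practice, here is an added example of a request filter in the spirit of URLScan; it is not Microsoft's tool or the chapter's own code, and the allowed verbs, file types, denied directories and length limit are assumed policy values. Checks run on the fully decoded path, so double-encoded and backslash traversal attempts are caught before the file name is examined.

```python
"""Request filter in the spirit of URLScan: reject requests for files,
directories or verbs outside the Web site's intended scope (added example;
the policy values below are assumed)."""
import posixpath
from urllib.parse import unquote

ALLOWED_VERBS = {"GET", "HEAD", "POST"}
# Only these file types are served; "" covers directory requests such as /docs/
ALLOWED_EXTENSIONS = {"", ".html", ".htm", ".css", ".js", ".png", ".jpg", ".aspx"}
# Top-level directories that must never be reachable from outside (assumed)
DENIED_DIRS = {"scripts", "cgi-bin", "_vti_bin", "admin"}
MAX_URL_LENGTH = 260


def decode(path):
    """Percent-decode twice, so that double-encoded sequences such as %252e
    are exposed, and treat backslashes as path separators as IIS does."""
    return unquote(unquote(path)).replace("\\", "/")


def check_request(verb, path):
    """Return None if the request is within scope, otherwise the reason it
    is rejected.  All path checks use the decoded form, never the raw URL."""
    if verb.upper() not in ALLOWED_VERBS:
        return "verb not allowed"
    if len(path) > MAX_URL_LENGTH:
        return "URL too long"
    if any(ord(c) > 127 for c in path):
        return "high-bit characters in URL"
    decoded = decode(path)
    if ".." in decoded.split("/"):
        return "path traversal"
    # Collapse duplicate slashes and "." segments before inspecting directories
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    top_dir = norm.split("/")[1].lower()
    if top_dir in DENIED_DIRS:
        return "directory outside intended scope"
    if posixpath.splitext(norm)[1].lower() not in ALLOWED_EXTENSIONS:
        return "file type not served"
    return None
```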
E-mail servers and clients are vulnerable to different attacks such as Denial of Service (DoS) attacks, virus attacks, relay and spoofing attacks. There are numerous deficiencies in the various versions of e-mail server software, such as Sendmail for Linux and UNIX and Exchange or Outlook for Microsoft platforms.
E-mail servers are frequent potential sources of virus attacks and for that reason must have the strongest possible protection for scanning incoming and outgoing messages. E-mail servers should not have non-essential services and applications installed. Administrative and system access should also be securely managed to block the installation or execution of unauthorised programs and trojans. The following issues need attention:
Open mail relay - An open relay allows unauthorised users to send e-mail through the e-mail server.
Storage limitation - Limit message size to limit DoS attacks based on message size.
Spamming - Identical messages sent to numerous recipients by e-mail.
Virus propagation - Ensure that anti-virus programs and applications are performing correctly.
FTP allows a variety of users to access and download remotely stored data. It is used to distribute application updates, device drivers and free software to users, who often access this data anonymously. Anonymous access to FTP servers becomes a problem when the administrator does not intend to provide anonymous access or does not properly secure the FTP service. This calls for setting the appropriate permissions, running the FTP process as an unprivileged user and not allowing anonymous users to upload or modify files. Some FTP servers allow upload and download service for authorised users; if so, anonymous access should be completely removed. To overcome buffer overflow problems, ensure that the FTP server software is current and patched.
A DNS server converts a system's host name into an IP address so that communication can be appropriately routed through the network. Client systems use DNS to locate Web servers, e-mail servers, FTP servers and a range of other servers and network services. DNS can be a major target for an attacker. Common attacks are:
Stealing zone transfers - DNS servers are configured to provide information, such as the set of hosts and routers with their IP addresses, to secondary DNS servers. A secondary DNS server is used to keep a backup copy of the DNS database and also to provide name resolution services to client systems. An attacker can obtain a zone transfer and use it to map the victim's network and seek out potential targets.
Zone update spoofing - An attacker can spoof the address of the primary DNS server and send a bogus update to a secondary DNS server. Client systems then receive incorrect information from this bogus server, and network communication is redirected to a location controlled by the attacker.
DNS cache poisoning - Some DNS servers allow attackers to insert bogus information into the DNS cache. To protect DNS servers:
Do not place any more information than necessary on a publicly accessible DNS server, to limit snooping on the DNS server.
Do not provide additional host information in Host Information (HINFO) records. A HINFO record contains descriptive information about the OS and features of a particular system, and an attacker could use this information to gain access.
Configure the DNS servers to only allow zone transfers to specific secondary servers.
Berkeley Internet Name Domain (BIND) allows zone transfers to be signed. Zone transfer signing allows secondary servers to verify the credentials of the primary server before accepting data.
Ensure that DNS software is patched and up to date to avoid DNS cache poisoning.
Network News Transfer Protocol (NNTP) servers allow news clients to connect to news servers to share information privately or to post articles to a public NNTP server. NNTP servers are susceptible to DoS attacks and buffer overflows. To exploit a server, attackers connect to a private NNTP server to obtain any information that can be used to compromise the network. Sometimes users post accurate diagrams of their network to ask a technical question, and an attacker may use these details to find ways to exploit the network. They can even offer bogus advice to open a hole in the network's defences.
To protect the organisation from NNTP server exploits, block the NNTP port at the firewall to make the NNTP server inaccessible to external users. To protect posted private information, authenticate users to prevent anonymous logins to the NNTP server. Also encrypt communications using SSL/TLS to avoid packet sniffing of confidential data. Do not allow users to post confidential information publicly, as this will compromise the network.
File and Print Servers
File and print servers in a network are used to share resources, but this can be a common way for hackers to gain information and unauthorised access. When sharing is enabled to share resources with a trusted internal network over one NIC, the system may also be sharing those resources with the completely untrusted external network over the external interface. Attackers attempt to make unauthenticated connections to shared resources on the network. If sharing permissions are configured incorrectly for an easily exploited user account, attackers can access resources and alter them. To secure file and printer shares, block access to shares and related information at the firewall. Apply the rule of least privilege to secure shares from external attackers. A Virtual Private Network (VPN) can also be used to encrypt communications between clients and servers to secure data transmission.
Data repositories are locations that hold information about networks, applications and users. Attackers can use the information stored in data repositories to formulate attacks against the organisation. Hence, ensure that this information is bounded and restricted for external users. Authentication and encryption of the data are also necessary to safeguard it from external attacks.
A directory service is used to store, organise and offer access to information in a directory. The information in a directory service can include system accounts, user accounts, mail accounts, service locations and shared resource information. The Lightweight Directory Access Protocol (LDAP) is a common directory service that organises data in a hierarchical manner. The topmost entry in an LDAP directory information tree is called the root, from which the LDAP root server creates the hierarchy. The directory service hierarchy and the information it stores provide a good map of the network infrastructure. That is convenient for authorised users in a network, but also for an attacker. An attacker may use numerous ways to compromise LDAP servers; for example, the network resource information stored in the directory service can be used to examine the network structure, resources and potential targets, and an attacker can obtain the victim's network information transferred over LDAP through eavesdropping.
Protect the LDAP hierarchy by configuring the strongest authentication available for the version of LDAP in use. Both LDAP v2 and LDAP v3 support anonymous and simple authentication, which are not very secure. Anonymous authentication does not require a password, and simple authentication sends the password in unencrypted form, which an attacker can easily capture. Strong authentication over LDAP v2 and LDAP v3 is provided through Kerberos version 4 authentication and Simple Authentication and Security Layer (SASL) respectively.
Use Secure LDAP (LDAPS), which encrypts communications using SSL/TLS.
Block access to LDAP ports from the Internet so that attackers cannot make connections to these ports.
Database servers are used to store data. Both the data and the database server can be targets for an attacker. An attacker can steal the information or take over the database server to exploit it. Typical issues are:
Unexpected data queries or commands - Numerous database servers use Structured Query Language (SQL), which allows for the querying and posting of data. An attacker's use of SQL commands to make the server do unexpected things is called SQL injection.
Unauthenticated access - If unauthenticated use of the database server is allowed, attackers can easily connect and exploit the database server. To harden database servers:
Test the database by running irrelevant queries and attempting to access unauthorised information.
Do not allow unauthenticated connections to the database server.
While transferring confidential data to and from the database server, use an SSL/TLS or VPN link to protect the data.
To prevent the database server from being queried by external users, block access to it at the firewall.
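The "unexpected data queries" problem above comes down to how the application builds its SQL. The added example below (not from the chapter) puts a vulnerable lookup beside its hardened form using a constructed in-memory SQLite table: the first pastes user input into the statement, the second binds it as a parameter so the database never parses it as SQL.

```python
"""Vulnerable versus parameterised user lookup (added example with a
constructed in-memory SQLite table, not the chapter's own code)."""
import sqlite3


def make_db():
    """Build a constructed sample user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", "admin"), ("bob", "h2", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the caller's input becomes part of the SQL text,
    so a username containing a quote changes the meaning of the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """Bound parameter: the input travels as data and is compared literally,
    whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()
```

With the classic tautology input `x' OR '1'='1` the concatenated query returns every row, while the parameterised query returns nothing because no user is literally named that.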
12.4 Chapter Review Questions
1. How should an individual secure a password?
Selecting a password with at least eight characters, at least one change in case and at least one number or special character
Storing the password in a wallet or purse
Using the same password on every system
Changing passwords at least once a year
2. Which of the following steps is part of the hardening process for an OS?
Remove unnecessary programs and processes
Setting appropriate permissions on files
Disable unnecessary services
All of these
3. Which of the following is the correct step to overcome buffer overflow problems?
Select strong passwords
Install the latest patches
Remove sample files
Set appropriate permissions on files
4. Which of the following requires software to be current and patched?
All of these
5. Rule of least privilege states that ____.
allow access to users who require it
allow limited access
allow access to everyone
allow full access
Ans: A and C
6. Which of the following was created to fix a particular critical system fault?
None of these
7. Which of the following extends product functionality after the release of the product?
None of these
8. Which of the following fixes incompatibility problems or device operation problems?
None of these
9. Which of the following steps are used to secure Web servers?
Apply patches and updates
Place the Web server behind a firewall
Remove unnecessary protocols and services
All of these
10. BIND stands for _______.
Berkeley Internet Network Domain
Berkeley Intranet Name Domain
Berkeley Internet Name Domain
Business Internet Network Domain
12.4.1 Answers
5. A and C
Components of a good password and password aging.
Different ways to harden the OS.
Different ways to harden the network and its devices.
Different ways to harden applications such as browsers, office suites and e-mail clients, and services provided through servers such as Web servers, e-mail servers, FTP servers, DNS servers, NNTP servers, file and print servers, directory services and databases.