This will help but as mentioned in previous posts, with a VPS you do not have access to your kernal. That is good in some ways, because if you don’t have access to it, neither to hackers or spammers (which limits what they can do). Its bad in ways, because you lose control and if you secure your box as much as possible, you are still at risk because you cannot control your kernal.

At any rate, here are some helpful hints

=========================================
Checking for formmail
=========================================

Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using matts script or a version of it, you may be in jeopardy.

Command to find pesky form mails:
find / -name “[Ff]orm[mM]ai*”

CGIemail is also a security risk:
find / -name “[Cc]giemai*”

Command to disable form mails:
chmod a-rwx /path/to/filename
(a-rwx translates to all types, no read, write or execute permissions).

(this disables all form mail)

If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.

=========================================
Root kit checker – http://www.chkrootkit.org/
=========================================

Check for root kits and even set a root kit on a cron job. This will show you if anyone has compromised your root. Always update chrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then with injection methods, try to upload the root kit on your server. If he can run it, it will modify *alot* of files, possibly causing you to have to reinstall.

To install chrootkit, SSH into server and login as root.
At command prompt type:

cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44
make sense

To run chkrootkit

At command prompt type:
/root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.

Execution

I use these three commands the most.
./chkrootkit
./chkrootkit -q
./chkrootkit -x | more

=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================

If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.

Server e-mail everytime someone logs in as root

To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.

At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo ‘ALERT – Root Shell Access on:’ `date` `who` | mail -s “Alert: Root Access from `who | awk ‘{print $6}’`” your@email.com

Save and exit.

Set an SSH Legal Message

To an SSH legal message, SSH into server and login as root.

At command prompt type:
pico /etc/motd

Enter your message, save and exit.
Note: I use the following message…

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

=========================================
Web Host manager and CPANEL mods.
=========================================

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings
Check the following items…

Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts – blackhole
(according to ELIX – set this to FAIL, which is what I am going to do to reduce server load)

Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

=========================================
More Security Measures
=========================================

These are measures that can be taken to secure your server, with SSH access.

Update OS, Apache and CPanel to the latest stable versions.
This can be done from WHM/CPanel.

Restrict SSH Access
To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.

SSH into server and login as root.
Note: You can download Putty by Clicking Here (http://www.chiark.greenend.org.uk/~s…/download.html). It’s a clean running application that will not require installation on Windows-boxes.

At command prompt type:
pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change
#Port 22
to look like
Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number AND do not use 5678 lol )

Uncomment and change
#Protocol 2, 1
to look like
Protocol 2

Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Note 1: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.

Note 2: You can also create a custome nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.

Now restart SSH
At command prompt type:
/etc/rc.d/init.d/sshd restart

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.

After SSH has been redirected, disable telnet.

Disable Telnet
To disable telnet, SSH into server and login as root.
At command prompt type: pico -w /etc/xinetd.d/telnet
change disable = no to disable = yes
Save and Exit
At command prompt type: /etc/init.d/xinetd restart

Disable Shell Accounts
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.

Disable identification output for Apache

(do this to hide version numbers from potentional hackers)

To disable the version output for proftp, SSH into server and login as root.
At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to
ServerSignature Off

Restart Apache
At command prompt type: /etc/rc.d/init.d/httpd restart

=========================================
Install BFD (Brute Force Detection – optional)
=========================================

To install BFD, SSH into server and login as root.

At command prompt type:
cd /root/
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.4
./install.sh

After BFD has been installed, you need to edit the configuration file.

At command prompt type:
pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts:
Find
ALERT_USR=”0?
and change it to
ALERT_USR=”1?

Find
EMAIL_USR=”root”
and change it to
EMAIL_USR=”your@email.com”

Save the changes then exit.

To start BFD

At command prompt type:
/usr/local/sbin/bfd -s

Modify LogWatch
Logwatch is a customizable log analysis system. It parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

To modify LogWatch, SSH into server and login as root.

At command prompt type:
pico -w /etc/log.d/conf/logwatch.conf

Scroll down to
MailTo = root
and change to
Mailto = your@email.com
Note: Set the e-mail address to an offsite account incase you get hacked.

Now scroll down to
Detail = Low
Change that to Medium, or High…
Detail = 5 or Detail = 10
Note: High will give you more detailed logs with all actions.

Save and exit.

A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
————————————————–
Use The Latest Software
Keep the OS and 3rd party software up to date. Always!
CPanel itself can be updated from the root WHM.
————————————————–
Change Passwords
Change the root passwords at least once a month and try to make them hard to guess. Yes it’s a pain to have to keep remembering them, but it’s better than being hacked.

————————————————–
Set Up A More Secure SSH Environment As described here.
————————————————–
Disable Telnet
1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to disable = yes.
3. Hit CTRL+X press y and then enter to save the file.
4. Restart xinted with: /etc/rc.d/init.d/xinetd restart
Also, add the following line to /etc/deny.hosts to flag Telnet access attempts as ‘emergency’ messages.

in.telnetd : ALL : severity emerg

————————————————–
Disable Unnecessary Ports (optional)
First backup the file that contains your list of ports with:
cp /etc/services /etc/services.original
Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
On a typical CPanel system it would look something like this:
<?php
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
ftp-data 20/tcp
ftp 21/tcp
ssh 22/tcp # SSH Remote Login Protocol
smtp 25/tcp mail
domain 53/tcp # name-domain server
domain 53/udp
http 80/tcp www www-http # WorldWideWeb HTTP
pop3 110/tcp pop-3 # POP version 3
imap 143/tcp imap2 # Interim Mail Access Proto v2
https 443/tcp # MCom
smtps 465/tcp # SMTP over SSL (TLS)
syslog 514/udp
rndc 953/tcp # rndc control sockets (BIND 9)
rndc 953/udp # rndc control sockets (BIND 9)
imaps 993/tcp # IMAP over SSL
pop3s 995/tcp # POP-3 over SSL
cpanel 2082/tcp
cpanels 2083/tcp
whm 2086/tcp
whms 2087/tcp
webmail 2095/tcp
webmails 2096/tcp
mysql 3306/tcp # MySQL
?>
Additional ports are controlled by /etc/rpc. These aren’t generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved
————————————————–
Watch The Logs
Install something like logwatch to keep an eye on your system logs. This will extract anything ‘interesting’ from the logs and e-mail to you on a daily basis.
Logwatch can be found at: http://www.logwatch.org
Install instructions here.
————————————————–
Avoid CPanel Demo Mode
Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
————————————————–
Jail All Users
Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone – no exceptions.
————————————————–
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

ALL : nnn.nnn.nnn.nnn : spawn /bin/ ‘date’ %c %d | mail -s”Access attempt by nnn.nnn.nnn.nnn on for hostname” notify@mydomain.com
Replacing nnn.nnn.nnn.nnn with the attacker’s IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt.
————————————————–
Check Open Ports
From time to time it’s worth checking which ports are open to the outside world. This can be done with:
nmap -sT -O localhost
If nmap isn’t installed, it can be selected from root WHM’s Install an RPM option.
————————————————–
Set The MySQL Root Password
This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
Make it different to your root password!
————————————————–
Tweak Security (CPanel)
From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
- php open_basedir Tweak.
- SMTP tweak.
You may want to enable:
- mod_userdir Tweak. But that will disable domain preview.
————————————————–
Use SuExec (CPanel)
From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel’s decription of what it does:
“suexec allows cgi scripts to run with the user’s id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. ”
Even if you don’t use phpsuexec (which often causes more problems), SuExec should be considered.
————————————————–
Use PHPSuExec (CPanel)
This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
Wisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
————————————————–
Disable Compilers
This will prevent hackers from compiling worms, root kits and the like on your machine.
To disable them, do the following:

chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

You will need to enable them again when you need to perform system updates. To do this, run:

chmod 755 /usr/bin/perlcc
chmod 755 /usr/bin/byacc
chmod 755 /usr/bin/yacc
chmod 755 /usr/bin/bcc
chmod 755 /usr/bin/kgcc
chmod 755 /usr/bin/cc
chmod 755 /usr/bin/gcc
chmod 755 /usr/bin/i386*cc
chmod 755 /usr/bin/*c++
chmod 755 /usr/bin/*g++
chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

————————————————–
Obfuscate The Apache Version Number
1. Type: pico /etc/httpd/conf/httpd.conf
2. Change the line that begins ServerSignature to:

ServerSignature Off

3. Add a line underneath that which reads:

ServerTokens ProductOnly

4. Hit CTRL+X, they y, the enter to save the file.
5. Restart Apache with: /etc/rc.d/init.d/httpd restart
——————–

COMMON COMMANDS I USE
System Information
who
List the users logged in on the machine. –

rwho -a
List all users logged in on your network. The rwho service must be enabled for this command to work.

finger user_name
System info about a user. Try: finger root last. This lists the users last logged-in on your system.

history | more
Show the last (1000 or so) commands executed from the command line on the current account. The | more causes the display to stop after each screen fill.

pwd
Print working directory, i.e. display the name of your current directory on the screen.

hostname
Print the name of the local host (the machine on which you are working).

whoami
Print your login name.

id username
Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.

date
Print or change the operating system date and time. E.g., change the date and time to 2000-12-31 23:57 using this command

date 123123572000
To set the hardware clock from the system clock, use the command (as root)
setclock

time
Determine the amount of time that it takes for a process to complete+ other info. Don’t confuse it with date command. For e.g. we can find out how long it takes to display a directory content using time ls

uptime
Amount of time since the last reboot

ps
List the processes that are have been run by the current user.

ps aux | more
List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.

top
Keep listing the currently running processes, sorted by cpu usage (top users first).

uname -a
Info on your server.

free
Memory info (in kilobytes).

df -h
Print disk info about all the file systems in a human-readable form.

du / -bh | more
Print detailed disk usage for each subdirectory starting at root (in a human readable form).

lsmod
(as root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.

set|more
Show the current user environment.

echo $PATH
Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment.

dmesg | less
Print kernel messages (the current content of the so-called kernel ring buffer). Press q to quit less. Use less /var/log/dmesg to see what dmesg dumped into the file right after bootup. – only works on dedciated systems

Commands for Process control
ps
Display the list of currently running processes with their process IDs (PID) numbers. Use ps aux to see all processes currently running on your system (also those of other users or without a controlling terminal),
each with the name of the owner. Use top to keep listing the processes currently running.

fg
PID Bring a background or stopped process to the foreground.

bg
PID Send the process to the background. This is the opposite of fg. The same can be accomplished with Ctrl z

any_command &
Run any command in the background (the symbol ‘&’ means run the command in the background?).

kill PID
Force a process shutdown. First determine the PID of the process to kill using ps.

killall -9 program_name
Kill program(s) by name.

xkill
(in an xwindow terminal) Kill a GUI-based program with mouse. (Point with your mouse cursor at the window of the process you want to kill and click.)

lpc
(as root) Check and control the printer(s). Type ??? to see the list of available commands.

lpq
Show the content of the printer queue.

lprm job_number
Remove a printing job job_number from the queue.

nice program_name
Run program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower), from the default value (usually 0). The lower the number (of niceness to other users on the system), the higher the priority. The priority value may be in the range -20 to 19. Only root may specify negative values. Use top to display the priorities of the running processes.

renice -1 PID
(as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only up from the current value (make them run slower).

Optimizing your VPS server (help it run more efficiently)

VPSes are really hard to use with the memory restrictions and CPU limitations…but with some optimization they can definitely serve your websites fast!

MySQL Optimization
Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.

[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb

[mysqld_safe]
open_files_limit = 8192

[mysqldump]
quick
max_allowed_packet = 16M

[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M

In order to make things even faster, you can customize these settings specifically for your VPSs’ usage. There’s a great howto on InterWorx’s forum for this –> http://www.interworx.com/forums/showthread.php?p=2346

Lastly, I recommend installing mytop to help you monitor your usage…

wget http://dll.elix.us/mytop-1.4.tar.gz
tar -zxvf mytop-1.4.tar.gz
cd mytop-1.4
perl Makefile.PL
make
make test
make install

Once that’s done, just enter in “mytop” .

PHP & Apache Optimization
I strongly recommend installing eAccelerator. There’s an easy to follow howto here: http://forum.ev1servers.net/showthre…t=eaccelerator. If you use the default cache dir for eAccelerator (/tmp/eaccelerator) make sure you check it reguarily and clean it every once and a while. (it can really get quite large from my experience)

For httpd.conf I suggest:
Timeout 200
KeepAlive On
maxKeepAliveRequests 100
KeepAliveTimeout 3
MinSpareServers 10
MaxSpareServers 20
StartServers 15
MaxClients 250
MaxRequestsPerChild 0
HostnameLookups Off

You can use ab to benchmark your Apache before and after you make changes.

ab -c 5 -n 20 somephpbasedsiteonyourserver.com/file.php

I suggest doing 2 or 3 tests like that to get an average.

If you want to check the Apache error log, try this –>
cat /usr/local/apache/logs/error_log

Monitoring Usage
On a Virtuozzo VPS you can use cat /proc/usr_beancounters to output your usage of the VZ parameters. You should pay most attention to oomguarpages and privmpages. (although anything with a failure is generally bad)

You can find the amount of connections to Apache with this command:
netstat -nt | grep :80 | wc -l

To find the amount of Apache processes use this command:
ps -A | grep httpd | wc -l (this will show the process count)
ps -aux | grep httpd (this will show the actual processes)

To find the amount of MySQL processes use this command:
ps -A | grep mysql | wc -l (this will show the process count)
ps -aux | grep mysql (this will show the actual processes)

Just simply using top (standard view) or top -c (will show the actual command being used and/or location of each process as opposed to just the name) can help you monitor your VPS usage very wel.

To see your disk space usage, try using this command –> df -h

Mitigating (D)DOS
If you’re being DDOS’d or DOS’d you can use this command:
netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

That will help you see how many connections each IP address has in total to your server.

There’s a very decent script you can use to automate the banning of IP addresses available here –> http://forums.deftechgroup.com/showthread.php?t=825

Although I haven’t tried it myself, I suggest you take a look at Scrutinizer as well which sounds very useful –> http://www.solutix.ch/cgi-bin/index.pl

Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this…

Login to WHM as root, scroll down to “cPanel 10.8.1-R15? (it may be slightly different depending on what version you are using) then goto “Addon Modules” and install “spamdconf”. Once it’s done, refresh the WHM page, scroll down to “Add-ons” on the nav bar and then click on ‘Setup Spamd Startup Configuration”. Set “Maximum Children” to “2?. Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you’re done .

cPanel Tweak Setings
Login to WHM as root, and under “Server Configuration” on the nav bar hit “Tweak Settings”.

Here are some suggested settings:
Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time.
- Use “FAIL”. If you already have some accounts setup not to use “FAIL” (by default it will not) then run this command to convert to FAIL from BLACKHOLE –> perl -pi -e “s/:blackhole:/:fail:/g;” /etc/valiases/*

Mailman
- Mailman tends to use a lot of resources, so if you don’t need cpanel mailing lists then uncheck this.

Number of minutes between mail server queue runs (default is 60).:
- You may want to set this to 180 to reduce load.

Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
- This is just generally a good idea. So check this.

Analog Stats
- I find this useless, so uncheck this. If you want to delete the existing analog stats files just run this command –> rm -rf /home/*/tmp/analog/*

Awstats Reverse Dns Resolution
- Make sure this is unchecked, I find it pretty much useless for most users.

Awstats Stats
- You can check this if you need a robust stats software that integrates with cPanel, if you don’t need it, then don’t check it. *Note most hosting clients will want to use this. If you want to delete the existing awstats stats files just run this command –> rm -rf /home/*/tmp/awstats/*

Webalizer Stats
- Not many hosting clients will want to use this so, you can uncheck this to reduce load. If you want to delete the existing webalizer stats files just run this command –> rm -rf /home/*/tmp/webalizer/*

Delete each domain’s access logs after stats run
- Make sure this is checked, otherwise disk space usage can really rack up!

In my previous CIO articles I tried to focus on several problems simultaneously – clearly there has been a better approach. So I am beginning a series of articles devoted to the consistent, practical side of IT security – or more precisely the things that can be used immediately, or can be included in an Action Plan.

Contrary to popular belief, ITSEC does not begin by protecting the perimeter. Firewalls, security systems – this should be the last concern when building any protection. Our goal is to protect the information, not make the providers of different “solutions” rich, right?

FIRST STEP – Protection of the last link in the chain
There are several “last links in the chain” – a workstation, a database, protected commercial information, protected business practices, even the user may be considered as the last (final) unit to protect… Let’s start with workstations – I will ask a series of questions and then offer appropriate solutions – in most cases, they are generally valid, as well as the problems they solve.

1. Are your workstations protected from physical theft?
If not, consider ways to protect them. For example, many business laptops have an option to lock them with a steel cable to the desk – if you have such an opportunity, use it. Guards and security officers need to stop and authenticate anyone extracting computers from the building. Video surveillance in this case is of little benefit and may not be a preventive measure – several infrared diodes around the face of a man or on a hat can make their existence meaninglessl. Keep it in mind.
Ask yourself: Do you know how to enter your office building, without anyone asking you a badge or permission? If there is any way, eliminate it. Until now, wherever I worked I have not seen a fully secure building – perhaps because no one is asking that question or not asking it correctly (are doors the only way one can enter a building?). Movement sensors must be placed at an angle towards each other, always in pairs and in such a way that slow movement or an IR beamer towards the sensor is not sufficient to eliminate the entire security system.

2. Does each workstation have a password for it’s BIOS, preventing booting off a Live CD or a Bootable USB?
If not, it’s time to draw up a strategy for using different BIOS passwords for each computer and server. You can develop an algorithm for the variation of the password as the serial number or location of your computer – so administrators will not need to remember passwords, and users (or “attackers”) will not know the logic and can not guess them. If you do not deem it a necessary step, take a look at http://www.piotrbania.com/all/kon-boot/ – got goosebumps? Okay, now think about how to prevent this happening in your organization …

3. Ports: USB, FireWire, optical devices …
If you have FireWire ports, that is a huge hole in security – this port allows direct memory access, without taking into account the operating system controls (meaning anyone who can access the port physically has also full access to the drive, and it doesn’t matter what OS you’re using and how secure it is). Disable the FireWire ports in BIOS, unless it is absolutely essential for your business. The same goes for USB devices – controlling at least their use if you can not disable them. On my site – http://www.securityguy.org/disable-usb-storage-devices/ – there are instructions on how to take control of USB devices. Optical devices should be present only where necessary for the operation of the business or daily work of your employees.
If you still have to use USB memory sticks for business purposes, your best choice would be Ironkey (https://www.ironkey.com/enterprise) – the Enterprise version can offer all the security you would need (FIPS 140-2), and more.

4. The user – does he have administrative rights on the computer he works on?
If yes, this is bad. The best you can do is to join any user, including network and system administrators to the Guests group (I imply the use of Microsoft Windows operating systems in most companies) and create accounts that can be used to carrie out administrative actions but which cannot be used for Interactive Login. If someone needs to carry out administrative action on their computer, they can always use the option Run As (one click away and just needs entering your credeintials once when you need to install a program – and that should not happen that often, really).
Build better system security policies. For Windows XP and Windows 2003, you can apply boldly (with minor edits) the following link – http://www.nsa.gov/ia/_files/os/winxp/Windows_XP_Security_Guide_v2.2.zip – + there is a document containing some examples of securty policies. Do not forget to test everything in a test environment. On the same site you can find relevant policies recommended for other operating systems. Reading and applying them will take some time and effort, but it’s worth it. With a little scripting and implementation of policies in Active Directory, once you decide which settings are needed, applying them on all servers and computers in the company is a matter of minutes (don’t forget to test!).

5. Antivirus systems…
There may be a lot to discuss on that topic. Personally, I am an “enemy” of the most widely used systems, because the most effective viruses are written with the idea to disable these particular products, but this does not mean that you don’t need an antivirus program. Look for one that can intercept browser sessions and to block access to dangerous sites before loading malicious code. I think one of the best blogs on IT security is the blog of F-Secure – http://www.f-secure.com/weblog/, their dedication and the way you communicate with the Internet community means more then the beautiful brochures and giant marketing departments. Take time to look at their blog – they have many products in beta stage of development, free and at the same time very effective – try them in a test environment, you can find something to improve the security in your company, even at this stage, even when products not which have not yet hit the market.

6. Stolen data carriers
According http://datalossdb.org/statistics, 35% of data loss (exfiltration) is due to stolen or lost storage media – disks, computers, flash drives, laptops, mobile phones. This means that a simple strategy for the encryption of all data media will prevent 35% of incidents involving loss or theft of information at your company!
Firstly, start with full encryption of the operating system – I recommend the free TrueCrypt program for small environments, for bigger ones you can use the built-in BitLocker in Vista or Windows Server 2008 and Windows 7, the same applies to other media. In addition to preventing leakage and loss of information on lost and stolen carriers, imagine that someone broke into the network in some way and can see only ubiquitous encrypted data, always with different passwords… not good for them. Try a simple, restrictive (preventing “workarounds”) policies IT security, not with huge documents describing the obligations of employees – just install the encryption program, and make a plan to phase out encryption, no need for long explanations or policies.
It is possible to task your IT department to produce a script that encrypts the workstations outside working hours – so you will avoid the loss of working hours. It is also simple to devise a strategy for passwords … see item 7.

7. Passwords …
Take the time for training – this is something that is more in the psychology and HR field than in IT. Help people understand how easy it is to create and remember passwords that are hard to guess. Teach your people the l337 alphabet – 1 =!, 3 = e, 4 = A, @ = a, 7 = t, 0 – O, 9 = g, and so on. For example … 4l!G@70r, would mean Aligator, the second being present in most bruteforce dictionaries, and the first – not. It is fun and it is secure!
Corporate systems should not accept passwords shorter than 8 (better 12) characters. Or give them the following idea – a favorite music group and favorite song form one long phrase which is at the same time a the perfect password – impossible to guess, easy to remember. Even better is to use phrases in their native language (if they’re not native English speakers) with Latin letters … just imagine how difficult it is for someone from another country to guess this password …
Make the learning process fun – use striking, pungent, funny phrases – let people perceive security as something positive rather than just another workout containing only a dry “food”.

8. The human factor
The last, most internal level of protection besides the workstation is the human working on it. The battle is often fought on an intellectual level before it goes to the physical. As it is in war and in business – someone might want to steal information using simple human relationships, but without external force – information may leak through e-mail, chat, facebook, etc. Most often this happens accidentally, in a small percentage of cases – on purpose.
In order prevent this from happening, again we need to rely on behavioral psychology – there is a need for training, changing attitudes towards knowing the value of information. Some people post online anything new and interesting, whether confidential or not. Someone sends an e-mail “help the child, send to all”, 20 minutes later the letter has been seen by all company employees and goes out, exporting with it a list of all their e-mail addresses … two years of work on a new product, and someone shares it in Facebook – give colorful, vivid and emotional examples to people so they can remember them on an emotional level – people are emotional, use it. If you’re not using it first, someone else will do it for sure.
As a last resort, you can use the principle of “rod and donut – penalties and incentives, as appropriate. Note that incentives must meet the value of penalties – the penalty can not be a percentage of salary, and the incentive – a company pen or tapping on the shoulder.
One question that you should ask yourself: if your employee finds a flash memory stick on the street right outside the office building, will he (or she) immediately plug it in their computer to see what’s inside? Have you trained your employees to recognize such risks?

9. 0-day attacks and protection
Having said all of the above, that risk remains unnoticed and at the same time extremely dangerous – 0-day vulnerabilities in popular software such as Adobe Acrobat Reader, Microsoft Word, Microsoft Excel, etc. – The software vendors regularly provide patches but the IT department sometimes overlooks them or does not update on time. If someone sends an “infected” file to someone’s mail and succeeds to execute code, even with all those steps above your information will be exfiltrated unless you take steps to prevent Internet access from inside out.
Since this article deals with internal protection systems located in the terminal – in this case a workstation, laptop – I recommend using a firewall which is blocking access of certain programs or processes to the Internet unless the user (or administrator) explicitly authorizes it. Just as an example I am giving the free version of http://personalfirewall.comodo.com/ – naturally, for business purposes you will have to select or the paid version or a similar product – here I am just mentioning this software only because of my personal preferences and opinion, which is subject to critics.

Leaving aside the commercial or noncommercial products for protection, are your employees aware of the risks when opening pdf, doc, xls files from unknown sources? If not, it is just the right time to teach them. A single pdf attachment sent to the assistant of the CEO may commemorate the end of one company – the day on which all the confidential data from his/her computer leaked out (not necessarily publicly) …
Are you protected from this risk? In fact, there are very few people who know how to deal with such risks. In practice, there is no commercial solution and no product which you could just buy and solve the problem … But there are logical decisions, or rather a sequence of actions that can prevent leaks in this manner.
Any code, any program is executed in the context of the user. You can change somewhat the standard environment in which the user performs each command or a program with the same privileges, adding at least one more level of complexity – some programs, such as browsers, mail clients can be executed as Guest (in MS Windows), while all others which are unable to work as Guest – as User, and only in exceptional cases – executed as Administrator. There are solutions for virtualization – virtualization of browsers, programs, or operating sysetms – also you can look into segregated networks. You can use VPN connection for Internet access and a normal connection for a corporate network (or the opposite). You can also use VPN to access both internal and external networks – do not think that is too paranoid, and it’s not as complicated to implement.
But returning again to the previous risk – execution of malicious code sent by a document received in the mail of an employee on a computer which has extremely confidential information on it. To protect the data, we can execute programs such as Outlook in Citrix, or better yet – in Windows Server 2008 – virtualization applications or hosting of applications. Thus, the program does not run on the potentially infected client computer, the data is not kept on it.

I want to remind you once again – any application used by the user, unless this is expressly required must not run with administrative rights. But we have a problem. If you execute code on a workstation, the “attacker” can “listen” and “hear” the password used even for hosted or virtualized applications, and gain access to the data in them. What is the method of protection? Somehow you have to protect yourself from the already leaked (or not public) 0-day scripts, whether they have patches or not. One solution is a free program that is still in beta, F-Secure Exploit Shield. The program is regularly updated against the latest exploits and it works very well – it monitors executable binary code in memory – not for executable files, but executable code – compares with its database, and if something does not loog good – block its execution. Personally I tested it with an exploit for which Microsoft had not yet released a patch – and the shield worked, and did not allow the code to execute.
To reduce the chance of “hacking” you can upgrade to Windows Vista or Windows 7 (recommended) this is a good solution because they feature ASLR, significantly hindering the possibility of running exploits and compromise of vulnerable programs or the operating system. Some applications may also be implemented in Web 2.0 – an example of this is a new project called EyeOS, a working version of which will be released in 2010, product featuring an open source operating system in the browser … but until this method of work is ready for business, there is still much to work to defend the current system in which data is available and vulnerable on the workstation.

So … we have protected the BIOS, we have protected the passwords amd encrypted the data, we introduced a security policy for the operating system recommended by the NSA, have a good antivirus program, a good firewall preventing unknown and unapproved by the user or administrator processes to access the external network, most ideally, we’ve included in the scheme virtualization applications or operating systems, separating the company from outside network with VPN, and have installed F-Secure Exploit Shield – in terms of security, workstations are already looking like a fortresses. There still remain some things for a sweet finish.

10. HIDS
How many companies are using Host Intrusion Detection Systems? At least in Bulgaria … quite a few. Bear in mind – from what I know from experience and from friends and acquaintances, the multitude of security breaches should trigger an active response… well, perhaps the reason is that these breaches remain unknown to the companies themselves? This is my opinion at least.
OSSEC http://www.ossec.net/) has a free version of HIDS, working with both Linux clients and servers and a Windows-based ones. Without going into details – HIDS monitors for unauthorized changes to the file system on a workstation or a server – new files, new programs, new entries in the configuration or new users, etc. – and if it finds something suspicious, sends a REPORT where needed.

It’s not so hard to implement – you would rather worry of making sure you have the human resources to review the logs regularly. What’s the point if you have HIDS and nobody to monitor the logs? It may sound strange, but some companies pay thousands of dollars for such commercial systems, only to own them, but not reviewing the logs – this is not a good idea.

11. Protection of databases
They are also one of the “last links” in the chain – if someone gains access to them, the game is over. Much can be said on the topic. But instead of suggesting you following instructions for protection, go seek instructions for bypassing database security. This is the best approach for detecting vulnerabilities in your own database, and the shortest way to success. Key words that I would use when searching are: “pentesting oracle”, “pentesting ms sql”, “database penetration testing”, etc. You can replace “pentesting” by “attacking”.
And don’t limit yourself just by the database – I’ve seen cases where the applications accessing the database are written so poorly, that the passwords for accessing the database are coded right into the app (obscured, but easy to deobfuscate), and can be seen just by looking at the strings of the app in a special editor or decompiler. Have you protected your database from such risks? Look for these vulnerabilities, request full source code review from your software vendor if possible! They may have not build the weakness in there on purpose – but if you find it, you will help yourlef and them fixing it before it’s too late. Trust, but verify!

CONCLUSION
This article could serve as a plan for “war preparation” of workstations and even servers – for small to medium organizations the planning and execution of every step in it could take somewhere between few weeks to a month in the worst case, including testing in a test environment. As a result, just in a few months you can take care of the IT Security in a medium company with little to no expenses – which is not that bad in a time of global financial crisis!

The cost of the “State of the Art” security is exactly the cost of one cheap computer for each employee, and the cost of a completely separate network, tied to the cheap computers.

I’ll explain now.

How do most security breaches occur? Via browsing, via е-mail attachments, and via social engineering in social networks (today, yesterday it was mostly the phone).

So… in order to protect your company, what did you do until now? Yes, you purchased all these security systems, and your computers/servers/users are still being “owned” by attackers. Why? because you’re doing the silliest thing one can do in a modern dangerous world – you’re exposing your most critical IT resources to the Internet.

Separate them.

Let your users have 1 computer (or it could be virtual if your workstations are good enough) for browsing, reading e-mail, chat, etc. And let them use another computer, for access to company critical IT systems. (I will write a detailed article on this for CIO, so stay tuned for more details).

Does it cost much? No. Basically, it’s just a monitor and a cheap PC – say… 400 USD per seat, including the cost of building the separate netwrok. That is a small cost, compared to what you could lose in a breach. To be honest, I would prefer the virtual solution – but it completely depends on your environment. Just keep in mind that for the virtual one – you will need to add one additional network card in each pc or server, and still need to build the completely separated network – and use that network for the virtual machines.

Рано или късно, някой ще придобие достъп до вътрешната ви мрежа. Дали чрез social engineering, или чрез браузър експлоит, чрез пробив в уязвим сървър, приложение или просто като постъпи на ниска позиция в компанията за да открадне данни – това ще се случи

Александър Свердлов

Това твърдение се базира на солиден опит и много, много случаи в които съм виждал компрометирани защити. Нека разгледаме най-добрия възможен вариант на добре защитена компания.

Имаме изградени процедури по създаване, проверка, одобрение и изпълнение на всяка възможна промяна в бизнес системите, имаме най-добрите корпоративни защитни стени и антивирусни системи, имаме IDS и IPS системи пред и зад защитната стена, включително и на всеки клиентски компютър. Обаче… в един момент тези системи се обръщат срещу нас. Имаме сървъри, на които работят критични за бизнеса приложения. Един ден разбираме, че е налице уязвимост в сървърната операционна система, но не можем да си позволим да приложим кръпката – има опасност за бизнес процесите ако сървъра престане да работи, и просто приемаме риска. “Кой ще атакува точно нас, точно сега, с точно тази уязвимост? Едва ли. Затова, приемаме риска”.

Никой няма да се цели точно в нашата компания

Да… реално, никой няма да атакува точно сега, срещу точно тази уязвимост, точно вас. Защото наистина, едва ли на някой ще му се занимава да следи точно вашата компания и да чака да се появи уязвимост (освен ако не сте “на прицел” – ще се спра и на това) и причината е проста. Когато е налице публично експлоатирана уязвимост, т.нар. 0-day, изключително бързо на сцената излизат роботи, програмирани да сканират цели мрежови сегменти за тези уязвимости и да се възползват от тях. Никой няма да се занимава да ви атакува, да търси уязвимости, да рискува безопасността си с опасни действия – просто ще се случи автоматично. Естествено, не говорим за частни експлоити, които се търгуват на черния пазар и излизат наяве чак след като някой независим изследовател намери същата уязвимост и я публикува – тези частни експлоити се използват, когато сте под таргетирана атака.

Когато сте на прицел

Ако разполагате с информация, която може да е търсена на черния пазар – лични и банкови данни, уникален и скъп софтуер, медицински тайни, патентовани непубликувани технологии – и някъде по света някой е готов да плати за тях, има голяма вероятност също така някъде, някой по света да иска да вземе парите и да открадне информацията от вас. И ако този някой е опитна група от специалисти, … не съм чувал за случай, в който такава група да не постигне целта си и да не успее да проникне в целевата организация. Може да има такива случаи, но аз не знам за такива. Когато чуя “таргетирана компания”, чувам всъщност “компания в чиято мрежа има нарушител”.

Следователно е време да смените начина си на мислене – от “какви защити имаме” е време да минете на “как пазим информацията” – а ако информацията ви е от особена стойност просто приемете, че във всеки момент от време, в мрежата ви има нарушител(и). Дори не е нужно те да имат връзка помежду си – чувал съм за това как някой прониква в дадена компания, и открива следи от предишни прониквания. И ето една интересна мисъл: ако компанията знаеше за предишните, мислите ли че нямаше да изчисти тези следи? Имайки предвид това, въпросът който трябва да си задавате в момента е: “Ако в мрежата ни има нарушител, как ще предпазим данните си?”

Този начин на мислене може да ви предпази много по-добре, отколкото оглеждането за най-добрата защита на пазара. Просто няма такава – има най-добре продавана защита, но не най-добра сама по себе си.

Враг в крепостта

И така, имаме нарушител (не “потенциален,”, реален). Ако е в мрежата, той вече има достъп до потребителското име и парола на поне един служител в най-добрия случай, в най-лошия има достъп до домейн контролер като администратор и може да получи достъп до всяка точка в мрежата, която се контролира от този домейн контролер. Може би е придобил права да чете и модифицира информация в база данни, достъпна отвън, може би има възможност да променя корпоративния уеб-сайт и да компрометира информацията на вашите клиенти, дори да ги заразява със зловреден код… вариантите за проникване са много, фактът е един. Някой е зад “стената” от погрешната страна, и вече търси това, което ще му донесе пари или слава. Опираме до принцип, известен от десетилетия, но все още, по неизвестни никому причини, не прилаган почти никъде.

Defense in Depth

Нека поспрем за момент. Аз съм човек, който мрази сложните термини, като intrusion detection, intrusion prevention, firewalls, honeypots, и т.н. Добри маркетинг инструменти са за тези които ги продават, важното е – какво са те за вас? Дали са амулети с магична сила, които по някакъв начин ще направят информацията с която работите, неценна за потенциалните нападатели? Защото освен ако не е ценна, те ще продължат да идват, да търсят, да атакуват, докато не я получат. И никой не ви гарантира, че след като го направят, ще ви информират за постъпката си. Ако не ви информират, защо сте толкова сигурни че “се пазите”, а не, че “вече е късно”?

Ако сте чели руски приказки като деца, има една много интересна история с иглата, която нашият приятел Иван тръгва да търси. Тя е скрита в яйце, яйцето – в патица, патицата – в заек, заекът – е в шок… Но не в това е въпроса. Къде е уязвимостта? Историята ни показва, че моделът на защита на иглата е повреден – защитата е стъпаловидна, също като защитите (като пример) в някои информационни системи на важни български ведомства. Какъв е проблемът със стъпаловидните защити? Последното стъпало, преди самата информация. В случая с иглата – това е яйцето, и по-точно крехката му черупка.

Непробиваемата черупка

Използвайки горния пример с приказката. Смъртта на главния зъл герой е възможна, само ако някой се добере до иглата, скрита в яйцето. Възможно ли е същото да важи за смъртта на една компания? Възможно ли е дадена компания да бъде буквално изтрита от лицето на земята, ако най-големите и тайни бъдат откраднати? Отговорът е да, вие сигурно го знаете по-добре от мен.

Многостепенните защити ще забавят потенциалния враг, но няма да го спрат. Важното е какво правите с “иглата”, с информацията си. Каква е последната степен на защита, кое е нещото, с което пазите Вашата информация, това, след преодоляването на което някой може просто да я вземе и да я изнесе?

Криптирайте информацията си. Пазете ключа към криптираната информация която е критична за вашия бизнес в сейф, който не може да бъде отключен от един човек (или поне такъв с два механизъма за защита, и поне двама души трябва да имат достъп до всеки един, но никой – и до двата). Добрите стари методи на физическа защита не са отживелица. Няколкото минути които ще бъдат загубени за достъп са нищо, сравнени с потенциална тотална вреда за бизнеса.

Когато говорим за информация, която се съхранява на потребителски компютри и сървъри от ниско ниво без особено значение – и ако тази информация може да бъде продадена, или може да причини вреда на бизнеса ако бъде изгубена или публикувана – криптирайте и нея. Има много добри, безплатни програми за целта като TrueCrypt. Криптирането на една флаш памет отнема няколко минути, обучението на служителите да работят с програмата отнема няколко минути, колко трудно е да го въведете като практика?

Да, дори MI-6 не го правят – постоянно четем новини за изгубени топ секретни лаптопи и флаш памети, чиято информация не е криптирана… Е, добре, след като те не го правят, трябва ли да следваме техния пример? Или можем да се справим по-добре? Друг метод: ако всеки служител имащ достъп до конфиденциална информация, може да я достъпи само с помощта на смарт-карта с чип, върху който се пази криптографският ключ – това вече е защита, която изключително трудно се преодолява отдалечено, без физически достъп до мрежата или до вещите на служителите и искрено ви я препоръчвам.

Александър Свердлов

Искате ли да бъдете в състояние да заявите на своите служители, клиенти и инвеститори, че информацията им е “защитена”? Не можете да бъдете честни, правейки такова изказване, ако не е налице някой, който постоянно атакува мрежата ви и потвърждава тази защитеност на практика. Най-евтиният и понякога най-ефективният начин за целта е да създадете собствен “тигров екип”. Обикновено това формирование включва добър комуникатор (за социална инженерия), програмист, “мрежар”, специалист по *nix системи и по Windows системи, както и специалист по пробиване на уеб приложения. В зависимост от големината на компанията и нейната мрежа, всяка от тези функции може да бъде изпълнявана от повече от един човек, или пък един човек да изпълнява няколко от тях. Естествено, не всеки програмист е подходящ за целта – задължителен е опит в преодоляване на системи за сигурност, писане на експлоити, все неща, за които много разработчици само са чували от техни познати, които са виждали как техен приятел го прави… Трябва да имате предвид също, че такива хора не се намират лесно – те не четат обяви за работа, не се предлагат сами на пазара, а в редките случаи когато работят “на чисто”, са доста заети.

Как да сформирате “tiger team”?

Ако не разполагате вече с такива специалисти (отново подчертавам, с опит в преодоляване на системи за сигурност от най-различно естество) ви остава ви само едно – да отделите служители, и да им поставите цел – за една година да се обучат да атакуват собствената ви мрежа. В тази криза, инвестирането на цяла година заплати, време, ресурси при риска тези хора да отидат другаде по-късно, не е лесно решение. Да, това не е звучало приемливо и на нито една от държавните и частни институции, ежедневно компрометирани от най-различни индивиди – от индустриални шпиони до крадци на лична информация – въпросът е, колко плащат те, техните клиенти и партньори като резултат от това? Готови ли сте да поемете риска да загубите неизвестно количество информация, клиенти, имидж, само заради желанието си да спестите пари за обучение на такъв екип? Един-единствен penetration test в зависимост от мащабите на мрежата ви, може да струва десетки хиляди евро – и повече – а продължителността му обикновено е около седмица. Кой ще проверява системите ви за уязвимости през останалата част от годината? От тази гледна точка, собственият екип е невероятна ценност. Виждал съм как работят такива екипи в компании като Paypal, American Express, Bank Of America – например, веднага щом получат дадена система за сигурност, сървър, продукт използван в компанията за обработка на данни – те го проверяват из основи за дупки в сигурността – нещо, което извършено от външна компания ще ви струва много пари, а ако не го направите… рискувате информацията си. Вътрешния екип, ако го отгледате и се грижите за него добре, е изключително ценна придобивка. Ако искате да го направите, тази статия е за вас.

Обучение

Започваме от елементарните неща – всечи член на екипа трябва да придобие базови познания по ИТ сигурност, и това не може да стане с четене на книжки или ходене на курсове. Въпреки, че и в България вече се нароиха “специалисти” обучаващи в White Hat Hacking (дават и сертификати), в много случаи след като преминат тези курсове злощастните им посетители стават “penetration tester”-и, и “тестват” сигурността на компании като вашата… със същото съмнително качество, с което биха го направили техните учители.

Истината е, че сертификатите не значат абсолютно нищо в тази сфера. Ако отидете на, да речем, конференция “Defcon” или “BlackHat” и попитате някой от лекторите колко сертификата по ИТ сигурност притежава, ще му осигурите дневната доза смях. Все едно да питате някой шампион по бягане или вдигане на тежести, колко сертификати и какво образование притежава. Тук тези неща просто не важат – приемете го като факт. На някои сертифицирани “етични хакери” им е излязло име – “хартиени тигри” – не без причина. Те могат да ви замаят с хартийките си, но поставете ги в реална ситуация на атака – ще седят в храстите и ще се чудят откъде да започнат… тези хора са безполезни за вашата компания. Бягайте от тях. Това важи с особена сила когато наемате служители за позиция “ИТ сигурност”. Виждал съм доста обяви, съдържащи неща като “познание на тази защитна стена, тази операционна система, и този продукт”, но нито една не съдържа изискването “опит в преодоляване на системи за сигурност и защита на мрежи от външни атаки”. Такива хора трудно се намират – остава ви да обучите свои.

История и практика

И така, след лиричното отклонение – отново към целта – елементарните познания по ИТ сигурност. Като във всяка дисциплина, се изисква познаване на историята – на първите компютри, първите “хакове” на телефонни системи, първите стъпки на “социалните инженери” в САЩ, всички тези неща не се изучават в курсове и университети. Можете да закупите книгата “Тhe Best Of 2600″ (доста дебела книга) от Amazon.com – това е една прекрасна основа, която да дадете на екипа. Също така е и съществен мотивиращ фактор, моделиращ мисленето им – вече сами ще могат да поставят цели за обучението си, с правилната насока, идваща отвътре… ако успеят да хванат “нишката”.

След като усвоят историята идва ред на практиката. Изисква се малко пътуване във времето – отново, назад. Сайтът http://www.phrack.org/ е нещо, което всеки от екипа трябва да познава като буквар – като се започне от първия (исторически) брой и се стигне до последния. След като отделят няколко месеца за изучаването му (и практикуване на наученото), членовете на екипа ще имат вече и необходимите технически позания, за да направят следващата стъпка.

Тестова среда

Осигурете на екипа тестова среда – могат да работят и с виртуални сървъри, но е добре да имат поне 1, като минимум, с който да си играят на хардуерно ниво. Ще им трябва тестова безжична мрежа, тестова VOIP среда, тестова мрежа тотално изолирана от Интернет или от вътрешната мрежа, и втора мрежа свързана само с Интернет, но отново тотално изолирана от вътрешнофирмената среда. Един VMWare ЕSX сървър, стоящ върху 4 или 8-процесорна система и достатъчно голям дисков масив и външен сторидж, е добро минимално начало. Работните им станции, имайки предвид параметрите на съвременните компютри, би трябвало също да издържат по поне 2 едновременно работещи виртуални машини – това ще спести пари от сървъри и ще им даде повече контрол, без да зависят всички едновременно от една кутия. Създаването на тези тестови среди ще е само по себе си добра тренировка, както и поддържането им в работно състояние.

След като построят тестовата среда, ще им трябват сценарии за атака – за това, могат да се обърнат към множество сайтове за wargaming. Един пример – http://www.de-ice.net/ . Още един пример: за да се научи някой да пробива уязвимости в уеб сървъри, може да използва приложения написани специално за целта – като WebGoat на проекта OWASP (www.owasp.org). Изпълнението на задачите поставени от тези сайтове изисква истинска екипна работа от хората ви.

Оттук насетне, ролите се разделят (почти)

На този етап всеки в екипа поема нещата в свои ръце, специализирайки в атакуване на системи от неговата област. Ако досега са четяли една и съща книга, един и същи “исторически” сайт, сега е време да се развият като индивидуални “ловци” – да намерят потенциални, приличащи на работните “възли”, опорни точки и слаби точки които могат да атакуват, и да го правят докато не се научат да пробиват. 7-8 месеца са напълно достатъчни за целта, поне за познанията, необходими им след приключване на периода за постоянна атака на работната мрежа. Социалния инженер започва да изготвя стратегии за “пускане на въдица” в своята компания, от рода на фалшиви е-мейли водещи към фалшиви сайтове с измамни полета за потребителско име и парола, обаждания по телефона измъкващи конфиденциална информация, всичко това ще му е вече познато от горните два източника, той ще може да изготви план въз основа на вече наученото и да се движи напред. В тестовата среда ще пуска имитации на корпоративния интранет, ще използва написани от програмиста “вируси” за заразяване на тестови системи. Същото важи за програмиста, мрежаря, *nix специалиста, и този който ще пробива уеб приложения – изпълнявайки своите задачи по атака на тестовата мрежа, те си помагат един на друг и напредват заедно към целта. Работейки заедно, всеки ще попие от другите знания, които ще обогатят неговата роля и ще го направят по-продуктивен.

Ако наистина създавате екип, а не разчитате на един човек – ще видите невероятна динамика между тях – едно е да работиш с някой върху таблица в Excel, съвсем друго е да планираш атака срещу потенциално уязвима система… това ще е нещо което ще ги задържи заедно и ще ги движи напред – ако имате шанса да ги наблюдавате как работят, ще искате всеки в компанията да работи с такъв хъс!

Продължаваща мотивация

За да ги стимулирате допълнително (а стимул няма да е излишен – когато си объркан, не знаеш накъде да поемеш с атаката, винаги е добре да имаш пред себе си цел) можете да им предложите бонус за всяка успешна и документирана атака. Така ще ги доближите и до “черните” им събратя, които получават понякога до 5000 долара! за малка успешна атака и открадната информация – вие едва ли ще искате да им плащате по толкова, но идеята е същата – материалният стимул работи за врага, ще сработи и за вас.

След завършване на едногодишния период на обучение можете да промените схемата – ще се плащат бонуси за успешни атаки вече срещу работната среда, а не тестовата – както и за “заловени” “хакери” – прекъснати атаки, проследени източници, блокирани бъдещи атаки благодарение на уловени опити – само месечната заплата не е достатъчна да накара някой да търси игла в купа сено по цял ден. Но ако плащате за всяка намерена игла… нещата се променят. Ще видите реално отразени атаки, и ще виждате мрежата си все по-защитена и по-защитена с всеки изминал ден. А това е нещо, което определено си заслужава да бъде видяно!

Ok… our next steps? Source code audit. A quick browse through the source code revealed a home-grown CMS, where NONE of the variables were protected, and a few files were infected with a known chinese web worm. Clean the worm? Not so fast security-boy! The CMS apparently was written in such a way, that if you try to strip out JS functionality, the whole system breaks up. If you try to clean the JS file, the whole system breaks up. In the end, I ended up manully modifying the core code of the CMS just to prevent future infections and clean it up. Not nice… not your regular virus/worm infection.

A quick remote check on his computer revealed trojans too – so who knows where the infection originated from. A complete reinstall was suggested, as well as thorough follow-up on the videos on this site in order to prevent the same thing from happening agian.

Update: his site is restored in Google and Firefox rankings after the clean-up, just 24 hours later.

From what my testing shows, it’s amazing in performance and will serve more than well almost everybody.

Stay tuned!

And if you care exploiting… yourself? http://www.skullsecurity.org/blog/?p=285

Do you own an IIS&WebDAV *combination*? Disable WebDAV.  Microsoft will probably be here with a patch in 1/2/n weeks.

Thank you all who attended the “Security in Web Applications” session – I hope it was at least slightly useful and entertaining!

See you on WebTech 2010!

The presentation and documents you might need to understand it (40 minutes… was NOT enough ) – http://www.securityguy.org/webtech_2009.tar.gz

Short version HERE

There are databases of criminals containing their faces, but these databases have the same weakness too – the other part of the information, the textual one – name, date of birth, place of birth, etc, are matched against other textual information, and no face info is matched in the way fingerprints are.

I don’t know if that make it clear… so I’ll try to explain better. When a fingerprint is stored in a database, it’s not an image that is stored, but sort of unique curve positions and forms, in a dotted format, much like GIS if you’re familiar with it. Dot positions are much smaller in size when stored, and much easier to compare/match.

So, when a criminal record is matched against a fresh fingerprint gathered at a crime scene, these dots are matched… to see if the fingerprint belongs to any already stored record.

Let’s try to correlate this to the face you have – and the pictures you got on your IDs. There is no practical way to match your photo to a database to see if you’re a criminal, terrorist, etc. So what do they do? They match the textual info found on your passport when you cross the border… and if you happen to keep the photo but change that info – you get “free out of jail card”… and pass the border.

Some countries, like Dubai, have implemented biometric checks on their borders for known criminals – retinal scan, actually, which is much better than the ones used in the States, for example. But… they’re expensive, hard to implement, you have to actually find the criminal and take his retinal reading in order to input in the database… not really practical, unless you dig money out of the ground.

And here comes my idea… use facial recognition to build the same dot maps used for fingerprints, to match a suspect against his photo, not against a textual data in a database. A person can switch his name in his passport, but could he change his face? Not likely… unless he’s got enough money and painkillers to go through a surgical operation every 6 months  in order to travel freely.

Amazing work by F-Secure! http://www.f-secure.com/weblog/archives/00001607.html

From their website:

You may also remember that Microsoft patched MS08-078 around the same time. Multiple versions of Internet Explorer were affected on multiple versions of the Windows OS and exploit code was circulating at the time. Exploit Shield 0.5 was able to proactively protect against those exploits.

Exploit Shield is designed to shield Web browsers between the development of an exploit and the release of the vendor’s patch.

To sum up, Exploit Shield provides:

•  Zero Day Defense: Protects unpatched machines.
•  Patch-Equivalent Protection: Vulnerability “shield” updates.
•  Proactive Measures: Heuristic detection techniques.
•  Protects Against All Websites: Regardless if untrusted or trusted and malicious or hacked.
•  Automatic Feedback: detected exploit attempts are automatically reported to F-Secure.

Look no further. You can do it with the built-in tools you have in your Active Directory environment.
First, download the Group Policy Management Console here. Install it.

To prevent users from using usb drives, you will need USB block ADM file (768).

To prevent users from writing to usb drives, you will need USB write protect ADM (519).

An additional step that needs to be performed before the above tip will work has to do with modifying the file access permissions for 2 files. You need to remove the SYSTEM access permissions from the usbstor.sys and usbstor.inf files.

You can do so by right clicking these files > Properties, then going to the Security tab. There you need to remove the line for the SYSTEM account.

Note: Under some circumstances, the SYSTEM should have write access to these files during Service Pack installation. For example, when the SP is installed via GPO or SMS, the installation runs under the SYSTEM Account.

Service Pack needs to replace the files to a new version and without proper write access to the file, installation will fail… Therefore, before each SP deployment we need to allow access to the SYSTEM account for these files.

Adding .ADM files to the Administrative Templates in a GPO

In order to add additional .ADM files to the existing Administrative Templates section in GPO please follow the next steps:

1. Open the Group Policy Management Console (or GPMC) from the Administrative Tools folder in the Stat menu, or by typing gpmc.msc in the Run command.Note: GPMC is not a built-in part of Windows 2000/XP/2003, and needs to be separately installed, yet remember it can only be used effectively on Windows Server 2003-based Active Directory.
   If you do not have GPMC or cannot install it then you’ll need to edit the GPO via the regular means, i.e. from Active Directory Users and Computers management tool (dsa.msc).
2. Right-click an existing GPO (or create an new GPO, then right-click on it) and select Edit.
3. Expand either the Computer settings or Users settings sections of the GPO. Go to the appropriate Administrative Templates section and right-click it. Select Add/Remove Templates.
4. In the Add/Remove Templates window click Add.
5. Browse to the location of the required .ADM file and click Open.
6. In the Add/Remove Templates window notice that the new .ADM file is listed, then click Close.
   Now re-open the Administrative Templates section and browse to the new settings location.

Disabling GPO settings filtering

Many custom Administrative Templates require you to remove the requirement to show policy settings that can be fully managed in the GPO editor. To do so follow the next steps:

1. After completing the above procedure, browse to the newly added Administrative Template section.
   Note that the section is indeed listed, however in the right-pane is empty.
2. Right-click an empty spot in the right pane and select View > Filtering.
3. In the Filtering window click to un-mark the “Only show policy settings that can be fully managed” option. Then click Ok.
   Notice how the available options are now displayed in the right pane.

You can now configure these options as you please.

Replicating the added .ADM files across the domain

When adding new .ADM files to any GPO you actually place new features in the Administrative Templates section for that GPO. These settings should be accessible from any DC, and should apply to any computer that is affected by that GPO.

However, if the .ADM files were added, for example, when sitting on DC1, how do you make sure they are also replicated to DC2, DC3 and so on?

Well, luckily for us, in most cases there are no additional configuration steps involved. When adding the new .ADM file it is automatically uploaded to the following location on the DC that was used to edit the GPO (usually – the PDC Emulator,

%SystemRoot%\SYSVOL\sysvol\domain name\Policies\{GPO GUID}\Adm

Because all of the SYSVOL folder is shared and automatically replicated all over the domain, the uploaded .ADM file will automatically replicated to all the GPO instances on all DCs in the domain.

However this might cause a problem when using too many templates and too many GPOs, especially on slow WAN links.

In Windows Server 2003, the size of the Administrative Templates has grown when compared to the same .ADM files in Windows 2000. As a result, the entire set of Administrative Templates has grown to almost 1.75MB. When you multiply this size by each Policy that SYSVOL contains, you can see that much space is devoted to these templates.

For example, for a large corporation with 1200 GPOs in place, the entire SYSVOL folder (where the GPOs are located on each DC) can take up more than 1GB of hard disk space. Replicating such a folder over the WAN (especially when promoting a new DC) can be very problematic.

Removing .ADM files from an existing GPO

Whenever you do not need the added feature anymore you can simply reverse the process and instead of adding new .ADM files – removing them.

Before removing an Administrative Template, make sure you modify its policy settings and wait for Group Policy to refresh on all the computers that were supposed to be effected by the GPO. This is because removing an Administrative Template that was previously installed does not change or remove any Registry settings that the GPO deployed when Group Policy was last processed.

UPDATE: http://www.intelliadmin.com/blog/2007/01/disable-usb-flash-drives.html is one good resource on locking the drives, too. Just run the exe’s from the bottom of the post and you should be fine.