CompTIA CASP+ CAS-004 – Chapter 04 – Implementing Security for Systems, Applications, and Storage
- Chapter Introduction
In this chapter, we’re going to be looking at implementing security for systems, applications and storage. We’re going to start with security for host devices, cover topics like the trusted OS and endpoint security software, as well as host hardening and some of the protections that we have for bootloader mechanisms. Then we’ll look at mobile device security. Of course, mobile devices are heavily in use in today’s enterprise environments.
We need to make sure that these mobile devices are connecting in a secure fashion. So we’ll be going over various features in the mobile device operating systems that enable security, as well as wireless connectivity options and the security technologies that are in use there. Then we’ll be looking at software security controls. How do we go about ensuring that the applications that are in use in the enterprise are as secure as possible?
- Topic A: Security for Host Devices
In this first topic, we’re going to talk about security for host devices, because securing a network can’t stop at controlling and monitoring network traffic. Network attacks are created with the end goal of attacking individual hosts. And so in this topic, we’re going to cover various options that are available to protect hosts, and then the issues that these options are designed to address.
- Trusted OS
We’ll start with the concept of the Trusted OS and how and when to use it. A Trusted Operating System is simply an operating system that provides a sufficient level of support for multilevel security, as well as evidence of meeting a particular set of government requirements. The goal of designating operating systems as Trusted was first initiated by the Trusted Computer System Evaluation Criteria, or TCSEC.
This was developed by the National Computer Security Center for DoD purposes, so that the Department of Defense could evaluate products. It issued a series of books known as the Rainbow Series that focus on computer systems and the networks in which they operate. Now, the Orange Book is a collection of criteria based on the Bell-LaPadula model. It’s used to rate the security that’s offered by a particular operating system or computer system product.
The Orange Book discusses topics like covert channel analysis, trusted facility management, and trusted recovery. TCSEC was replaced by the Common Criteria, or CC, an international standard that was the result of a cooperative effort. This uses evaluation assurance levels, or EALs, one through seven, to represent different levels of security testing and design in a system.
So the resulting rating represents the potential that the system has to provide security. It assumes, of course, that the customer is going to properly configure all the different security solutions, so the vendor has to provide documentation that allows the customer to fully achieve those ratings. The CC has seven assurance levels, which range from EAL 1, the lowest, where functionality testing takes place, through EAL 7, the highest, where thorough testing is performed and the design of the system is completely verified.
- Trusted OS Options
Some examples of trusted operating systems and the EAL levels they provide are Mac OS X 10.6, which is rated EAL3+; HP-UX 11i v3, which is EAL4+; some Linux distributions, rated up to EAL4+; and Microsoft Windows 7, which is also EAL4+. For the exam, we do need to know the EALs, even though the Common Criteria is moving away from them and toward the use of something known as protection profiles. You’re going to want to know those. There are some additional options that are available.
Security-Enhanced Linux, or SELinux, is a kernel security module that, when added to the Linux kernel, separates the enforcement of security decisions from the security policy itself, and so it streamlines the amount of software involved with security policy enforcement. SELinux also enforces mandatory access control policies, and those are used to confine user programs and system servers. It limits access to files and network resources. SELinux doesn’t have a concept of the root superuser, which is common in other distros, and so it doesn’t share the well-known shortcomings of your traditional Linux security mechanisms. In high-security scenarios where the sandboxing of the root account is beneficial, the SELinux system should always be chosen over regular Linux. SE Android is an SELinux version that runs on Android devices.
The SE Android 5.0 release moved to full enforcement of SELinux, building on the more permissive release of 4.3 and the partial enforcement of 4.4. Software that runs on SE Android has only the minimal privileges needed to work correctly. So that helps to lessen the damage that malware can do. But it sometimes blocks applications or functions that employees need. So to manage that default behavior, you really need shell and root access to the Android devices. SSHDroid is an app that allows you to access Android devices from a computer using SSH.
And you can gain root access by using the ADB (Android Debug Bridge) command. That’s actually part of the software development kit for Android. Or you can just root the device to get full access. That’s certainly not an approach that’s for everyone, because device vendors don’t support rooting. And then we have Trusted Solaris. That’s a set of security extensions incorporated into the Solaris 10 trusted OS. Solaris 10 is Common Criteria certified at the EAL4 level and has a number of enhancements: role-based access control, auditing, mandatory access control labeling, and the like. And that environment allows the security administrator role to extend the list of trusted directories, which is different from previous releases.
- Security Software
Endpoint security is accomplished by ensuring that every computing device on the network meets certain security standards. And so we’re going to discuss some of the software and devices that are used to provide endpoint security. That includes AV software and other types of software and devices that enhance security. So the first is antimalware. We’re not helpless in the fight against malware. It sometimes is a daunting task, but there are both programs and practices that help mitigate the damage that malware can cause. Antimalware software addresses problematic software like adware, spyware, viruses, worms, Trojans, and other forms of destructive software. Most commercial applications today are going to combine the functions of antimalware, antivirus and antispyware into a single tool, and so that tool usually provides protection against malware, viruses and spyware. An antivirus program, on the other hand, just protects against viruses. An antispyware tool just protects against spyware. So we really need to take a look at the documentation of any tool that we’re considering using, just to understand the actual protection that it provides. This is also going to require some additional user education on how to use the internet safely.
That’s definitely a part of the process of preventing malware. So what are we talking about? Well, things like keeping antimalware applications current, doing real-time and scheduled scans, turning off AutoRun or AutoPlay, disabling images and the previews of images in Outlook, telling users not to click on email links or attachments, showing them how to surf smart by checking for SSL, as well as hardening the browser. Now, mind you, a lot of applications already come with a number of these configurations in place, but it’s something that can be modified.
And as security professionals, we need to make sure that we’re centrally managing these to limit the user’s ability to disable those protections. It’s somewhat assumed that if you’re taking this course you’re familiar with these concepts. But just to make sure: antivirus software is there to identify viruses. Viruses are malware that attach themselves to other programs. It also can identify Trojans, which are malware that embeds itself in another functioning program and then executes when that program is installed, and worms, which are sort of on their own and just replicate themselves. Antivirus software is going to identify them and then either delete them or at least quarantine them until they can be removed. And it’s all based on the definitions that are downloaded by the software. So these definitions need to be kept up to date, and that really should be centrally managed. Then we have anti-spyware. Spyware tracks user activities.
Spyware can be used to gather personal information that could lead to identity theft. In some cases, spyware can even direct the computer to install software and change settings. As we said, most of these programs are now going to include spyware detection. So the antimalware programs that you use should do both. That brings us to spam and spam filters. Spam is an annoyance to users. It’s an aggravation to email administrators who have to deal with all the extra space it takes up. But it goes beyond that, because there’s the possibility that a spammer can be routing spam through your email server, making it appear as though your company is the spammer, and then you get blacklisted. Sending spam, unsolicited email, is illegal, so spammers will attempt to hide the source of the spam, and they’ll do that by trying to relay through corporate email servers.
It doesn’t only hide them, though; it also gets the company in trouble. And so we need to make sure that our email servers are protected from this. Spam filters are designed to prevent spam from being delivered to mailboxes. The issue with them is that often legitimate email is marked as spam, so the level of false positives is pretty high, and trying to find the right setting can be somewhat challenging. Users do need to be informed that there isn’t a perfect filter, so they should regularly be checking the quarantine for legitimate email.
And you should be choosing an anti-spam solution that provides the ability to notify users that messages have been quarantined and gives them the option to release those messages. Patch management is another area that’s a really big deal and sometimes gets overlooked. Software patches are updates that are released by vendors, and they either fix functional issues or close security loopholes in the OS and applications, as well as firmware that’s running on network devices. So we need to consistently apply this across the enterprise, and in order to do that, we need to have a formal system that makes sure that all our systems have the latest updates. It also should provide testing in a non-production environment. It’s impossible for a vendor to anticipate every single loophole or the impact that a change may have on business-critical systems on the network, so it’s the responsibility of the enterprise to test those patches. There are, in general, three different types. A hotfix is an update that solves a security issue, and those should be applied immediately, assuming that the issue is relevant to that particular system. Updates often solve a functionality issue rather than a security issue, and service packs are a collection of all the updates and hotfixes since the release of an operating system.
- Additional Host-Based Software Options
There are some additional host-based software options. Some of these we’ve mentioned at some point. So host-based IDS or IPS: we talked about those as a network device, but a host-based one would be a system responsible for detecting unauthorized access or attacks against a particular system. This is required if protection is needed for a single device. Data loss prevention, or DLP, systems are used to prevent data leakage, which is when sensitive data is disclosed to unauthorized personnel, whether purposely or inadvertently. The value of a DLP system lies in the level of precision that it can use to locate and prevent this leakage.
DLP often does reside on endpoints; it’s considered an example of endpoint security software. One place that’s pretty common these days for DLP to reside is on the email systems, to scan outbound email against certain policies to try to determine if data leakage is occurring. Then we have the host-based firewall. A host-based firewall resides on a single host, and it’s designed to protect that host only. Most of your operating systems today are going to come with host-based firewalls. In addition to that, there are commercial host-based firewalls that are designed to pay particular attention to a certain type of traffic or protect a particular application.
On a Linux-based system, the most common host-based firewall is iptables, which replaced the previous package called ipchains. It has the ability to accept or drop packets. You create firewall rules just like you can an access list on a router, and those rules can define the type of traffic based on source address, destination address, and the application-layer protocol. On a Microsoft computer, you use Windows Firewall with Advanced Security to create rules, and those rules, again, can be based on IPs, port numbers, or specific programs. There are also a number of built-in rule types that can simply be enabled. The Windows firewall can also be enabled in an enterprise environment and completely configured through central management software known as Group Policy.
- Demo – Configuring a Host-Based Firewall
In this demonstration, we’re going to look at the configuration of a host-based firewall. So I’m going to go in here in Windows 10 and we’re going to click on the Settings app. In Windows 10, the Settings app is the location for just about everything. They’re kind of moving everything from Control Panel into here. So if I go into the Update and Security section of the Windows Settings app, then I’m going to have access to the firewall under Windows Security. Mine is running an older build here, so under Windows Security we’ll open the Windows Defender Security Center.
And this is primarily why I was looking at it here. I mean, any host-based firewall is going to be similar. Some are third party, some are built in. Windows has had a built-in firewall for quite some time. In Windows 10, just recently, they’ve changed the name of it for whatever reason, and they’ve put it into the security section in the Settings app. So I was just going to open up this Windows Defender Security Center and discuss all of the capabilities that it has. So notice we’ve got some built-in antivirus and threat protection. We’ve got some account protection that’s built into this, dynamic lock, for instance, but that is available. And then you get the firewall and network protection, and this is where we’re going to focus. But you can see it’s a central location for a number of different security-related features. So the vast majority of your users are likely using either Windows 7 or Windows 10, and more and more seem to be going to 10 as of late. So the vast majority of them are going to have this capability. So a couple of things.
The Windows Firewall distinguishes between the domain network, the private network and the public network. Public or private is chosen when I connect to a network, or in my case, when I just ignore the screen and click Enter real quick; then it sees it as public. I’m not on a public network, but Windows has identified it as a public network because that’s the choice I made the first time I ever connected to it. If I want to go in and change it, I can change it to a private network. If I belong to a domain and I log into the network where that domain resides, then the domain network will automatically be chosen. And this is important because it is a profile.
So this is my public network that I’m connected to. I want the firewall on when I’m connected to this public network. And then this is uncommon, but you can block all incoming connections overriding the list of allowed apps. All right, we can also just go down here and say we want to allow an app through the firewall and it’s going to open up essentially like a wizard that’s going to walk me through the process of saying I want this program to be allowed. Now you can also do that from the program itself by just running the program, and you’ll be prompted to do that. Now this is actually going to take me over to Control Panel. So you still kind of have a mix of different things. So within Control Panel, then I’d have to hit Change Settings, and when I hit Change Settings and I’ll just click Allow another app and then it’s going to take me through the process. Typically, I would just hit browse. I would go find the executable, and then we would be done with it.
I would hit Network Types and say, these are the types of networks that I want to allow traffic on for that program. Let me just go back here. This is also now referred to as the Windows Defender Firewall in Control Panel, and I’m going to minimize that for right now. Then we have firewall notification settings, Advanced Settings, and restore the firewall to its defaults. If you click on Advanced Settings, you’re going to get prompted with User Account Control, and then basically it’s just going to open up the same place that I was just looking at. So we’re just going to get Control Panel. It was already open, so it didn’t do anything, but that will take you to Control Panel.
So in Microsoft’s terminology now, Control Panel is “advanced” and the Settings app is not. But what you really want to do to get to Advanced Settings is click on Advanced Settings here, and that will open up Windows Firewall with Advanced Security on the local machine. Okay, here we can create and manage inbound and outbound rules. Give it a second there. Okay, so I’ve got a lot of different rules. What in the world is this? And you might go in and see rules and wonder, I’m not really sure exactly what all that is. A lot of these are just going to be programs. As you install programs and then you allow traffic to that particular program, rules get created.
You do have the ability to go in at any time and create a brand new rule. If you create a brand new rule, we can go by source, we can go by program, we can go by a port number, or we can use the predefined rules, and they’ve got a whole list of predefined rules that exist. But if you, say, had a customized application or something that you needed to allow, then we would probably just go port. Say it’s TCP and it’s port 2048. I’m just making it up. It’s a custom application, so it’s above the well-known ports. We want to allow it, we want to block it, or we want to allow it if it’s secured via IPsec, and then we can say we only want this to apply to this particular network profile. Then we name it “Custom Business Application” or something somewhat descriptive, and you can throw in a description as well. Over here I’m going to have filtering capabilities.
So filter by the private profile, filter by enabled, filter by different groups, et cetera. And so you can see that kind of stuff. We’ve also got outbound rules. These would be programs that are allowed out. All right, Connection Security Rules is where your IPsec is going to show up. And then Monitoring is also for IPsec. Well, it’s IPsec and the firewall. So here you can see the logging settings, and you can control them. On the host-based firewall, you can click the link to view active firewall rules or view security associations. That’s just going to take you down here anyway.
That’s Windows Defender Firewall with Advanced Security. You’ve got lots of third-party firewalls out there, but this one really is pretty capable. Host-based firewalls are good because they protect that particular system. A network firewall in and of itself is not really sufficient in this day and age. We want local AV, we want local antimalware in general, and we want a local firewall in order to really achieve a defense-in-depth approach to security.
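The same rule the demo builds through the wizard (inbound TCP 2048, one network profile, a descriptive name), created and verified from PowerShell instead. This is an added example, not the course’s own material; it assumes a Windows 10 or Server host with the built-in NetSecurity module and an elevated session, and the port, profile, and address range are constructed values from the demo rather than anything you should copy as-is.

```powershell
# Added example (not from the course). Builds the demo's "Custom Business Application"
# rule with New-NetFirewallRule, then reads it back so you can confirm what the firewall
# actually enforces. Run in an elevated PowerShell session on Windows 10 / Server.
$RuleName   = 'Custom Business Application'   # display name used in the demo
$Port       = 2048                            # made-up port from the demo
$NetProfile = 'Private'                       # apply to one network profile only
$Sources    = '10.0.0.0/24'                   # constructed LAN range; restrict who may connect

function New-CustomAppRule {
    param(
        [string]$Name,
        [int]$LocalPort,
        [string]$Profile,
        [string[]]$RemoteAddress,
        [switch]$RequireIPsec        # the wizard's "Allow the connection if it is secure"
    )
    # Idempotent: do not create a second rule with the same display name on re-runs
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Rule '$Name' already exists; leaving it unchanged"
        return $existing
    }
    $params = @{
        DisplayName   = $Name
        Description   = 'Inbound TCP for the custom line-of-business app (constructed example)'
        Direction     = 'Inbound'
        Protocol      = 'TCP'
        LocalPort     = $LocalPort
        RemoteAddress = $RemoteAddress
        Action        = 'Allow'
        Profile       = $Profile
        Enabled       = 'True'
    }
    if ($RequireIPsec) { $params['Authentication'] = 'Required' }   # only IPsec-authenticated peers
    New-NetFirewallRule @params
}

function Get-RuleSummary {
    # Flattens the rule plus its port and address filters into one object for review
    param([string]$Name)
    $rule = Get-NetFirewallRule -DisplayName $Name
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Direction     = $rule.Direction
        Action        = $rule.Action
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
}

function Get-ProfileState {
    # The "Monitoring" node in the demo: is each profile on, what is the default inbound
    # action, and are dropped packets being logged?
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName
}

New-CustomAppRule -Name $RuleName -LocalPort $Port -Profile $NetProfile -RemoteAddress $Sources | Out-Null
Get-RuleSummary -Name $RuleName | Format-List

# Turn on logging of dropped packets for the Public profile so the log file the demo
# points at actually contains something worth reviewing.
Set-NetFirewallProfile -Profile Public -LogBlocked True
Get-ProfileState | Format-Table -AutoSize
```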
- Auditing
Computers, their operating systems, as well as the firewalls that might be present on them, are going to generate system information that’s stored in log files. It’s pretty important that we monitor network events, system events, application events, user events, et cetera, and doing so is auditing. We’re logging security-related information into local or remote logs, and we can use that to determine if a security breach has occurred or has even been attempted. We need to keep in mind, though, that auditing activity can impact the performance of the system that’s being monitored.
So it’s important that we find a balance between auditing important events and activities and not auditing those that are less important, to make sure device performance is maintained at an acceptable level. There are a number of different guidelines that we should follow. The first is to develop audit log management plans. That means we need a mechanism to control the log size, a process for backing up those logs, and then periodic review plans to ensure that our auditing processes are as efficient as they need to be.
We need to make sure that deleting log files is a two-step, two-person control process, so that we don’t have a single administrative user performing the act of scrubbing, basically deleting incriminating data from those logs. Any high-privileged accounts, including all root users and administrative-level accounts, should be monitored. And we need to make sure that we have an audit trail of everything. That includes who processed the transaction, when the transaction occurred, where it occurred, et cetera. So if you can, you want to implement these at a central level. Again, using Microsoft as an example, you have Group Policy that can implement audit policies centrally, and it disallows somebody from changing that on a local computer.
- Demo – Configuring Audit Policies
In this demonstration, we’re going to look at configuring audit policies for tracking events related to security. And we do this in Windows networks by using Group Policy. So we’ll go Start, Run, gpedit.msc, and this is again the local policy. But you can do the same things in a Group Policy object, and the difference is the Group Policy object would then affect multiple computers, so it’s more efficient in a domain environment. Now, this is going to be inside the computer settings. So the settings here, if you do it in a GPO in Active Directory, are going to be in effect for computer accounts, not user accounts. You’ll find it under Computer Configuration, Windows Settings, Security Settings. Account Policies is where we found password policies; Local Policies is where we find audit policies. All right, now we’ve hit a couple of those. Just expand this out here and you see the different kinds of events that are capable of being monitored in Windows. Now, I’m on a client machine.
It’s a machine that’s not a member of a domain, so none of this is turned on by default. You will find some differences there on servers. Servers do have certain things being monitored by default, and domain controllers have quite a few of these events being monitored by default. So when you go to the event logs of those systems, you will be able to see that information. Let’s just talk about what these are. Account logon events and logon events are very similar, but they are slightly different. Account logon is the validation of an account, the authentication of an account against a security database. So if you do that on a workstation, it’s just when local accounts are used, which is not very helpful. So typically we see that done on domain controllers, because it registers when somebody has authenticated against that domain controller.
Now, logon events track interactive logons and network logons. So not necessarily authenticating against an account that’s stored on that computer, but just connecting to that computer. So both of these are very beneficial. And then for any of these, you would open them up and say, yes, I would like to track this; I want to track success and/or failure. Part of the audit policy is deciding exactly what we want to track, right, and finding a good balance. Account management is the management of accounts: creating, managing, and deleting users, groups, and computers. So typically that’s a domain controller event that would be logged. Then there’s directory service access.
I can target particular containers in Active Directory and say, I want to track when anybody makes changes to this, or particular objects, and I want to track when somebody makes changes to that object. Same thing with object access. The difference is that directory service access is for Directory Services objects, AD objects; object access is for files, folders, and registry keys. In both of those cases, though, you have to turn on the policy first, and then you have to actually go to that resource and add an entry into the system access control list. The system access control list, unlike the discretionary access control list, doesn’t control access privileges; it controls auditing settings. So you’re saying, I don’t want to audit object access to every object on the system.
No, I want to target it for this one. But it’s a two-step process. It’s the policy first, and then going and adding the entry into that location. So let’s actually do this. I’ll just grab any random folder. It doesn’t matter. I have NTFS partitions. So we’ll just go like this. Go to Properties, then Security and then Advanced. And on the advanced security settings, you have an Auditing tab. You have to have administrative privileges to do this. And this is that system access control list, where you’re basically saying, I want to add an audit entry, and it could be for everybody. So when anybody in the Authenticated Users group, for instance, successfully modifies something in this folder, then I want an entry created in the security log. Okay? And again, that’s just an example. But that is the second step that you would have to do for object access. Audit policy change is, again, administrative changes to this policy, for instance. Privilege use is the exercise of a user right. User rights are listed here: things like log on locally, change the system time, do a backup, restore from a backup, force a remote shutdown, log in with Remote Desktop.
Those are all user rights. So if you wanted to track some of those, some of them are administrative actions, although a standard user may have been given the privileges to do that. Process tracking is in relation to programs, and then anything against the system as a whole would fall under system events. Where do you see these? Well, let’s see if I can switch over here. We would see these in the security logs. I’m just switching over to a different machine. This one’s probably locked me out by this time, but let’s see, that’ll wake it up. Okay, indeed. So we’ll go to Administrative Tools and then Event Viewer. This is your graphical way of checking these. Now, the audit policies have to be set, but if they are set, then I can go into the security log and I should see a number of related events. Okay, because, as I said, domain controllers and servers are going to have things logged by default.
That’s taking a second to open up. So let me go here and we’re going to show you the other way. In PowerShell I can say Get-EventLog -LogName Security -Newest 25, because I just want to see the newest 25 events. Okay, let’s do this. Let’s do Run as administrator. That’s going to work. And that would be the command-line way of looking at that. You could look for just success or just failure if you want, and that shows up here as well. So it shows me accounts that were logged on.
I’m seeing some different accounts here, and if you’ll notice, you’ve got a number of events, probably for the same account, because you’ve got a service name and you’ve got the PC that was started, and here’s the account name that was used. These are real accounts. It’s about 7:41 in the morning, so some of them are probably starting work, and we’ve got some logon events. But the point was, you have to go into the security logs to actually see what is being audited. So just creating audit policies doesn’t really do much if I’m not going to go in and evaluate the results. So both of those steps are going to be important for us.
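The two-step object access procedure from the demo (turn on the policy, then add the SACL entry on the folder), followed by the step the demo stresses, actually reading the Security log. This is an added example rather than the course’s own material; it assumes an elevated Windows PowerShell 5.1 session (Get-EventLog is not available in PowerShell 7) and a folder path that is a placeholder you replace with an existing NTFS folder.

```powershell
# Added example (not from the course). Assumes Windows PowerShell 5.1 running as
# administrator; the folder path is a placeholder, not a path from the demo.
$Folder = 'C:\Data\Finance'   # PLACEHOLDER: point this at an existing NTFS folder

function Enable-FileSystemAuditing {
    # Step 1: the policy. The demo enables "Audit object access" in gpedit.msc; the
    # granular command-line equivalent is the "File System" subcategory of Object Access.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    auditpol.exe /get /subcategory:"File System"
}

function Add-FolderAuditEntry {
    # Step 2: the SACL entry on the resource itself. Mirrors the demo's choice: audit
    # successful modifications by Authenticated Users, inherited by files and subfolders.
    param(
        [string]$Path,
        [string]$Identity = 'NT AUTHORITY\Authenticated Users',
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success'
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)
    # -Audit is what makes Get-Acl return the SACL (auditing) as well as the DACL
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl          # writing a SACL needs the Security privilege
    # Show what the folder's SACL now contains
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

function Get-RecentAuditEvents {
    # Step 3: read the Security log. Without -ObjectAccessOnly this is the Get-EventLog
    # call typed in the demo; -EntryType narrows to SuccessAudit or FailureAudit entries.
    param(
        [int]$Newest = 25,
        [ValidateSet('SuccessAudit', 'FailureAudit')][string]$EntryType,
        [switch]$ObjectAccessOnly
    )
    if ($ObjectAccessOnly) {
        # Event ID 4663 = "An attempt was made to access an object": the hits on the SACL
        # entry above. Field positions follow the 4663 event schema (1 = account, 6 = object).
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $Newest |
            Select-Object TimeCreated, Id,
                @{ n = 'Account'; e = { $_.Properties[1].Value } },
                @{ n = 'Object';  e = { $_.Properties[6].Value } }
    } else {
        $params = @{ LogName = 'Security'; Newest = $Newest }
        if ($EntryType) { $params['EntryType'] = $EntryType }
        Get-EventLog @params |
            Select-Object TimeGenerated, EventID, EntryType,
                @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
    }
}

Enable-FileSystemAuditing
Add-FolderAuditEntry -Path $Folder
Get-RecentAuditEvents -Newest 25 | Format-Table -AutoSize
# After someone modifies a file in the folder, the targeted view shows exactly who touched what:
Get-RecentAuditEvents -Newest 25 -ObjectAccessOnly | Format-Table -AutoSize
```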
- Endpoint Detection Response
Endpoint detection and response, or EDR, is a proactive endpoint security approach that’s designed to supplement existing defenses. It’s a fairly advanced approach. It shifts security from a reactive threat approach to one that can detect and prevent threats before they actually happen, so more of a proactive approach. And it focuses primarily on three elements for threat prevention: automation, adaptability, and continuous monitoring.
Some examples of this are Carbon Black CB Response, Cybereason Total Enterprise Protection, Symantec Endpoint Protection, and RSA NetWitness Endpoint. Another one is called FireEye Endpoint Security. The advantage of these systems is that they provide continuous monitoring. The disadvantage is the software’s use of resources, and so that can have a negative effect on the performance of the system.