AS-4-Discussions,Assignments

profileColin Horn
winsec_ppt08_l07.pptx

Security Strategies in Windows Platforms and Applications

Lesson 7

Microsoft Windows Incident Handling and Management, Security Life Cycle, and Windows Best Practices

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

1

Learning Objectives

Apply best practices for handling a given Microsoft Windows system and application incident.

Include security concerns as early as possible in the software development process

Apply best practices to securing Microsoft Windows computers, networks, and applications.

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

2

Key Concepts

Windows incident handling tools

Acquiring and managing evidence

Incident response plan

Trends in software change management

Windows system and application security management

The application security life cycle

Application of network management tools and policies in securing environments

Security baseline analysis

Securing the changing Microsoft Windows environment and its applications

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

3

DISCOVER: CONCEPTS

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

4

Secure Software Development

Fewer defects

Fewer vulnerabilities

Proper training is crucial

Development

Testing

Security starts with requirements and design

Too many applications added delay security

Rework is always more expensive

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Secure software is software that supports and maintains the three basic tenets of information security: availability, integrity, and confidentiality. Software that is secure must minimize defects and vulnerabilities. Each vulnerability is a potential opportunity for an attacker to violate one or more security properties. The goal of secure software is for the software to operate as designed with no defects.

Secure software doesn’t just happen. Far too many software programs don’t include security features until after development. The most effective and efficient method of developing secure software is to consider security issues in the very beginning of a development effort —starting with the requirements and design phases. Including security from the very beginning is more cost effective since reworking software to address vulnerabilities is always more expensive than starting with a secure design.

One of the most critical success factors when developing secure applications is that all involved personnel receive solid training on creating secure applications. This training should include both developing secure applications and testing applications for security.

5

Secure Software Development Strategies

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Software Development Life Cycle – SDLC

Formal model for the process of creating software.

Security Development Lifecycle – SDL

Microsoft approach based on three core concepts

Education

Continuous improvement

Accountability

Building Security in Maturity Model – BSIMM

Result of secure development study

Software Security Framework – SSF

6

Software Development Life Cycle – SDLC

Security Development Lifecycle – SDL

Building Security in Maturity Model – BSIMM

Agile Development

The Software Security Framework (SSF)

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

7

Security Incidents

An incident is any event that:

Violates security policy

Poses an imminent threat to security policy

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Securing resources involves defining activities that are both appropriate and inappropriate, and ensure that you only allow appropriate activities. Any action that occurs within a computing environment is called an event. Any event that either violates security policy or poses an imminent threat to your security policy is called a security incident.

There are many types of security incidents, from minor to major incidents. An incident can be as simple as too many failed login attempts or as complex as coordinated attempts to compromise a database that contains confidential information. Examples of security incidents include but are not limited to:

Excessive bandwidth use caused by the compromise of a system

Commercial use of IT resources

Compromised computers

Copyright infringement

Digital harassment

IP spoofing

Intruder activity

Network attack or denial-of-service condition

Virus or Internet worm activity

8

Security Incidents (Continued)

Examples of Incidents

Virus or Internet worm activity

Internet protocol (IP) spoofing

Intruder activity

Network attack or denial of service (DoS) condition

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

9

Sample Incident Reporting Form

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

All evidence you present in a court of law must exist in the same condition as it did when you collected it. Evidence cannot change at all once you collect it; it must be in pristine condition.

You’ll be required to prove to the court that the evidence did not change during the investigation. You’ll have to provide your own evidence that all collected evidence exists without changes as it did when it was collected.

The documentation that provides details of every move and access of evidence is called the chain of custody. The chain starts when you collect any piece of evidence.

Since you don’t know if you’ll have to present evidence in court, you should collect all evidence during an incident investigation as if you will take it to court. If you carefully preserve the chain of custody and do not go to court, you just have well documented evidence. This type of information is great for analyzing incidents for the lessons learned step of incident response. On the other hand, if you are careless in the way you collect evidence and then end up going to court, your carelessness will likely result in having your evidence rejected by the court. Without the evidence you need to prove your case you may not be able to prevail. Always treat each investigation as if it will end up in court.

10

Evidence

Most common types of evidence in computer incidents:

Real evidence–physical object

Documentary evidence–written evidence or file contents

Required to prove accusation

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

11

Collecting Evidence

Only original evidence is useful

Evidence that has not changed since the incident

Collection methods can change evidence

Handling methods can change evidence

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

All evidence you present in a court of law must exist in the same condition as it did when you collected it. Evidence cannot change at all once you collect it; it must be in pristine condition.

You’ll be required to prove to the court that the evidence did not change during the investigation. You’ll have to provide your own evidence that all collected evidence exists without changes as it did when it was collected.

The documentation that provides details of every move and access of evidence is called the chain of custody. The chain starts when you collect any piece of evidence.

Since you don’t know if you’ll have to present evidence in court, you should collect all evidence during an incident investigation as if you will take it to court. If you carefully preserve the chain of custody and do not go to court, you just have well documented evidence. This type of information is great for analyzing incidents for the lessons learned step of incident response. On the other hand, if you are careless in the way you collect evidence and then end up going to court, your carelessness will likely result in having your evidence rejected by the court. Without the evidence you need to prove your case you may not be able to prevail. Always treat each investigation as if it will end up in court.

12

Sample Chain of Custody Log

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

All evidence you present in a court of law must exist in the same condition as it did when you collected it. Evidence cannot change at all once you collect it; it must be in pristine condition.

You’ll be required to prove to the court that the evidence did not change during the investigation. You’ll have to provide your own evidence that all collected evidence exists without changes as it did when it was collected.

The documentation that provides details of every move and access of evidence is called the chain of custody. The chain starts when you collect any piece of evidence.

Since you don’t know if you’ll have to present evidence in court, you should collect all evidence during an incident investigation as if you will take it to court. If you carefully preserve the chain of custody and do not go to court, you just have well documented evidence. This type of information is great for analyzing incidents for the lessons learned step of incident response. On the other hand, if you are careless in the way you collect evidence and then end up going to court, your carelessness will likely result in having your evidence rejected by the court. Without the evidence you need to prove your case you may not be able to prevail. Always treat each investigation as if it will end up in court.

13

Best Practices

Early security controls

Most users were trusted

Firewalls were generally enough

Today’s security challenges

More sophisticated attackers

Internal and external attacks

Indirect attacks on resources

Best practices help address the ever changing security threats

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

14

Security Baseline Analysis

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

15

Valuable for showing known values

Valuable for showing compliance

Security Baseline Guidelines

Create initial baselines.

Use tools such as security configuration and analysis (SCA) and Microsoft baseline security analyzer (MBSA).

Schedule scans using batch files.

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

16

DISCOVER: PROCESS

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

17

Handling Evidence Process

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

The process of collecting evidence at the highest level is little more than a few simple rules:

Acquire all evidence without altering the evidence. Use read only mode in as many cases as possible. When collecting documentary evidence, hardware write blocker devices are generally more respected than software options.

Transport and store all evidence in environments that will maintain the state of the evidence. Fully document all evidence accesses. Create exact copies of the original evidence for later analysis. Ensure devices that require power to maintain data, such as personal digital assistant (PDAs), receive the necessary power (unless you create a static image of the device).

Use appropriate tools and utilities to analyze the copies of documentary evidence. Never analyze the primary copy of evidence.

18

Acquire

(Read Only)

Safely Copy and Store

(Maintain State)

Analyze

(Read Only)

SDLC

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Project initiation and planning

Functional requirements and definition

System design specification

Build (develop) and document

Acceptance testing

Implementation (transition to production)

Operations and maintenance

Disposal

8/14/2014

(c) ITT Educational Services, Inc.

19

Initiate

Define

Design

Build

Test

Roll out

Operate

Dispose

Microsoft Software Development Lifecycle

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

20

Training

Requirements

Design

Implementation

Verification

Release

Response

Agile Development Cycle

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Agile loosely describes a method of developing software that is based on small project iterations, or sprints, instead of long project schedules. Organizations that use Agile produce smaller deliverables more frequently and can evaluate a large project in terms of its individual pieces are they are completed. Sprints are generally one to four weeks in duration. That means there is some deliverable once or more each month. This focus on frequent delivery makes it possible to see and use pieces of a large software product as it matures over time.

8/14/2014

(c) ITT Educational Services, Inc.

21

Securing Computers From Future Threats

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

The process of securing computers from future threats never stops. It consists of five distinct steps that you will visit continually as you monitor your environment and respond to new threats.

Here are the five steps in the process of keeping your environment secure from current and future threats:

Harden computers – Ensure all of your computers are as secure as possible based on current known threats. If you computers are not secure now you cannot keep them secure in the future.

Monitor operation – Monitor how your environment operates and compare actual activity to expected activity. This process will help you identify unusual behavior.

Learn about new threats – Always pursue an understanding of new and emerging threats to help you better prepare for future threats.

Test for new vulnerabilities – Frequently test your environment for any new vulnerabilities that existing controls may not address.

Assess controls – Use audits, vulnerability assessments, and penetration tests to see how well your existing controls are performing and protecting your infrastructure. If you find that you need new controls or modifications to existing controls, continue to the first step and harden your computers again using new or modified controls.

22

Harden computers

Monitor operation

Learn about new threats

Test for new vulnerabilities

Assess controls

DISCOVER: ROLES

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

23

Key Roles in Handling Incidents

Management

Computer Security Incident Response Team (CSIRT)

Team and Incident Lead

Information Technology Liaison

Legal and Public Relations Representative

End Users

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

24

Key Roles in Software Change Management

Management

Software developers

Development administrators

Software testers

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Multiple roles are necessary to properly control the software development process. Here are the most important roles to ensure proper software change management:

Management–all activities to control any software changes needs full management support. You need this support for all funding and the authority to enforce change requirements.

Software developers–Developers are the main implementers of any software change management procedures. They are the ones that make it all work.

Development administrators–the administrators ensure the software change process flows smoothly and helps changed software move from one environment to another, such as releasing software changes to testing.

Software testers–Testers are crucial to the process of ensuring software quality by finding any defects. Formal testing procedures make software testing more effective and efficient.

25

Key Roles in Securing the IT Infrastructure

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

26

Management

Software developers

Network administrators

Security administrators

Users

DISCOVER: CONTEXT

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

27

Case Study–Apple iTunes

July 2010–Apple iTunes accounts hacked

Rogue application (App) developers hacked user accounts

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

In July 2010 Apple reported that some of its iTunes accounts were hacked. The problem first appeared to be related to a single account and a single iPhone application (App) but it soon became clear the scope was larger.

At least one rogue App developer hacked an unknown number of other iTunes user accounts and used those accounts to purchase Apps and music. The proceeds of each purchase was forwarded to the App or music license owner. The purpose of the attack was to artificially increase the sales numbers and revenue of multiple Apps.

In many cases the attackers would purchase several low cost Apps and one high cost App.

Apple investigated the attack and recommended that users change their iTunes passwords and remove payment card information from iTunes.

28

Case Study–Apple iTunes (Continued)

Charged App and music purchases to users

Generally purchased several low cost and one high cost items

Apple recommended

Change password

Remove payment card information

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

29

DISCOVER: RATIONALE

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

30

Importance of Evidence

Shows what happened

Helps to prove facts in court

Indicates severity and scope of impact

Necessary to decide on a course of action

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Evidence is important to any investigation because it shows what happened during an incident. Any decision made about what happened without evidence is just a guess.

Any time you present the detail of an incident in a court of law you can only submit evidence. Evidence is the only way you can claim a sequence of events in court. Also, the evidence the court allows must be original evidence. If you have broken the chain of custody or modified the evidence you cannot use it in the court.

The evidence of an incident can show how bad the incident is. Evidence can show the extent of the incident’s impact and how many other components or computers are affected. Evidence is important to the computer security incident response team (CSIRT) during the containment and recovery phases because it tells the team how bad the incident was.

Finally, even if your incident does not end up in court you need evidence of what happened to decide what to do next. The evidence that shows how an incident transpired can provide valuable information on how to modify controls to keep it from happening again.

31

Emerging Trends and Continued Security Q&A

How long does a secure system stay secure?

What event should trigger re-evaluating your security?

Which computer platforms are the safest?

Why is adaptive security important?

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

How long does a secure system stay secure?

No system is ever totally secure. Once you achieve an acceptable level of security for any system it does not stay secure forever. Any software, hardware, or configuration changes may introduce new vulnerabilities. Also, the passage of time provides attackers with the ability to discover new vulnerabilities already in your environment. The amount of time your systems remain secure depends on many factors. The frequency of exposure to multiple users, presence of high value data, proximity to the Internet, and the level of user security awareness are some factors that can affect a system’s overall security outlook. Never assume your systems stay secure. Always look for vulnerabilities.

What event should trigger re-evaluating your security?

In the best situation, the passing of time should initiate a process of re-evaluating your security controls. You should assess your security on a regular basis. Organizations that are very conscious of security may initiate assessments on a quarterly basis. Some organizations are more aggressive and some are less aggressive. In addition to periodic assessments you should re-evaluate your security control effectiveness any time you identify an incident. Your assessment may be scoped to address the incident but should have a larger scope after several incidents are identified. You should also conduct security evaluations any time legislation or regulations require it for compliance.

Which computer platforms are the safest?

No computer hardware or operating system is inherently more secure than any other. Some operating systems tend to be in the news more than others, but all computers are vulnerable to attacks in some ways. The most secure environments do not depend on the vendor that created them, but the degree to which the organization has deployed the best security controls.

Why is adaptive security important?

It is crucial that you stay informed on current and emerging trends that affect information system security. Attackers know the latest vulnerabilities and so should you. The sophisticated attacker is always developing new exploits to bypass your security controls. Every new hardware and software release is a potential source of new vulnerabilities. As platforms change and are upgraded, the changing collection of vulnerabilities means new opportunities for attacks. It is up to you to be aware of the newest vulnerabilities and the controls to protect your systems. The threat landscape changes daily. Your defenses should change as well.

32

Summary

Windows incident handling tools

Acquiring and managing evidence

Incident response plan

Trends in software change management

Windows system and application security management

The application security life cycle

Application of network management tools and policies in securing environments

Security baseline analysis

Securing the changing Microsoft Windows environment and its applications

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

33

Virtual Labs

Protecting Digital Evidence, Documentation, and the Chain of Custody

Hardening Windows Server Security Using Microsoft Baseline Security Analyzer

Page ‹#›

Security Strategies in Windows Platforms and Applications

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Use the following script to introduce the first lab:

“In this lesson, you examined best practices and procedures for responding to security incidents. You began by discussing what constitutes a security incident, the types of evidence you can gather from an incident, and the general process for responding to an incident. You learned about the responsibilities of a Computer Security Incident Response Team (CSIRT), both before and after an incident occurs. You also learned about incident response plans and why every organization needs a plan in place to respond to incidents efficiently.

In the lab for this lesson, Protecting Digital Evidence, Documentation, and the Chain of Custody, you will first use the Windows Event Viewer utility to search for failed logon attempts which could indicate a possible intrusion by an unauthorized user. You will also generate your own errors by attacking the Windows Server 2012 machine and then review the Internet Information Services (IIS) logs to find those errors. Finally, you will document your findings and recommend remediation steps.”

Use the following script to introduce the second lab:

“In this lesson, you learned about best practices for managing changes to Windows and its applications. The lesson began by comparing security challenges from the early days of computing to today’s IT environments. You learned why secure software development is highly important today and the roles involved in change management. You also explored techniques and technologies for securing computers from future threats, many of which require a security baseline. Without a baseline for comparison, you won’t always be able to recognize unusual network traffic patterns or intruder activity.

In the lab for this lesson, Hardening Windows Server Security Using Microsoft Baseline Security Analyzer, you will first use the Windows Event Viewer utility to search for failed logon attempts which could indicate a possible intrusion by an unauthorized user. You will also generate your own errors by attacking the Windows Server 2012 machine and then review the Internet Information Services (IIS) logs to find those errors. Finally, you will document your findings and recommend remediation steps.”

34