AS-4-Discussions,Assignments
Security Strategies in Windows Platforms and Applications
Lesson 7
Microsoft Windows Incident Handling and Management, Security Life Cycle, and Windows Best Practices
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
1
Learning Objectives
Apply best practices for handling a given Microsoft Windows system and application incident.
Include security concerns as early as possible in the software development process
Apply best practices to securing Microsoft Windows computers, networks, and applications.
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
2
Key Concepts
Windows incident handling tools
Acquiring and managing evidence
Incident response plan
Trends in software change management
Windows system and application security management
The application security life cycle
Application of network management tools and policies in securing environments
Security baseline analysis
Securing the changing Microsoft Windows environment and its applications
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
3
DISCOVER: CONCEPTS
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
4
Secure Software Development
Fewer defects
Fewer vulnerabilities
Proper training is crucial
Development
Testing
Security starts with requirements and design
Too many applications added delay security
Rework is always more expensive
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Secure software is software that supports and maintains the three basic tenets of information security: availability, integrity, and confidentiality. Software that is secure must minimize defects and vulnerabilities. Each vulnerability is a potential opportunity for an attacker to violate one or more security properties. The goal of secure software is for the software to operate as designed with no defects.
Secure software doesn’t just happen. Far too many software programs don’t include security features until after development. The most effective and efficient method of developing secure software is to consider security issues in the very beginning of a development effort —starting with the requirements and design phases. Including security from the very beginning is more cost effective since reworking software to address vulnerabilities is always more expensive than starting with a secure design.
One of the most critical success factors when developing secure applications is that all involved personnel receive solid training on creating secure applications. This training should include both developing secure applications and testing applications for security.
5
Secure Software Development Strategies
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Software Development Life Cycle – SDLC
Formal model for the process of creating software.
Security Development Lifecycle – SDL
Microsoft approach based on three core concepts
Education
Continuous improvement
Accountability
Building Security in Maturity Model – BSIMM
Result of secure development study
Software Security Framework – SSF
6
Software Development Life Cycle – SDLC
Security Development Lifecycle – SDL
Building Security in Maturity Model – BSIMM
Agile Development
The Software Security Framework (SSF)
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
7
Security Incidents
An incident is any event that:
Violates security policy
Poses an imminent threat to security policy
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Securing resources involves defining activities that are both appropriate and inappropriate, and ensure that you only allow appropriate activities. Any action that occurs within a computing environment is called an event. Any event that either violates security policy or poses an imminent threat to your security policy is called a security incident.
There are many types of security incidents, from minor to major incidents. An incident can be as simple as too many failed login attempts or as complex as coordinated attempts to compromise a database that contains confidential information. Examples of security incidents include but are not limited to:
Excessive bandwidth use caused by the compromise of a system
Commercial use of IT resources
Compromised computers
Copyright infringement
Digital harassment
IP spoofing
Intruder activity
Network attack or denial-of-service condition
Virus or Internet worm activity
8
Security Incidents (Continued)
Examples of Incidents
Virus or Internet worm activity
Internet protocol (IP) spoofing
Intruder activity
Network attack or denial of service (DoS) condition
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
9
Sample Incident Reporting Form
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
All evidence you present in a court of law must exist in the same condition as it did when you collected it. Evidence cannot change at all once you collect it; it must be in pristine condition.
You’ll be required to prove to the court that the evidence did not change during the investigation. You’ll have to provide your own evidence that all collected evidence exists without changes as it did when it was collected.
The documentation that provides details of every move and access of evidence is called the chain of custody. The chain starts when you collect any piece of evidence.
Since you don’t know if you’ll have to present evidence in court, you should collect all evidence during an incident investigation as if you will take it to court. If you carefully preserve the chain of custody and do not go to court, you just have well documented evidence. This type of information is great for analyzing incidents for the lessons learned step of incident response. On the other hand, if you are careless in the way you collect evidence and then end up going to court, your carelessness will likely result in having your evidence rejected by the court. Without the evidence you need to prove your case you may not be able to prevail. Always treat each investigation as if it will end up in court.
10
Evidence
Most common types of evidence in computer incidents:
Real evidence–physical object
Documentary evidence–written evidence or file contents
Required to prove accusation
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
11
Collecting Evidence
Only original evidence is useful
Evidence that has not changed since the incident
Collection methods can change evidence
Handling methods can change evidence
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
All evidence you present in a court of law must exist in the same condition as it did when you collected it. Evidence cannot change at all once you collect it; it must be in pristine condition.
You’ll be required to prove to the court that the evidence did not change during the investigation. You’ll have to provide your own evidence that all collected evidence exists without changes as it did when it was collected.
The documentation that provides details of every move and access of evidence is called the chain of custody. The chain starts when you collect any piece of evidence.
Since you don’t know if you’ll have to present evidence in court, you should collect all evidence during an incident investigation as if you will take it to court. If you carefully preserve the chain of custody and do not go to court, you just have well documented evidence. This type of information is great for analyzing incidents for the lessons learned step of incident response. On the other hand, if you are careless in the way you collect evidence and then end up going to court, your carelessness will likely result in having your evidence rejected by the court. Without the evidence you need to prove your case you may not be able to prevail. Always treat each investigation as if it will end up in court.
12
Sample Chain of Custody Log
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
All evidence you present in a court of law must exist in the same condition as it did when you collected it. Evidence cannot change at all once you collect it; it must be in pristine condition.
You’ll be required to prove to the court that the evidence did not change during the investigation. You’ll have to provide your own evidence that all collected evidence exists without changes as it did when it was collected.
The documentation that provides details of every move and access of evidence is called the chain of custody. The chain starts when you collect any piece of evidence.
Since you don’t know if you’ll have to present evidence in court, you should collect all evidence during an incident investigation as if you will take it to court. If you carefully preserve the chain of custody and do not go to court, you just have well documented evidence. This type of information is great for analyzing incidents for the lessons learned step of incident response. On the other hand, if you are careless in the way you collect evidence and then end up going to court, your carelessness will likely result in having your evidence rejected by the court. Without the evidence you need to prove your case you may not be able to prevail. Always treat each investigation as if it will end up in court.
13
Best Practices
Early security controls
Most users were trusted
Firewalls were generally enough
Today’s security challenges
More sophisticated attackers
Internal and external attacks
Indirect attacks on resources
Best practices help address the ever changing security threats
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
14
Security Baseline Analysis
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
15
Valuable for showing known values
Valuable for showing compliance
Security Baseline Guidelines
Create initial baselines.
Use tools such as security configuration and analysis (SCA) and Microsoft baseline security analyzer (MBSA).
Schedule scans using batch files.
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
16
DISCOVER: PROCESS
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
17
Handling Evidence Process
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
The process of collecting evidence at the highest level is little more than a few simple rules:
Acquire all evidence without altering the evidence. Use read only mode in as many cases as possible. When collecting documentary evidence, hardware write blocker devices are generally more respected than software options.
Transport and store all evidence in environments that will maintain the state of the evidence. Fully document all evidence accesses. Create exact copies of the original evidence for later analysis. Ensure devices that require power to maintain data, such as personal digital assistant (PDAs), receive the necessary power (unless you create a static image of the device).
Use appropriate tools and utilities to analyze the copies of documentary evidence. Never analyze the primary copy of evidence.
18
Acquire
(Read Only)
Safely Copy and Store
(Maintain State)
Analyze
(Read Only)
SDLC
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Project initiation and planning
Functional requirements and definition
System design specification
Build (develop) and document
Acceptance testing
Implementation (transition to production)
Operations and maintenance
Disposal
8/14/2014
(c) ITT Educational Services, Inc.
19
Initiate
Define
Design
Build
Test
Roll out
Operate
Dispose
Microsoft Software Development Lifecycle
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
20
Training
Requirements
Design
Implementation
Verification
Release
Response
Agile Development Cycle
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Agile loosely describes a method of developing software that is based on small project iterations, or sprints, instead of long project schedules. Organizations that use Agile produce smaller deliverables more frequently and can evaluate a large project in terms of its individual pieces are they are completed. Sprints are generally one to four weeks in duration. That means there is some deliverable once or more each month. This focus on frequent delivery makes it possible to see and use pieces of a large software product as it matures over time.
8/14/2014
(c) ITT Educational Services, Inc.
21
Securing Computers From Future Threats
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
The process of securing computers from future threats never stops. It consists of five distinct steps that you will visit continually as you monitor your environment and respond to new threats.
Here are the five steps in the process of keeping your environment secure from current and future threats:
Harden computers – Ensure all of your computers are as secure as possible based on current known threats. If you computers are not secure now you cannot keep them secure in the future.
Monitor operation – Monitor how your environment operates and compare actual activity to expected activity. This process will help you identify unusual behavior.
Learn about new threats – Always pursue an understanding of new and emerging threats to help you better prepare for future threats.
Test for new vulnerabilities – Frequently test your environment for any new vulnerabilities that existing controls may not address.
Assess controls – Use audits, vulnerability assessments, and penetration tests to see how well your existing controls are performing and protecting your infrastructure. If you find that you need new controls or modifications to existing controls, continue to the first step and harden your computers again using new or modified controls.
22
Harden computers
Monitor operation
Learn about new threats
Test for new vulnerabilities
Assess controls
DISCOVER: ROLES
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
23
Key Roles in Handling Incidents
Management
Computer Security Incident Response Team (CSIRT)
Team and Incident Lead
Information Technology Liaison
Legal and Public Relations Representative
End Users
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
24
Key Roles in Software Change Management
Management
Software developers
Development administrators
Software testers
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Multiple roles are necessary to properly control the software development process. Here are the most important roles to ensure proper software change management:
Management–all activities to control any software changes needs full management support. You need this support for all funding and the authority to enforce change requirements.
Software developers–Developers are the main implementers of any software change management procedures. They are the ones that make it all work.
Development administrators–the administrators ensure the software change process flows smoothly and helps changed software move from one environment to another, such as releasing software changes to testing.
Software testers–Testers are crucial to the process of ensuring software quality by finding any defects. Formal testing procedures make software testing more effective and efficient.
25
Key Roles in Securing the IT Infrastructure
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
26
Management
Software developers
Network administrators
Security administrators
Users
DISCOVER: CONTEXT
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
27
Case Study–Apple iTunes
July 2010–Apple iTunes accounts hacked
Rogue application (App) developers hacked user accounts
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
In July 2010 Apple reported that some of its iTunes accounts were hacked. The problem first appeared to be related to a single account and a single iPhone application (App) but it soon became clear the scope was larger.
At least one rogue App developer hacked an unknown number of other iTunes user accounts and used those accounts to purchase Apps and music. The proceeds of each purchase was forwarded to the App or music license owner. The purpose of the attack was to artificially increase the sales numbers and revenue of multiple Apps.
In many cases the attackers would purchase several low cost Apps and one high cost App.
Apple investigated the attack and recommended that users change their iTunes passwords and remove payment card information from iTunes.
28
Case Study–Apple iTunes (Continued)
Charged App and music purchases to users
Generally purchased several low cost and one high cost items
Apple recommended
Change password
Remove payment card information
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
29
DISCOVER: RATIONALE
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
30
Importance of Evidence
Shows what happened
Helps to prove facts in court
Indicates severity and scope of impact
Necessary to decide on a course of action
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Evidence is important to any investigation because it shows what happened during an incident. Any decision made about what happened without evidence is just a guess.
Any time you present the detail of an incident in a court of law you can only submit evidence. Evidence is the only way you can claim a sequence of events in court. Also, the evidence the court allows must be original evidence. If you have broken the chain of custody or modified the evidence you cannot use it in the court.
The evidence of an incident can show how bad the incident is. Evidence can show the extent of the incident’s impact and how many other components or computers are affected. Evidence is important to the computer security incident response team (CSIRT) during the containment and recovery phases because it tells the team how bad the incident was.
Finally, even if your incident does not end up in court you need evidence of what happened to decide what to do next. The evidence that shows how an incident transpired can provide valuable information on how to modify controls to keep it from happening again.
31
Emerging Trends and Continued Security Q&A
How long does a secure system stay secure?
What event should trigger re-evaluating your security?
Which computer platforms are the safest?
Why is adaptive security important?
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
How long does a secure system stay secure?
No system is ever totally secure. Once you achieve an acceptable level of security for any system it does not stay secure forever. Any software, hardware, or configuration changes may introduce new vulnerabilities. Also, the passage of time provides attackers with the ability to discover new vulnerabilities already in your environment. The amount of time your systems remain secure depends on many factors. The frequency of exposure to multiple users, presence of high value data, proximity to the Internet, and the level of user security awareness are some factors that can affect a system’s overall security outlook. Never assume your systems stay secure. Always look for vulnerabilities.
What event should trigger re-evaluating your security?
In the best situation, the passing of time should initiate a process of re-evaluating your security controls. You should assess your security on a regular basis. Organizations that are very conscious of security may initiate assessments on a quarterly basis. Some organizations are more aggressive and some are less aggressive. In addition to periodic assessments you should re-evaluate your security control effectiveness any time you identify an incident. Your assessment may be scoped to address the incident but should have a larger scope after several incidents are identified. You should also conduct security evaluations any time legislation or regulations require it for compliance.
Which computer platforms are the safest?
No computer hardware or operating system is inherently more secure than any other. Some operating systems tend to be in the news more than others, but all computers are vulnerable to attacks in some ways. The most secure environments do not depend on the vendor that created them, but the degree to which the organization has deployed the best security controls.
Why is adaptive security important?
It is crucial that you stay informed on current and emerging trends that affect information system security. Attackers know the latest vulnerabilities and so should you. The sophisticated attacker is always developing new exploits to bypass your security controls. Every new hardware and software release is a potential source of new vulnerabilities. As platforms change and are upgraded, the changing collection of vulnerabilities means new opportunities for attacks. It is up to you to be aware of the newest vulnerabilities and the controls to protect your systems. The threat landscape changes daily. Your defenses should change as well.
32
Summary
Windows incident handling tools
Acquiring and managing evidence
Incident response plan
Trends in software change management
Windows system and application security management
The application security life cycle
Application of network management tools and policies in securing environments
Security baseline analysis
Securing the changing Microsoft Windows environment and its applications
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
33
Virtual Labs
Protecting Digital Evidence, Documentation, and the Chain of Custody
Hardening Windows Server Security Using Microsoft Baseline Security Analyzer
Page ‹#›
Security Strategies in Windows Platforms and Applications
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Use the following script to introduce the first lab:
“In this lesson, you examined best practices and procedures for responding to security incidents. You began by discussing what constitutes a security incident, the types of evidence you can gather from an incident, and the general process for responding to an incident. You learned about the responsibilities of a Computer Security Incident Response Team (CSIRT), both before and after an incident occurs. You also learned about incident response plans and why every organization needs a plan in place to respond to incidents efficiently.
In the lab for this lesson, Protecting Digital Evidence, Documentation, and the Chain of Custody, you will first use the Windows Event Viewer utility to search for failed logon attempts which could indicate a possible intrusion by an unauthorized user. You will also generate your own errors by attacking the Windows Server 2012 machine and then review the Internet Information Services (IIS) logs to find those errors. Finally, you will document your findings and recommend remediation steps.”
Use the following script to introduce the second lab:
“In this lesson, you learned about best practices for managing changes to Windows and its applications. The lesson began by comparing security challenges from the early days of computing to today’s IT environments. You learned why secure software development is highly important today and the roles involved in change management. You also explored techniques and technologies for securing computers from future threats, many of which require a security baseline. Without a baseline for comparison, you won’t always be able to recognize unusual network traffic patterns or intruder activity.
In the lab for this lesson, Hardening Windows Server Security Using Microsoft Baseline Security Analyzer, you will first use the Windows Event Viewer utility to search for failed logon attempts which could indicate a possible intrusion by an unauthorized user. You will also generate your own errors by attacking the Windows Server 2012 machine and then review the Internet Information Services (IIS) logs to find those errors. Finally, you will document your findings and recommend remediation steps.”
34