IT HEALTHCHECK TOP TIPS WHITEPAPER

Transcription

1 WHITEPAPER PREPARED BY MTI TECHNOLOGY LTD w: mti.com t: f:

2 MTI Technology have been specifying and conducting IT Healthcheck s across numerous sectors including commercial, public and financial for several years and over that time have built up a profile of the most common problems uncovered. The Top 5 problem areas ranked in order of occurrence are: 1. Patching 2. Password Policy & Implementation 3. Services Security 4. Server Build Hardening 5. Access Control For those involved in managing large and often complex networks this is probably no surprise. However, as anyone who has been a Systems Administrator knows, finding the time to impliemnt good security practices is a never ending and often losing battle. To give a head start on where to focus time and resources in prepration for your next annual IT Healthcheck, we include the following top tips surrounding the five greatest problem areas: 1.0 PATCHING POLICY By far the greatest weakness observed in ITHCs is the lack of consistent patching regimes, which result in systems being severely exposed to compromise. In cases where we have discovered a solid Operating System (OS) patching regime to be in place, we have often found differences in the way that UNIX and Windows systems are patched; usually one is solid, the other is poor. More often, the MS Windows estate is better patched than the UNIX. In addition, we're often able to compromise environments by exploiting vulnerabilities in un-patched third party applications installed on top of the Operating System, such as antivirus, databases and backup software. To address the above issues we recommend the following; a. Implement a robust patching policy that applies patches to all hosts, whether they are UNIX, Microsoft or another vendor, in a timely manner. The policy must apply to ALL Operating Systems and ALL application software that run on the hosts, so for example, Adobe Acrobat Reader, BackupExec, Apache etc. b. Ensure automated patch management solutions are deployed (carefully) such as WSUS, RHEL or commercial products such as Lumension Patchlink, which verify that patches have been installed correctly. c. System Administrators should run patch assessment tools on a regular basis, such as Microsoft's MBSA and Nessus professional feed to assess the level of patching and to check that patches have indeed stuck. For example, in a review conducted in January 2010 the patch MS was missing and no others, for some reason the patch did not install but no checks were conducted to determine whether the patches had installed correctly. d. Ensure that the version of key service daemons are checked and updated to the latest secure level. Many environments using SSH to secure administrative access (a good practice) are running old vulnerable versions of the daemon, which could potentially expose the user credentials and data exchanged. WHITEPAPER PAGE 2 of 5

3 e. All products and services procured need to include security features and upgrades within the contract price, not chargeable extras. This is to ensure that applications and managed services supplied to the council will be maintained to the latest security standards (e.g. ISO 27001, PCI DSS, OWASP) and systems will be patched against latest Operating System and application layer flaws. This can be achieved through use of a pro-forma Security Service Level Agreement (SSLA). f. Vendor mailing lists and popular vulnerability update lists, such as BugTraq, should be subscribed to for all software in use within the domain. Often when a new vulnerability is disclosed a vendor will release an update to their mailing lists with instructions on how to apply the patch. If these mailing lists are not used then vulnerabilities can remain unpatched for an extraordinarily long time, simply because no one knew there was a newer version available. 2.0 PASSWORD POLICY & IMPLEMENTATION MTI have compromised Active Directory Domain Controllers and other key systems in every internal assessment conducted to date. One way such compromises are achieved is through weak password policy settings and the adoption of poor password practices. Such breaches allow for compromise of critical information assets, and must be defended against. a. Where possible on Windows environments disable the LAN Manager (LM) Hash of user passwords, as this will hinder most password cracking attempts. If using legacy pre-windows 2000 hosts this will need to be reviewed first. b. You should review and apply the recommended GCSx CoCo password policy on all applications and Operating Systems. Enable the password complexity requirements setting in the Windows AD password policy and change all Windows AD passwords to ensure that no weak legacy passwords remain. c. Where possible Service Accounts are configured with unique passwords and changed at least every three four months d. Consider introducing a password policy that requires a minimum of eight alpha-numeric characters and contains at least one digit and ideally one non-standard character; password to be changed a minimum of every ninety days and not reused within ten password changes. For Domain Administrator accounts consider changing the password every 60 days. e. Ensure that users do not run in the context of an administrator as part of their day to day work. In particular Domain Administrators should never logon on a day-to-day basis with their domain admin accounts, and should instead use the runas functionality within Windows to elevate their rights when required. f. Consider using a technology which manages secure password complexity and expiry. g. Remove all default passwords - particularly on databases and networking equipment. h. Ensure Administrator passwords are strong and complex; we have regularly discovered domain administrator passwords such as "Password1", which is among known common password choices; Note how this password would meet basic complexity filters (i.e. greater than eight characters, one upper case letter and one digit) yet it is still a trivially guessed password. i. Run password cracking software against password files on a regular basis to assess user compliance with the corporate password policy. WHITEPAPER PAGE 3 of 5

4 3.0 SERVICES SECURITY MTI often compromise hosts by exploiting weaknesses in default and insecure services, which allow enumeration of user identities, files and passwords. a. Lockdown and disable all unnecessary services on servers, workstations and networking devices. b. Do not use clear text protocols for administration of services across the network such as Telnet, HTTP, r* services. c. Disable services and command sets which allow username enumeration, (e.g. Null shares, finger, VRFY and EXPN.) d. Change default SNMP community strings to complex password values. 4.0 SERVER BUILD HARDENING Commonly we observe a variance in the way that neighbouring systems of the same type have been secured. Hosts offering similar functionality can be configured in completely different ways dependent on the age of the system and who personally commissioned the server, (i.e. another member of the council s team or a 3 rd party.) Consequently some hosts have been well locked-down and configured by one individual, whereas a neighbouring host configured by someone else lacks the same application of care and attention. Where systems have been commissioned without hardening into a live environment, we recognise that applying the lockdown measures after go-live can prove tricky as they can break the application (in some instances) and result in disruption to the business. Common flaws discovered include: Default inbuilt passwords Enumeration of shares and file access allowed without requiring authentication Installation of insecure demo applications and unnecessary application components Default Administration pages and services are available Weak file permissions set Unsafe stored procedures in databases, either enabled by default or enabled by administrators (a good example is the MSSQL xp_cmdshell stored procedure, which allows remote command access to the Windows Operating System) Identical local users accounts used as part of the build process and propagated to every new server by virtue of being included in the build image. To address these issues we recommend organisations; a. Create server build standards and build images per system type. b. Ensure all new key business systems are built to these standards prior to going into production. In this manner one can start with a locked down system and adjust the configuration until the application starts to function. Much better to do it this way before the system is in live use. c. Apply these standards (where practical) to existing systems working in order of most critical systems. WHITEPAPER PAGE 4 of 5

5 5.0 ACCESS CONTROL The extent and speed in which an attack can be executed is directly proportional to the number of hosts and services visible to an attacker. Thus a significant improvement in security can be achieved through limiting visibility of hosts and services to only those that are absolutely essential. a. Apply network segmentation such that access to restricted networks and key business servers is appropriately filtered, on a least privileged basis. b. Where possible restrict access to specific source and destination IP addresses and services. c. Wherever practical avoid the use of the term "permit ANY ANY" in Access Control Lists. d. Avoid the use of large IP subnets in access rules where practical. e. Regularly review the relevancy of access rules against current business needs and prune out any that are no longer appropriate. Head Office Riverview House Weyside Park Catteshall Lane Godalming GU7 1XE f Tel: Fax: Web: About MTI MTI is a leading provider of data centre storage, virtualisation and security solutions, servicing both public and private cloud environments. With offices in the UK, Germany and France it services over 3000 customers across the world. MTI work with their customers to focus on their data ensuring it is secure and always available whether in a public or private cloud. MTI engage with clients at every level addressing the many issues faced with securing data, delivering a full consultancy service, ranging from Data Protection Act issues through to ISO Compliance, and are qualified to conduct CHECK and CREST level penetration and application testing services. MTI can also help clients achieve PCI DSS compliance through our team of PCI Qualified Security Assessors (QSA). WHITEPAPER PAGE 5 of 5