IT HEALTHCHECK TOP TIPS WHITEPAPER




WHITEPAPER PREPARED BY MTI TECHNOLOGY LTD w: mti.com t: 01483 520200 f: 01483 520222

MTI Technology have been specifying and conducting IT Healthchecks (ITHCs) across numerous sectors, including commercial, public and financial, for several years, and over that time have built up a profile of the most common problems uncovered. The top five problem areas, ranked in order of occurrence, are:

1. Patching
2. Password Policy & Implementation
3. Services Security
4. Server Build Hardening
5. Access Control

For those involved in managing large and often complex networks this is probably no surprise. However, as anyone who has been a Systems Administrator knows, finding the time to implement good security practices is a never-ending and often losing battle. To give a head start on where to focus time and resources in preparation for your next annual IT Healthcheck, we include the following top tips for the five greatest problem areas.

1.0 PATCHING POLICY

By far the greatest weakness observed in ITHCs is the lack of a consistent patching regime, which leaves systems severely exposed to compromise. Where we have found a solid Operating System (OS) patching regime in place, we have often found differences in the way UNIX and Windows systems are patched: usually one is solid and the other poor, and more often than not the Windows estate is better patched than the UNIX estate. In addition, we are often able to compromise environments by exploiting vulnerabilities in unpatched third-party applications installed on top of the OS, such as antivirus, database and backup software.

To address the above issues we recommend the following:

a. Implement a robust patching policy that applies patches to all hosts, whether UNIX, Microsoft or another vendor, in a timely manner. The policy must cover ALL Operating Systems and ALL application software running on the hosts, for example Adobe Acrobat Reader, Backup Exec and Apache.
b. Deploy automated patch management solutions (carefully) such as WSUS, Red Hat Network for RHEL, or commercial products such as Lumension PatchLink, which verify that patches have been installed correctly.
c. System Administrators should run patch assessment tools such as Microsoft's MBSA and the Nessus ProfessionalFeed on a regular basis, to assess the level of patching and to check that patches have indeed stuck. For example, in a review conducted in January 2010 the patch MS09-001 was missing and no others: for some reason that one patch had not installed, and no checks had been conducted to determine whether the patches had installed correctly.
d. Ensure that the versions of key service daemons are checked and updated to the latest secure level. Many environments using SSH to secure administrative access (a good practice) are running old, vulnerable versions of the daemon, which could expose the credentials and data exchanged.

WHITEPAPER PAGE 2 of 5

e. All products and services procured should include security features and upgrades within the contract price, not as chargeable extras. This ensures that applications and managed services supplied to the organisation are maintained to current security standards (e.g. ISO 27001, PCI DSS, OWASP) and that systems are patched against the latest Operating System and application-layer flaws. This can be achieved through a pro-forma Security Service Level Agreement (SSLA).
f. Subscribe to vendor mailing lists and popular vulnerability lists, such as BugTraq, for all software in use within the domain. When a new vulnerability is disclosed the vendor will often announce an update on its mailing list with instructions on applying the patch. If these lists are not followed, vulnerabilities can remain unpatched for an extraordinarily long time simply because no one knew a newer version was available.

2.0 PASSWORD POLICY & IMPLEMENTATION

MTI have compromised Active Directory Domain Controllers and other key systems in every internal assessment conducted to date. One way such compromises are achieved is through weak password policy settings and poor password practices. Such breaches allow compromise of critical information assets and must be defended against.

a. Where possible on Windows environments, disable storage of the LAN Manager (LM) hash of user passwords, as this will hinder most password cracking attempts. If legacy pre-Windows 2000 hosts are in use this will need to be reviewed first, as they may depend on the LM hash. Note that the LM hash is only dropped when each account's password is next changed, so existing hashes remain until a password change is forced.
b. Review and apply the recommended GCSx CoCo (Government Connect Code of Connection) password policy on all applications and Operating Systems. Enable the password complexity requirement in the Windows AD password policy and change all Windows AD passwords, so that no weak legacy passwords remain.
c. Where possible, configure Service Accounts with unique passwords and change them at least every three to four months.
d. Consider introducing a password policy that requires a minimum of eight alphanumeric characters including at least one digit and ideally one non-standard character, with passwords changed at least every ninety days and not reused within ten password changes. For Domain Administrator accounts consider changing the password every 60 days.
e. Ensure that users do not run in the context of an administrator as part of their day-to-day work. In particular, Domain Administrators should never log on with their domain admin accounts on a day-to-day basis, and should instead use the Windows runas functionality to elevate their rights when required.
f. Consider using a technology that manages and enforces password complexity and expiry.
g. Remove all default passwords, particularly on databases and networking equipment.
h. Ensure Administrator passwords are strong and complex. We have regularly discovered domain administrator passwords such as "Password1", which is among the most common password choices. Note that this password meets a basic complexity filter (at least eight characters, one upper-case letter and one digit) yet is still trivially guessed: complexity rules need to be backed by a blocklist of common passwords.
i. Run password cracking software against password files on a regular basis to assess user compliance with the corporate password policy.
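Tips 1.0 (c) and (d) above say to check that patches have actually stuck and that key daemons such as sshd are current. The following Python script is an added example written for this article, not MTI's own tooling: it parses a constructed hotfix listing (the format that `wmic qfe get HotFixID` or `Get-HotFix` prints) against a required-patch list, and compares a constructed SSH banner with a minimum OpenSSH version. The bulletin-to-KB mapping and the version floor are assumptions for illustration; take the real list from your approved-updates catalogue.

```python
"""Patch verification for 1.0 (c) and (d): confirm that the patches the
deployment tool claims to have applied are actually present, and that the
SSH daemon is at an acceptable version.

Added example, not MTI's code.  The hotfix listing and the SSH banner are
constructed sample data; the bulletin-to-KB mapping and the minimum OpenSSH
version are assumptions for illustration, not a recommendation.
"""
import re

# Constructed sample of `wmic qfe get HotFixID` / Get-HotFix output from a
# host where, as in the January 2010 review, one bulletin failed to install.
SAMPLE_HOTFIX_LIST = """\
HotFixID
KB960225
KB961260
KB959239
"""

# Bulletins the patch policy requires and the KB each maps to.  Assumed
# mapping for the example; in practice take it from the WSUS/MBSA approved list.
REQUIRED_PATCHES = {
    "MS09-001": "KB958687",
    "MS09-002": "KB961260",
    "MS09-003": "KB959239",
}

# Constructed banner from an old sshd, and an assumed version floor.
SAMPLE_SSH_BANNER = "SSH-2.0-OpenSSH_4.3"
MIN_OPENSSH = (5, 3)


def parse_hotfix_ids(listing):
    """Return the set of KB identifiers present in a hotfix listing."""
    return set(re.findall(r"\bKB\d{6,7}\b", listing))


def missing_patches(required, installed):
    """Bulletins whose KB is absent: the patches that did not 'stick'."""
    return sorted(b for b, kb in required.items() if kb not in installed)


def openssh_version(banner):
    """Parse 'SSH-2.0-OpenSSH_4.3' or 'SSH-2.0-OpenSSH_7.4p1' into (4, 3) / (7, 4).
    Returns None for non-OpenSSH banners, which need their own version rule."""
    m = re.match(r"SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def sshd_below_floor(banner, floor=MIN_OPENSSH):
    """True when the banner is OpenSSH and older than the floor."""
    v = openssh_version(banner)
    return v is not None and v < floor


def patch_audit(listing=SAMPLE_HOTFIX_LIST, banner=SAMPLE_SSH_BANNER):
    """Combine both checks into the findings an ITHC report would list."""
    findings = {}
    gaps = missing_patches(REQUIRED_PATCHES, parse_hotfix_ids(listing))
    if gaps:
        findings["missing_patches"] = gaps
    if sshd_below_floor(banner):
        findings["sshd"] = f"{banner} is below OpenSSH {MIN_OPENSSH[0]}.{MIN_OPENSSH[1]}"
    return findings


if __name__ == "__main__":
    for name, detail in patch_audit().items():
        print(name, detail)
```

On the sample data the audit reports MS09-001 as missing even though the other two bulletins installed, which is exactly the gap a deployment tool's own success report hides; the banner check is a cheap complement to a version-aware scanner, not a replacement for it, because a vendor may backport fixes without changing the version string.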
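Tip 2.0 (h) makes the point that "Password1" passes a naive complexity filter. The following Python check is added here as an example (not MTI's code): it applies the 2.0 (d) rules and then the two checks a complexity filter alone does not provide, a blocklist of common passwords with trivial variants normalised away, and reuse against the last ten password digests. The blocklist and the history are constructed sample data, and SHA-256 stands in for the NT hashes a real audit would compare.

```python
"""Password checks for 2.0 (d), (h) and (i): the complexity rule first, then
the two things a complexity filter alone does not catch, namely a blocklist
of common passwords (with trivial variants normalised) and reuse within the
last ten changes.

Added example, not MTI's code.  The blocklist and history are constructed
sample data; a real audit loads a published common-password list and
compares NT hashes rather than SHA-256.
"""
import hashlib
import re

# Constructed blocklist; a real one has millions of entries.
COMMON_PASSWORDS = {
    "password", "password1", "welcome1", "letmein", "qwerty", "admin", "changeme",
}
HISTORY_DEPTH = 10  # 2.0 (d): no reuse within ten password changes
# Undo the substitutions people use to sneak a blocklisted word past a filter.
LEET = str.maketrans("@$013", "asoie")


def meets_complexity(pw, min_len=8, require_special=False):
    """The basic filter from 2.0 (h): at least min_len characters with an
    upper-case letter, a lower-case letter and a digit; a non-alphanumeric
    character is demanded only when require_special is set."""
    has = lambda pattern: re.search(pattern, pw) is not None
    if len(pw) < min_len or not (has(r"[A-Z]") and has(r"[a-z]") and has(r"\d")):
        return False
    return has(r"[^A-Za-z0-9]") if require_special else True


def is_common(pw):
    """Blocklist check that also catches 'Password1' and 'P@ssw0rd!' by
    lower-casing, stripping trailing digits/symbols and undoing substitutions."""
    lowered = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    candidates = (lowered, stripped, stripped.translate(LEET))
    return any(c in COMMON_PASSWORDS for c in candidates)


def digest(pw):
    """Stand-in for the stored hash; SHA-256 here, NT hash in a real AD audit."""
    return hashlib.sha256(pw.encode()).hexdigest()


def is_reused(pw, history):
    """history: digests of previous passwords, oldest first, newest last."""
    return digest(pw) in list(history)[-HISTORY_DEPTH:]


def evaluate(pw, history=()):
    """Return the list of policy failures; an empty list means acceptable."""
    failures = []
    if not meets_complexity(pw):
        failures.append("complexity")
    if is_common(pw):
        failures.append("common")
    if is_reused(pw, history):
        failures.append("reused")
    return failures


if __name__ == "__main__":
    for candidate in ("Password1", "P@ssw0rd!", "short1A", "Correct-Horse-Battery-7"):
        print(candidate, evaluate(candidate) or "ok")
```

"Password1" and "P@ssw0rd!" both satisfy meets_complexity and are rejected only by the blocklist stage, which is the gap the whitepaper describes; the history check is what makes the "not reused within ten changes" rule testable rather than aspirational.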

3.0 SERVICES SECURITY

MTI often compromise hosts by exploiting weaknesses in default and insecure services, which allow enumeration of user identities, files and passwords.

a. Lock down and disable all unnecessary services on servers, workstations and networking devices.
b. Do not use clear-text protocols such as Telnet, HTTP and the r* services for administration of services across the network.
c. Disable services and commands that allow username enumeration (e.g. null sessions, finger, and the SMTP VRFY and EXPN commands).
d. Change default SNMP community strings to complex, password-strength values.

4.0 SERVER BUILD HARDENING

Commonly we observe variance in the way neighbouring systems of the same type have been secured. Hosts offering similar functionality can be configured in completely different ways depending on the age of the system and who personally commissioned it (i.e. another member of the organisation's team or a third party). Consequently some hosts have been well locked down and configured by one individual, whereas a neighbouring host configured by someone else lacks the same care and attention. Where systems have been commissioned into a live environment without hardening, we recognise that applying lockdown measures after go-live can prove tricky, as they can (in some instances) break the application and disrupt the business.
Common flaws discovered include:

- Default inbuilt passwords
- Enumeration of shares and file access allowed without authentication
- Installation of insecure demo applications and unnecessary application components
- Default administration pages and services left available
- Weak file permissions
- Unsafe stored procedures in databases, either enabled by default or enabled by administrators (a good example is the MSSQL xp_cmdshell stored procedure, which allows command execution on the underlying Windows Operating System from a database session)
- Identical local user accounts created as part of the build process and propagated to every new server by virtue of being included in the build image

To address these issues we recommend organisations:

a. Create server build standards and build images per system type.
b. Ensure all new key business systems are built to these standards prior to going into production. In this manner one can start with a locked-down system and adjust the configuration until the application functions; far better to do this before the system is in live use.
c. Apply these standards (where practical) to existing systems, working in order of the most critical systems first.
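Tips 3.0 and 4.0 both come down to comparing a host's observed state with its build standard. The following Python script is an added example, not part of the whitepaper: it parses constructed `netstat -tln` output, flags the clear-text and enumeration services from 3.0 (b) and (c), checks for a default SNMP community string (3.0 (d)), reports any listener that the build standard for that system type does not permit, and shows the drift between two neighbouring hosts (4.0). The build standard, the netstat samples and the SNMP community string are assumptions for illustration; loopback-only listeners are treated as out of scope because they are not reachable over the network.

```python
"""Host lock-down check for 3.0 and 4.0: compare a host's listening services
with its build standard, flag the insecure services named in 3.0 (b)-(d),
and report configuration drift between neighbouring hosts.

Added example, not MTI's code.  The build standard, the netstat output and
the SNMP community string are constructed sample data; the port-to-service
names are the standard IANA assignments.
"""
import re

# 3.0 (b): clear-text administration protocols, keyed by TCP port.
CLEARTEXT_ADMIN = {23: "telnet", 80: "http", 512: "rexec", 513: "rlogin", 514: "rsh"}
# 3.0 (c): services that hand out usernames.
ENUMERATION = {79: "finger"}
# 3.0 (d): community strings that ship as vendor defaults.
DEFAULT_COMMUNITIES = {"public", "private"}
# 4.0 (a): the only listeners a given system type may expose (assumed).
BUILD_STANDARD = {"web": {22, 443}}

# Constructed `netstat -tln` output from a host commissioned without the standard...
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
"""
# ...and from its neighbour, built to the standard.
SAMPLE_NETSTAT_HARDENED = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""


def listening_ports(netstat_output):
    """Return {port: bind address} for every TCP socket in LISTEN state."""
    ports = {}
    for line in netstat_output.splitlines():
        m = re.match(r"tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", line)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports


def audit_host(system_type, netstat_output, snmp_community, standard=BUILD_STANDARD):
    """Findings for one host, in port order, followed by the SNMP check."""
    allowed = standard[system_type]
    findings = []
    for port, bind in sorted(listening_ports(netstat_output).items()):
        if bind in ("127.0.0.1", "::1"):
            continue  # assumption: loopback-only listeners are not network-reachable
        if port in CLEARTEXT_ADMIN:
            findings.append(f"clear-text protocol exposed: {CLEARTEXT_ADMIN[port]}/{port}")
        if port in ENUMERATION:
            findings.append(f"enumeration service exposed: {ENUMERATION[port]}/{port}")
        if port not in allowed:
            findings.append(f"service not in build standard: tcp/{port} bound to {bind}")
    if snmp_community.lower() in DEFAULT_COMMUNITIES:
        findings.append("default SNMP community string in use")
    return findings


def build_drift(netstat_a, netstat_b):
    """4.0: listeners present on one neighbouring host but not the other."""
    a, b = set(listening_ports(netstat_a)), set(listening_ports(netstat_b))
    return {"only_a": sorted(a - b), "only_b": sorted(b - a)}


if __name__ == "__main__":
    for finding in audit_host("web", SAMPLE_NETSTAT, "public"):
        print(finding)
    print(build_drift(SAMPLE_NETSTAT, SAMPLE_NETSTAT_HARDENED))
```

Run against the real estate this is the check that turns "we have a build standard" into evidence that each host meets it; the drift report is the quickest way to find the neighbouring host that was commissioned by a different person and never locked down.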

5.0 ACCESS CONTROL

The extent and speed with which an attack can be executed is directly proportional to the number of hosts and services visible to an attacker. A significant improvement in security can therefore be achieved by limiting the visibility of hosts and services to only those that are absolutely essential.

a. Apply network segmentation such that access to restricted networks and key business servers is appropriately filtered on a least-privilege basis.
b. Where possible, restrict access to specific source and destination IP addresses and services.
c. Wherever practical, avoid "permit any any" rules in Access Control Lists.
d. Avoid large IP subnets in access rules where practical.
e. Regularly review the relevance of access rules against current business needs and prune any that are no longer appropriate.

Head Office: Riverview House, Weyside Park, Catteshall Lane, Godalming GU7 1XE
Tel: 01483 500200 Fax: 01483 500222 Web: www.mti.com

About MTI

MTI is a leading provider of data centre storage, virtualisation and security solutions, servicing both public and private cloud environments. With offices in the UK, Germany and France it services over 3000 customers across the world. MTI work with their customers to focus on their data, ensuring it is secure and always available whether in a public or private cloud. MTI engage with clients at every level, addressing the many issues faced in securing data and delivering a full consultancy service ranging from Data Protection Act issues through to ISO 27001 compliance, and are qualified to conduct CHECK and CREST level penetration and application testing services. MTI can also help clients achieve PCI DSS compliance through our team of PCI Qualified Security Assessors (QSAs).
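An added example for tips 5.0 (b) to (e) above (example code written for this article, not MTI's): a Python review of Cisco-style extended ACL entries that flags "permit any any", permits to subnets wider than an assumed /24 threshold, and TCP/UDP permits with no service restriction. The ACL text is constructed sample data and the threshold is an assumption to tune for your own estate.

```python
"""ACL review for 5.0 (b)-(e): parse Cisco-style extended ACL entries and
flag the patterns the tips warn about: 'permit any any', permits to large
subnets, and permits with no service (port) restriction.

Added example, not MTI's code.  The ACL is constructed sample data and the
/24 threshold for a 'large' subnet is an assumption to tune per estate.
"""
import ipaddress

LARGE_PREFIX = 24  # assumption: anything wider than a /24 counts as large

SAMPLE_ACL = """\
ip access-list extended DMZ-IN
 permit tcp host 10.1.1.5 host 10.2.0.10 eq 443
 permit tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255 eq 22
 permit ip any any
 permit udp 192.168.0.0 0.0.0.255 host 10.2.0.20 eq 161
 permit tcp 10.3.0.0 0.0.0.255 host 10.2.0.30
 deny ip any any
"""


def parse_endpoint(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and return
    (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard is the bitwise inverse of a netmask (0.0.0.255 -> /24);
    # inverting explicitly avoids 0.0.0.0 being read as a /0 netmask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_rule(line):
    """Return a dict for a permit/deny entry, or None for any other line."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    src, rest = parse_endpoint(tokens[2:])
    dst, rest = parse_endpoint(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst,
            "port": port, "text": " ".join(tokens)}


def review_acl(acl_text, large_prefix=LARGE_PREFIX):
    """Return (finding, rule text) pairs for every permit that needs review."""
    findings = []
    for line in acl_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["action"] != "permit":
            continue
        if rule["src"].prefixlen == 0 and rule["dst"].prefixlen == 0:
            findings.append(("permit any any", rule["text"]))
            continue
        for side in ("src", "dst"):
            if rule[side].prefixlen < large_prefix:
                findings.append((f"large {side} subnet /{rule[side].prefixlen}", rule["text"]))
        if rule["proto"] in ("tcp", "udp") and rule["port"] is None:
            findings.append(("no service restriction", rule["text"]))
    return findings


if __name__ == "__main__":
    for finding, text in review_acl(SAMPLE_ACL):
        print(f"{finding:28} {text}")
```

The "permit ip any any" ahead of the final deny is the rule the review exists to find: everything after it is dead, so the deny gives no protection at all. Keeping the rule text alongside each finding is what makes the 5.0 (e) review practical, since the owner of each rule can be asked whether it is still needed.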