Post on 07-Feb-2021
Security issues

- Network security
- Malware infections
- PC management (service provisioning)
- Exposure of important information on the Web (web/system vulnerability exploits, mismanagement)
- Third-party management
- Account theft
Information asset classification (asset groups A to G)

H/W
- Server: WEB, WAS, AP, DB, backup server
- Network: backbone, L4 switch, router
- Security equipment: firewall, VPN, IPS, DDoS defense
- PC: civil-service, work, and library PCs

S/W
- DBMS: Oracle, MySQL, etc.

WEB
- Web service: services provided via the Web

Organization and personnel
- Budget

Third-party management
Organization, personnel and budget (typical findings)

- The information security budget is executed as part of the IT budget rather than as a separate item.
- There is no dedicated information security management organization.
- A single manager handles business information, security, and privacy alone.
- Information system maintenance is either integrated or managed individually per system.
Classification                   No    Check list                                                  Level
Account management               U-1   Restrict remote access to the root account                  Critical
                                 U-2   Password complexity settings                                Critical
                                 U-3   Set the account lockout threshold                           Critical
                                 U-4   Password file protection                                    Critical
File and directory management    U-5   root home and PATH directory permissions and PATH settings  Critical
                                 U-6   Set the owner of files and directories                      Critical
                                 U-7   /etc/passwd file owner and permission settings              Critical
                                 U-8   /etc/shadow file owner and permission settings              Critical
....                             ...   .....
Service management               U-19  Finger service disabled                                     Critical

Source: Critical Information Infrastructure vulnerability analysis/evaluation criteria (Ministry of Science, ICT and Future Planning)
Using scripts

Shell script
- Unix/Linux operating systems
- File type: .sh
- Executable on Unix/Linux and Mac OS; not executable on Windows

Batch file
- Windows command interpreter
- File type: .bat
- Windows only

Python
- Executable on Linux, Windows and Mac OS
- Requires installing third-party (free) software
- File type: .py
- Can create/delete files and run software
Figure: UNIX/LINUX vulnerabilities, vulnerability count (counts paired with items in extraction order): Set account lockout threshold 23; inetd.conf permission setting 22; connection IP and port restrictions 22; set file and directory permissions 18; SUID/SGID file check 18.
Figure: Windows vulnerabilities, vulnerability count: Hard-disk default shares 19; Administrator account name change 18; set the account lockout threshold 18; NetBIOS bindings (service-driven) 18; disable anonymous enumeration of SAM accounts and shares 16.
Figure: Network vulnerability count: Apply anti-spoofing filtering 10; session timeout setting 6; patch updates 6; shut down unused interfaces 6; password complexity settings 4.
Figure: Security equipment vulnerability count: Change default account 13; security equipment account management 10; detection/warning settings 10; permission settings 9; session timeout settings 7.
Figure: DBMS vulnerability count: Password length and complexity 12; access, change, or deletion of the database audit trail 6; change default account passwords and policies 5; system-table access by users other than the DBA 4; DB admin accounts and groups 3.
Figure: PC vulnerability count: Remove unnecessary services 25; password policy setting 17; remove shared folders 17; turn off AutoPlay for CD/DVD/USB 12; screen saver set to 5 to 10 minutes with password required on resume 8.
Figure: WEB vulnerability count: Cross-site scripting 15; plaintext data transfer 13; information leakage 12; missing process validation 11; administrator page exposure 6.
Set the account lockout threshold

■ SunOS (5.9 and earlier)
1. Open /etc/default/login with vi
2. Insert or modify: (before) #RETRIES=2 -> (fix) RETRIES=5

■ SunOS (5.9 and later)
1. Open /etc/default/login with vi
2. Insert or modify: (before) #RETRIES=2 -> (fix) RETRIES=5
3. Open /etc/security/policy.conf with vi
4. Insert or modify: (before) #LOCK_AFTER_RETRIES=NO -> (fix) LOCK_AFTER_RETRIES=YES

■ LINUX
1. Open /etc/pam.d/system-auth with vi
2. Insert or modify:
   auth     required   /lib/security/pam_tally.so deny=5 unlock_time=120 no_magic_root
   account  required   /lib/security/pam_tally.so no_magic_root reset

Option          Description
no_magic_root   Do not exempt root from the lock (by default uid 0 is not counted)
deny=5          Lock the account after 5 failed password attempts
unlock_time     Seconds after which a locked account is unlocked automatically
reset           Reset the failed-attempt counter after a successful login

Note: pam_tally.so is the module the guide edits; newer distributions replaced it with pam_tally2.so and then pam_faillock.so, which take the same deny= and unlock_time= options. Check which module the system ships before editing, and test with a non-root account so an over-strict deny= does not lock out every administrator at once.

■ AIX
1. Open /etc/security/user with vi
2. Insert or modify: (before) loginretries = 0 -> (fix) loginretries = 5

■ HP-UX
1. Open /tcb/files/auth/system/default with vi
2. Insert or modify: (before) u_maxtries# -> (fix) u_maxtries#5
   Note: the HP-UX server must be converted to Trusted Mode first.
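The Linux step above edits system-auth by hand; the following Python script, added to this page as an example (it is not a script from the guide), checks the result. It accepts the guide's pam_tally.so as well as the later pam_tally2.so and pam_faillock.so modules, requires an explicit deny= of at most 5 (the guide's own value), and treats commented-out lines as inactive. The two embedded configurations are constructed samples; pass the path of the live file as an argument to audit a real host.

```python
"""Audit the Linux account-lockout setting (checklist item U-3).

Added example for this page, not the guide's own script.  It reads the text
of /etc/pam.d/system-auth and reports whether an 'auth' line loads a lockout
module with an explicit deny= threshold of at most 5, the value the guide
sets.  Module names and option keywords are real; the sample configurations
below are constructed for the demonstration.
"""
import sys

MAX_DENY = 5
# pam_tally.so is what the guide edits; pam_tally2.so and pam_faillock.so
# replaced it on later distributions and use the same deny=/unlock_time= options
LOCKOUT_MODULES = ("pam_tally.so", "pam_tally2.so", "pam_faillock.so")


def parse_pam_lockout(pam_text):
    """Return the settings of the first active 'auth' line that loads a
    lockout module, or None when no such line is in effect."""
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # comments and blanks are not active
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        module = fields[2].rsplit("/", 1)[-1]      # '/lib/security/pam_tally.so' -> 'pam_tally.so'
        if module not in LOCKOUT_MODULES:
            continue
        # options are 'key=value' pairs or bare flags such as no_magic_root
        opts = dict(f.split("=", 1) if "=" in f else (f, None) for f in fields[3:])
        return {
            "module": module,
            "deny": int(opts["deny"]) if opts.get("deny") else None,
            "unlock_time": int(opts["unlock_time"]) if opts.get("unlock_time") else None,
            "no_magic_root": "no_magic_root" in opts,
        }
    return None


def lockout_compliant(pam_text, max_deny=MAX_DENY):
    """True only when a lockout module is active and its deny= is explicit
    and at most max_deny; a missing deny= counts as not configured."""
    cfg = parse_pam_lockout(pam_text)
    return cfg is not None and cfg["deny"] is not None and cfg["deny"] <= max_deny


# Constructed samples (not taken from a real host)
SAMPLE_FIXED = """\
auth        required      pam_env.so
auth        required      /lib/security/pam_tally.so deny=5 unlock_time=120 no_magic_root
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      /lib/security/pam_tally.so no_magic_root reset
"""

SAMPLE_WEAK = """\
auth        required      pam_env.so
# auth      required      pam_tally2.so deny=5 unlock_time=120   (left commented out)
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
"""

if __name__ == "__main__":
    # Audit the live file when a path is given, otherwise the two samples
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            targets = [(sys.argv[1], fh.read())]
    else:
        targets = [("sample fixed", SAMPLE_FIXED), ("sample weak", SAMPLE_WEAK)]
    for name, text in targets:
        verdict = "PASS" if lockout_compliant(text) else "FAIL"
        print(f"{verdict} {name}: {parse_pam_lockout(text)}")
```

The SunOS, AIX and HP-UX files in the procedure are key=value stanzas rather than PAM lines, so this parser does not apply to them verbatim; the same pattern (strip comments, find the active line, compare the threshold) does.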
/etc/(x)inetd.conf permission setting

■ SunOS, LINUX, AIX, HP-UX: set /etc/inetd.conf to owner root, permissions 600
   # chown root /etc/inetd.conf
   # chmod 600 /etc/inetd.conf

■ LINUX (xinetd): set /etc/xinetd.conf to owner root, permissions 600
   # chown root /etc/xinetd.conf
   # chmod 600 /etc/xinetd.conf
   Apply the same owner and permissions to every file under /etc/xinetd.d/
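A check for the owner and permission items (U-7, U-8 and the inetd/xinetd files above), added here as an example rather than taken from the guide. A file passes only when it is owned by the expected user and has no permission bit outside the maximum, so 640 fails against a 600 target even though it is "close"; the target list carries the guide's values, the audit also walks /etc/xinetd.d/, and the self-test uses a temporary file owned by the current user so it runs without root.

```python
"""Check owner and permission bits of security-sensitive files (U-7, U-8,
inetd/xinetd configuration).

Added example, not from the original guide.  Expected values follow the
guide: /etc/passwd root 644, /etc/shadow root 400, /etc/(x)inetd.conf root
600, and every file under /etc/xinetd.d/ root 600.  A file passes when it is
owned by the expected user and grants no bit the maximum mode does not grant.
"""
import os
import pwd
import stat
import tempfile

# (path, owner, maximum permitted mode); the values are the guide's targets
TARGETS = [
    ("/etc/passwd", "root", 0o644),
    ("/etc/shadow", "root", 0o400),
    ("/etc/inetd.conf", "root", 0o600),
    ("/etc/xinetd.conf", "root", 0o600),
]


def owner_name(uid):
    """User name for a uid, falling back to the number when there is no
    passwd entry (common for arbitrary uids inside containers)."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_owner_mode(path, owner, max_mode):
    """Return (ok, detail).  ok is False when the file is missing, owned by
    someone else, or has any permission bit outside max_mode (e.g. 640 when
    600 is the maximum); True otherwise."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "missing"
    actual_owner = owner_name(st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~max_mode                     # bits granted beyond the maximum
    if actual_owner != owner:
        return False, f"owner {actual_owner}, expected {owner}"
    if extra:
        return False, f"mode {mode:o} exceeds {max_mode:o} (extra bits {extra:o})"
    return True, f"owner {actual_owner}, mode {mode:o}"


def audit(targets=TARGETS, xinetd_dir="/etc/xinetd.d"):
    """Run the checks over the target list and, if present, every regular
    file in xinetd_dir; return a list of (path, ok, detail)."""
    results = [(p, *check_owner_mode(p, o, m)) for p, o, m in targets]
    if os.path.isdir(xinetd_dir):
        for name in sorted(os.listdir(xinetd_dir)):
            p = os.path.join(xinetd_dir, name)
            if os.path.isfile(p):
                results.append((p, *check_owner_mode(p, "root", 0o600)))
    return results


def self_test_with_tempfile():
    """Demonstrate the check on a constructed temporary file owned by the
    current user: 640 fails against a 600 maximum, 600 passes, and a wrong
    owner fails.  Returns (weak_ok, fixed_ok, wrong_owner_ok)."""
    me = owner_name(os.getuid())
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o640)
        weak = check_owner_mode(path, me, 0o600)[0]
        os.chmod(path, 0o600)
        fixed = check_owner_mode(path, me, 0o600)[0]
        wrong_owner = check_owner_mode(path, "no-such-owner-for-this-test", 0o600)[0]
    finally:
        os.unlink(path)
    return weak, fixed, wrong_owner


if __name__ == "__main__":
    for path, ok, detail in audit():
        print("PASS" if ok else "FAIL", path, detail)
```

Running it as root prints one PASS/FAIL line per target; a FAIL line shows the exact extra bits, which is the information needed to write the corresponding chmod.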
Remove the hard-disk default shares

■ Windows NT
1. Programs > Administrative Tools > Server Manager > Shared Directories > select the share > Stop Sharing

■ Windows 2000, 2003, 2008
1. Start > Run > fsmgmt.msc > Shares > select the default shares (C$, D$, ADMIN$, ...) > Stop Sharing
   From the command line: net share <share name> /delete (removes the share; it is recreated at the next boot unless step 2 is also done)
2. Start > Run > regedit > under HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters set the value AutoShareServer (Windows NT: AutoShareWks) to 0 (REG_DWORD; create it if it does not exist)
   To raise the security level further, block ports 135 to 139 (TCP/UDP) on firewalls and routers, and 445/TCP as well, since Windows 2000 and later serve SMB directly on it; Windows 2008 is an exception.

Rename the Administrator account

■ Windows NT, 2000, 2003, 2008
1. Start > Programs > Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options
2. Set "Accounts: Rename administrator account" to a name that is difficult to guess
Apply anti-spoofing filtering

■ CISCO
1. Enter global configuration mode
2. access-list <number> deny ip 127.0.0.0 0.255.255.255 any
3. access-list <number> deny ip 224.0.0.0 31.255.255.255 any
4. access-list <number> deny ip host 0.0.0.0 any
5. access-list <number> permit ip any any
The list drops packets whose source claims to be loopback (127.0.0.0/8), multicast or class E (224.0.0.0/3), or the unspecified address 0.0.0.0. It takes effect only once applied inbound on the external interface (ip access-group <number> in). RFC 1918 ranges and the organization's own prefixes are not covered and should be added on an Internet-facing interface.

■ Juniper
1. Configure the firewall filter ([edit firewall]):
firewall {
    filter filter-name {
        term term-name {
            accounting-profile name;
            from {
                source-address 127.0.0.0/8;
                source-address 224.0.0.0/3;
                source-address 0.0.0.0/32;
            }
            then {
                discard;
            }
        }
        term accept-rest {
            then accept;
        }
    }
}
Do not write 0.0.0.0/0 as a source-address here: in Junos that matches every source, so the term would discard all traffic. A Junos filter ends with an implicit discard, which is why the final accept term (the name accept-rest is only illustrative) is required; without it, everything the first term did not match is dropped as well.
2. Apply the filter ([edit interfaces interface-name unit logical-unit-number family inet]):
interfaces {
    interface-name {
        unit logical-unit-number {
            family inet {
                filter {
                    input filter-name;
                    output filter-name;
                }
            }
        }
    }
}
Anti-spoofing is an ingress control: the input direction on the external interface is the one that matters.
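To see exactly what the access list above matches, the following Python script (an added example, not configuration from the guide) converts the Cisco wildcard masks to prefixes and evaluates the rules in order, the way IOS does, over a handful of constructed source addresses. It shows that 224.0.0.0 31.255.255.255 is 224.0.0.0/3 (multicast plus class E), that host 0.0.0.0 is a /32, and that private addresses pass the list untouched.

```python
"""Evaluate the guide's anti-spoofing access list against sample sources.

Added example, not from the guide.  Converts Cisco 'address wildcard' pairs
to prefixes and walks the rules first-match, as IOS does.  The rule list
mirrors the Cisco configuration on this page; the sample addresses are
constructed.
"""
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Cisco 'addr wildcard' -> ip_network.  Wildcard bits set to 1 are
    'don't care'; only contiguous wildcards (a real prefix) are accepted."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


# The guide's rules, in order: (action, source network)
ANTI_SPOOF_ACL = [
    ("deny", wildcard_to_network("127.0.0.0", "0.255.255.255")),   # loopback /8
    ("deny", wildcard_to_network("224.0.0.0", "31.255.255.255")),  # multicast + class E, /3
    ("deny", ipaddress.ip_network("0.0.0.0/32")),                  # 'host 0.0.0.0'
    ("permit", ipaddress.ip_network("0.0.0.0/0")),                 # 'permit ip any any'
]


def acl_action(src, acl=ANTI_SPOOF_ACL):
    """First-match evaluation; an ACL with no matching entry denies implicitly."""
    ip = ipaddress.ip_address(src)
    for action, net in acl:
        if ip in net:
            return action
    return "deny"


# Constructed samples: spoofed sources the list must block, plus normal ones
SAMPLES = ["127.0.0.1", "239.255.255.250", "255.255.255.255", "0.0.0.0",
           "8.8.8.8", "10.0.0.1"]

if __name__ == "__main__":
    for action, net in ANTI_SPOOF_ACL:
        print(f"{action:6} {net}")
    for src in SAMPLES:
        print(f"{src:16} -> {acl_action(src)}")
```

The last sample (10.0.0.1, an RFC 1918 address) is permitted, which is the gap noted above; extend the rule list with the private ranges and the site's own prefixes before relying on it at the Internet edge.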
Session timeout setting

■ SunOS
1. Open /etc/default/login with vi
2. Insert or modify: TMOUT=600 (unit: seconds) and export TMOUT
   Note: /etc/default/login is read by login(1), not by the user's shell (its own TIMEOUT variable only limits how long the login prompt waits). For the idle timeout to reach interactive shells, put the same two lines in /etc/profile as for LINUX below.

■ LINUX, AIX, HP-UX
- For sh (Bourne shell), ksh (Korn shell), bash (Bourne-again shell):
  1. Open /etc/profile (or .profile) with vi
  2. Insert or modify: TMOUT=600 (unit: seconds) and export TMOUT
     Adding readonly TMOUT afterwards stops users from unsetting it in their own shell.
- For csh:
  1. Open /etc/csh.login or /etc/csh.cshrc with vi
  2. Insert or modify: set autologout=10 (unit: minutes)
Change the default IDs

■ Configuration: replace the default administrator accounts of the security equipment with individually named accounts.

Set the detection and warning function

■ Configuration: 24/7 monitoring with e-mail or SMS warnings configured.
Set the password lifetime and complexity

■ Oracle
1. Change the PASSWORD_LIFE_TIME parameter of the profile:
   SQL> ALTER PROFILE <profile> LIMIT PASSWORD_LIFE_TIME <days>;
2. Assign the profile to the user:
   SQL> ALTER USER <user> PROFILE <profile>;
3. Create a profile with the password settings:
   SQL> CREATE PROFILE grace_5 LIMIT
          FAILED_LOGIN_ATTEMPTS 3                     -- lock after 3 failed logins
          PASSWORD_LIFE_TIME 30                       -- the password may be used for 30 days
          PASSWORD_REUSE_TIME 30                      -- a password may be reused after 30 days
          PASSWORD_VERIFY_FUNCTION verify_function    -- complexity check; created by running utlpwdmg.sql (the function name varies by Oracle version)
          PASSWORD_GRACE_TIME 5;                      -- warn for 5 days after expiry

■ MSSQL
1. If the password change period is not set to 60 days or less, set the password change period. In MSSQL, checking "Enforce password expiration" makes periodic change possible; the change period itself comes from the OS "Password policy", so "Password policy > Maximum password age" must be changed as well.
2. Enforce password expiration: [Security] > [Logins] > [each login account] > [Properties] > Enforce password expiration: set (checked)

■ MySQL
The password can be set in either of the following ways:
   mysql> use mysql
   mysql> update user set password=password('new password') where user='user name';
   mysql> flush privileges;
or
   mysql> set password for 'user name'@'%'=password('new password');
   mysql> flush privileges;
Both forms rely on the PASSWORD() function and the mysql.user.password column, which exist only up to MySQL 5.7.5; on 5.7.6 and later use ALTER USER 'user name'@'%' IDENTIFIED BY 'new password' instead. Neither statement enforces length or complexity; that requires the validate_password plugin in addition.
Record the audit history of DB access, changes, and deletions

■ Oracle: establish a database audit trail policy and a backup policy for the trail.
■ MSSQL: establish a database audit trail policy and a backup policy for the trail.
∎ MSSQL 2000, DB access security audit setting: [SQL Server] > [Properties] > [Security] tab > [Audit level]: select "All"
∎ MSSQL 2005/2008/2012: [server instance] > right-click > [Properties] > [Security] page > [Login auditing]: select "Both failed and successful logins"
Remove unnecessary services

■ Windows XP, Windows 7
1. Control Panel > Administrative Tools > Services > select the service > Properties (or Start > Run > services.msc > select the service > Properties)
2. For an unnecessary service: Stop the service and set Startup type to Disabled

Service list

Unnecessary services (candidates for disabling):
- Alerter
- ClipBook
- Computer Browser
- DHCP Client
- FTP Publishing Service
- Internet Connection Sharing Service
- Indexing Service
- Infrared Monitor Service
- Messenger
- Net Logon
- Network DDE
- Network DDE DSDM
- NetMeeting Remote Desktop Sharing Service
- Print Spooler
- Remote Registry Service
- Routing and Remote Access Service
- Simple TCP/IP Service
- SMTP Service
- Task Scheduler Service
- TCP/IP NetBIOS Helper
- Terminal Service

Minimal services for Windows operation (keep running):
- Logical Disk Manager
- Network Connections
- NTLM Security Support Provider
- Plug and Play
- Server
- Workstation
- Removable Storage
- Security Accounts Manager
- Windows Management Instrumentation
- Windows Management Instrumentation Driver Extensions
- WMDM PMSP Service
- Application Management

Confirm each service is genuinely unused on the host before disabling it: DHCP Client, Net Logon, Print Spooler and Task Scheduler in the first list are required on DHCP-addressed, domain-joined, printing or scheduled-job hosts respectively.
Password policy settings

■ Windows XP, Windows 7
1. Control Panel > Administrative Tools > Local Security Policy > Security Settings > Account Policies > Password Policy
2. Set "Minimum password length" to 8 characters
3. Using the command line (Windows XP, 7): Start > Run > cmd.exe > net accounts /MINPWLEN:8
Cross-site scripting

■ Security settings
1. Restrict HTML and JavaScript tags; filtering is required
2. Filter titles, comments, queries, and every form field and parameter value
3. Implement the filtering logic on the server with trim and replace functions
   Filtering targets in the input values:
   • the script tags defined in the guide's tag list
   • special characters: the angle brackets, ", ', &, %, %00 (null)
   Input filtering alone is a weak control: encode every untrusted value for the context it is written into (HTML text, attribute, JavaScript, URL) at output time as well.

∎ ASP
(example not reproduced on this page)

∎ PHP
... omission ...
if($use_html == 1) // if part of the HTML tags are to be allowed
    $memo = str_replace("  (the snippet is cut off here)

∎ JSP
(example not reproduced on this page)
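The guide's measure is server-side filtering with replace functions. The Python example below, added here and not taken from the guide or its ASP/PHP/JSP samples, contrasts three approaches on constructed attack strings: a literal replace of known tags (the `str_replace` style), a sturdier case-insensitive reject-list that is re-applied until nothing changes, and output encoding with the standard library's html.escape. The blocked-tag list is an assumption made for the demonstration, since the guide's own list is not reproduced on this page.

```python
"""Blacklist filtering versus output encoding for cross-site scripting.

Added example, not code from the guide.  Shows why a replace-based tag
blacklist is easy to slip past (case, attributes, nested fragments) and why
encoding at output time is the reliable control.  html.escape is the
standard-library encoder; BLOCKED_TAGS, the sample inputs and the render
function are constructed for this demonstration.
"""
import html
import re

BLOCKED_TAGS = ("script", "object", "applet", "embed", "iframe", "form")  # assumed list


def blacklist_filter(value):
    """The literal-replace style: strip exact opening/closing tags only."""
    for tag in BLOCKED_TAGS:
        value = value.replace(f"<{tag}>", "").replace(f"</{tag}>", "")
    return value.strip()


def strict_filter(value):
    """A sturdier reject-list: case-insensitive, tolerates attributes, and is
    re-run until the text stops changing so that nested fragments such as
    <scr<script>ipt> cannot reassemble into a tag after one pass."""
    pattern = re.compile(r"</?\s*(%s)\b[^>]*>" % "|".join(BLOCKED_TAGS), re.IGNORECASE)
    previous = None
    while previous != value:
        previous, value = value, pattern.sub("", value)
    return value.strip()


def encode_for_html(value):
    """Output encoding for the HTML text context: <, >, &, " and ' become
    entities, so whatever the filter missed is displayed, not executed."""
    return html.escape(value, quote=True)


def render_comment(value):
    """Write an untrusted value into the page; the encoding happens here,
    at output, regardless of what input filtering did earlier."""
    return f'<div class="memo">{encode_for_html(value)}</div>'


def still_executable(value):
    """Crude marker for filter output: is an opening script tag or an
    event-handler attribute still present in the raw text?"""
    return bool(re.search(r"<\s*script\b|\bon\w+\s*=", value, re.IGNORECASE))


# Constructed attack strings
SAMPLES = {
    "plain":     "<script>alert(1)</script>",
    "uppercase": "<SCRIPT>alert(1)</SCRIPT>",
    "attribute": "<script src=//evil.example>",
    "nested":    "<scr<script>ipt>alert(1)</scr</script>ipt>",
    "no_tag":    "<img src=x onerror=alert(1)>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} blacklist -> {blacklist_filter(raw)!r:45} "
              f"executable={still_executable(blacklist_filter(raw))}")
        print(f"{'':10} strict    -> {strict_filter(raw)!r:45} "
              f"executable={still_executable(strict_filter(raw))}")
        print(f"{'':10} rendered  -> {render_comment(raw)}")
```

Only the encoded output is safe for every sample: the literal replace misses the upper-case, attribute-bearing and nested forms, and even the stricter reject-list passes the no_tag sample because its list does not name img. Encoding is context-specific, so a value written into an attribute or a script block needs that context's encoder rather than html.escape alone.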
Plaintext data transmission

■ Recommendations
1. Send passwords, personal information, and account information over SSL/TLS only
2. Restrict storing cookies, passwords, and personal information on the client
KISA Cybersecurity guide
Link http://www.kisa.or.kr/public/laws/laws3.jsp
Critical Information Infrastructure vulnerability analysis/evaluation detailed guide
Link http://www.moi.go.kr/frt/bbs/type001/commonSelectBoardArticle.do?bbsId=BBSMSTR_000000000012&nttId=41297