Security for Broadcast IT Systems - PowerPoint PPT Presentation

1
Security for Broadcast IT Systems
  • William Dixon, V6 Security, Inc.
  • PBS ACE Security Lead
  • April 14, 2005

2
Agenda
  • Changes in Broadcast IT environment
  • Security Risk Assessment
  • Threat Modeling
  • Sources of Security Guidance
  • Recommendations for Broadcast IT vendors
  • Recommendations for PBS Stations
  • Note: Content is Microsoft focused, but generally
    applicable

3
Changes in New Broadcast IT Environment
  • Newer technology offers more functionality for
    same or less cost
  • Digital media, electronic files
  • Using general purpose computers
  • Client-server models for computing
  • Software-based integration of systems
  • TCP/IP network component communication
  • Internet connected
  • Lights-out remote management operation
  • Still use physical security for facility and
    equipment
  • Still trust your people

4
Microsoft Recommended Practice for Security Risk Assessment
  • Microsoft Security Risk Management Process, 15oct04
  • http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
  • New MS Press Book: Threat Modeling
  • http://www.microsoft.com/mspress/books/6892.asp
  • Threat Modeling for Developers
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp

5
Microsoft Recommended Practice: Threat Modeling
  • Analyze and document architecture
  • Objects: Assets, Applications, Data, People
  • Document Security Profile
  • Trust boundaries
  • Data Flow communications
  • Entry points
  • Privileged operations

6
Document Security Profile
  • Input Validation
  • Authentication
  • Authorization
  • Configuration Management
  • Sensitive Data
  • Session Management
  • Cryptography
  • Parameter manipulation
  • Exception management
  • Auditing and Logging

7
Microsoft Recommended Practice: Threat Modeling
  • Identify & rank threats with S.T.R.I.D.E.(S)
    analysis
  • Spoofing
  • Tampering
  • Repudiation
  • Information Disclosure
  • Denial of Service
  • Elevation of Privilege
  • (S)ocial Engineering
  • Example: Denial of Service possible due to blank
    admin passwords

8
Microsoft Recommended Practice: Threat Modeling
  • Use attack trees to identify how a top-level attack
    goal is composed of more detailed goals
  • Use attack patterns to help identify techniques
    for the detailed goals

9
Attack Tree Example
  • 5.3. Gain privileged access to ACME Web server
    AND 1. Identify ACME domain name
        2. Identify ACME firewall IP address
           OR 1. Interrogate domain name server
              2. Scan for firewall identification
              3. Trace route through firewall to Web server
        3. Determine ACME firewall access control (see attack pattern)
           OR 1. Search for specific default listening ports
              2. Scan ports broadly for any listening port
        4. Identify ACME Web server operating system and type
           OR 1. Scan OS services banners for OS identification
              2. Probe TCP/IP stack for OS characteristic information
        5. Exploit ACME Web server vulnerabilities
           OR 1. Access sensitive shared intranet resources directly
              2. Access sensitive data from privileged account
  • Source: Moore et al. http://www.cert.org/archive/pdf/01tn001.pdf
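
The AND/OR decomposition on this slide can be evaluated mechanically to see which countermeasures actually defeat the top-level goal. The following is an added example, not part of the original presentation or of Moore et al.; the names `Node`, `achievable`, `scenarios` and `cut_sets` are this example's own, and the goal strings are copied from the slide.

```python
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Node:
    goal: str
    op: str = "LEAF"                      # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)

def AND(goal, *kids): return Node(goal, "AND", list(kids))
def OR(goal, *kids):  return Node(goal, "OR", list(kids))

# Tree from the slide (goal text from the slide; the structure is this example's own).
ACME = AND("Gain privileged access to ACME Web server",
    Node("Identify ACME domain name"),
    OR("Identify ACME firewall IP address",
        Node("Interrogate domain name server"),
        Node("Scan for firewall identification"),
        Node("Trace route through firewall to Web server")),
    OR("Determine ACME firewall access control",
        Node("Search for specific default listening ports"),
        Node("Scan ports broadly for any listening port")),
    OR("Identify ACME Web server operating system and type",
        Node("Scan OS services banners for OS identification"),
        Node("Probe TCP/IP stack for OS characteristic information")),
    OR("Exploit ACME Web server vulnerabilities",
        Node("Access sensitive shared intranet resources directly"),
        Node("Access sensitive data from privileged account")))

def achievable(node, blocked):
    """Can the goal still be reached once countermeasures deny every goal in `blocked`?"""
    if node.goal in blocked:
        return False
    if node.op == "LEAF":
        return True
    results = [achievable(c, blocked) for c in node.children]
    return all(results) if node.op == "AND" else any(results)

def _expand(node, product_op):
    """Sets of leaf goals: cross-product under `product_op`, list of alternatives otherwise."""
    if node.op == "LEAF":
        return [frozenset([node.goal])]
    parts = [_expand(c, product_op) for c in node.children]
    if node.op == product_op:
        return [frozenset().union(*combo) for combo in product(*parts)]
    return [s for part in parts for s in part]

def scenarios(node):
    """Each result is one complete set of leaf goals an intruder needs."""
    return _expand(node, "AND")

def cut_sets(node):
    """Each result is a set of leaf goals that, if all are denied, defeats the root goal."""
    return _expand(node, "OR")

if __name__ == "__main__":
    print(len(scenarios(ACME)), "scenarios;", len(cut_sets(ACME)), "cut sets")
    for cut in sorted(cut_sets(ACME), key=len):
        print(sorted(cut))
```

Denying only one alternative under an OR leaves the root goal reachable; a countermeasure counts only when it covers every alternative of some AND step.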

10
Attack Pattern Example
  • Goal: Identify firewall access controls
  • Precondition: Attacker knows firewall IP address
  • Attack Techniques:
    OR 1. Search for specific default listening ports
       2. Scan ports broadly for any listening ports
       3. Scan ports stealthily for listening ports
          OR 1. Randomize target of scan
             2. Randomize source of scan
             3. Scan without touching target host
  • Postcondition: Attacker knows firewall access
    controls
  • Source: Moore et al. http://www.cert.org/archive/pdf/01tn001.pdf

11
Attack Pattern Example
  • Attack goals: Command or code execution
  • Required conditions:
      • Weak input validation
      • Code from the attacker has sufficient privileges
        on the server
  • Attack techniques:
      1. Identify program on target system with an
         input validation vulnerability
      2. Create code to inject and run using the
         security context of the target application.
      3. Construct input value to insert code into the
         address space of the target application and force
         a stack corruption that causes application
         execution to jump to the injected code.
  • Attack results: Code from the attacker runs and
    performs malicious action
  • Source: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp

12
Microsoft Recommended Practice: Threat Modeling
  • Evaluate Risk with D.R.E.A.D.
  • Damage Potential (cost estimate)
  • Reproducibility (probability as 1-10)
  • Exploitability (probability as 1-10)
  • Affected Users (users as 1-10)
  • Discoverability (probability 1-10)
  • Rank risks by Probability and Damage Potential
  • Risk Rating scheme: High, Medium, Low

13
Document Threats
  • Threat description: Attacker obtains authentication
    credentials by monitoring the network
  • Threat target: Web application user authentication process
  • Risk rating: High (based on DREAD ranking)
  • Attack techniques: Use of commonly available network
    monitoring software
  • Countermeasures: Use SSL, IPsec end-to-end, or VPN to
    provide stronger authentication, or an encrypted channel
    through which weaker authentication methods are
    used (e.g. HTTP Basic, Digest)

14
Conduct Decision Support
  • Define Functional Requirements
  • Identify Control Solutions
  • Review Solution Against Requirements
  • Estimate Risk Reduction
  • Estimate Solution Cost
  • Select Risk Mitigation Strategy

15
Free Microsoft Security Training
  • https://www.microsoftelearning.com/security/
  • Free Security Courses - Updates for XP SP2 and
    Win2k3 SP1 soon.
  • Login w/.NET Passport ID, provide email address
  • Click on link provided in email
  • 180-day subscription activated
  • Clinic 2801: Microsoft Security Guidance
    Training I
  • Clinic 2802: Microsoft Security Guidance
    Training II
  • Clinic 2806: Microsoft Security Guidance
    Training for Developers
  • Hands-On Lab 2811: Applying Microsoft Security
    Guidance Training
  • Choose Content tab. Watch each section, or
    download offline player and course for offline
    viewing

16
Microsoft Security Guidance
  • Microsoft.com/security - guidance for Home, Small
    Business, IT Pro, Developer
  • Technet Security Centers for many products
  • http://www.microsoft.com/technet/Security/prodtech/default.mspx
  • Microsoft Security Guides for Win2k, XP and
    Server 2003
  • Expect problems if applying high security
    templates
  • Enterprise client template should not cause too
    many problems
  • Threats and Countermeasures Guide
  • Details on threats and each security setting

17
Microsoft Security Guidance
  • KB 885409: Security configuration guidance
    support - 9nov04
  • Discusses problems with particular settings that
    break applications or Windows services
  • If you use 3rd party templates, contact them for
    support
  • KB 891597: How to apply more restrictive security
    settings on a Windows Server 2003-based cluster
    server - 18feb05
  • Provides discussion & new security template
    tested for clusters

18
FCC Security Guidance
  • FCC Media Security And Reliability Council
  • http://www.mediasecurity.org/msrcmeetings/index.html
  • Note: Communications Infrastructure Security,
    Access and Restoration Committee
  • Best Practice Recommendations
  • FCC Network Reliability and Interop Council
  • http://www.nric.org/fg/index.html
  • Note: Homeland Security Cybersecurity focus group
  • Best Practice Recommendations

19
IT Best Practices: NIST
  • US Government Natl Institute of Standards &
    Technology (NIST)
  • Cybersecurity R&D Act directed NIST to develop
    checklists and Security Technical Implementation
    Guides (STIG)
  • Operates Computer Security Resource Center (CSRC)
  • http://csrc.nist.gov/itsec/
  • NOTE: Windows XP Security Guide 800-68 published
    Jun04
  • Important because it is a collaboration of NIST,
    Microsoft, CIS, DISA and NSA

20
Recent NIST CSRC Guides: DISA
  • Application Security Checklist DISA 2/17/05
  • Desktop Application STIG DISA 2/14/05
  • Desktop Application Security Checklist v1r1.7
    DISA 2/17/05
  • Macintosh OS-X STIG v1r1 DISA 11/24/04
  • UNIX Security Checklist DISA 2/17/05
  • Web Server Security Checklist Version 4, Release
    1.4 DISA 2/17/05
  • Windows 2000 Security Checklist DISA 2/17/05
  • Windows NT Security Checklist DISA 2/17/05
  • Windows XP Security Checklist DISA 2/17/05
  • Windows 2003 Addendum Version 4, Release 0.0
    DISA 2/17/05

21
IT Best Practices: NSA
  • OS Security guides for Windows 2000, Windows XP
  • None for Windows Server 2003: use Microsoft's
  • The "High" security settings in Microsoft's
    "Windows Server 2003 Security Guide" track
    closely with the security level historically
    represented in the NSA guidelines. It is our
    belief that this guide establishes the latest
    best practices for securing the product and
    recommend that traditional customers of our
    security recommendations use the Microsoft guide
    when securing Windows Server 2003
  • Microsoft .NET Framework Security Guide (Oct 04)
  • Microsoft Office XP/2003 Executable Content
    Security Risks and Countermeasures Guide (Oct 04)
  • Apple Mac OS Security Configuration Guide
  • Linux Security Configuration Guide
  • Solaris Security Configuration Guide
  • Online at
  • http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1

22
Call to Action for Broadcast IT Vendors
  • Use current, commercially supported platforms
  • Red Hat Enterprise Linux 3.0
  • Windows XP Pro or Embedded version
  • Windows Server 2003 or Embedded version
  • Plan on testing patch updates within 7 days of
    patch availability
  • Plan to test on beta or release candidates of
    service packs
  • Write applications as a background
    process/service, not a user application

23
Call to Action for Broadcast IT Vendors
  • Review & improve security of products
  • Analyze security attack surface, threat model
    for your product
  • Document security profile for customers
  • Practice secure design & implementation
  • Writing Secure Code 2nd Edition, Michael Howard,
    David LeBlanc
  • Require authentication for all network access
  • Strong protection for passwords in network
    traffic
  • Evaluate/adopt a baseline security for standard
    product release
  • Apply OS hardening, minimize services
  • Use system security vulnerability assessment
    tools (e.g. MBSA)
  • Use secure remote administration connections
  • Admin level access protected to higher degree
  • Every packet signed & encrypted
  • 2-factor auth capable protocols where possible
  • Use SSL/TLS, SSH, PPTP/L2TP/IPsec VPN, Windows
    Terminal Services
  • Change embedded passwords during
    installation/setup, at least per site

24
Call to Action for PBS Member Stations
  • Understand that internal systems might be
    infected via TCP/IP network connections
  • Must secure internal, external clients and
    servers
  • Secure external communications
  • IPsec or VPN tunnel for all access into secure
    area
  • Use strong passwords!
  • Protect passwords from theft!
  • Prevent laptops from directly connecting inside
    secure area
  • Very careful, trained configuration and change
    control of core security devices (e.g. firewall,
    VPN server)
  • Request security information from vendors
  • Try Microsoft Security Risk Management Process
  • Designate someone to learn security
    administration
  • Train users & operators for security awareness

25
Backup Details

26
Windows Client Security Summary
  • Member of an Active Directory domain - for better
    management through Group Policy
  • User not administrator if possible, uses strong
    password
  • Automatic updates enabled - either through
    Windows Update, Update Services or Systems
    Management Server (SMS)
  • Anti-virus - set for autoupdate of definitions
    daily and periodic full scans
  • Anti-spyware - set for autoupdate of definitions
    and periodic full scans
  • Windows Firewall on - exceptions disabled by
    default
  • Enterprise client security template applied for
    hardening (update with new XP SP2 settings)
  • Additional administrative template
    settings should be developed
  • Software restriction policies should be
    configured
  • NTFS and Encrypting File System used to protect
    confidential data after theft
  • Centralized monitoring with MACS, MOM, SMS,
    Systems Center or 3rd party
  • System backup - Automatic System Restore enabled
    in XP, full disk remote backup, remote backups
    daily for user data
  • Domain startup script run to check status of
    these daily or weekly
  • http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

27
Additional Microsoft Security Help
  • Technet IT Pro Security Community Page
  • http://www.microsoft.com/technet/community/en-us/security/default.mspx
  • Lots of news groups
  • MS IT Security Papers
  • http://www.microsoft.com/technet/itsolutions/msit/default.mspx#EDBAAA
  • PSS Support Webcasts
  • TCP/IP port and process auditing: Tuesday,
    December 14, 2004
  • TechNet Support WebCast: How to isolate servers
    and applications, March 22 2005 10am Pacific
  • See http://support.microsoft.com/pwebcasts

28
Windows Server SP1 Released
  • Top reasons to use SP1
  • Reduced attack surface, higher default security
    for RPCs and DCOM
  • New Security Configuration Wizard (SCW) -
    whitepapers coming soon
  • More secure new installations by Post-Setup
    Security Update to block incoming traffic while
    and until latest patches are installed
  • Windows Firewall replaces Internet Connection
    Firewall
  • Group policy for Windows Firewall added in Active
    Directory
  • RRAS VPN Server Quarantine capabilities, see
    http://www.microsoft.com/vpn
  • IIS 6.0 auditing for XML configuration metabase
  • Additional IE hardening
  • http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/default.mspx

29
Technet webcast for Security Configuration Wizard available
  • Join this session as we walk you through the
    Wizard end-to-end, focusing on role-based server
    configuration, security configuration template
    design and development, and security
    configuration deployment. We will demonstrate the
    technologies as well as go in depth on
    customization of SCW and how to customize the
    database to support non-Microsoft applications
  • http://msevents.microsoft.com/cui/WebCastEventDetails.aspx?EventID=1032268013&EventCategory=5&culture=en-US&CountryCode=US

30
Active Directory Security Links
  • AD Security Center
  • http://www.microsoft.com/technet/security/prodtech/ActiveDirectory.mspx
  • Best Practice Guides for Securing Active
    Directory
  • Windows Server 2003 Best Practice Guide for
    Securing Windows Server Active Directory
    Installations (Jan 8 2004)
    http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx
  • Windows 2000 Best Practice Guide for Securing
    Active Directory Installations and Day-to-Day
    Operations (Feb 28 2004)
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/default.mspx
  • Securing DNS Zone transfers in Windows Server
    2003
  • http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbd_dns_wzwd.asp
  • Active Directory in Segmented Networks
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en
  • Provides detail for how to use IPsec to secure
    all traffic between AD servers
  • TCP/IP Exploits and Countermeasures
  • http://www.microsoft.com/technet/security/prodtech/windows2000/secmod150.mspx

31
Windows tools for investigating problems with hardening
  • Full System Backup with ASR Diskette/CD
  • Many changes cannot be undone by SCE or SCW
    rollback, such as registry and file ACLs
  • System Restore could try checkpoint prior to
    hardening. Not sure if it can undo everything
  • Backup Windows event logs to baseline behaviors
    prior to hardening. Make logs bigger.
  • Network Sniffers
  • Windows Netmon: light version in Win2k or Win2k3
    as an optional-install networking component. Full
    version in Systems Management Server
  • Ethereal (open source): http://www.ethereal.com/
  • Dependency Walker (depends.exe, XP or Win2k3
    Resource Kit)
  • Portqry.exe v2.0 port scanning tool - see KB
    832919
  • Port Reporter installs as service to monitor
    app port usage - see KB 837243
  • If Windows Firewall or IPsec filters are blocking
    UDP ports, watch out for false "port open"
    messages from remote port scanning tools. Some
    scan tools expect an ICMP destination port
    unreachable packet in response. Sniff to confirm
    what the tool reports
  • Group Policy Resultant Set of Policy (RSoP) MMC
    snapin shows where a setting is being defined
  • Set auditing for failure on registry keys, look
    for errors in Security Log
  • Tlist.exe process viewer (DDK debugging tools)
  • File Monitor (sysinternals.com)
  • Registry Monitor (sysinternals.com)
  • Process Explorer (sysinternals.com)

32
Developer References
  • Creating a simple Win32 service in C
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndllpro/html/msdn_ntservic.asp
  • MSDN About Services development help
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/about_services.asp
  • Example of installing an application as a
    service
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/exchserv/html/example_0001.asp
  • Microsoft Security Risk Management Process, 15oct04
  • http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/default.mspx
  • New MS Press Book: Threat Modeling
  • http://www.microsoft.com/mspress/books/6892.asp
  • Threat Modeling for Developers
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod76.asp