Patch third-party applications

Operating System Security
CHAPTER 12
2808ICT INFORMATION MANAGEMENT
1
Bigger Picture
Security Technologies
Cryptographic Tools
(Chapter 2)
Access Control
(Chapter 4)
User Authentication
(Chapter 3)
Security Planning
(Chapter 15)
Risk Assessment
(Chapter 14)
Software Security
(Chapter 11)
Web Security
Operating System
Security
(Chapter 12)
Computer Security Overview (Chapter 1)
Week 1
Week 2
Week 3
Week 6
Week 4
Week 5
Week 3
Week 2
Week 1
Security Management Security Domains
2
Learning Objectives
At the end of this lecture, you should be able to:
 List the top 4 security strategies
 Describe the steps required for operating system hardening
 Explain the concept of the Bell-LaPadula model
 Identify security maintenance tasks
3
Strategies
 The 2017 Australian Signals Directorate (ASD): Over 85% of the targeted
cyber intrusions investigated by ASD could be mitigated by four strategies:
 White-list approved applications
 Patch third-party applications (Flash, browsers, MS Office, Java)
 Restrict administrative privileges
 Patch operating systems
https://ift.tt/2wqF6kF
mitigationstrategies.htm
4
Operating System Security Layers
Operating System (OS) Configuration
 Default OS configuration maximises ease of use and
functionality, rather than security
 Configuration needs differ according to the needs of different
organisations
5
Operating Systems Security
1. Install and patch the operating system
6
Initial Setup and Patching
Ideally new
systems
should be
constructed
on a
protected
network
Initial
installation
should install
the minimum
necessary for
the desired
system
Overall boot
process must
also be
secured
Take care with
installing thirdparty device
drivers
Critical that the
system be kept
up to date, with
all critical
security related
patches installed
Patch on a test
system before
deploying in
production
7
Operating Systems Security
1. Install and patch the operating system
2. Harden and configure the operating system to adequately address the
identified security needs of the system by:
 Removing unnecessary services, applications, and protocols
8
If fewer software packages
are available to run, then
the risk is reduced
System planning process
should identify what is
actually required for a
given system
When performing the initial
installation the supplied
defaults should not be used
If additional packages are
needed later they can be
installed when they are
required
Remove
Unnecessary
Services,
Applications,
Protocols
9
Operating Systems Security
1. Install and patch the operating system
2. Harden and configure the operating system to adequately address the
identified security needs of the system by:
 Removing unnecessary services, applications, and protocols
 Configuring users, groups, and permissions
 Configuring resource controls
10
Bell-LaPadula (BLP) Model
 Formal model for access control
 Subjects and objects are assigned a security class (security level)
 top secret > secret > confidential > restricted > unclassified
 strategic > sensitive > confidential > public
 A subject has a security clearance
 An object has a security classification
11
BLP Model Properties
 No read up
 Subject can only read an object of equal or lower security level
 Referred to as the simple security property (ss-property)
 No write down
 Subject can only write into an object of equal or greater security level
 Referred to as the *-property
12
13
14
15
16
17
Operating Systems Security
1. Install and patch the operating system
2. Harden and configure the operating system to adequately address the
identified security needs of the system by:
 Removing unnecessary services, applications, and protocols
 Configuring users, groups, and permissions
 Configuring resource controls
3. Install and configure additional security controls, such as anti-virus, hostbased firewalls, and intrusion detection system (IDS)
18
 Anti-virus software
 Host-based firewalls
 IDS or IPS software
Install
Additional
Security
Controls
19
 Application white-listing:
 only applications specified explicitly on a list are allowed to run
 suitable for environments where set of required applications is
reasonably fixed
Further security possible by installing and configuring additional security tools:
Operating Systems Security
1. Install and patch the operating system
2. Harden and configure the operating system to adequately address the
identified security needs of the system by:
 Removing unnecessary services, applications, and protocols
 Configuring users, groups, and permissions
 Configuring resource controls
3. Install and configure additional security controls, such as anti-virus, hostbased firewalls, and intrusion detection system (IDS)
4. Test the security of the basic operating system to ensure that the steps
taken adequately address its security needs and to identify outstanding
vulnerabilities
20
Security Maintenance
 Monitoring and analyzing log files
 Performing regular backups
 Recovering from security compromises
 Regularly testing system security
 Patching and updating all critical software,
 Monitoring and revising configuration as needed
21
Summary
 Top four security strategies
 Operating system security
 Bell-LaPadula model
 Security maintenance
22