Third Defensive Layer: Form the Protective Circle

You have done your best to plan, and your servers and workstations are patched to the best of your ability. If an attacker were to make it through to your platform, despite your best efforts, you need to ensure that your most valuable assets are protected. When a herd of elephants is threatened, the adults form a protective circle around the young calves. They put their most valuable assets inside the circle and will defend these assets with their lives.

Traveling back from the African savannah into realm of IT security, your data is your organization's most valuable asset and you have a multitude of defenses at your disposal. The two most prominent methods have already been written about in this book. Account security and encryption were covered in Chapter 1, “Windows Operating System – Password Attacks,” and Chapter 2, “Active Directory – Escalation of Privilege,” as defenses against password attacks and escalation of privilege. Both of these attacks are viable attack methods in multi-tier attacks.

Account Security

Because an account has many components, account security is a multifaceted discipline. It must encompass all parts of a user's digital identity. This identity is comprised of an individual's name, role, and group membership, and all of the permissions that accompany the role and group, among other credentials and information. All of these pieces are secured with a password, making password security the cornerstone of account security. A second practice that will be explained below deals with the assignment of privileges, specifically avoiding assigning too many privileges unnecessarily or localizing privileges in few select accounts. Finally, the practice of using anonymous accounts, something that is often overlooked will be discussed.

Much has been written about the importance of password security; however, IT personnel and end-users alike tend to gravitate toward simple, easy to remember passwords that are potentially easily cracked. This probably stems from the massive number of passwords that individuals are required to remember. While we can have sympathy, we cannot relax password security. Microsoft's “Password must meet complexity requirements” Group Policy Object (GPO), shown in Figure 7.4, enforces a minimum password length – six characters is the minimum recommended length – and that passwords contain at least three of the following four character groups:

• English uppercase characters (A through Z)
• English lowercase characters (a through z)
• Numerals (0 through 9)
• Nonalphabetic characters (such as !, $, #, %)^[L]

^Lhttp://support.microsoft.com/kb/821425, Accessed on December 4, 2009.

FIGURE 7.4. Enforcing Password Complexity Through GPOs

While the password complexity GPO enforces a minimum password length of six characters, the default setting for the “Minimum password length” GPO is eight characters. If both policies are enabled, the “Minimum password length” GPO will override the six character minimum.

alt1 Tip

GPOs should be used to enforce security policies as much as possible to ensure that security policies are applied equally and universally across your organization.

A key defense against Privilege Escalation is to ensure that individual user accounts are not assigned any more permissions than they absolutely need to perform their day-to-day work. This is called the Principle of Least Privilege, and it takes many forms in other areas. One very recognizable form in information security is the “Need to Know” basis, in that people are only given information that they “need to know.” It sounds simplistic to state that people cannot be held responsible for keeping information confidential that they have not been given, but it happens to be true. The same also holds true in IT security. A privilege escalation attack will not succeed if the accounts being compromised have no permissions beyond the basic permissions to perform their work. An attacker will have to work extra hard to find an account that has elevated privileges, and the harder that an attacker has to work, the greater his or her chances are that he or she will be discovered and stopped.

Another principle that should be employed for account security is the Separation of Duties. When applied, this control prevents one individual from holding too much power. By separating duties, you remove absolute control over a given activity. The example where two keys held by different officers are required to launch a missile is appropriate; no single individual can launch the missile. This reduces the opportunity for fraud and error.

Finally, there is the use of anonymous access. This is not merely the provision of “guest” level access. It can take several forms. A prevalent example is where accounts with administrator privileges are shared among network administrators for use when installing applications or performing routine maintenance. Another is where accounts are created to run services and then are used to perform other tasks. One danger in using “anonymized” accounts is that any activity that is performed using one of these accounts becomes “unauditable.” Another danger is that these accounts are commonly assigned elevated permissions and, if compromised, present an attacker with the “keys to the kingdom” and the ability to perform untraceable work. Accounts for administrators should be tied to named users, and service accounts need to be used exclusively by services. Furthermore, service accounts should only possess the permissions necessary for running the service; not all service accounts need to be in the Domain Admins group to perform their respective functions.

Data Protection

One of the defensive layers described in Chapter 2, “Active Directory – Escalation of Privilege,” focused on securing the data in place, that is while in storage, not in transit. Data encryption is a primary tool to accomplish this and fortunately, there is no shortage of products on the market to help. Particular editions of Windows offer the ability to encrypt individual files or even the entire disk.

In spite of its name, Encrypting File System (EFS) is not a file system format, such as New Technology File System (NTFS). EFS permits the encryption, decryption, and modification of individual files that reside in NTFS. It was introduced in Windows 2000 and has been offered in every version of Windows since then, although it is not fully supported on Windows Vista Starter, Home Basic, and Home Premium. On those versions, you can decrypt and modify encrypted files but cannot encrypt them. The details on working with encrypted files using EFS can be found in Chapter 2, “Active Directory – Escalation of Privilege.”

As the name suggests, BitLocker Drive Encryption is used to encrypt the contents of a hard disk. At the time of writing, it is only available in Windows Vista Enterprise and Ultimate and Windows Server 2008 and Windows 7 Ultimate, and not in Vista Home Basic, Home Premium or Business, or in Windows 7 Home Premium or Professional. If you are running one of the editions that offers BitLocker, you will be able to access it from the System and Security applet in Control Panel, as shown in Figure 7.5.

FIGURE 7.5. Encrypting Your Hard Disk Using BitLocker

Please refer to Chapter 2, “Active Directory – Escalation of Privilege,” for details on enabling and managing BitLocker Drive Encryption.

Summary

As you can see, this chapter is not so much about presenting new information on attack methods. The methods described in this chapter have been described in the preceding chapters or at least resemble the other attack methods. The difference is that this is the one chapter where all of the attack methods are brought to bear against a single target.

From a defensive standpoint, multi-tier attacks require that you use most of what you have in your IT security bag of tricks. Just as attackers have a multitude of options and avenues of attacks, as an IT security professional, you have a multitude available to you, as well. The key is in identifying the assets you need to protect, the risk involved in having those assets compromised, and the options you have at your disposal to protect the assets. Your options are not limited to technology (hardware and software); physical security for your facilities, security training for IT personnel, end-user IT security awareness programs, and carefully documented (and enforced) processes and procedures are critical defense mechanisms that every organization should have. The security of your technology will only be as effective as the people who install, manage, and use it.

Endnotes

1. www.isaca.org/Template.cfm?Section=Glossary3&Template=/CustomSource/Glossary.cfm&char=S&TermSelected=1422, Accessed on December 2, 2009.

2. Koerner, Brian, “Secure Application Development a Growing Concern,” Certification Magazine, April, 2008 www.certmag.com/read.php?in=3401.

3. Duhart McNair, Patricia, Controlling Risk www.acm.org/ubiquity/views/p_mcnair_1.html, Accessed on December 3, 2009.