
Slide 1 - Communications Regulatory Commission · 2020. 8. 27.


  • 7

    Security issues
    - Network security
    - Malware infections (PC management)
    - Exposure on the Web of important information provided by services (Web/system vulnerability exploits, mismanagement)
    - Third-party management
    - Account theft

  • 9

    Information asset classification by group
    - Group A (H/W) Server: WEB, WAS, AP, DB, Backup Server
    - Group B (H/W) Network: Backbone, L4 Switch, router
    - Group C (H/W) Security equipment: Firewall, VPN, IPS, DDoS Defense
    - Group D (H/W) PC: Complaint, Work, library
    - Group E (S/W) DBMS: Oracle, MySQL, etc.
    - Group F WEB: service provided by Web
    - Group G Organization and personnel: Budget, Third-party Management

    Points checked for organization and personnel
    - Whether the IT budget execution includes a security budget
    - Whether an information security manager exists, or one manager handles business, information, security and privacy alone
    - Whether information system maintenance is managed in an integrated or an individual way

  • 11

    Check list (Classification / No / Check item / Level)

    Account Management
    - U-1 Restrict remote access to the root account (Critical)
    - U-2 Password complexity settings (Critical)
    - U-3 Set the account lockout threshold (Critical)
    - U-4 Password file protection (Critical)

    File and Directory Management
    - U-5 Set permissions on the root home directory and PATH directories (Critical)
    - U-6 Set the owner of files and directories (Critical)
    - U-7 /etc/passwd file owner and permissions settings (Critical)
    - U-8 /etc/shadow file owner and permissions settings (Critical)
    - ...

    Service Management
    - U-19 Finger service disabled (Critical)

    Source: Critical Information Infrastructure vulnerability analysis/evaluation criteria (Ministry of Science, ICT and Future Planning)

  • 13

    Using the script

  • 14

    Shell script
    - Unix/Linux operating system
    - File type: .sh file
    - Executable on Unix/Linux and Mac OS; not executable on Windows

  • 15

    Batch file
    - Windows command
    - File type: .bat file
    - Windows only

  • 16

    Python script
    - Executable on Linux, Windows and Mac OS
    - Requires installing 3rd-party software (free)
    - File type: .py file
    - Can create/delete files and run software

  • 18

    [Chart: UNIX/LINUX vulnerability count. Items: Set account lockout threshold; inetd.conf privilege set; Connection IP and port restrictions; Set file and directory permissions; SUID, SGID settings file check. Values shown: 23, 22, 22, 18, 18]

  • 19

    [Chart: Windows vulnerability count. Items: HDD default share; Administrator account name change; Set the account lockout threshold; NetBIOS bindings, service-driven; Disable anonymous enumeration of SAM accounts and shares. Values shown: 19, 18, 18, 18, 16]

  • 20

    [Chart: Network vulnerability count. Items: Apply anti-spoofing filtering; Session timeout setting; Patches update; Set the shutdown of unused interfaces; Password complexity settings. Values shown: 10, 6, 6, 6, 4]

  • 21

    [Chart: Security equipment vulnerability count. Items: Change default account; Security equipment account management; Detection of warning set; Permission settings; Session timeout settings. Values shown: 13, 10, 10, 9, 7]

  • 22

    [Chart: DBMS vulnerability count. Items: Password length and complexity; Access, change, or delete the database audit trail; Change default account passwords, policies; Unauthorized user other than DBA accessing system tables; DB admin accounts and groups. Values shown: 12, 6, 5, 4, 3]

  • 23

    [Chart: PC vulnerability count. Items: Remove unnecessary services; Password policy setting; Remove a shared folder; CD, DVD, USB turn off AutoPlay; Screen saver set for 5 to 10 minutes and resume with password settings. Values shown: 25, 17, 17, 12, 8]

  • 24

    [Chart: WEB vulnerability count. Items: Cross-Site Scripting; Plaintext data transfer; Information leakage; Process validation is missing; Administrator page exposure. Values shown: 15, 13, 12, 11, 6]

  • 26

    Set the account lockout threshold (1)

    ■ SunOS (5.9 and earlier)
    1. Open /etc/default/login with vi
    2. Insert or modify:
       (Before) #RETRIES=2
       (Fix)    RETRIES=5

  • 27

    Set the account lockout threshold (2)

    ■ SunOS (5.9 and later)
    1. Open /etc/default/login with vi
    2. Insert or modify:
       (Before) #RETRIES=2
       (Fix)    RETRIES=5
    3. Open /etc/security/policy.conf with vi
    4. Insert or modify:
       (Before) #LOCK_AFTER_RETRIES=NO
       (Fix)    LOCK_AFTER_RETRIES=YES

  • 28

    Set the account lockout threshold (3)

    ■ LINUX
    1. Open /etc/pam.d/system-auth with vi
    2. Insert or modify:
       auth     required /lib/security/pam_tally.so deny=5 unlock_time=120 no_magic_root
       account  required /lib/security/pam_tally.so no_magic_root reset

    Option: Description
    - no_magic_root: do not apply the lockout to the root account
    - deny=5: lock the account after 5 failed password entries
    - unlock_time: time after which a locked account is unlocked (unit: seconds)
    - reset: on a successful login, reset the failed-attempt counter

  • 29

    Set the account lockout threshold (4)

    ■ AIX
    1. Open /etc/security/user with vi
    2. Insert or modify:
       (Before) loginretries = 0
       (Fix)    loginretries = 5

    ■ HP-UX
    1. Open /tcb/files/auth/system/default with vi
    2. Insert or modify:
       (Before) u_maxtries#
       (Fix)    u_maxtries#5
    ※ The HP-UX server must be switched to Trusted Mode first

  • 30

    /etc/(x)inetd.conf permissions setting

    ■ SunOS, LINUX, AIX, HP-UX: set the owner of /etc/inetd.conf to root and its permissions to 600
       # chown root /etc/inetd.conf
       # chmod 600 /etc/inetd.conf

    ■ LINUX (xinetd): set the owner of /etc/xinetd.conf to root and its permissions to 600
       # chown root /etc/xinetd.conf
       # chmod 600 /etc/xinetd.conf
    ※ Apply the same settings to the files under /etc/xinetd.d/
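The checks on slides 26 to 30 can be scripted in the way slides 13 to 16 describe. The Python audit below is an added example, not the deck's own script: it parses constructed sample file contents (the SAMPLE_* strings, and the mode/uid values passed to the inetd check, are assumptions rather than data from a real host) and reports each check as VULNERABLE, WARN or OK.

```python
import re
import stat

# Constructed samples (assumptions, not from the deck): /etc/default/login in its
# "Before" state, and /etc/pam.d/system-auth after the slide-28 fix.
SAMPLE_LOGIN = "# /etc/default/login\n#RETRIES=2\nTIMEOUT=300\n"
SAMPLE_PAM = ("auth required /lib/security/pam_tally.so deny=5 unlock_time=120 no_magic_root\n"
              "account required /lib/security/pam_tally.so no_magic_root reset\n")

def active_setting(text, key):
    """Value of an uncommented KEY=value line, or None if the key is absent or commented out."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def check_sunos_retries(login_text, max_retries=5):
    """U-3 on SunOS: RETRIES must be active in /etc/default/login and at most max_retries."""
    value = active_setting(login_text, "RETRIES")
    if value is None or not value.isdigit():
        return ("U-3", "VULNERABLE", "RETRIES not set in /etc/default/login")
    if int(value) > max_retries:
        return ("U-3", "VULNERABLE", f"RETRIES={value} exceeds {max_retries}")
    return ("U-3", "OK", f"RETRIES={value}")

def pam_tally_options(pam_text):
    """Options of each pam_tally line keyed by module type, e.g. {'auth': {'deny': '5', ...}}."""
    found = {}
    for line in pam_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2].endswith("pam_tally.so"):
            found[parts[0]] = dict(p.split("=", 1) if "=" in p else (p, True) for p in parts[3:])
    return found

def check_linux_lockout(pam_text, max_deny=5):
    """U-3 on Linux: deny<=max_deny on the auth line and reset on the account line."""
    opts = pam_tally_options(pam_text)
    deny = opts.get("auth", {}).get("deny")
    if deny is None or not str(deny).isdigit() or int(deny) > max_deny:
        return ("U-3", "VULNERABLE", f"pam_tally deny={deny}")
    if "reset" not in opts.get("account", {}):
        return ("U-3", "WARN", "failed-attempt counter is never reset on success")
    return ("U-3", "OK", f"deny={deny}, unlock_time={opts['auth'].get('unlock_time')}")

def check_inetd_perms(mode, uid, max_mode=0o600):
    """inetd.conf/xinetd.conf: owner root (uid 0) and no permission bits beyond 0600."""
    perm = stat.S_IMODE(mode)  # strip the file-type bits from st_mode
    if uid != 0 or perm & ~max_mode:
        return ("INETD", "VULNERABLE", f"uid={uid} mode={oct(perm)}")
    return ("INETD", "OK", f"uid={uid} mode={oct(perm)}")
```

On a real host, feed `check_inetd_perms` the `st_mode` and `st_uid` from `os.stat("/etc/inetd.conf")` and the other checks the file contents read from disk.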

  • 31

    Remove the hard-disk default share (1)

    ■ Windows NT
    1. Programs > Administrative tools > Server Manager > Shared directories > Shares

  • 32

    Remove the hard-disk default share (2)

    ■ Windows 2000, 2003, 2008
    1. Start > Run > FSMGMT.MSC > Shares > select the default shares > Stop sharing
    2. ※ "net share <shared name> /delete" removes a shared folder

  • 33

    Remove the hard-disk default share (3)

    2. Start > Run > REGEDIT > set the following registry value to 0 (create the value if the key does not have it):
       HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer
       (Windows NT: AutoShareWks)
    ※ To improve the security level, block ports 135~139 (TCP/UDP) on firewalls and routers (Windows 2008 is an exception)

  • 34

    Remove the hard-disk default share (4)

  • 35

    Administrator account rename (1)

    ■ Windows NT, 2000, 2003, 2008
    1. Start > Programs > Control Panel > Administrative tools > Local security policy > Local policies > Security options
    2. "Account: Administrator account rename": change the account name to one that is difficult to guess

  • 36

    Administrator account rename (2)

  • 37

    Apply anti-spoofing filtering (1)

    ■ CISCO
    1. Enter global configuration mode
    2. access-list number deny ip 127.0.0.0 0.255.255.255 any
    3. access-list number deny ip 224.0.0.0 31.255.255.255 any
    4. access-list number deny ip host 0.0.0.0 any
    5. access-list number permit ip any any

  • 38

    Apply anti-spoofing filtering (2)

    ■ Juniper
    1. Configure firewall filters
       [edit firewall]
       firewall {
           filter filter-name {
               term term-name {
                   accounting-profile name;
                   from {
                       source-address 127.0.0.0/24;
                       source-address 224.0.0.0/4;
                       source-address 0.0.0.0/32;
                   }
                   then {
                       discard;
                   }
               }
           }
       }
    ※ The term matches the single source 0.0.0.0 (0.0.0.0/32), as the Cisco "host 0.0.0.0" rule does; a /0 prefix here would match every source and discard all traffic

  • 39

    Apply anti-spoofing filtering (3)

    2. Apply the firewall filters
       [edit interfaces interface-name unit logical-unit-number family inet]
       interfaces {
           interface-name {
               unit logical-unit-number {
                   family inet {
                       filter {
                           input filter-name;
                           output filter-name;
                       }
                   }
               }
           }
       }

  • 40

    Session timeout setting (1)

    ■ SunOS
    1. Open /etc/default/login with vi
    2. Insert or modify:
       TIMEOUT=600 (unit: seconds)
       export TMOUT

  • 41

    Session timeout setting (2)

    ■ LINUX, AIX, HP-UX
    - For sh (Bourne shell), ksh (Korn shell) and bash (Bourne-again shell):
      1. Open /etc/profile (or .profile) with vi
      2. Insert or modify (the shell reads the idle timeout from TMOUT, so that is the variable to set and export):
         TMOUT=600 (unit: seconds)
         export TMOUT
    - For csh:
      1. Open /etc/csh.login or /etc/csh.cshrc with vi
      2. Insert or modify:
         set autologout=10 (unit: minutes)

  • 42

    Default ID change

    ■ Configuration

  • 43

    Detection of warning signs: set up the feature

    ■ Configuration: 24/7 monitoring with e-mail or SMS warning settings

  • 44

    Set the time and complexity for the password (1)

    ■ Oracle
    1. Change the PASSWORD_LIFE_TIME profile parameter (<profile_name> and <days> are placeholders)
       SQL> ALTER PROFILE <profile_name> LIMIT PASSWORD_LIFE_TIME <days>;
    2. Associate the user with the profile
       SQL> ALTER USER <user_name> PROFILE <profile_name>;
    3. Change the password settings
       SQL> CREATE PROFILE grace_5 LIMIT
              FAILED_LOGIN_ATTEMPTS 3        -- lock after 3 failed password attempts
              PASSWORD_LIFE_TIME 30          -- the password can be used for 30 days only
              PASSWORD_REUSE_TIME 30         -- a password can be reused only after 30 days
              PASSWORD_VERIFY_FUNCTION verify_function
              PASSWORD_GRACE_TIME 5;         -- show a warning for 5 days after the lifetime ends

  • 45

    Set the time and complexity for the password (2)

    ■ MSSQL
    1. If the password change period is not set to 60 days or less, set the password change period. In MSSQL, checking "Enforce password expiration" makes periodic changes possible; because the change period is taken from the OS "Password policy", the "Password policy > Maximum password age" setting must be changed as well.
    2. Enforce password expiration: [Security] > [Logins] > [each login account] > [Properties] > Enforce password expiration: confirm it is set (checked)

  • 46

    Set the time and complexity for the password (3)

  • 47

    Set the time and complexity for the password (4)

    ■ MySQL: the password can be set in either of the following ways
       mysql> use mysql;
       mysql> update user set password=password('new password') where user='user name';
       mysql> flush privileges;
    or
       mysql> set password for 'user name'@'%' = password('new password');
       mysql> flush privileges;

  • 48

    DB access, change, or delete the record audit history (1)

    ■ Oracle: establish a database audit trail policy and a backup policy
    ■ MSSQL: establish a database audit trail policy and a backup policy
    ∎ MSSQL 2000 DB access security audit settings: [SQL SERVER] > [Properties] > [Security] tab > [Audit level] > select "All"

  • 49

    DB access, change, or delete the record audit history (2)

  • 50

    DB access, change, or delete the record audit history (3)

    ∎ MSSQL 2005/2008/2012: [MSSQL2005] > [right mouse click] > [Properties] > [Security] tab > [Login auditing] options > select "Both failed and successful logins"

  • 51

    Remove unnecessary services (1)

    ■ Windows XP, Windows 7
    1. Control Panel > Administrative tools > Services > select the service > Properties (or Start > Run > enter "services.msc" > select the service > Properties)
    2. Unnecessary services -> Stop; Startup type -> Disabled

  • 52

    Remove unnecessary services (2)

  • 53

    Remove unnecessary services (3)

  • 54

    Remove unnecessary services (4)

    Service List

    Unnecessary services list
    - Alerter
    - Clipbook
    - Computer Browser
    - DHCP Client
    - FTP Publishing Service
    - Internet Connection Sharing Service
    - Indexing Service
    - Infrared Monitor Service
    - Messenger
    - Net Logon
    - Network DDE
    - Network DDE DSDM
    - NetMeeting Remote Desktop Sharing Service
    - Print Spooler
    - Remote Registry Service
    - Routing and Remote Access Service
    - Simple TCP/IP Service
    - SMTP Service
    - Task Scheduler Service
    - TCP/IP NetBIOS Helper
    - Terminal Service

    Minimal services for Windows operation
    - Logical Logging Manager
    - Network Connections
    - NTLM Security Support Provider
    - Plug and Play
    - Server
    - Workstation
    - Removable Storage
    - Security Accounts Manager
    - Windows Management Instrumentation
    - Windows Management Instrumentation Driver Extensions
    - WMDM PMSP Service
    - Application Management

  • 55

    Password policy settings (1)

    ■ Windows XP, Windows 7
    1. Control Panel > Administrative tools > Local security policy > Security settings > Account policies > Password policy
    2. Set "Minimum password length" to "8 characters"

  • 56

    Password policy settings (2)

    3. Using a CMD command
    • Windows XP, 7: Start > Run > "cmd.exe" > "net accounts /MINPWLEN:8"

  • 57

    Cross-site scripting (1)

    ■ How to set up security
    1. Restrict HTML or JavaScript tags in input; filtering is needed
    2. Filter titles, comments, queries, etc., and form and parameter values
    3. Implement the filtering logic on the server with trim and replace functions
    ※ Filtering targets in the input value
    • Defined script tags: (the tag list was not preserved on this page)
    • Special characters: (first item not preserved on this page), ", ', &, %, %00 (null)

  • 58

    Cross-site scripting (2)

    ∎ ASP

  • 59

    Cross-site scripting (3)

    ∎ PHP (fragment; the rest of the statement is cut off on the page)
       … omitted …
       if($use_html == 1) // if some HTML tags are to be allowed
           $memo = str_replace("

  • 60

    Cross-site scripting (4)

    ∎ JSP

  • 61

    Plaintext data transfer

    ■ Recommended
    1. Use SSL for passwords, privacy and account information
    2. Restrict saving cookies, passwords and privacy information on the client

  • 62

    KISA Cybersecurity guide

    Link http://www.kisa.or.kr/public/laws/laws3.jsp

  • 63

    Critical Information Infrastructure vulnerability analysis/evaluation detailed guide

    Link http://www.moi.go.kr/frt/bbs/type001/commonSelectBoardArticle.do?bbsId=BBSMSTR_000000000012&nttId=41297