James Jara Arroyo – White Paper – Portfolio 2014
Case Study for my portfolio
InfoSecurity White Paper
INFOSECURITY WHITE PAPER / WWW.JAMESJARA.COM
Contact name James Jara
E-mail address Jamesjara@gmail.com
Phone number (506) 87944598
Website Www.jamesjara.com
Solution offering InfoSecurity White Paper
Project name or title Security
Company Anonymous
Case Study
Business situation
I found the system vulnerable with high risk: full privilege escalation into the servers.
Solution
Apply the following document to each element of the network.
WWW.JAMESJARA.COM CONFIDENTIAL PAGE 2
Security Methodology
How to Secure a Company
Table of Contents
Step by Step Guide..................................................................................................3
Create a network and system administration policy........................................3
Create a Map/Vision of the IT architecture of the company............................3
Execute and testing phase for each IT element of the company.....................3
Creating a Network and System Admin Policy.........................................................4
What is a network and system admin Policy?..................................................4
Creating a Map/Vision of the IT architecture of the company.................................5
Describe all IT elements , with all information possible...................................5
Secure each IT element....................................................................................5
Security through obscurity...............................................................................5
Hardening OS system.................................................................5
Hardening Services....................................................................6
Securing SSH:............................................................................6
Securing postfix........................................................................6
Securing NFS..............................................................................7
Securing apache .......................................................................7
Securing php .............................................................................7
Updates, patch and upgrades..........................................................................8
Monitoring and logging services.......................................................................8
IDS services.....................................................................................................8
Disaster recovery policy...................................................................................8
Backup policy...................................................................................................8
Step by Step Guide
This page contains only the steps and tasks, with no explanations or definitions. A printed version of
these steps is attached as checklist forms; the steps must be repeated every 4-6 months.
Create a network and system administration policy.
Write a public wiki with policies for your employers.
Create a legal version.
Create a Map/Vision of the IT architecture of the company.
1. Describe all IT elements, with all information possible.
   1. Usage and objective of the IT element.
   2. Services provided by the IT element.
   3. Versions and flags.
   4. Policy only for this IT element.
   5. User access, credentials and privileges.
   6. Mode production/development.
2. Secure each IT element.
   1. Apply security through obscurity, this means hardening or blackboxing.
      1. Hardening OS system.
      2. Hardening services.
      3. Hardening Apache.
      4. Hardening mysql.
      5. Hardening other services.
   2. Apply updates, patches and upgrades wherever possible; try to use only stable versions.
   3. Install monitoring and logging services.
   4. Install IDS services.
   5. Disaster recovery policy.
   6. Backup policy.
Execute and testing phase for each IT element of the company.
• Penetration testing focused on information gathering.
• Penetration testing focused on common vulnerabilities.
• Penetration testing focused on brute-force techniques.
Creating a Network and System Admin policy
What is a network and system admin policy?
The objective of this document includes protection of information and property from theft, hacking or
corruption, while allowing the information and property to remain accessible and productive to its
intended users.
A state of computer "security" is the conceptual ideal, attained by the use of the three processes:
1. Prevention
2. Detection
3. Response
For easier understanding, I'm adding a definition from Wikipedia: a network security policy is a generic
document that outlines rules for computer network access, determines how policies are enforced and
lays out some of the basic architecture of the company security / network security environment.
A security policy should keep malicious users out and also exert control over potentially risky users
within your organization. The first step in creating a policy is to understand what information and
services are available (and to which users), what the potential for damage is, and whether any
protection is already in place to prevent misuse.
In addition, the security policy should dictate a hierarchy of access permissions; that is, grant users
access only to what is necessary for the completion of their work.
Here are some examples: http://www.sans.org/security-resources/policies/network.php
The prevention stage is mostly about configuring and setting up walls against malicious users. In the
detection stage the systems are already up and running, and we are only monitoring and logging
information; for this we have to set up a central server that controls and monitors all the production
servers from one place.
Creating a Map/Vision of the IT architecture of the company
Describe all IT elements, with all information possible.
Create an up-to-date document with all elements of the IT architecture (you can use the attached Excel
document for this):
1. Net
2. Usage
3. Objective
4. Services
5. Version and flags
6. Policy for this IT element
7. User access, credentials and privileges
8. Mode production/development
PREVENTION
Secure each IT element.
Now that we have a table with all IT elements, it's time to perform security actions on each IT element.
1. Apply security through obscurity, this means hardening or black boxing.
2. Hardening OS system.
3. Hardening services.
4. Hardening Apache.
5. Hardening mysql.
6. Hardening other services.
7. Apply updates, patches and upgrades wherever possible; try to use only stable versions.
8. Install monitoring and logging services.
9. Install IDS services.
10. Disaster recovery policy.
11. Backup policy.
Security through obscurity
Hardening here means hiding all flags (banners and version strings), so that an attacker cannot learn the
versions and software used by the company.
Notice: it is not required to follow all items one by one, just the necessary ones.
Hardening OS system
• Encrypt data communication: scp, ssh, rsync, sftp, ssl, etc.
• Remove insecure services:
> yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server
• Uninstall unnecessary programs:
> yum erase inetd xinetd ypserv tftp-server telnet-server rsh-server
• Keep the Linux kernel and software up to date:
> yum update
• Use SELinux.
• Add users with password aging (maximum 60 days, minimum 7 days, 7 days warning):
> chage -M 60 -m 7 -W 7 userName
• Lock user accounts after login failures: faillog
• Verify that no accounts have empty passwords:
> awk -F: '($2 == "") {print}' /etc/shadow
• Disable unwanted services:
> chkconfig --list | grep '3:on'
> chkconfig serviceName off
• Find listening network ports and the associated programs:
> netstat -tulpn
> nmap -sT -O localhost
• Configure iptables.
• Use OpenLDAP or Kerberos.
• Remove unnecessary software packages (RPMs).
• Review inittab and boot scripts.
• Lock IPs after too many login failures.
• Display login banners, for example:
> cat /etc/motd
This system is classified...
Use of this system constitutes consent to official monitoring.
For SSH you can set the Banner parameter in /etc/ssh/sshd_config.
For local console logins you can edit /etc/issue.
Hardening Services
Securing SSH (directives in /etc/ssh/sshd_config):
• Disable root login:
PermitRootLogin no
• Use SSH protocol version 2:
Protocol 2
• Prevent SSH from setting up TCP port and X11 forwarding if you don't need it:
AllowTcpForwarding no
X11Forwarding no
• Enable the StrictModes directive, which checks file permissions and ownership of some important
files in the user's home directory such as ~/.ssh and ~/.ssh/authorized_keys. If any check fails, the
user won't be able to log in:
StrictModes yes
• Disable host-based authentication. These methods should be avoided as primary authentication:
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
• Disable sftp if it is not needed:
#Subsystem sftp /usr/lib/misc/sftp-server
Securing postfix
• Check that postfix is the system MTA:
# alternatives --set mta /usr/sbin/sendmail.postfix
The following parameters in /etc/postfix/main.cf should be set to ensure that Postfix accepts
only local emails for delivery:
mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = localhost
• To verify whether Postfix is still listening for incoming network requests, run one of the
following commands from another node:
# nmap -sT -p 25 <remote_node>
# telnet <remote_node> 25
Securing NFS
Securing Apache
Mod security:
> yum install mod_security
> /etc/init.d/httpd restart
> vi /etc/httpd/conf.d/mod_security.conf
<IfModule mod_security.c>
    SecFilterEngine On
    SecAuditEngine RelevantOnly
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding On
    SecFilterForceByteRange 1 255
    SecFilterCheckCookieFormat On
    SecAuditLog logs/audit_log
    SecFilterScanPOST On
    SecFilterDefaultAction "deny,log,status:406"
    # SecFilter 111
    # Prevent path traversal (..) attacks
    SecFilter "\.\./"
    # Weaker XSS protection but allows common HTML tags
    SecFilter "<( |\n)*script"
    # Prevent XSS attacks (HTML/Javascript injection)
    SecFilter "<(.|\n)+>"
    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
    # Require HTTP_USER_AGENT and HTTP_HOST headers
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
    # Only accept request encodings we know how to handle;
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^GET$" chain
    SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
    # Require Content-Length to be provided with every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
</IfModule>
httpd.conf
• Hide the server version in the signature:
ServerSignature Off
• Hide the server version in the response headers:
ServerTokens Prod
• Handle errors with custom pages:
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
• Secure the document root:
<Directory "/opt/apache2/htdocs">
    <LimitExcept GET POST>
        deny from all
    </LimitExcept>
    Options -FollowSymLinks -Includes -Indexes -MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Securing php (directives in php.ini)
• Disable allow_url_fopen:
allow_url_fopen = Off
• Disable allow_url_include:
allow_url_include = Off
• Disable dangerous functions (disable_functions):
curl_exec - perform a cURL session
curl_multi_exec - run the sub-connections of the current cURL handle
dl - loads a PHP extension at runtime
exec - execute an external command
fsockopen - open an internet or unix domain socket connection
parse_ini_file - parse a configuration file
passthru - execute an external program and display raw output
popen - opens a process file pointer
proc_open - execute a command and open file pointers for input/output
proc_close - close a process opened by proc_open and return the process exit code
shell_exec - execute a command via shell and return the complete output as a string
show_source - show the source of a file
symlink - creates a symbolic link
system - execute an external program and display the output
• Disable display_errors and log errors instead:
display_errors = Off
log_errors = On
• Disable expose_php:
expose_php = Off
• Disable magic quotes:
magic_quotes_gpc = Off
• Set open_basedir:
open_basedir = "/var/www/html/:/usr/local/php/"
• Lower post_max_size:
post_max_size = 256K
• Disable register globals:
register_globals = Off
• Enable safe_mode:
safe_mode = On
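One way to check a host against the directives listed in the Securing SSH and Securing php sections, as an added example that is not part of this white paper: a POSIX shell audit that reads sshd_config (first match wins) and php.ini (last match wins) and reports every directive that differs from the recommended value. The two configuration files it writes are constructed samples with deliberate gaps, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the white paper): audit sshd_config and php.ini against
# the directives listed in the Securing SSH and Securing php sections.
# POSIX sh + awk only; the function names are this example's own.

# effective_value FILE MODE KEY -> prints the effective value of KEY, or nothing.
#   ssh: "Key value" syntax, first match wins (sshd semantics)
#   ini: "key = value" syntax, last match wins (php semantics), quotes stripped
effective_value() {
    awk -v mode="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        mode == "ssh" { if (tolower($1) == tolower(key)) { print $2; exit }; next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) != tolower(key)) next
            v = substr($0, eq + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/"/, "", v); last = v; found = 1
        }
        END { if (found) print last }' "$1"
}

# audit_config FILE MODE EXPECTED -> one OK/FAIL line per directive; returns the
# number of failures. EXPECTED is newline-separated "key value" pairs.
audit_config() {
    ac_fails=0
    while read -r ac_key ac_want; do
        [ -n "$ac_key" ] || continue
        ac_got=$(effective_value "$1" "$2" "$ac_key")
        if [ "$(echo "$ac_got" | tr 'A-Z' 'a-z')" = "$(echo "$ac_want" | tr 'A-Z' 'a-z')" ]; then
            echo "OK   $ac_key = $ac_got"
        else
            echo "FAIL $ac_key expected=$ac_want actual=${ac_got:-<unset>}"
            ac_fails=$((ac_fails + 1))
        fi
    done <<EOF
$3
EOF
    return $ac_fails
}

# Directives from the Securing SSH section.
SSH_EXPECTED='PermitRootLogin no
Protocol 2
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no'
# Directives from the Securing php section.
PHP_EXPECTED='allow_url_fopen Off
allow_url_include Off
display_errors Off
log_errors On
expose_php Off
magic_quotes_gpc Off
register_globals Off
post_max_size 256K'
# Functions the Securing php section says to put in disable_functions.
PHP_DISABLE='curl_exec curl_multi_exec dl exec fsockopen parse_ini_file passthru
popen proc_open proc_close shell_exec show_source symlink system'

# missing_disabled_functions FILE -> prints each PHP_DISABLE entry not disabled.
missing_disabled_functions() {
    md_current=" $(effective_value "$1" ini disable_functions | tr ',' ' ') "
    for md_fn in $PHP_DISABLE; do
        case "$md_current" in
            *" $md_fn "*) ;;
            *) echo "$md_fn" ;;
        esac
    done
}

# write_samples DIR -> constructed sample configs with deliberate gaps (demo only).
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sshd_config: root login still allowed, X11Forwarding not set
Protocol 2
PermitRootLogin yes
AllowTcpForwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
EOF
    cat > "$1/php.ini" <<'EOF'
; constructed php.ini: expose_php left on, shell_exec not disabled
allow_url_fopen = Off
allow_url_include = Off
display_errors = On
display_errors = Off
log_errors = On
expose_php = On
magic_quotes_gpc = Off
register_globals = Off
post_max_size = 256K
disable_functions = curl_exec,curl_multi_exec,dl,exec,fsockopen,parse_ini_file,passthru,popen,proc_open,proc_close,show_source,symlink,system
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
n=0; audit_config "$demo_dir/sshd_config" ssh "$SSH_EXPECTED" || n=$?
echo "sshd_config failures: $n"
n=0; audit_config "$demo_dir/php.ini" ini "$PHP_EXPECTED" || n=$?
echo "php.ini failures: $n"
echo "not in disable_functions: $(missing_disabled_functions "$demo_dir/php.ini")"
rm -rf "$demo_dir"
```

On a real host, point audit_config at /etc/ssh/sshd_config and the php.ini reported by `php --ini`; a non-zero return value makes it usable as a check in the 4-6 month review.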
Backup policy
• System administrators should establish and follow a procedure to carry out regular system
backups.
• Backups must be verified at least monthly, either through automated verification, through
customer restores, or through trial restores.
• Systems administrators must maintain documented restoration procedures for systems and the
data on those systems.
RESPONSE
Disaster recovery policy
To Do.
DETECTION
Monitoring and logging services
• Logging: LogAnalyzer + rsyslog: log analysis software that sends the logs from each server to a
central log server machine and has a useful administration web panel. The application logs used for
data mining (Apache) should not go through this software; it is intended for server logs.
• Monitoring: Icinga: https://www.icinga.org/nagios/feature-comparison/ : monitoring all the
company servers from one place.
To begin, Icinga offers two interfaces, "Icinga Classic" and "Icinga New Web". For a fair
comparison, we have put Icinga in both its variants against the open source "Nagios Core".
See the many differences between Icinga and Nagios in not only the core and web interfaces, but also
in their reporting capabilities, support and development style below.
I prefer Icinga based on the facilities it offers to web users.
Feature comparison from the Icinga page linked above (columns: Icinga Classic / Icinga New Web / Nagios Core). The check-mark cells did not survive extraction; only the row names and the text cells are kept, with "/" separating the three columns where the assignment is unambiguous and ";" listing values in source order otherwise.
GENERAL: License (GPLv2 / GPLv2 / GPLv2); Monitor unlimited hosts; Distributed monitoring; Distributed systems; Agent based & agentless monitoring.
INSTALLATION / CONFIGURATION: Web based configuration (Via addon / Via addon / Via addon); Virtual appliance.
CORE: Databases supported (MySQL, PostgreSQL, Oracle / MySQL, PostgreSQL, Oracle / MySQL); SNMP & Syslog monitoring (Via addon / Via addon / Via addon); Triggers & multi-channel alerts; IPv6 capabilities.
WEB USER INTERFACE: Dynamic, shareable dashboards; Dynamic table / data grid view (sort, filter monitoring data); Underlying infrastructure (CGI/C, HTML/CSS/JS; AJAX/ExtJs, PHP5/Agavi, HTML/CSS; CGI/C, HTML/CSS); Live search; Log file search & logging (e.g. commands); Compound commands (send one command to multiple hosts/services simultaneously); Acknowledgements with expiry time; Dynamic drill down maps; Internal authentication by (HTTP Basic, LDAP, Active Directory; HTTP Basic; HTTP Basic); Control access to objects by (Contact group; Contact group, Host group, Service group, Custom variable; Contact group); HTTP / REST interface; Mobile version for iPhone & Android (Via 3rd party apps; HTML 5 in-house version (Icinga Mobile); Via 3rd party apps); Multilingual interface (20+ languages); Support "Display Name" use (Configurable).
REPORTING: SLA reports (Via addon; Via addon); Scheduled report distribution (Via addon; Via addon); Multi-format reports (Via addon; Via addon); Export data (CSV, JSON, XML; XML via REST API; -); Performance graphing (Via addon / Via addon / Via addon); Business process monitoring (Via addon / Via addon / Via addon).
DOCS / SUPPORT: Multilingual documentation; Community support channels (Mailing lists, Forums, IRC / Mailing lists, Forums, IRC / Mailing lists, Forums).
DEVELOPMENT: Global authentication & authorization architecture; Public and detailed roadmap; GIT repository; GIT development tracker integration; Extensions coding simplified by (-; Doctrine, JSON; -; REST API).
IDS services
• Snort + snorby: network intrusion prevention and detection system (IDS/IPS).
Executing and testing phase
• Manual mode
• OpenVAS
If we find a security hole in manual mode, the proper way to report it is to include:
• Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
• Product and version that contains the bug
• Version, security updates, or other updates for the product you have installed
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue on a fresh install
• Proof-of-concept or exploit code
• Impact of the issue, including how an attacker could exploit the issue
IT ELEMENT INFO
Date: ____________________
Pentester: ________________
Element: _________________
1. Net
2. Usage
3. Objective
4. Services
5. Version and flags
6. Policy for this IT element
7. User access, credentials and privileges
8. Mode production/development
