Lec 11

Uploaded by Sara Afzaal

Information Security

By: Muhammad Kamran

Operating System Security
• In this chapter we will cover the following topics:
– Operating system hardening
– Protecting against malware
– Software firewalls and host intrusion detection
– Operating system security tools

• The OS is one of the largest areas in which to find weaknesses, because it hosts the data and runs the applications that process it.

• OS hardening is the practice of configuring hosts so as to reduce the number of openings an attacker can use.

• Anti-malware tools protect against the broad variety of malicious code to which a system may be exposed, particularly if it is Internet facing.

• Software firewalls and host-based intrusion detection systems (HIDSes) block unwanted traffic and alert us when undesirable network traffic is arriving at, or originating from, our systems.
Operating System Hardening
• The main goal of OS hardening is to reduce the number of avenues through which our operating system might be attacked. The total of these avenues is referred to as the attack surface.

• The larger the attack surface, the greater the chance of a successful attack.

• Six ways to decrease the attack surface:
– Removing unnecessary software
– Removing or turning off unessential services
– Making alterations to default accounts
– Applying the principle of least privilege
– Applying software updates in a timely manner
– Making use of logging and auditing functions
Remove All Unnecessary Software
• Each piece of software installed on the operating system adds to its attack surface.

• Take a hard look at the software that should be loaded on the host, and take steps to ensure that we are working with the bare minimum needed for its role.

• E.g., a host whose only role is to be a web server should carry only the software that role requires; anything else installed on it is attack surface that brings no benefit.
Remove All Unessential Services
• As with removing unwanted software, we also need to remove or disable unessential services.

• Many operating systems ship with a wide variety of services turned on in order to share information over the network, locate other devices, synchronize the time, allow files to be accessed and transferred, and perform other tasks.

• Turning such services off can be harder than it sounds: in many cases they are not named in a fashion that indicates their actual function.

• One way to find extraneous services is to determine the network ports on which the system is actually listening for connections. Many operating systems have built-in utilities for this, such as netstat (on Windows and most Unix-like systems) or ss on Linux, but we can also put Nmap to use for such tasks.

• Nmap can discover the devices on our networks, but it can also determine on which network ports a given system is listening. Running the following command against a host reports the open ports Nmap finds (by default only the most common TCP ports; use -p- for all 65535 TCP ports and -sU to include UDP):
– nmap <IP address>
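The local view is often more reliable than a remote scan, since a host firewall can hide ports from Nmap without the service being gone. As an added example (not from the original slides), the following Python script parses the output of the Linux `ss -tulnp` command, which lists listening sockets together with the owning process, and reports anything reachable from the network that is not on a per-role allow-list. The `ss` output and the web-server allow-list below are constructed for illustration; on a real host you would feed it the output of `subprocess.run(["ss", "-tulnp"], capture_output=True, text=True).stdout` instead.

```python
"""Audit listening sockets against an allow-list of expected services.

Added example: parses the text output of `ss -tulnp` (Linux). The sample
output below is constructed for illustration, not captured from a real host.
"""
import re
from dataclasses import dataclass

SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*         users:(("avahi-daemon",pid=610,fd=12))
tcp   LISTEN 0      511    *:80              *:*               users:(("nginx",pid=1023,fd=6))
tcp   LISTEN 0      4096   127.0.0.1:631     0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Hypothetical policy for a host whose only role is "web server":
# (protocol, port) pairs allowed to listen on non-loopback addresses.
WEB_SERVER_ALLOWLIST = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

PROCESS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    process: str
    pid: int


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tulnp` text into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # Split "addr:port" on the last colon so IPv6 forms like "[::]:22" work.
        address, _, port = local.rpartition(":")
        m = PROCESS_RE.search(line)
        process, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append(Listener(proto, address, int(port), process, pid))
    return listeners


def is_loopback(address: str) -> bool:
    return address in ("127.0.0.1", "[::1]") or address.startswith("127.")


def unexpected_listeners(listeners, allowlist):
    """Listeners reachable from the network that the policy does not allow.
    Loopback-only sockets are not part of the remote attack surface, so they
    are left out here (they still matter for local privilege escalation)."""
    return [l for l in listeners
            if not is_loopback(l.address) and (l.proto, l.port) not in allowlist]


if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT), WEB_SERVER_ALLOWLIST):
        print(f"unexpected: {l.proto}/{l.port} on {l.address} ({l.process}, pid {l.pid})")
```

On the constructed input the only finding is avahi-daemon on udp/5353 (mDNS discovery, exactly the kind of "locate other devices" service the slide mentions); cupsd on 631 is bound to loopback and is therefore not reported. `netstat -tulnp` on older Linux or `netstat -ano` on Windows give the same information in a different column layout, so the parser would need adjusting for them.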
Alter Default Accounts
• In many operating systems we can find the equivalent of a guest account and an administrator account.

• Default accounts may come equipped with excessively liberal permissions governing the actions they are allowed to carry out, which can cause a great deal of trouble when they are used by an informed attacker. We may also find that default accounts are set with a particular well-known password, or no password at all. If we allow such accounts to remain on the system with their default settings, we may be leaving the doors that protect access to our system wide open, so that attackers can simply stroll right in and make themselves at home.

• To mitigate such risks, first decide whether the accounts are needed at all, and disable or remove any we will not be using.

• In the case of guest accounts, we can generally turn them off or remove them entirely without causing problems for ourselves.

• Administrative accounts, often with names such as administrator, admin, or root, are generally needed and cannot simply be removed.

• In most cases, however, such accounts can be renamed in order to confuse attackers who might attempt to make use of them. Renaming is only a minor obstacle (the account is still identifiable by UID 0 on Unix-like systems or by its well-known RID on Windows), so it must not replace strong authentication.

• Lastly, we should not leave any account with a default password, no matter what its status.
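The checks above can be scripted. As an added example (not part of the original slides), the following Python code audits a Unix-style /etc/passwd and /etc/shadow pair for the three conditions this slide warns about: accounts with no password at all, guest-style accounts that are still enabled, and additional UID-0 (root-equivalent) accounts. The account lines are constructed; the hash fields are placeholders, not real hashes. The set of "default-style" names is an assumption you would adjust for your environment.

```python
"""Audit local accounts for the default-account problems described above:
accounts with no password, guest/test accounts left enabled, and extra
UID-0 accounts. Added example; the /etc/passwd and /etc/shadow lines below
are constructed and the hash fields are placeholders."""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sysadm:x:0:0:legacy admin:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
guest::19700:0:99999:7:::
backup:*:19700:0:99999:7:::
sysadm:!$6$constructedsalt$constructedhash:19700:0:99999:7:::
alice:$6$constructedsalt$constructedhash:19700:0:99999:7:::
"""

# Assumed list of default/guest-style account names that should not be enabled.
SUSPECT_NAMES = {"guest", "test", "demo", "support"}


def parse_colon_file(text):
    """Split passwd/shadow-style text into field lists, skipping blanks/comments."""
    return [line.split(":") for line in text.splitlines()
            if line and not line.startswith("#")]


def is_locked(pw_field):
    """Shadow password-field conventions: '' means no password is required,
    a field starting with '!' or '*' means the account is locked/disabled,
    anything else is a password hash."""
    return pw_field.startswith(("!", "*"))


def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding) pairs for every default-account problem found."""
    findings = []
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text)}
    for fields in parse_colon_file(passwd_text):
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        pw = shadow.get(name, "!")          # no shadow entry: treat as locked
        if pw == "":
            findings.append((name, "no password set"))
        if uid == 0 and name != "root":
            findings.append((name, "extra UID-0 account"))
        if name in SUSPECT_NAMES and not is_locked(pw) and not shell.endswith("nologin"):
            findings.append((name, "default-style account still enabled"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

Note that `sysadm` is flagged even though its password is locked: a second UID-0 account is still root if anyone obtains an SSH key or a sudo path to it, so the fix is to remove the account rather than merely lock it.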
Apply the Principle of Least Privilege
• Only allow a party the absolute minimum permission needed for it to carry out its function.

• In almost any modern operating system, the tasks a particular user is allowed to carry out are separated into those that require administrative privileges and those that do not.

• Give users only the limited permissions they need to read, write and execute programs or scripts, and grant administrative privileges only for the tasks that actually require them, rather than for everyday use.
Perform Updates
• New attacks are published on a regular basis, so apply the updates and security patches released by the vendors of our operating systems and applications in a timely manner.

• A freshly installed system is especially exposed, because it may lack a long backlog of patches. Best practice in such a situation is to download the patches onto removable media and use that media to patch the system before ever connecting it to a network.
Turn On Logging and Auditing
• Configure and turn on the appropriate logging and auditing features of the OS.

• Keep an accurate and complete record of the important processes and activities.

• Log significant events such as the exercise of administrative privileges, users logging in to and out of the system or failing to log in, and changes made to the operating system.

• Logs are only useful if someone reviews them and if an attacker who compromises the host cannot simply delete them, so forward them to a separate log server and alert on the events that matter.
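Two of the events the slide lists, failed logins and the use of administrative privilege, are straightforward to detect once the log is parsed. As an added example (not from the original slides), the following Python code runs over lines in the common syslog /var/log/auth.log format produced by sshd and sudo on Linux: it flags a source address that fails to log in three or more times inside a five-minute window and lists every sudo invocation with the target user and command. The log lines are constructed; the threshold, window, and the assumed year (syslog timestamps carry none) are illustrative parameters.

```python
"""Simple detections over authentication log lines: repeated failed logins
per source address and exercise of administrative privilege via sudo.
Added example; the log lines below are constructed in the syslog/auth.log
shape used by sshd and sudo on Linux."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web01 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:03 web01 sshd[2002]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:04 web01 sshd[2003]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:06 web01 sshd[2004]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:00:08 web01 sshd[2005]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar  3 10:01:15 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:02:00 web01 sshd[2010]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar  3 10:09:00 web01 sshd[2011]: Failed password for bob from 198.51.100.9 port 40101 ssh2
"""

# "<Mon dd hh:mm:ss> <host> <process>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so windows can be computed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=3, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logins inside `window`."""
    failures = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["proc"] != "sshd":
            continue
        f = FAILED_RE.search(m["msg"])
        if f:
            failures[f["ip"]].append(parse_ts(m["ts"]))
    flagged = []
    for ip, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the sorted times.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return flagged


def detect_sudo(lines):
    """(invoking user, target user, command) for each sudo invocation."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["proc"] == "sudo":
            s = SUDO_RE.match(m["msg"])
            if s:
                events.append((s["user"], s["target"], s["cmd"]))
    return events


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print("brute force from:", detect_bruteforce(lines))
    print("sudo use:", detect_sudo(lines))
```

Note that bob's two failures from 198.51.100.9 are seven minutes apart and so fall below the default threshold; slower "low and slow" guessing needs a longer window or a per-account view rather than a per-source one.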
Threats to System Security (Malware)

• Virus: a program that replicates by copying itself to other programs, system boot sectors, or documents, and alters or damages the computer's files and applications.

• Worm: a self-replicating program that does not alter files but resides in computer memory and replicates itself, typically spreading over the network without user action.

• Backdoor: an unauthorized means of accessing the system that bypasses its security mechanisms.

• Rootkit: a set of programs or utilities that allows someone to maintain root-level access to the system, usually while hiding its own presence.

• Trojan: a program that seems to be legitimate but acts maliciously when executed.

• Logic bomb: code that lies dormant until a condition is met and then triggers a malicious payload, for example releasing a virus or a worm.

Source: IEEE Spectrum https://spectrum.ieee.org/the-real-story-of-stuxnet#toggle-gdpr
Stuxnet Case Study
Protecting against Malware
• A variety of malware is present on networks, systems, and storage devices.

• With it, attackers can disable systems, steal data, conduct social engineering attacks, blackmail users, gather intelligence, and perform a number of other attacks.

• E.g., Stuxnet: sabotage of SCADA (Supervisory Control and Data Acquisition) systems, largely targeted at equipment running in Iran's nuclear program.
Anti-Malware Tools
• Most anti-malware applications detect threats in the same way IDSes do: either by matching against a signature or by detecting anomalous activity.

• These tools generally look for malware in one of two ways:
– in real time, as files are written or executed and as network traffic indicative of malware arrives,
– or by performing scans of the files and processes already in place on the system.

• When malware is found, responses by the anti-malware tool may include killing any associated processes and deleting the files, or killing the processes and quarantining the files for later analysis.
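The signature-versus-anomaly distinction is easiest to see side by side. As an added example (not from the original slides or any real product), the following Python code classifies file contents first by signature, an exact SHA-256 match or a byte pattern, and, failing that, by an anomaly heuristic: unusually high byte entropy, which is how packed or encrypted payloads often look and which legitimate compressed files can also trigger. The signatures, the sample files and the entropy threshold are all constructed for illustration.

```python
"""Two ways an anti-malware scanner classifies a file, as described above:
signature matching (exact hash or byte pattern) and an anomaly heuristic
(unusually high byte entropy, a common sign of packed or encrypted payloads).
Added example; the signatures and sample files are constructed."""
import hashlib
import math
from collections import Counter

# Constructed "known bad" artefacts: a full-file SHA-256 and a byte pattern.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-dropper-v1\x00"
SIGNATURE_HASHES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Dropper.Constructed.A"}
SIGNATURE_PATTERNS = {b"constructed-dropper": "Dropper.Constructed.Gen"}

ENTROPY_THRESHOLD = 7.2  # bits per byte; text and ordinary code sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def match_signatures(data: bytes):
    """Exact-hash match first (cheap, precise), then byte-pattern match
    (catches trivially modified variants of the same family)."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURE_HASHES:
        return SIGNATURE_HASHES[digest]
    for pattern, name in SIGNATURE_PATTERNS.items():
        if pattern in data:
            return name
    return None


def classify(data: bytes) -> tuple[str, str]:
    """Return (verdict, reason). Signatures win; otherwise fall back to the
    entropy heuristic, which can misfire on legitimately compressed files,
    so it yields 'suspicious' rather than 'malicious'."""
    sig = match_signatures(data)
    if sig:
        return ("malicious", f"signature:{sig}")
    h = shannon_entropy(data)
    if h > ENTROPY_THRESHOLD:
        return ("suspicious", f"entropy:{h:.2f}")
    return ("clean", f"entropy:{h:.2f}")


# Constructed sample files.
SAMPLES = {
    "dropper.exe": KNOWN_BAD_SAMPLE,
    "dropper_v2.exe": b"MZ\x90\x00constructed-dropper-v2\x00 padding padding",
    "notes.txt": b"Quarterly hardening checklist: remove unused services.\n",
    "packed.bin": bytes(range(256)) * 4,  # every byte value equally likely
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify(data)
        print(f"{name}: {verdict} ({reason})")
```

The hash signature catches only the exact sample, the pattern signature also catches the "v2" variant, and the entropy heuristic is the only thing that says anything about a file nobody has seen before; this is why real products combine all three and why the anomaly path is the one that produces false positives.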
Executable Space Protection
• Executable space protection (ESP) is a hardware- and software-based security feature that prevents malicious software from exploiting vulnerabilities in a computer's memory.

• In short, ESP marks certain portions of the memory used by the OS and applications, such as the stack and heap, as non-executable, so data placed there cannot be run as code. On x86 it relies on the processor's NX/XD page bit; Windows calls the feature Data Execution Prevention (DEP).

• It is useful for preventing classic buffer overflow attacks in which injected shellcode is executed from a writable buffer.

• Many operating systems also use Address Space Layout Randomization (ASLR), which rearranges the memory layout of a program each time it runs, so an attacker cannot rely on fixed addresses for code or data.

• Neither is a complete defence on its own: return-oriented programming reuses code that is already executable to get around ESP, and an information leak that discloses a single address can defeat ASLR.
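Both properties can be checked from a process's memory map. As an added example (not from the original slides), the following Python code reads Linux /proc/<pid>/maps-style text and tests two things: that no region is both writable and executable (the W^X invariant that executable-space protection enforces) and that the stack, heap, libraries and a position-independent binary land at different addresses across two runs (ASLR). The two snapshots and the third one with an executable stack are constructed, not captured from a real process.

```python
"""Check two properties this slide describes from /proc/<pid>/maps snapshots:
executable-space protection (no region both writable and executable) and
ASLR (the same regions land at different addresses on two runs).
Added example; the maps snapshots below are constructed, not captured."""

MAPS_RUN_1 = """\
555555554000-555555555000 r-xp 00001000 08:01 131 /usr/bin/demo
555555556000-555555557000 rw-p 00002000 08:01 131 /usr/bin/demo
555555557000-555555578000 rw-p 00000000 00:00 0   [heap]
7f1a2c000000-7f1a2c1c0000 r-xp 00026000 08:01 400 /usr/lib/libc.so.6
7ffd3c5e0000-7ffd3c601000 rw-p 00000000 00:00 0   [stack]
"""

MAPS_RUN_2 = """\
55c0f1a3e000-55c0f1a3f000 r-xp 00001000 08:01 131 /usr/bin/demo
55c0f1a40000-55c0f1a41000 rw-p 00002000 08:01 131 /usr/bin/demo
55c0f1a41000-55c0f1a62000 rw-p 00000000 00:00 0   [heap]
7f9b77c00000-7f9b77dc0000 r-xp 00026000 08:01 400 /usr/lib/libc.so.6
7ffc9d2a0000-7ffc9d2c1000 rw-p 00000000 00:00 0   [stack]
"""

# Constructed snapshot of a process that lacks the protection: executable stack.
MAPS_NO_ESP = MAPS_RUN_1.replace("rw-p 00000000 00:00 0   [stack]",
                                 "rwxp 00000000 00:00 0   [stack]")


def parse_maps(text):
    """(start, end, perms, name) per mapping; anonymous regions get name ''."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)       # addr perms offset dev inode [path]
        start, end = (int(x, 16) for x in fields[0].split("-"))
        perms = fields[1]
        name = fields[5].strip() if len(fields) > 5 else ""
        regions.append((start, end, perms, name))
    return regions


def writable_and_executable(text):
    """Regions violating W^X. With executable-space protection in force this
    list is empty; an 'rwx' stack or heap is what a classic shellcode
    injection needs."""
    return [name or f"{start:x}" for start, end, perms, name in parse_maps(text)
            if "w" in perms and "x" in perms]


def randomized_regions(text_a, text_b):
    """Names of regions whose start address differs between two runs. With
    ASLR on, stack, heap, shared libraries and a PIE binary all move; a
    non-PIE binary would show up as a fixed region."""
    base_a = {name: start for start, _, _, name in parse_maps(text_a) if name}
    base_b = {name: start for start, _, _, name in parse_maps(text_b) if name}
    return sorted(name for name in base_a
                  if name in base_b and base_a[name] != base_b[name])


if __name__ == "__main__":
    print("W^X violations, protected run:", writable_and_executable(MAPS_RUN_1))
    print("W^X violations, unprotected run:", writable_and_executable(MAPS_NO_ESP))
    print("regions moved between runs:", randomized_regions(MAPS_RUN_1, MAPS_RUN_2))
```

On a live Linux host the same functions can be pointed at `open(f"/proc/{pid}/maps").read()` for two launches of the same program; the system-wide ASLR setting is in /proc/sys/kernel/randomize_va_space (2 is full randomization).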
Software Firewalls
• A software firewall contains a subset of the features we might find on a large firewall appliance, but is often capable of very similar packet filtering and stateful packet inspection.

• We often find the rule sets of such applications expressed in terms of the particular applications and ports allowed to send and receive traffic on the various network interfaces that exist on the host.

• Such software ranges from the firewall built into common operating systems to larger versions intended for use on corporate networks, which add centralized monitoring and the capability for considerably more complex rules and management options.
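The rule model the slide describes (application, port and interface, evaluated in order, with stateful handling of replies) can be written out in a few dozen lines. As an added example (not from the original slides or from any real firewall product), the following Python code implements a first-match rule engine with a default-deny policy and a connection table so that replies to connections the host itself opened are admitted without an explicit inbound rule. The web-server policy and the packets run through it are constructed.

```python
"""Minimal host firewall rule engine in the shape this slide describes: rules
keyed on application, local port and interface, first-match semantics, a
default-deny policy, and a connection table so replies to connections the
host itself opened are let back in. Added example; rules and packets are
constructed, not taken from any real product."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    iface: str      # e.g. "eth0", "lo"
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    app: str = ""   # owning process, as a host firewall can see it


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    direction: str = "*"
    iface: str = "*"
    proto: str = "*"
    port: Optional[int] = None  # local port: dport when inbound, sport when outbound
    app: str = "*"

    def matches(self, p: Packet) -> bool:
        local_port = p.dport if p.direction == "in" else p.sport
        return (self.direction in ("*", p.direction)
                and self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and self.port in (None, local_port)
                and self.app in ("*", p.app))


class HostFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.connections = set()  # (proto, src, sport, dst, dport) this host opened

    def filter(self, p: Packet) -> str:
        # Stateful shortcut: a reply to a connection this host opened is allowed
        # even though no inbound rule names its (ephemeral) port.
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.connections:
            return "allow"
        for rule in self.rules:  # first matching rule decides
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.connections.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return "deny"  # nothing matched: default deny


# Hypothetical policy for a web server: loopback is unrestricted, only sshd and
# nginx may accept connections from the network, only apt may talk outbound.
WEB_SERVER_RULES = [
    Rule("allow", iface="lo"),
    Rule("allow", "in", proto="tcp", port=22, app="sshd"),
    Rule("allow", "in", proto="tcp", port=80, app="nginx"),
    Rule("allow", "in", proto="tcp", port=443, app="nginx"),
    Rule("allow", "out", app="apt"),
]


def demo_verdicts():
    """Run constructed packets through the policy; one verdict per packet."""
    fw = HostFirewall(WEB_SERVER_RULES)
    host = "192.0.2.10"
    packets = [
        Packet("in", "eth0", "tcp", "198.51.100.5", 40000, host, 80, app="nginx"),    # allow
        Packet("in", "eth0", "tcp", "198.51.100.5", 40001, host, 631, app="cupsd"),   # deny: not listed
        Packet("in", "lo", "tcp", "127.0.0.1", 40002, "127.0.0.1", 631, app="cupsd"), # allow: loopback
        Packet("out", "eth0", "tcp", host, 51000, "203.0.113.80", 443, app="apt"),    # allow, tracked
        Packet("in", "eth0", "tcp", "203.0.113.80", 443, host, 51000),                # allow: reply
        Packet("in", "eth0", "tcp", "203.0.113.80", 443, host, 51001),                # deny: no such connection
        Packet("out", "eth0", "tcp", host, 52000, "203.0.113.9", 4444, app="unknown-binary"),  # deny
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(demo_verdicts())
```

The last packet shows why outbound rules matter on a host firewall: an unknown binary trying to reach an arbitrary remote port is exactly what malware calling home looks like, and a rule set that only filters inbound traffic never sees it.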
Host Intrusion Detection
• HIDSes analyze the activities on, or directed at, a particular host, including traffic at its network interface and local events such as log entries and file changes.

• A potential flaw with centrally managed HIDSes is that, in order for the software to report an attack to the management console in real time, the information needs to be communicated over the network.

• If the host in question is being actively attacked via the same network we would report over, we may not be able to do this. Buffering alerts locally until the link is available, or reporting over a separate management network, are the usual mitigations.
Operating System Security Tools
• Scanners, to examine how our hosts interact with the rest of the devices on the network.

• Vulnerability assessment tools, to point out particular areas where we might find applications or services that are open to attack.

• Exploit frameworks and privilege escalation tools, which attackers use to gain unauthorized access to our systems or to elevate their privileges, and which we can use to verify that our own defences hold.
Scanners
• Scanners look for open ports and the versions of the services running on them, examine the banners displayed by those services for information, and more generally examine the information our systems expose over the network.
Vulnerability Assessment Tools
• Aimed specifically at finding and reporting network services on hosts that have known vulnerabilities.

• Tenable's Nessus, for example, conducts a port scan on a target, then attempts to determine which services and service versions are running on any ports it finds open. Nessus then reports back with a specific list of vulnerabilities that we might find on the device.

• Nessus also includes other functionality, including the ability to add custom checks through the Nessus Attack Scripting Language (NASL).
Exploit Frameworks

• Exploits are commonly used by attackers to gain access to systems, or to gain additional privileges on them when they already have access.

• Exploit frameworks such as Rapid7's Metasploit package many exploits behind a common interface for choosing targets and payloads, and are used by penetration testers to confirm that a reported vulnerability is actually exploitable.

• Other tools in this category include network mapping tools and sniffers.
