- [Instructor] ...and information against a wide variety of threats, the grim reality is that no matter how many controls we put in place, there's still a possibility that we'll fall victim to a security incident. As we explore the incident response process in this course, we'll focus on using a standard set of practices endorsed by the National Institute for Standards and Technology, NIST. If you'd like more information on this process, you can find a complete reference in the NIST Computer Security Incident Handling Guide.

It's published online as NIST Special Publication 800-61, and this guide is widely used as a standard reference throughout the cybersecurity field. Every organization should develop a cybersecurity incident response plan that outlines the policies, procedures, and guidelines that the organization will follow when an incident takes place. This process is extremely important because it provides structure and organization in the heat of a crisis.

I've been involved in many security incidents over the course of my career. And when I think back and evaluate them in hindsight, it's clear to me that all of the organizations that handled incidents well had one thing in common ... and documented it in advance of the incident. On the other hand, when I think about the incidents that didn't go very well, they typically occurred in organizations that didn't conduct prior planning. In those organizations, I commonly heard the sentiment, "Well, we're good at crisis management, and a security incident isn't very likely. We'll figure out the details if it happens." That seat-of-the-pants approach to cybersecurity incident handling is a recipe for failure in the heat of a crisis. Developing an incident response plan in advance of an incident taking place allows you to make decisions in the calm environment of the planning phase, and those decisions then help you exercise good judgment in the heat of a security incident. A formalized incident response plan should include several common elements.

First, it should begin with a statement of purpose. What are the reasons that the organization is creating an incident response plan? And what is the scope of that plan? What type of incidents does the plan cover? For example, is the plan restricted to only cybersecurity incidents? Second, the plan should describe clear strategies and goals for the incident response effort. What are the highest priorities for first responders and those handling an incident at a more strategic level? If responders should prioritize containment over evidence preservation, make sure that's clear in the plan.

The plan should also describe the nature of the organization's approach to incident response. Who bears responsibility for incident handling? And what authority do they have? Your incident response plan should also cover communication within the team, with other groups within the organization, and with third parties. We'll talk more about the incident communication process later in this course. And finally, the plan should include the approval of senior management.

You might need that authority when taking unpopular actions during incident response. If you can point to the plan and show an irate administrator that the policy requiring disconnection of a system was signed by the CEO, that goes a long way. As you develop your plan, you should consult NIST SP 800-61 to help guide your decisions. You also might find it helpful to look at some plans developed by other organizations. For example, this plan developed by Carnegie Mellon University provides a detailed look at how incident response works within their organization.

And this incident response plan template for the State of Oregon shows how you might adapt a template to the specific needs of an individual agency. Of course, you won't be able to simply take someone else's plan and apply it to your organization, but it's always helpful to have a starting point. Many cybersecurity professionals have put countless hours in developing strong incident response plans, and there's no need to reinvent the wheel.

- [Instructor] System administrators are responsible for the configuration of operating systems to meet an organization's security control requirements. This is an extremely important responsibility because attackers can often exploit security vulnerabilities to gain access to a vulnerable system and then even potentially leverage that access to compromise an entire network. Let's take a look at three important operating system security issues: security settings, patch management, and trusted operating systems.

There are many different security settings in any operating system that you can customize to meet the security needs of your organization. You'll want to establish a security baseline for your organization that includes the settings important in your environment. One of these is limiting the access that users have to administrative resources because this level of access can result in security compromises. Let's take a look at how to limit administrative access on a Windows system. Here I am on the desktop of a Windows system.

Windows manages many security settings through group policy objects. We want to ensure that users on endpoint devices do not have administrative access to their computers. We do that by opening up the Group Policy Management tool and then I'm going to navigate here to the Group Policy Objects folder and create a new GPO for this domain by right-clicking on this and choosing New. It's important to give GPOs descriptive names because you'll want to be able to remember what the GPO does when you come back and look at the object's name months or years later. Let's call this one Limit Administrative Access to Local Systems. That's a pretty descriptive name and I'm pretty confident I'll understand what that means later on. I click OK to create the GPO and I now have an empty GPO. It's a shell that does nothing. I need to make sure that this GPO limits administrative access, so I'm going to right-click on it and choose Edit, which launches the Group Policy Management Editor. I want to use this GPO to remove every user from the Administrators local group on the system.

This is a user configuration setting, so I'm going to go here to User Configuration and then drill down into Preferences, Control Panel Settings, then I'm going to right-click on Local Users and Groups here. I'm going to tell Windows that I want to create a new local group. That's a little confusing terminology because I actually want to remove someone from an existing local group, but we'll tell Windows that in this window. See here where the action says Update instead of these alternatives, Create, Replace, and Delete? That means that I'm going to modify an existing group. The group that I want to modify is the built-in Administrators group, so I'm going to choose that here. And the action I want to take is to remove the current user from the group. When I click Apply, that applies this policy to all users in the domain, removing them from the local Administrators group and giving them only normal user access. I'm going to click OK and then just close out of the Group Policy Management Editor and Group Policy Management.

The second operating system security issue that we'll discuss is patch management. Applying patches to operating systems is critical because it ensures that systems are not vulnerable to security exploits discovered by attackers. Each time an operating system vendor discovers a new vulnerability, they create a patch that corrects the issue. Promptly applying patches ensures a clean and tidy operating system. In Windows, the Windows Update mechanism is the simplest way to apply security patches to systems as soon as they are released. Let's return to our Windows system and take a look at how to enable Windows Update. I'm going to go ahead and open the Control Panel, then I'm going to choose System and Security, and click on Windows Update. You can see here information about recent updates. I'm going to go ahead and click the Check for Updates button which causes this system to reach out to Microsoft servers to determine whether there are patches available for security or other fixes. And, as you can see here, this computer is currently up-to-date. There aren't any critical patches that need to be applied.
Even though the system now has all of the available updates, let's go ahead and configure it to automatically apply updates in the future. I'm going to click on Change Settings here and then look at where it says Important updates. Now notice there's this red X and it says never check for updates, not recommended. This system is currently configured not to reach out for security updates. If I pull this down here, I can look and see there are other choices available to me. The recommended choice is install updates automatically, where the computer will periodically reach out to Microsoft servers, check for updates, and then automatically install them on the system to make sure that it is up-to-date with current security standards. That's the best choice and I'm going to choose that here. I go ahead and click OK and Windows goes ahead and just does one more check for updates to see if there's anything available right now, tells me I'm OK, and notice now it says you're set to automatically install updates. I can rest easy knowing that Windows will reach out and update my system when new patches are available.

Now let's look at applying updates on a Linux system. There are several different ways to update Linux systems that vary depending on the distribution that you're using. I have an SSH session open here to a Linux system running in Amazon Web Services. As you can see, on the login banner, the system is telling me that there are updates available. There are 11 packages needed for security out of 27 available updates. And conveniently, it even tells me the command that I need to enter to apply the updates. The sudo command tells the system that I need to use root administrator privileges and I want to run the YUM Package Manager and tell it to apply updates. Let's go ahead and do that. I'm going to type in sudo yum update and hit enter. The system goes through and checks what updates are available.
Here's the list of all the packages that it wants to install and update. And then down here it tells me it wants to install one package and upgrade 26 packages and that will take about 52 megabytes of download and it's asking me for permission to do that. I came here to apply updates, so I'm going to say yes, and the Linux system is going to go ahead and apply all these updates. It shows me that it's downloaded those 27 updates and it's now going through the updating and cleanup process. We're almost done here, as we've gone through 53 different steps to apply these updates and we'll soon see that this system is fully patched. And then the update completes. That's how we apply patches to a Linux system.

The final concept we'll discuss in this video is the trusted operating system. This is a formal term used to describe operating systems that have gone through an accreditation process by government agencies known as the Common Criteria. The process for accreditation as a trusted operating system is very rigorous and very few operating systems go through this process because it, frankly, doesn't matter very much outside of very secure defense applications.
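A patch-compliance check for a yum-managed Linux host like the one updated above, as an added example that is not part of the course: it assumes the line shape of `yum updateinfo list updates` (one `<advisory> <type> <package>` line per pending update) and uses a constructed sample with placeholder advisory IDs.

```shell
#!/usr/bin/env bash
# Patch-compliance check for a yum-managed Linux host (added example, not course code).
# It parses the line shape of `yum updateinfo list updates`, one
# "<advisory> <type> <package>" line per pending update, e.g.
# "ALAS-XXXX-0001 important/Sec. kernel-...", and flags security updates.
set -eu

# Count pending updates whose type column ends in "/Sec." (security advisories).
count_security_updates() {
  printf '%s\n' "$1" |
    awk 'NF >= 3 && $1 ~ /^[A-Z]+-/ && $2 ~ /\/Sec\.$/ { n++ } END { print n+0 }'
}

# Count every pending update line, whatever its type (security, bugfix, enhancement).
count_all_updates() {
  printf '%s\n' "$1" |
    awk 'NF >= 3 && $1 ~ /^[A-Z]+-/ { n++ } END { print n+0 }'
}

# Exit status summarises compliance: 0 = nothing pending, 1 = only non-security
# updates pending, 2 = security updates pending (the case that needs action).
patch_status() {
  local sec total
  sec=$(count_security_updates "$1")
  total=$(count_all_updates "$1")
  if [ "$sec" -gt 0 ]; then
    echo "ACTION: $sec security update(s) pending out of $total; run: sudo yum update"
    return 2
  elif [ "$total" -gt 0 ]; then
    echo "INFO: $total non-security update(s) pending"
    return 1
  fi
  echo "OK: system is up to date"
  return 0
}

# Constructed sample in the shape of `yum updateinfo list updates`; the advisory
# IDs and versions are placeholders, not real advisories.
SAMPLE_UPDATEINFO='Loaded plugins: priorities, update-motd
ALAS-XXXX-0001 important/Sec. kernel-0.0.0-placeholder.x86_64
ALAS-XXXX-0002 medium/Sec.    openssl-0.0.0-placeholder.x86_64
ALAS-XXXX-0003 bugfix         curl-0.0.0-placeholder.x86_64
updateinfo list done'

# Stand-alone run on the sample; on a real host feed it live output instead:
#   patch_status "$(sudo yum updateinfo list updates 2>/dev/null)"
patch_status "$SAMPLE_UPDATEINFO" || echo "exit status $?"
```

The non-zero exit status makes the check usable from cron or a monitoring agent, so a host with pending security advisories shows up before the login banner is ever read.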