security by default
play

Security By Default A Comparative Security Evaluation of Default - PowerPoint PPT Presentation

Aug 31, 2023 •120 likes •286 views

Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A. Jansen, BSc MSc System and Network Engineering Universiteit van Amsterdam July 3, 2018 B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 1 /

  1. Security By Default A Comparative Security Evaluation of Default Configurations Bernardus A. Jansen, BSc MSc System and Network Engineering Universiteit van Amsterdam July 3, 2018 B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 1 / 15

  2. Introduction Installing software from repositories is easy and accessible Software typically requires configuration in order to run B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 2 / 15

  3. Introduction Software often ships with defaults to get up and running quickly Not always with security in mind B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 3 / 15

  4. Research Questions Research Questions What role do distributors play in the quality of default configurations for Internet services? What is a suitable metric to describe the security posture of default configurations for Internet services? B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 4 / 15

  5. Repositories B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 5 / 15

  6. Methodology Install software from repositories on a range of platforms Attempt to interact with the services from a remote test host Vagrant and Ansible for automated deployment of virtual machines and software Shell scripts to conduct tests B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 6 / 15

  7. Platforms & Software Platform Version MySQL Unbound Bind NTP MQTT Postfix Sendmail Ubuntu 18.04 10.1.29-6 1.6.7 9.11.3 4.2.8p10 1.4.15-2 3.3.0 8.15.2-10 16.04 10.0.34 1.5.8 9.10.3 4.2.8p4 1.4.8 3.1.0 8.15.2-3 14.04 5.5.59 1.4.22 9.9.5 4.2.6p5 0.15 2.11.0 8.14.4-4 Debian Stretch 10.1.26 1.6.0 9.10.3 4.2.8p10 1.4.10-3 3.1.8 8.15.2-8 Jessie 10.0.35 1.4.22 9.9.5 4.2.6p5 1.3.4-2 2.11.3 8.14.4-8 CentOS 7 5.5.56 1.6.6 9.9.4 4.2.6p5 1.4.15 2.10.1 8.14.7 6 5.1.73 1.4.20 9.8.2 4.2.6p5 N/A 2.6.6 8.14.4 Fedora 28 10.2.15 1.7.2 9.11.3 4.2.8p11 1.5 3.2.5 8.15.2 27 10.2.15 1.7.2 9.11.3 4.2.8p11 1.5 3.2.5 8.15.2 FreeBSD 11.1 5.5.60 1.7.3 9.12.1 4.2.8p11 1.4.14 2 3.3.1,1 8.15.2 10.4 5.5.60 1.7.3 9.12.1 4.2.8p11 1.4.14 2 3.3.1,1 8.15.2 B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 7 / 15

  8. Methodology B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 8 / 15

  9. Results Platform MySQL DNS: Bind DNS: Unbound NTP Ubuntu 18.04 Bound to localhost Open resolver Bound to localhost Queries blocked Ubuntu 16.04 Bound to localhost Open resolver Bound to localhost Queries blocked Ubuntu 14.04 Bound to localhost Open resolver Bound to localhost Queries blocked Debian Stretch Bound to localhost Open resolver Bound to localhost Queries blocked Debian Jessie Bound to localhost Open resolver Bound to localhost Queries blocked CentOS 7 User ACL Bound to localhost Bound to localhost Queries blocked CentOS 6 User ACL Bound to localhost Bound to localhost Queries blocked Fedora 28 User ACL Bound to localhost Bound to localhost Queries blocked Fedora 27 User ACL Bound to localhost Bound to localhost Queries blocked FreeBSD 11.1 User ACL Bound to localhost Bound to localhost Queries blocked FreeBSD 10.4 User ACL Bound to localhost Bound to localhost Queries blocked Table: Overview of test results, green for secure defaults, yellow for problematic choices, red for dangerous defaults B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 9 / 15

  10. Results Platform MQTT Postfix Sendmail Ubuntu 18.04 Public read and write Relay access denied Bound to localhost Ubuntu 16.04 Public read and write Relay access denied Bound to localhost Ubuntu 14.04 Public read and write Relay access denied Bound to localhost Debian Stretch Public read and write Relay access denied Bound to localhost Debian Jessie Public read and write Relay access denied Bound to localhost CentOS 7 Public read and write Bound to localhost Bound to localhost CentOS 6 N/A Bound to localhost Bound to localhost Fedora 28 Public read and write Bound to localhost Bound to localhost Fedora 27 Public read and write Bound to localhost Bound to localhost FreeBSD 11.1 Public read and write Relay access denied Relay access denied FreeBSD 10.4 Public read and write Relay access denied Relay access denied Table: Overview of test results, (dark)green for secure defaults, yellow for problematic choices, red for dangerous defaults B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 10 / 15

  11. Results Notable differences between platforms: FreeBSD/CentOS/Fedora - Debian/Ubuntu Different security policies NTP secure by default nowadays Upstream default configuration may be ignored entirely B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 11 / 15

  12. Conclusion Research Question What is a suitable metric to describe the security posture of default configurations for Internet services? Security posture can be expressed in the number of defence layers On-host tests or configuration required to determine number of layers B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 12 / 15

  13. Conclusion Research Question What role do distributors play in the quality of default configurations for Internet services? Distributors have security policies Enforcing different levels of security Default security is influenced by no-setting defaults B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 13 / 15

  14. Future Work Test more platforms and software Embedded devices Tutorial configurations Test Docker images Old installations Old defaults may persist in current installations B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 14 / 15

  15. Recap Installing the same software on different platforms can have different results As a developer, sane no-setting defaults is the most secure NTP, Unbound Distributor has final say and responsibility for enforcing sane defaults B.A. Jansen, BSc (UvA) Security By Default July 3, 2018 15 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Whats New with Zoom: Security Updates and Meeting Management New Default Settings for PCC

Whats New with Zoom: Security Updates and Meeting Management New Default Settings for PCC

Whats New with Zoom: Security Updates and Meeting Management New Default Settings for PCC How to Update Your Zoom to the Newest Version New Security Button in Meeting Additional Recommended Settings More Optional: Use

368 views • 17 slides
SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary

SELinux Don Porter CSE 506 MAC vs. DAC By default, Unix/Linux provides Discretionary Access Control The user (subject) has discretion to set security policies (or not) Example: I may chmod o+a the file containing 506

640 views • 27 slides
Secure by default Anti-exploit techniques and hardenings in SUSE products Johannes Segitz SUSE

Secure by default Anti-exploit techniques and hardenings in SUSE products Johannes Segitz SUSE

Secure by default Anti-exploit techniques and hardenings in SUSE products Johannes Segitz SUSE Security Team 2019-04-02/04 1 of 46 Who am I? Johannes Segitz, security engineer (Nuremberg, Germany) Code review Product pentesting 2 of

1.49k views • 122 slides
Credit Default Swaps Pamela Heijmans Matthew Hays Adoito Haroon Credit Default Swaps

Credit Default Swaps Pamela Heijmans Matthew Hays Adoito Haroon Credit Default Swaps

Credit Default Swaps Pamela Heijmans Matthew Hays Adoito Haroon Credit Default Swaps Definition A credit default swap (CDS) is a kind of insurance against credit risk Privately negotiated bilateral contract Reference Obligation,

1.11k views • 42 slides
Sovereign Debt and Default Costas Arkolakis Teaching fellow: Federico Esposito Economics 407,

Sovereign Debt and Default Costas Arkolakis Teaching fellow: Federico Esposito Economics 407,

Sovereign Debt and Default Costas Arkolakis Teaching fellow: Federico Esposito Economics 407, Yale February 2014 Outline Sovereign debt and default A brief history of default episodes A Simple Model of Default Managing Sovereign

682 views • 54 slides
Loss Given Default as a Function of the Default Rate Moody's Risk Practitioner Conference

Loss Given Default as a Function of the Default Rate Moody's Risk Practitioner Conference

Loss Given Default as a Function of the Default Rate Moody's Risk Practitioner Conference Chicago, October 17, 2012 Jon Frye Senior Economist Federal Reserve Bank of Chicago Any views expressed are the author's and do not necessarily

571 views • 31 slides
Debt and Default Costas Arkolakis teaching fellow: Federico Esposito Economics 407, Yale

Debt and Default Costas Arkolakis teaching fellow: Federico Esposito Economics 407, Yale

Debt and Default Costas Arkolakis teaching fellow: Federico Esposito Economics 407, Yale February 2014 Outline Sovereign debt and default A brief history of default episodes A Simple Model of Default Managing Sovereign Debt

775 views • 51 slides
ICTP_011_03142012 Page 1 of 6 ProductivI.T.y tip 82_(PowerPoint): Create a Default Presentation

ICTP_011_03142012 Page 1 of 6 ProductivI.T.y tip 82_(PowerPoint): Create a Default Presentation

ICTP_011_03142012 Page 1 of 6 ProductivI.T.y tip 82_(PowerPoint): Create a Default Presentation Template_03142012 Create a Default Presentation Template Before you start making any changes, you should make a copy of the original default

206 views • 6 slides
Using Game Theory To Solve Network Security A brief survey by Willie Cohen Network Security

Using Game Theory To Solve Network Security A brief survey by Willie Cohen Network Security

Using Game Theory To Solve Network Security A brief survey by Willie Cohen Network Security Overview By default networks are very insecure Connected to the open internet There are a number of well known methods for securing a

659 views • 21 slides
Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N

Web Sever Security APACHE; MYSQL; NIKTO B Y : Y : M E G E G A N C U N C U T L E R E R A N A N D R I T I T I K A M A M O O R J A N A N I Introduction Topics Covered Security Checking using Nikto Dangers of Default

262 views • 22 slides
A Default Logic Patch for Default Logic { ECSQARU09 Verona, Italy July 1-3, 2009 }

A Default Logic Patch for Default Logic { ECSQARU09 Verona, Italy July 1-3, 2009 }

A Default Logic Patch for Default Logic { ECSQARU09 Verona, Italy July 1-3, 2009 } Ph. Besnard 1 egoire 2 E. Gr S. Ramon 2 1 IRIT CNRS UMR 5505 Toulouse, France 2 Universit e dArtois CRIL CNRS UMR 8188 Lens, France A

670 views • 47 slides
Corporate Yield Spreads: Default Risk or Liquidity? New Evidence from the Credit Default Swap

Corporate Yield Spreads: Default Risk or Liquidity? New Evidence from the Credit Default Swap

Corporate Yield Spreads: Default Risk or Liquidity? New Evidence from the Credit Default Swap Market Professor Francis Longstaff UCLA/Anderson School Introduction How are corporate bonds priced in the market? In theory, corporate

781 views • 28 slides
Security Structures Beyond GOs Municipal Analysts Group of NY luncheon Amy Laskey, Managing

Security Structures Beyond GOs Municipal Analysts Group of NY luncheon Amy Laskey, Managing

Security Structures Beyond GOs Municipal Analysts Group of NY luncheon Amy Laskey, Managing Director September 8, 2017 Agenda Explain the relationship between the Issuer Default Rating (IDR) and security ratings Discuss the limited

235 views • 21 slides
Hedging Default Risks of CDOs in Markovian Hedging Default Risks of CDOs in Markovian Contagion

Hedging Default Risks of CDOs in Markovian Hedging Default Risks of CDOs in Markovian Contagion

Hedging Default Risks of CDOs in Markovian Hedging Default Risks of CDOs in Markovian Contagion Models Contagion Models Second Princeton Credit Risk Conference 24 May 2008 Jean-Paul LAURENT ISFA Actuarial School, University of Lyon,

573 views • 44 slides
Product Presentation in PDF As we have been doing, start with a default slide and get rid of

Product Presentation in PDF As we have been doing, start with a default slide and get rid of

Product Presentation in PDF As we have been doing, start with a default slide and get rid of default items to make the slide blank. We are going to change the slide to a regular paper size (11 x 8.5 inches). Select File-Page Setup. Then change

71 views • 5 slides
Five Secrets to Building a Security Culture WWW.ISECOM.ORG Secret #1 You are NOT designed by

Five Secrets to Building a Security Culture WWW.ISECOM.ORG Secret #1 You are NOT designed by

Five Secrets to Building a Security Culture WWW.ISECOM.ORG Secret #1 You are NOT designed by default to be security aware. You are not aware or in control of your thoughts. You are a bag of hormones and disease making wants and needs.

259 views • 9 slides
Book Chapters and Loans Joe Natale udoc@lib.uconn.edu What are we talking about today? Rapid ILL

Book Chapters and Loans Joe Natale udoc@lib.uconn.edu What are we talking about today? Rapid ILL

Rapid ILL and RapidR Book Chapters and Loans Joe Natale udoc@lib.uconn.edu What are we talking about today? Rapid ILL - Articles - Book Chapters - Loans (RapidR Pilot) ILLiad - Rapid Manager - Direct ILL RapidR Pilot - Boston Library

841 views • 45 slides
An Application Conflict Detection and Resolution Method for Smart Homes Miki Yagita 1st year

An Application Conflict Detection and Resolution Method for Smart Homes Miki Yagita 1st year

An Application Conflict Detection and Resolution Method for Smart Homes Miki Yagita 1st year masters course @ The University of Tokyo, Japan Supervisers: Assoc. Prof. Fuyuki Ishikawa, Prof. Shinichi Honiden 1 IoT - Internet of Things A

522 views • 25 slides
Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios

Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios

Zero Knowledge Accumulators and Set Operations Esha Ghosh 1 Olya Ohrimenko 2 Dimitrios Papadopoulos 3 Roberto Tamassia 1 Nikos Triandopoulos 4 1 Brown University 2 Microsoft Research 3 University of Maryland 4 Stevens Institute of Technology

614 views • 39 slides
to improve Identity Federation Scalability Daniela Phn and Wolfgang Hommel Agenda

to improve Identity Federation Scalability Daniela Phn and Wolfgang Hommel Agenda

Automated User Information Conversion to improve Identity Federation Scalability Daniela Phn and Wolfgang Hommel Agenda Introduction and Motivation Generic Conversion Rule Repository Functionality Workflows Architecture

244 views • 20 slides
Debt Restructuring: Evidence and Comments on Recent Developments Prepared for the substantive

Debt Restructuring: Evidence and Comments on Recent Developments Prepared for the substantive

Debt Restructuring: Evidence and Comments on Recent Developments Prepared for the substantive informal session at the United Nations, Debt crisis prevention and resolution, Dec 9 th , 2014 New York . Andrew Powell* Research Department, IDB

479 views • 28 slides
MINI OPENDRIVE 1 MINI MINI OPENDRIVE EXP OPENDRIVE EXP Experience, eXpertise, Performance The

MINI OPENDRIVE 1 MINI MINI OPENDRIVE EXP OPENDRIVE EXP Experience, eXpertise, Performance The

MINI OPENDRIVE 1 MINI MINI OPENDRIVE EXP OPENDRIVE EXP Experience, eXpertise, Performance The Innovative technology in the Motion Control 2 Mini OPENDR DRIVE E EXP XP servo drive and FOC inverter Intelligent, compact and dynamic 74

125 views • 8 slides
Transcription Terminator Efficiency Calculator (TTEC) SUSTC-Shenzhen-B Outline 1 Background

Transcription Terminator Efficiency Calculator (TTEC) SUSTC-Shenzhen-B Outline 1 Background

Transcription Terminator Efficiency Calculator (TTEC) SUSTC-Shenzhen-B Outline 1 Background & Motivation 2 Terminator Efficiency Calculator Algorithm Database Experiment 3 Human Practice Background & Motivation RBS CDS

486 views • 29 slides
eInvoicing is Coming: Get Ready! Department of Education and Skills and eInvoicing Ireland Event

eInvoicing is Coming: Get Ready! Department of Education and Skills and eInvoicing Ireland Event

eInvoicing is Coming: Get Ready! Department of Education and Skills and eInvoicing Ireland Event Declan McCormack, eInvoicing Programme Manager Office of Government Procurement 11 June 2018 Agenda Introduction to eInvoicing background

284 views • 24 slides

More recommend