OS Hardening Techniques
Operating System (OS) hardening is the process of securing an operating system by reducing its attack surface. This is done by configuring the OS to be more secure and less vulnerable to attacks.
The Google Cybersecurity course lays out a scenario in which you are tasked with hardening a Linux system. The scenario is as follows:
OS Hardening - Activity Instructions
Activity Overview
In this activity, you will take on the role of a cybersecurity analyst working for a company that hosts the cooking website, yummyrecipesforme.com. Visitors to the website experience a security issue when loading the main webpage. Your job is to investigate, identify, document, and recommend a solution to the security problem.
When investigating the security event, you will review a tcpdump log. You will need to identify the network protocols used to establish the connection between the user and the website. Network protocols are the communication rules and standards networked devices use to transmit data. Unfortunately, malicious actors can also use network protocols to invade and attack private networks. Knowing how to identify the protocols commonly used in attacks will help you protect your organization’s network against these types of security events.
To complete the assignment, you will also need to document what occurred during the security incident. Then, you will recommend one security measure to implement to prevent similar security problems in the future.
Scenario
Review the scenario below. Then complete the step-by-step instructions.
You are a cybersecurity analyst for yummyrecipesforme.com, a website that sells recipes and cookbooks. A former employee has decided to lure users to a fake website with malware.
The baker executed a brute force attack to gain access to the web host. They repeatedly entered several known default passwords for the administrative account until they correctly guessed the right one. After they obtained the login credentials, they were able to access the admin panel and change the website’s source code. They embedded a JavaScript function in the source code that prompted visitors to download and run a file upon visiting the website. After embedding the malware, the baker changed the password to the administrative account. When customers download the file, they are redirected to a fake version of the website that contains the malware.
Several hours after the attack, multiple customers emailed yummyrecipesforme’s helpdesk. They complained that the company’s website had prompted them to download a file to access free recipes. The customers claimed that, after running the file, the address of the website changed and their personal computers began running more slowly.
In response to this incident, the website owner tries to log in to the admin panel but is unable to, so they reach out to the website hosting provider. You and other cybersecurity analysts are tasked with investigating this security event.
To address the incident, you create a sandbox environment to observe the suspicious website behavior. You run the network protocol analyzer tcpdump, then type in the URL for the website, yummyrecipesforme.com. As soon as the website loads, you are prompted to download an executable file to update your browser. You accept the download and allow the file to run. You then observe that your browser redirects you to a different URL, greatrecipesforme.com, which contains the malware.
The logs show the following process:
- The browser initiates a DNS request: It requests the IP address of the yummyrecipesforme.com URL from the DNS server.
- The DNS replies with the correct IP address.
- The browser initiates an HTTP request: It requests the yummyrecipesforme.com webpage using the IP address sent by the DNS server.
- The browser initiates the download of the malware.
- The browser initiates a DNS request for greatrecipesforme.com.
- The DNS server responds with the IP address for greatrecipesforme.com.
- The browser initiates an HTTP request to the IP address for greatrecipesforme.com.
A senior analyst confirms that the website was compromised. The analyst checks the source code for the website. They notice that JavaScript code had been added to prompt website visitors to download an executable file. Analysis of the downloaded file found a script that redirects the visitors’ browsers from yummyrecipesforme.com to greatrecipesforme.com.
The cybersecurity team reports that the web server was impacted by a brute force attack. The disgruntled baker was able to guess the password easily because the admin password was still set to the default password. Additionally, there were no controls in place to prevent a brute force attack.
Your job is to document the incident in detail, including identifying the network protocols used to establish the connection between the user and the website. You should also recommend a security action to take to prevent brute force attacks in the future.
Step-By-Step Instructions
We will use this template for our responses:
1. Get the Template
Security incident report
| Section 1: Identify the network protocol involved in the incident |
|---|
| Section 2: Document the incident |
|---|
| Section 3: Recommend one remediation for brute force attacks |
|---|
2. Get the Resources
Resources provided by Google Cybersecurity include a TCPDUMP log file and a guide to read the log file.
I won't be able to provide the resources here, but you can find them in the Google Cybersecurity course.
3. Identify the network protocol involved in the incident
As one of the cybersecurity analysts in this scenario, you are tasked with writing an incident report for this security event. Using the tcpdump log file, determine which network protocol is identified in the packet captures during the investigation. You will use what you learned about the four layers of the TCP/IP model and which protocols happen at each layer.
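The protocol identification asked for here can be automated. The following Python script is an added example (not part of the course materials or its log file): it parses tcpdump-style lines, takes the endpoint on a well-known port as the server, and reconstructs the order in which servers were contacted. The log lines are constructed to mirror the scenario; the host names your.machine and dns.google and the IP addresses are assumptions.

```python
import re
from collections import Counter

# Constructed tcpdump output modelled on the scenario; NOT the course's real log file.
# tcpdump prints each endpoint as host.port and substitutes service names it knows
# ("domain" for 53, "http" for 80). Host names and IPs are assumptions.
SAMPLE_LOG = """\
14:18:32.192571 IP your.machine.52444 > dns.google.domain: 35084+ A? yummyrecipesforme.com. (24)
14:18:32.204388 IP dns.google.domain > your.machine.52444: 35084 1/0/0 A 203.0.113.22 (40)
14:18:36.786501 IP your.machine.36086 > yummyrecipesforme.com.http: Flags [S], seq 2873951608, win 65495, length 0
14:18:36.786517 IP yummyrecipesforme.com.http > your.machine.36086: Flags [S.], seq 3984213560, ack 2873951609, win 65483, length 0
14:20:32.192571 IP your.machine.56378 > dns.google.domain: 21899+ A? greatrecipesforme.com. (24)
14:20:32.204388 IP dns.google.domain > your.machine.56378: 21899 1/0/0 A 192.0.2.17 (40)
14:25:29.576493 IP your.machine.56378 > greatrecipesforme.com.http: Flags [S], seq 1020010883, win 65495, length 0
"""

# Well-known server ports by the name or number tcpdump prints for them.
PORT_TO_PROTOCOL = {"domain": "DNS", "53": "DNS", "http": "HTTP", "80": "HTTP",
                    "https": "HTTPS", "443": "HTTPS"}
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+):")

def parse_line(line):
    """Return (timestamp, protocol, server_host) for one line, or None if it is
    not an IP packet. The endpoint on a well-known port is taken as the server,
    so a request and its reply are attributed to the same host and protocol."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, _, src_port = m.group("src").rpartition(".")
    dst_host, _, dst_port = m.group("dst").rpartition(".")
    if dst_port in PORT_TO_PROTOCOL:            # client -> server
        return m.group("ts"), PORT_TO_PROTOCOL[dst_port], dst_host
    if src_port in PORT_TO_PROTOCOL:            # server -> client
        return m.group("ts"), PORT_TO_PROTOCOL[src_port], src_host
    return m.group("ts"), "OTHER", dst_host

def summarize(log_text):
    """Count packets per protocol and return the (protocol, server) pairs in
    first-seen order: the chain of events to put in section 2 of the report."""
    counts, chain = Counter(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, proto, server = parsed
        counts[proto] += 1
        if (proto, server) not in chain:
            chain.append((proto, server))
    return counts, chain
```

Running `summarize(SAMPLE_LOG)` on the constructed log yields four DNS and three HTTP packets, and a chain of dns.google, then yummyrecipesforme.com over HTTP, then greatrecipesforme.com over HTTP.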
4. Document the incident
Summarize the incident in the second section of the report. Provide as many details and facts as possible in your documentation. When writing the documentation, be sure to:
- Avoid using strong emotional language (good, terrible, awful, etc.).
- Include as many facts about the issue as you can, including where the incident occurred, how it happened, whether anyone witnessed it, how it was discovered, etc.
- Indicate your sources for information and evidence.
Writing accurate and detailed documentation for cybersecurity incidents can serve as a reference point for other cybersecurity analysts. Additionally, quality documentation can be used to educate other employees about cybersecurity measures taken within the company when incidents occur and can help businesses comply with various security audits.
5. Recommend one remediation for brute force attacks
After documenting the incident, write one recommendation to help your organization prevent brute force attacks in the future.
Some of the common security methods used to prevent brute force attacks include:
- Requiring strong passwords
- Enforcing two-factor authentication (2FA)
- Monitoring login attempts
- Requiring more frequent password changes
- Disallowing previous passwords from being used
- Limiting the number of login attempts
Select one security measure, and explain why it is effective in section three of the security incident report template.
The more safety measures that are in place, the less likely a malicious actor will be able to access sensitive information.
OS Hardening Techniques - Solution
1. Identify the network protocol involved in the incident
| Section 1: Identify the network protocol involved in the incident |
|---|
| The network protocol involved in the incident is HTTP. The browser initiates an HTTP request to the yummyrecipesforme.com webpage using the IP address sent by the DNS server. The browser then initiates the download of the malware. The browser also initiates an HTTP request to the IP address for greatrecipesforme.com. The log also shows a large volume of traffic on port 80, which is the default port for HTTP traffic. This confirms that the network protocol involved in the incident is HTTP. |
| Section 2: Document the incident |
|---|
| What: Several customers complained that the company’s website had prompted them to download a file to access free recipes. The customers claimed that, after running the file, the address of the website changed and their personal computers began running more slowly. A former employee lured users to a fake website using the file download, and when the site owner attempted to log in to their account they found they had been locked out. When: Several hours after the attack, multiple customers emailed yummyrecipesforme’s helpdesk. Testing Activities: The analyst ran the network protocol analyzer tcpdump, then typed in the URL for the website, yummyrecipesforme.com. As soon as the website loaded, the analyst was prompted to download an executable file to update the browser. The analyst created a sandbox environment to reproduce the download prompt, accepted the download and allowed the file to run. The browser redirected to a different URL, greatrecipesforme.com, which contained the malware. TCPDUMP Logs: The logs show a DNS request for yummyrecipesforme.com and the DNS reply, an HTTP request to the returned IP address, the download of the malware, then a DNS request and reply for greatrecipesforme.com followed by an HTTP request to that IP address. Source Code Analysis: The source code for the website was compromised. The analyst noticed that JavaScript code had been added to prompt website visitors to download an executable file. Analysis of the downloaded file found a script that redirects the visitors’ browsers from yummyrecipesforme.com to greatrecipesforme.com. |
| Section 3: Recommend one remediation for brute force attacks |
|---|
| One remediation for brute force attacks is to implement a lockout policy. A lockout policy locks an account after a set number of failed login attempts, which prevents attackers from guessing the password by brute force. As this attack was a relatively easy brute force / guessed default password attack, additional security measures, such as cycling passwords, requiring strong passwords, and implementing two-factor authentication, would also be beneficial. A recommended top solution would be to move to an OTP (One Time Password) system that requires a code generated by a physical device, or delivered via email or SMS, for login. The more security measures in place, the less likely a malicious actor will be able to access sensitive information. |
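The lockout policy recommended above, as an added Python example that is not part of the course materials or the report: a per-account sliding-window counter that refuses further password checks once the failure threshold is reached and releases the lock after a fixed time. The default thresholds, the injectable `clock` parameter and the `check_password` callback are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

class LockoutPolicy:
    """Lock an account after `max_failures` failed logins inside a sliding
    `window` (seconds) and keep it locked for `lockout` seconds. Counters are
    per account, so the admin account cannot be guessed at indefinitely."""

    def __init__(self, max_failures=5, window=900, lockout=900, clock=time.time):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock                      # injectable for deterministic tests
        self.failures = defaultdict(deque)      # account -> timestamps of recent failures
        self.locked_until = {}                  # account -> time the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:               # lockout expired: reset the account
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Register a failed attempt; return True if it triggered a lockout."""
        now = self.clock()
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self.failures[account].clear()

def attempt_login(policy, account, password, check_password):
    """Gate the password check behind the policy. Returns 'locked', 'ok' or
    'failed'. While locked the check is skipped entirely, so neither the right
    password nor a lucky guess yields anything until the lock expires."""
    if policy.is_locked(account):
        return "locked"
    if check_password(account, password):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "failed"
```

On a Linux host the equivalent built-in control is pam_faillock (or fail2ban for network-facing services), which is configured with the same three parameters: the number of failures, the interval they are counted over, and the unlock time.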