Going Outside the Application
Securing the Environment for Blackboard Learn
Matthew Saltzman, Security Engineer
Blackboard Inc.
ABOUT ME 
Matthew Saltzman 
Security Engineer 
Blackboard Inc. 
matthew.saltzman@blackboard.com 
I have been at Blackboard for over 5 years, 4 of those in Blackboard Support
INTRODUCTION
• Blackboard contains Sensitive Information
  • Names
  • Addresses
  • Social Security Numbers
    • Should be removed if present
  • Grade Information for Courses
• This data must be protected
• Securing the application can only be one component in securing this information
• Also need to secure the environment it runs on
COMPONENTS TO SECURE
• Application 
• Network 
• Operating System 
• Database 
• 3rd Party components external to Blackboard 
• Institution Policies
Going outside the application
SSL
• Protection against network monitoring tools
  • Traffic Sniffing
• Protection against Man in the Middle Attacks
• Easy to configure Blackboard to use SSL
  • Requires an SSL certificate from a signing authority (SA)
  • Configure webserver to use SSL certificate
  • Turn on SSL
    • Through the Application
    • Via SSL offloading
TYPES OF CERTIFICATES
• Regular SSL Certificate
  • single site
  • up to 256-bit encryption
• EV Certificate
  • single site
  • up to 256-bit encryption
  • Much stricter issuing criteria
• Wildcard Certificate
  • multiple sites in the same domain
  • up to 256-bit encryption
• Intermediary Certificate
  • single site
  • Used in conjunction with a Wildcard Certificate to validate the identity of the individual site
ALTERNATE CONTENT DOMAIN
• Purpose: XSS Prevention from files
• Creates a single-use session for downloading the file
  • Prevents session stealing from main Blackboard session
  • Expires as soon as the file is downloaded
• Requires separate SSL certificate for alternate domain
  • Otherwise SSL errors will appear
CHANGES DUE TO ALTERNATE DOMAIN
Without Alternate Domain for serving content: 
With Alternate Domain for serving content:
PATCHES AND UPGRADE SCHEDULE
• Application Vulnerabilities often fixed via patches
  • Released via bbpatch
  • Publish a Security Advisory to Behind the Blackboard
• Not all vulnerabilities fixed this way
  • Too complex a fix
  • Fixed by a new security feature
    • Capturing Security Events (SP12)
    • Secure User Password Storage (SP12)
• Keep Blackboard version up to date as well
Going outside the application
FIREWALL
• Helps prevent unauthorized access to the server
• Limits access to allowed ports
• Blocks access from devices that should not have access
• Required Ports (Defaults):
  • 80 - HTTP port
  • 443 - SSL port
  • 8009 - Tomcat Port number
  • 8005 - Tomcat Shutdown Port
  • 8010 - Collab TCP Port
  • 8011 - Collab HTTP Port
  • 8443 - Collab SSL Port
  • 8006 - Collab Shutdown Port
  • 1521 - Oracle DB
  • 1433 - SQL Server
  • 8016 - BBExec Service Port
  • 61616 - ActiveMQ Port
DEMO
• How Firewalls help prevent network penetration
• Demonstration of how port scanning works
IPTABLES CONFIGURATION
NETWORK SEGMENTING
• Different types of servers should be in different network zones
  • DMZ – perimeter network containing external facing servers
    • Most vulnerable
  • Any other network zone – Should not contain external servers
• Firewall present between DMZ and rest of network
• Application servers should be in the DMZ
  • Database should not
NETWORK DIAGRAM
TRAFFIC SHAPER
• Device that does “Rate Limiting” on network traffic to specific devices
  • Packet Shaping
• Helps prevent DoS attacks
  • Slows rate of traffic hitting server
• Requires statistics
  • Expected Incoming Traffic
  • Acceptable incoming traffic Rates
    • Traffic rate too low causes performance issues for end users
    • Traffic rate too high could allow DoS attack to succeed
• Could be done through Load Balancer
TRAFFIC SHAPER GRAPH
SSL OFFLOADING
• Can use either Load Balancer or specific offloading tool (SSL Accelerator)
• Cuts down cost of encryption
  • Tool (Load Balancer or otherwise) much faster at encryption than Application Server
• Allows longer SSL encryption key
• Thus, helps prevent DoS due to SSL
INTRUSION DETECTION/PREVENTION SYSTEM
• Monitors network for malicious traffic
• Can take various actions when discovered:
  • Send an Alert
  • Log malicious traffic for review
  • Drop malicious traffic (Prevention only)
• Can be configured using custom rules
• Different types
  • Network Based – prevents network attacks
  • Host based – prevents OS level attacks
• Some examples (Open Source):
  • Snort (Network IPS)
  • OSSEC (Host IPS)
  • Suricata (Network IPS)
SNORT
OSSEC
SURICATA
ALTER PORTS, REMOVE BANNERS
• Port Scans
  • Tells scanner which ports are open
  • Reports any banners associated with open ports
• Default ports describe which application is running
  • Therefore, do not use default ports
  • Exceptions: ports 80 and 443
• Banners on ports explain what non-default ports do
  • Therefore, remove any descriptions of the ports as well
PORT SCANNER
Going outside the application
PROTECT ANY OPERATING SYSTEM
• Keep Operating System up to Date
  • OS Patches
  • Application/Service Packs
• Dedicate Servers to specific tasks
  • Prevents vulnerabilities in one application or task from affecting others
• Use domain accounts for users
  • Allows for simpler auditing of user activity
• Require strong passwords for all accounts
  • Helps prevent unwanted access to servers
DEMO
• Why dedicating servers to specific tasks is a good idea
  • Insecure tool running on same server as Blackboard
INSECURE SERVER CODE
AUDITING OS ACTIVITY
• OS should be configured for auditing
  • Account with activity
  • Action this account took
  • Time the action was taken
AUDIT LOG RECOMMENDATIONS
• Archive and Clear audit log daily
  • Prevents performance issues
  • Easier to read and locate problems
  • Easier to notice tampering with the audit log
• Alerts on suspicious activity
  • Authentication Problems
  • Altering system settings
  • Accessing Sensitive Data
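An added example (not from the slides) of the "Alerts on suspicious activity" recommendation: a shell triage over a few constructed Linux auditd records that flags repeated authentication failures, edits to system settings and reads of sensitive data, reporting the account, the action and the time for each. The audit keys sshd_config and identity are assumed to have been set by watch rules in audit.rules (the file the editor's note for slide #31 names).

```shell
#!/bin/sh
# Added example, not Blackboard's own tooling. Works on constructed auditd
# records (format: type=... msg=audit(epoch.ms:serial): field=value ...).
# Assumed audit.rules keys: "sshd_config" on /etc/ssh/sshd_config (system
# settings) and "identity" on /etc/shadow (sensitive data).
SAMPLE_LOG='type=USER_AUTH msg=audit(1700000000.101:201): pid=4101 uid=0 auid=4294967295 acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.50 res=failed
type=USER_AUTH msg=audit(1700000000.105:202): pid=4102 uid=0 auid=4294967295 acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.50 res=failed
type=USER_AUTH msg=audit(1700000000.109:203): pid=4103 uid=0 auid=4294967295 acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.50 res=failed
type=USER_AUTH msg=audit(1700000000.120:204): pid=4104 uid=0 auid=4294967295 acct="bob" exe="/usr/sbin/sshd" hostname=192.0.2.60 res=success
type=SYSCALL msg=audit(1700000000.300:205): arch=c000003e syscall=257 success=yes auid=1001 uid=0 comm="vim" exe="/usr/bin/vim" key="sshd_config"
type=SYSCALL msg=audit(1700000000.400:206): arch=c000003e syscall=257 success=yes auid=1002 uid=0 comm="cat" exe="/usr/bin/cat" key="identity"'

# Authentication problems: accounts with at least $1 (default 3) failed
# USER_AUTH records. Prints one account name per line.
failed_auth_accounts() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v t="${1:-3}" '
    $1 == "type=USER_AUTH" && /res=failed/ {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^acct=/) { a = $i; gsub(/^acct=|"/, "", a); n[a]++ }
    }
    END { for (a in n) if (n[a] >= t) print a }'
}

# Records tagged with audit key $1: prints "<auid> <exe> <epoch seconds>",
# i.e. the account (login uid), the action and the time of the action.
watched_file_events() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v k="$1" '
    {
      key = ""; who = ""; what = ""
      for (i = 1; i <= NF; i++) {
        v = $i
        if (v ~ /^key=/)  { gsub(/^key=|"/, "", v); key = v }
        if (v ~ /^auid=/) { sub(/^auid=/, "", v);   who = v }
        if (v ~ /^exe=/)  { gsub(/^exe=|"/, "", v); what = v }
      }
      if (key == k) {
        ts = $2; sub(/^msg=audit\(/, "", ts); sub(/\..*$/, "", ts)
        print who, what, ts
      }
    }'
}

# One ALERT line per finding, covering the three categories on the slide.
audit_report() {
  for a in $(failed_auth_accounts 3); do
    echo "ALERT auth: repeated authentication failures for account $a"
  done
  watched_file_events sshd_config | while read -r who what ts; do
    echo "ALERT settings: auid=$who changed sshd_config via $what at $ts"
  done
  watched_file_events identity | while read -r who what ts; do
    echo "ALERT sensitive: auid=$who read identity data via $what at $ts"
  done
}

audit_report
```

On a real host, replace SAMPLE_LOG with the output of ausearch or the contents of /var/log/audit/audit.log, and hand the ALERT lines to whatever alerting channel the site already uses.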
BAD AUDIT LOG
SECURING LINUX SERVERS
• Require SSH instead of Telnet
  • Telnet is insecure
  • Traffic sniffing Telnet session is possible
• Use public/private key authentication
  • Private Key file never leaves the client machine
  • Private key cannot be computed from public key
• Add a strong passphrase to the private key file
  • Prevents a user from using a stolen private key
PUBLIC KEY SSH AUTHENTICATION
APACHE2
• All Linux application servers should run Apache2
  • Added security, as it is the current version
  • Can keep up-to-date with patches and new versions
  • Does not require Blackboard intervention
• Can add MOD_SECURITY
  • Application firewall
  • Can prevent some application vulnerabilities
  • Not easy in Blackboard Apache, if even possible
  • Allows for audit logging of HTTP
    • Information about potential malicious activity within the application
MOD_SECURITY FLOW DIAGRAM
RENDERED MOD_SECURITY LOG
SECURING WINDOWS SERVERS
• Group Policy
  • Strong password Requirements
  • Require password changes often
  • Audit log (covered earlier)
• IIS Settings
  • IIS User with minimal permissions to everything except application
  • MOD_SECURITY for IIS possible
• SCW (Security Configuration Wizard)
  • Wizard for setting security configuration
Going outside the application
UNIQUE DATABASE CONCERNS
• Contains all data from the application
• Need to configure OS Security
  • Access to the OS means access to the DB, usually
• Also need database specific security
  • DB is meant to be accessed remotely
DATABASE USER SECURITY
• Strong Database Passwords
  • Should not match OS Passwords
  • Each Password should be Unique
• Users should not use system accounts
  • sa, root, master, etc.
  • Allows for auditing of individual users’ activity
DATABASE SECURITY MEASURES
• Limit DB permissions to bare minimum
  • Helps prevent database privilege escalation
• Limit login by IP Address
  • Prohibits access to Database by unauthorized machines
• Potential Solution:
  • Encrypt traffic to and from Database
  • Please performance test this first, may not perform well
Going outside the application
REDIS
• 3rd Party Caching Database
• Blackboard Developed B2 to replace server caches
• See Nori’s presentation on performance impact:
  • 8:30 – 9:15 AM Tuesday in Murano 3301B
REDIS SECURITY FEATURES
• Should never manually log into Redis cache
• Password should be far more complex than normal
  • Stored in a properties file
• Block Unused Redis commands
  • Prevent users who gain access from affecting Redis in unauthorized ways
• Keep Redis Application up to date
OTHER 3RD PARTY APPLICATIONS
• Understand scope of server
  • What needs to access it
  • Expected network traffic
  • Expected paths to and from server
• Size the application properly
• Utilize all security features of the application
• Secure the server itself
Going outside the application
INSTITUTION POLICIES
• Policies meant to encourage secure behavior by all personnel
• Help to prevent privileged user mistakes
  • Such as sharing security information at a bar
PASSWORD POLICIES
• Strong passwords should be encouraged
  • Require minimum password strength
  • Require users to change passwords often
  • Do not re-use passwords
  • Do not share passwords
• Can prevent malicious user from accessing privileged account
  • Privileged accounts can bypass most security
  • Renders all previous actions essentially moot
DOMAIN USER POLICIES
• Each user has a domain account
• Each account has a set of associated roles
  • Defines level of access
    • Administration
    • IIS/Apache
    • Etc.
• Limit Access to servers or admin features by role
  • Prevents unauthorized or unexpected access
THANK YOU! 
Matthew Saltzman 
Security Engineer 
Blackboard Inc. 
matthew.saltzman@blackboard.com


Editor's Notes

  • #13: Begin by blocking all ports. Open loopback and remote connection ports. Each AppServer: open port 443 (and 80 without SSL system wide) to all traffic in and out; open ports 8009 and 8005 to the local server and all other appservers only; open port 8016. Collab Server: open the Collab ports (8010, 8011, 8443, 8005). Database Server: open the DB port (1521 for Oracle, 1433 for SqlServer) to all appservers.
  • #31: Windows: Group Policy Manager: gpedit.msc Linux: /etc/audit/auditd.conf and /etc/audit/audit.rules.
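The per-role firewall plan in the editor's note for slide #13, applied to the default ports on the FIREWALL slide, as an added example that is not Blackboard's own script: it prints the iptables commands for one server role so they can be reviewed before being applied. Assumptions: SSH on port 22 is the "remote connection port", the app-server addresses and admin network are constructed placeholders, and ports the note lists without a source (8016 and the Collab ports) are restricted to app servers or clients as commented.

```shell
#!/bin/sh
# Added example, not Blackboard's own script. Dry run by default: every
# rule is echoed instead of applied. Set IPT=iptables and run as root to
# apply. APPSERVERS and ADMIN_NET are constructed placeholder addresses.
IPT="${IPT:-echo iptables}"
APPSERVERS="${APPSERVERS:-192.0.2.11 192.0.2.12}"   # constructed placeholders
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"              # constructed placeholder
SSL_SYSTEM_WIDE="${SSL_SYSTEM_WIDE:-yes}"           # "no" also opens port 80

# Block all ports, then allow loopback, replies to established connections
# and remote administration (SSH on 22 assumed) from the admin network.
base_rules() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
}

# Open one TCP port to the app servers only; the loopback rule in
# base_rules already covers "the local server".
allow_from_appservers() {
  for h in $APPSERVERS; do
    $IPT -A INPUT -p tcp --dport "$1" -s "$h" -j ACCEPT
  done
}

# gen_rules ROLE [DB]: ROLE is appserver, collab or db; DB is oracle or
# sqlserver. Returns 1 for an unknown role or database.
gen_rules() {
  base_rules
  case "$1" in
    appserver)
      $IPT -A INPUT -p tcp --dport 443 -j ACCEPT           # SSL port, all traffic
      [ "$SSL_SYSTEM_WIDE" = yes ] || $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
      allow_from_appservers 8009                            # Tomcat port
      allow_from_appservers 8005                            # Tomcat shutdown port
      allow_from_appservers 8016   # BBExec service; source assumed (note gives none)
      ;;
    collab)
      # Assumption: Collab HTTP/SSL ports to all clients, Collab TCP and
      # shutdown ports (8005 per the note; the FIREWALL slide lists 8006)
      # to app servers only.
      $IPT -A INPUT -p tcp --dport 8011 -j ACCEPT
      $IPT -A INPUT -p tcp --dport 8443 -j ACCEPT
      allow_from_appservers 8010
      allow_from_appservers 8005
      ;;
    db)
      case "$2" in
        oracle)    allow_from_appservers 1521 ;;
        sqlserver) allow_from_appservers 1433 ;;
        *) echo "gen_rules: DB must be oracle or sqlserver" >&2; return 1 ;;
      esac
      ;;
    *) echo "gen_rules: unknown role '$1'" >&2; return 1 ;;
  esac
}

gen_rules appserver
```

Port 61616 (ActiveMQ) from the FIREWALL slide is not in the note's plan, so it is deliberately left closed here; add an allow_from_appservers line for it only if the deployment needs it.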