Computer Security Test Gone Wrong - Please Help
EH-Net
Topic: Computer Security Test Gone Wrong - Please Help (Read 15726 times)
Arguntom (Newbie, Posts: 2) « on: December 12, 2010, 09:37:30 PM »
Ok well here is my story: Me and my friend set up a seemingly impenetrable computer to test if we could gain access to its administrative account and extra features, etc. Our setup was one that a business would use to keep their employees from hacking their computers while also effectively preventing them from infecting their PCs with malware. As far as we can say it works.... almost too good. This is a Windows 7 32-bit computer and here's what we did.
- Reset everything to factory.
- Made a completely random admin account with a lot of letters and numbers in name and pass to prevent cracking.
- In regedit made a group policy, put the hacking account in it and prevented any executable file type from running except those already available.
- Denied access to the C drive, basically you can look, not edit it.
- You have no access to regedit, device manager, or anything of that sort.
- Random BIOS password.
- No access to SYSTEM account.
- God Mode is still possible.
So basically it's the same as a limited account without the ability to run executable file types. Which we soon learned was going to be our biggest problem. Soon we decided to switch to Java as our solution and that didn't work because Java applications simply haven't gone far enough to help in such a terrible situation. So next we decided to look at viruses that would do the job for us. Most all viruses need to be launched for the first time by executing them, which was the problem because they can't do that because of the restriction policy. After 5 days we gave up; now I have been seeking help online because we can't do this alone, we don't have the hacking skills. I would consider this to be an ultimate test for any hacker, ethical or otherwise, so anyone that can defeat this is truly amazing. Oh yeah, and remember that we want to attack this computer without the help of any outside source, like another computer or taking the hard drive out, and hacking it with another computer.
« Last Edit: December 12, 2010, 09:40:06 PM by Arguntom »
sgt_mjc (Sr. Member, Posts: 294) « Reply #1 on: December 15, 2010, 08:43:56 AM »
Well taking the HD out is the easiest route since the data may or "probably not" be encrypted. Since that is not an option and you are using Windows, I would suggest that you look at several of the Microsoft Security Bulletins as they may point you at a flaw in one of the executables already on the system like with Word or Excel. One question though, can the user save files or make use of a USB drive or other peripheral? I ask only because you say the C: drive is locked down and they cannot write to it. Is the system boot password protected or just the BIOS? Can the 1st boot device be changed? What is the boot order?
Mike Conway
CISSP
CompTia Security +
C|EH
sil (Hero Member, Posts: 549) « Reply #2 on: December 15, 2010, 10:38:17 AM »
I don't mean my commentary to be anything more than constructive criticism.
- Made a completely random admin account with a lot of letters and numbers in name and pass to prevent cracking.
This means absolutely nothing. As the saying goes, "Why Crack When You Can Pass the Hash?" (http://www.sans.org/reading_room/whitepapers/testing/crack-pass-hash_33219) Furthermore, at some point in time, you're going to have to either write down that password or store it somewhere. What will you do in the event that you lose it?
- In regedit made a group policy, put the hacking account in it and prevented any executable file type from running except those already available.
Also means nothing, if I replace something trusted, it will run that executable so escalation is possible. You're better off configuring HIDS (http://www.intersectalliance.com/projects/SnareWindows/index.html) with alerting going to an SIEM (http://www.alienvault.com/products.php?section=OpenSourceSIM). From the SIEM you could create triggers to perform things like logging someone off, etc.
- Denied access to the C drive, basically you can look, not edit it.
If I intend on extracting data from your DB, all I need to do is look at it. Who cares if I can't edit it.
I believe you have a particular view of security that could never work in the real world, especially for a business. I suggest taking a look at the NSA's hardening guides: http://www.nsa.gov/ia/guidance/security_configuration_guides/current_guides.shtml They will give you a better guideline.
Businesses all differ and what you'll end up doing is strangling yourself and frustrating your client. Once upon a 15 years ago, I decided that C2 (http://technet.microsoft.com/en-us/library/cc767091.aspx) is the level of security I wanted to have on my network.
I created a monster ini file to go and lock down machines from copying and pasting, printscreen, sharing, you name it, there was no way in hell someone could leverage anything on the network. Guess what? Once managers were unable to perform necessary functions, it became counterproductive. The approach I took was wrong.
You seriously need to perform a risk assessment to determine what needs protecting and why. You do this so you don't waste time and resources on unnecessary things. Once you understand WHAT needs protection, then you need to determine WHO you need to protect it from.
Your house needs protection from the possibility of a burglar. Do you a) spend money on every single entry point or b) determine what can he possibly get into? If you said a) then you'd waste money buying gates for all of your windows, triple locks on every single door, guard dogs around the perimeter and so on. Had you said b), you could stop and think for a moment... "I'll save the money on uber locks, doors and dogs, get a good lock for the front and back and get an alarm system. Besides, if I have 3 locks on each door, what happens if there is a fire, am I trapping myself in here."
Security is comprised of processes and procedures whether we as techies like it or not. Begin with a real world plan. The theory that you submitted won't fly.
http://www.infiltrated.net/mgz/puppylecter.jpg
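Added example, not part of the original thread: a defender-side check for the point made in the reply above, that a rule allowing "executables already available" is only as strong as the integrity of those files. It records a hash baseline for the allow-listed paths and later reports any that are missing, have different content, or can be overwritten by the account running the check. The file names and the temporary directory standing in for an install directory are assumptions made for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths):
    """Record the known-good hash of every executable the policy allows."""
    return {str(p): sha256_of(p) for p in paths}


def audit_allow_list(baseline):
    """Return (path, issue) findings for allow-listed files that cannot be trusted.

    'missing'  - the file is gone
    'replaced' - content no longer matches the baseline hash
    'writable' - the account running the audit can overwrite the file or its
                 directory, so a path-based rule would keep trusting new content
    """
    findings = []
    for path, known_hash in sorted(baseline.items()):
        if not os.path.isfile(path):
            findings.append((path, "missing"))
            continue
        if sha256_of(path) != known_hash:
            findings.append((path, "replaced"))
        if os.access(path, os.W_OK) or os.access(os.path.dirname(path), os.W_OK):
            findings.append((path, "writable"))
    return findings


def demo():
    """Constructed sample: two stand-in 'trusted' files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        word = Path(tmp) / "winword.exe"   # hypothetical allow-listed names
        excel = Path(tmp) / "excel.exe"
        word.write_bytes(b"trusted build 1")
        excel.write_bytes(b"trusted build 1")
        baseline = build_baseline([word, excel])
        # Same path and name, different bytes: the path rule still matches.
        excel.write_bytes(b"different content under the same file name")
        return [(os.path.basename(p), issue) for p, issue in audit_allow_list(baseline)]


if __name__ == "__main__":
    for name, issue in demo():
        print(f"{name}: {issue}")
```

Run the audit from the restricted account so the "writable" findings reflect what that account can actually change.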
Arguntom (Newbie, Posts: 2) « Reply #3 on: December 17, 2010, 08:45:47 PM »
Sgt_mjc, external drives are usable but booting into another OS such as Linux to copy the SAM file isn't possible, I dunno why and we tried it already but dual booting and other booting methods (even booting from a CD) is not possible. I think I am just going to purge the hard drive and reinstall Windows, it seems like the only choice.
And sil, I understand what point you are trying to get across, but that doesn't help my situation at all, thanks anyways.
sgt_mjc (Sr. Member, Posts: 294) « Reply #4 on: December 21, 2010, 09:09:44 AM »
For locking down the system in a meaningful way after doing a risk analysis, you could also look at the guides published by DISA at http://iase.disa.mil/stigs/stig/index.html. These are a little more current than what is published at the NSA site. The key though, is to determine what you have that needs protected and how much protection does it need. Sil's analogy of a house is great and spot on. Hang in there. We all made mistakes when we started.
Mike Conway
CISSP
CompTia Security +
C|EH
crossover (Newbie, Posts: 21) « Reply #5 on: December 24, 2010, 10:27:08 AM »
Sil, great answer. Can you recommend any books or websites or tools for risk assessment? I have never done risk assessment before. Thanks in advance.
sil (Hero Member, Posts: 549) « Reply #6 on: December 24, 2010, 03:27:36 PM »
I'd recommend the following three books to keep around and read, re-read, reference, etc.
http://www.amazon.com/Complete-Risk-Assessment-Days-Less/dp/1420062751/ref=sr_1_4?s=books&ie=UTF8&qid=1293219978&sr=1-4
http://www.amazon.com/Security-Risk-Assessment-Handbook-Assessments/dp/0849329981/ref=pd_sim_b_1
http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989/ref=sr_1_1?s=books&ie=UTF8&qid=1293220200&sr=1-1
In fact, just about anything Peltier writes is worth having. Security Metrics is a must-have book for security numbers management; however, if you're into the IT (technology) then it will outright bore you to death. If you HAVE to or like to (don't know why), if you like to deal with security management, it's worth having to aid you in coming up with decent, reasonable security metrics (math).
From my perspective, there is ONLY OBJECTIVE points of view, NEVER CAN IT BE SUBJECTIVE DO NOT BE FOOLED; OBJECTIVE POV's when it comes to security management/risk metrics. That of the AV * EF = (*cough*bull*cough) SLE
Fuzzy math. Here is the breakdown, followed by my bastardization of the breakdown:
* AV = Asset Value (Expressed in dollars) (http://en.wikipedia.org/wiki/Asset)
Try understanding how to define an asset when your infrastructure is in the cloud, will you. What shall you say is your asset value then, the cost of the cloud computing service you're paying for?
* EF = Exposure factor (Expressed as a percentage of the asset value)
See above. What shall you do when your cloud provider doesn't allow you to perform a vulnerability OR penetration test against your virtualized instance? You could NEVER get a concrete number on this.
* SLE = Single Loss Expectancy (It can be defined as the monetary value expected from the occurrence of a risk on an asset.)
But if you're not allowed to perform proper Risk Assessments, on what will you be basing your number?
* ALE = Annual Loss Expectancy
Yawn
* ARO = Annual Rate of Occurrence (Number of exposures or incidents that could be expected per year)
Yawn...
So my example is as follows... I have an Amazon EC3 host which provides email service. This generates for me approximately 10,000.00 per year. The total cost for me to have this EC3 instance is $25.00 per month (300.00 per year). It cost me a one time charge of 100.00 to configure and a recurring 10.00 per month to maintain. So far I am spending $420.00 per year. I'll set my asset value at $500.00 to be fair. EC3 is not a tangible asset and can be replaced at the whopping cost of 120.00. There are other fees associated with the setup I could throw in the mix. Cost of salary associated with the programmers and developers who'd have to do the work and so on. In a nutshell, fuzzy math, it's whatever I want it to be (OBJECTIVE) even though I can use SUBJECTIVE numbers (25.00 * 12)
AV = 120.00
EF = 10% (because it's Amazon, they WON'T let me pentest in a multitenant cloud... I don't and WON'T have real security metrics)
SLE = 1,200.00
ARO = How humorous is that... ARO. "Gee, I'm hoping to not get owned 2x this year. But because it's Amazon and out of my control, I can't outright fix things, 2x per year I expect this happening" So my ARO is 2,400.00
Would it be safe to say that I should spend $240.00 to protect myself? $240.00 to protect myself... I'm making 10,000.00 per year from this venture. Anyhow, risk management metrics is an art, not a proven science. While there are some measurables to be obtained from risk management, the fact is as quoted in the past: "There are lies, damned lies and statistics"
AV * EF = SLE is flawed for technology from my POV because there are too many variables to throw into the equation:
From OWASP:
Quote
AV x EF = SLE
If our Asset Value is $1000 and our Exposure Factor (% of loss a realized threat could have on an asset) is 25% then we come out with the following figures:
$1000 x 25% = $250
So, our SLE is $250 per incident. To extrapolate that over a year we can apply another formula:
SLE x ARO = ALE (Annualized Loss Expectancy)
The ALE is the possibility of a specific threat taking place within a one-year time frame. You can define your own range, but for convenience sake let's say that the range is from 0.0 (never) to 1.0 (always). Working on this scale an ARO of 0.1 would indicate that the ARO value is once every ten years. So, going back to our formula, we have the following inputs:
SLE ($250) x ARO (0.1) = $25 (ALE)
Therefore, the cost to us on this particular asset per annum is $25. The benefits to us are obvious, we now have a tangible (or at the very least semi-tangible) cost to associate with protecting the asset. To protect the asset, we can put a safeguard in place up to the cost of $25 / annum.
Looking at OWASP's (http://www.cgisecurity.com/owasp/html/ch03.html) interpretation of it makes sense no? How about we define some more threats...
Loss of power = threat ... Sometimes even Colo's go down
Loss of connectivity = threat ... Anonymous' attacks via Mastercard/Visa shows this threat...
How do you calculate these risks/threats. You don't. That is, according to the rules of the game you don't:
You can define your own range,
So what is the value of these metrics at the end of the day when you CAN'T truly calculate risk. All you can do is offer qualitative metrics (but that is an altogether 'nother story (Qualitative versus Quantitative) http://wilderdom.com/research/QualitativeVersusQuantitativeResearch.html )
http://www.infiltrated.net/mgz/puppylecter.jpg
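Added example, not part of the original posts: the AV x EF = SLE and SLE x ARO = ALE arithmetic from the quoted OWASP text, carried further to the case argued in the post above, where each input is only known as a range. The point estimate is the one in the OWASP quote; the ranges are constructed for illustration, and the function names are this example's own.

```python
import itertools


def sle(av, ef):
    """Single Loss Expectancy: asset value times exposure factor."""
    return av * ef


def ale(av, ef, aro):
    """Annualized Loss Expectancy: SLE times annual rate of occurrence."""
    return sle(av, ef) * aro


def ale_bounds(ranges):
    """Lowest and highest ALE when each input is only a (low, high) range.

    ALE is a product of non-negative terms, so its extremes sit at the corners
    of the input box; all eight corners are evaluated to keep that explicit.
    """
    corners = [ale(av, ef, aro) for av, ef, aro in
               itertools.product(ranges["av"], ranges["ef"], ranges["aro"])]
    return min(corners), max(corners)


def swing_per_input(point, ranges):
    """Move one input across its range with the others held at the point
    estimate and report how far ALE moves (a tornado-style sensitivity)."""
    swings = {}
    for name in ("av", "ef", "aro"):
        low = dict(point, **{name: ranges[name][0]})
        high = dict(point, **{name: ranges[name][1]})
        swings[name] = ale(**high) - ale(**low)
    return swings


# Point estimate taken from the OWASP quote: $1000 asset, 25% exposure,
# one occurrence every ten years.
OWASP_POINT = {"av": 1000.0, "ef": 0.25, "aro": 0.1}

# Constructed ranges (not from the thread) standing in for "you can define
# your own range": what an assessor might defend if pressed on each number.
CONSTRUCTED_RANGES = {
    "av": (500.0, 2000.0),
    "ef": (0.10, 0.50),
    "aro": (0.05, 2.0),
}


if __name__ == "__main__":
    print("point ALE:", ale(**OWASP_POINT))
    low, high = ale_bounds(CONSTRUCTED_RANGES)
    print(f"ALE could be anywhere from {low:.2f} to {high:.2f} per year")
    for name, swing in swing_per_input(OWASP_POINT, CONSTRUCTED_RANGES).items():
        print(f"swing from {name} alone: {swing:.2f}")
```

With these ranges the defensible safeguard budget spans almost three orders of magnitude, and nearly all of the spread comes from ARO, the input with the least evidence behind it.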
eth3real (Sr. Member, Posts: 309) « Reply #7 on: December 25, 2010, 04:26:12 AM »
I'm assuming here that your goal is recovering the machine, based on the implied urgency of your post? Can you be more clear on what you are trying to achieve?
I have to agree that you're not looking at all of your options, some of it is really simple.
Depending on what kind of motherboard it is (I'm assuming it's a tower), there may be a jumper to reset the BIOS password, or a way to use the error code returned for a wrong password attempt as a hash to recover the BIOS password.
Then the OS, like sgt_mjc said, you can physically remove the hard drive and attach it to another machine. From there, (I'm not sure how well this works with Windows 7) you may be able to use a tool like chntpw to reset a user's password (someone with admin privileges) to whatever you want it to be.
I've never been really good with privilege escalation if you already have credentials for another user, but there are probably lots of methods.
I also agree with what sil said, in that you really have to measure how much security is necessary for the data you have, and the people in control of it. I've seen some small company networks where the bosses get their way with IT policies, to the point where they were too bothered by a 90 password expiration policy that they decided to have it cancelled.
You can have the greatest policies in the world, but if someone still leaves their password written on a sticky note in their desk, it doesn't mean anything.
If your goal is simply answers on how to break into it, then there are plenty of resources available to expand your knowledge of computer security. This is a great site for that!
Put that in your pipe and grep it!
crossover (Newbie, Posts: 21) « Reply #8 on: December 27, 2010, 08:25:41 PM »
Thanks Sil!! Wow, that is a good explanation and a good start for me to learn more about risk assessment.
One more question: I have done security assessment, basically all I do is vulnerability scanning. Is that the general industry practice?? Or should I be doing more steps... anything I can refer to and learn?
sgt_mjc (Sr. Member, Posts: 294) « Reply #9 on: December 30, 2010, 08:15:08 AM »
Crossover,
A vulnerability scan is a good start but can give you an incomplete picture. If you look at it from a Risk perspective, there is more you need to look at. A vulnerability scan like that performed by Nessus, will give network facing vulnerabilities like FTP server listening. It will not tell you necessarily if the system is vulnerable to a local privilege escalation. For that you need other tools or methods. You also need to look at the configuration of the network, disaster plans, user agreements, etc. The list goes on. In the Federal space, they are migrating to NIST SP800-37 Guide for Applying the Risk Management Framework to Federal Information Systems and using NIST SP800-53a Guide for Assessing the Security Controls in Federal Information Systems and Organizations. This process is very similar to the DoD process called DIACAP. Both are risk management activities designed to minimize risks to C-I-A (Confidentiality, Integrity, Availability). They take in the whole picture, not just a vulnerability scan.
Mike Conway
CISSP
CompTia Security +
C|EH
PhineasGage (Newbie, Posts: 4) « Reply #10 on: January 04, 2011, 04:16:28 AM »
Quote from: crossover on December 27, 2010, 08:25:41 PM
One more question: I have done security assessment, basically all I do is vulnerability scanning. Is that the general industry practice?? Or should I be doing more steps... anything I can refer to and learn?
Hello,
Vulnerability scanning is only one "technical" part of the risk assessment process. The "business" part is equally important.
One method (not the best) to approach risk assessment is:
RISK = THREAT + WAY OF ATTACK + VULNERABILITY + ASSET + IMPACT
These 5 components have to be estimated in the organization's specific context with the approval of the business.
Once this estimate is done, business, and only business, has to evaluate the risk and then decide to keep, avoid, reduce or transfer the risk.
You're only here to estimate the risk. Executives and business people are here to evaluate it and decide the way to treat it.
At this point, it is possible to determine necessary and sufficient security objectives and requirements.
This approach is called "EBIOS" and is promoted by the DCSSI and recognized by the French administrations and, according to me, has some good pedagogic virtues (more info)
Hope this helps
(sorry for my bad English, you guessed it... I'm French)
"An expert is a person who has made all the mistakes that can be made in a very narrow field." Niels Bohr
nebu10uz (Sr. Member, Posts: 368) « Reply #11 on: January 04, 2011, 10:28:36 AM »
Excellent post. Hey sil, thanks for the info.
Security+, OSCP, CEH