a guest
Jan 12th, 2018

ENSIB 2nd year - Linux Security test.

Duration: 2 hours.
Computer with internet connection authorised.
Return format: simple unformatted text file (max 4 pages in English).


1) Context
You are the Linux Security expert of the company Gwel.bzh, which specialises in professional underwater cameras. The cameras come with dedicated software that corrects colours in very low light conditions. The correction software runs on in-house Linux servers under Red Hat, located in the Gwel.bzh offices. The cameras run an embedded Linux derived from a project dedicated to the automotive industry, AGL.
It is a niche market, but Gwel.bzh is alone on this market and ships all over the world, mostly to universities studying deep underwater phenomena. Gwel.bzh is a medium-sized company with 120 employees, all located on a single site near Lorient.

Your boss is on a business trip in Japan and has called you at home at 1 AM, asking for your urgent help. In 2 hours he will meet the director of a Japanese Border Enforcement agency, who is ready to award Gwel.bzh a multi-million contract but first wants reassurance that Gwel.bzh will be able to provide a secure end-to-end solution.
Your boss wants a report on the security changes that you will make in order to secure that contract before his meeting.

CONTEXT
This is a state-level risk on which a huge business opportunity is at stake. Maximal protection must be taken and budget cannot be the issue. Assuming 15% of the margin for the security budget would not be stupid at all.
----------------------

2) Demand from the Japanese customer
The Border Enforcement agency (BE) is in charge of checking that no person, equipment or material enters Japan illegally. They want to use the camera to detect objects that are left several hundred metres under water and recovered later with fishing nets.
They will not say more about the exact need, but Gwel.bzh was given to understand that it is related to trafficking sponsored by North Korea to destabilise the Japanese economy.

WARNING

State-class breach attempt risk.
--------------------------------

For political reasons they would prefer that the processing of the images remains in Europe, but they are very worried that their images could be stolen and their potential findings exposed.
Their requirements are:
a) only 3 persons in Gwel.bzh, whom they will vet via their secret services, will have admin rights on their images and on any server in the processing chain.
   Enforce encryption of the home directories of those users.
   Encrypt the images with the public key requested from the customer.

b) images will be erased (they require erasing, not deleting) from Gwel.bzh servers after processing.

c) no log of activity related to BE will stay on the server for more than half a day.

d) BE will provide a list of 2 IP addresses that will be allowed to communicate (standard and backup). They require the same from Gwel.bzh.

e) servers will need to be secured and monitored 24/7.

3) Current architecture
Today, Gwel.bzh has a single internet provider that is directly connected to the web server, which is also used as firewall and NAT device. Behind the firewall there is a single private LAN where all the company systems are connected.
The developers run various Linux distributions; finance and admin run Windows 8 and 10; the shipping department has an old Windows XP machine with a legacy shipping application that sends SQL requests to the accounting server.
Windows logins are controlled by an Active Directory server, while Linux machines are left to the developers to configure. A Samba server using SMB1 is used as a gateway to share files between the Linux and Windows domains.

The transfer from the cameras to the image processing servers is done over HTTP, and the improved images are sent back as JPEG files by email via Postfix to a fixed address (one per contract).
The image processing software runs in containers based on an old Debian. Both the code and the data are embedded in a single container.

4) Your challenge
Your response will be read by your future Japanese colleagues, so it must be in English and not too long (circa 4 typed pages max).

Obviously the current Gwel.bzh infrastructure is ill equipped for such a contract, and you will need to separate the short-term actions that you will take in the coming days from the medium-term activities.

5) Your response (20 pts + 4 bonus)

a) What immediate changes will you request from the
- (3 pts) network manager?
* Create two DMZs:
- one for the company web server
- one for the image processing server
* Create dedicated VLANs for the Windows machines and for the Linux machines for internal use.
* Create an extra internal DMZ for the old Windows XP machine.
* Activate a monitoring solution to report any non-compliant activity.
* Add firewall rules to protect the DMZs.
* Add an extra firewall between the DMZs and the internal network.
* Automate monitoring and reporting.

- (3 pts) Windows PC admin?
* Extend Active Directory to the Linux machines (either directly or via an LDAP export).
* Work with HR to remove rights from employees who do not need them (login hours, remote connection, …).
* Create a proxy to isolate all SQL requests from the legacy XP machine while waiting to replace it.
* See https://www.darkreading.com/risk/using-reverse-proxies-to-secure-databases/d/d-id/1137486?
* Activate the monitoring to report any non-compliant activity.

- (3 pts) engineering manager (embedded and server)?
* Activate HTTPS for all picture transfers.
* Set up a key management solution to identify each camera source.
* Enforce over-the-air updates for the cameras and update the OS to the latest security patches.
* Activate the firewall in the camera.
* Configure the OS to mount / read-only.
* Enable encryption of the pictures with a public key (the private key is used on the server to decrypt) to protect against offline attacks.
* Reject pictures from cameras not running the expected software release.
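An added example, not part of the original test or answer key, of the server-side check behind the last three engineering points: a per-camera identity key, authentication of each upload, and rejection of pictures from a software release that is not the expected one. It assumes a per-camera secret provisioned by the key management solution and uses HMAC-SHA256 with that secret so that it runs on the Python standard library; the answer's asymmetric camera key over HTTPS is the same control with a signature in place of the MAC. Camera ids, release strings, header names and the image bytes are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed key store: camera id -> (owner, per-device secret). In production
# this is filled by the key management solution, not generated at import time.
CAMERA_KEYS = {
    "cam-be-0001": ("BE", secrets.token_bytes(32)),
    "cam-univ-0042": ("UNIV-A", secrets.token_bytes(32)),
}
# Only pictures from these firmware releases are accepted (assumed version strings).
ALLOWED_RELEASES = {"2.3.1", "2.3.2"}
MAX_SKEW = 120  # seconds; bounds replay of a captured upload


def _mac(secret, camera_id, release, ts, jpeg):
    """HMAC over the metadata and a digest of the image, so neither can be swapped."""
    msg = b"\n".join([
        camera_id.encode(), release.encode(), str(ts).encode(),
        hashlib.sha256(jpeg).digest(),
    ])
    return hmac.new(secret, msg, hashlib.sha256).digest()


def camera_sign(camera_id, release, ts, jpeg):
    """What the camera firmware computes before the upload (hex, sent as X-Signature)."""
    return _mac(CAMERA_KEYS[camera_id][1], camera_id, release, ts, jpeg).hex()


def accept_upload(headers, jpeg, now=None):
    """Decide whether to process an upload. Returns (accepted, reason, owner).

    The MAC is checked first, in constant time, so that release and timestamp
    errors cannot be probed by someone who does not hold the camera's key.
    """
    now = int(time.time()) if now is None else now
    camera_id = headers.get("X-Camera-Id", "")
    entry = CAMERA_KEYS.get(camera_id)
    if entry is None:
        return False, "unknown camera", None
    owner, secret = entry
    release = headers.get("X-SW-Release", "")
    try:
        ts = int(headers.get("X-Timestamp", ""))
        given = bytes.fromhex(headers.get("X-Signature", ""))
    except ValueError:
        return False, "malformed headers", None
    if not hmac.compare_digest(given, _mac(secret, camera_id, release, ts, jpeg)):
        return False, "signature mismatch", None
    if abs(now - ts) > MAX_SKEW:
        return False, "stale upload (possible replay)", None
    if release not in ALLOWED_RELEASES:
        return False, "software release %s not accepted" % release, None
    return True, "ok", owner


def demo():
    """Constructed upload from a BE camera, then the same upload replayed an hour later."""
    jpeg = b"\xff\xd8\xff\xe0" + b"constructed image bytes"
    ts = int(time.time())
    headers = {
        "X-Camera-Id": "cam-be-0001",
        "X-SW-Release": "2.3.2",
        "X-Timestamp": str(ts),
        "X-Signature": camera_sign("cam-be-0001", "2.3.2", ts, jpeg),
    }
    return accept_upload(headers, jpeg), accept_upload(headers, jpeg, now=ts + 3600)


if __name__ == "__main__":
    print(demo())
```

The owner returned on acceptance is what routes a BE picture to the dedicated BE server and VLAN rather than to the shared processing chain; a picture that fails any check is dropped before any image processing runs on it.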

b) (2 pts) How will you limit access to the BE files to the 3 known individuals?
* Use MAC (e.g. SELinux) to limit access.
* Encrypt the customer files/disks with a solution such as LUKS, which allows several keys to be enrolled (one key slot per admin).
* Restrict connections to known source IPs/VLAN tags.
* Activate automatic monitoring.
* Restrict SSH login to key plus passcode.

c) (1 pt) How will you manage the possible change of those individuals?
* The MAC filter should be set on a group, and that group managed via LDAP/Active Directory.

d) (2 pts) How will you isolate the BE files and processes from those of other, non-critical customers?

* BE files and processes should run on a dedicated server, connected to a dedicated VLAN, with the MAC running in its strictest (paranoid) mode.
* The processes used should be labelled by the MAC and run under a dedicated UID/GID, with specific rules defining the restrictions.
* All customer files should be encrypted.
* Keys must be kept secure; the best option is to use the customer's public key, so that only the customer can decrypt.

e) (2 pts) How will you restrict traffic to/from the 2 identified IP addresses?
The firewall can do that, but you also need to set up the monitoring system to check that the rules remain enforced over time.
Using VLANs is a good extra, giving a belt-and-braces two-level control.
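An added example, not from the original answer key, of the two pieces this answer names: the nftables ruleset that admits only the two BE addresses (default drop in both directions), and the monitoring check that re-reads the live ruleset and reports drift. The addresses are documentation-range placeholders standing in for the real BE addresses; the port choices (443 for the camera uploads over HTTPS, 25 for the Postfix delivery of the corrected images) follow the architecture described above. The check parses the text form of `nft list ruleset`; the sample it runs on here is constructed.

```python
import re

# Placeholders for the two addresses BE will provide (standard and backup);
# they are from the documentation range, not real BE addresses.
BE_ADDRESSES = ("203.0.113.10", "203.0.113.11")
UPLOAD_PORT = 443  # camera uploads over HTTPS (no more plain HTTP)
MAIL_PORT = 25     # Postfix delivery of the corrected JPEGs back to BE


def render_ruleset(allowed=BE_ADDRESSES):
    """nftables ruleset for the BE processing server: drop by default both ways,
    accept only the two BE addresses on the two needed ports. Management access
    from the admin VLAN and package updates belong in a separate, equally
    monitored chain that is not shown here."""
    addrs = ", ".join(allowed)
    lines = [
        "table inet filter {",
        "\tchain input {",
        "\t\ttype filter hook input priority 0; policy drop;",
        "\t\tct state established,related accept",
        '\t\tiif "lo" accept',
        "\t\tip saddr { %s } tcp dport %d accept" % (addrs, UPLOAD_PORT),
        "\t}",
        "\tchain output {",
        "\t\ttype filter hook output priority 0; policy drop;",
        "\t\tct state established,related accept",
        '\t\toif "lo" accept',
        "\t\tip daddr { %s } tcp dport %d accept" % (addrs, MAIL_PORT),
        "\t}",
        "}",
    ]
    return "\n".join(lines) + "\n"


# `nft list ruleset` prints anonymous sets as "{ a, b }" and single addresses bare.
_ADDR = re.compile(r"ip (?:saddr|daddr) (?:\{ ([^}]*) \}|(\d+(?:\.\d+){3}))")
_POLICY = re.compile(r"hook (input|output) .*?policy (\w+);")


def check_ruleset(live_text, allowed=BE_ADDRESSES):
    """Compliance check for the monitoring system: compare the live ruleset text
    (output of `nft list ruleset`) with the expected allowlist. Returns a list
    of findings; an empty list means the rules are still enforced as intended."""
    findings = []
    policies = dict(_POLICY.findall(live_text))
    for hook in ("input", "output"):
        if policies.get(hook) != "drop":
            findings.append("%s chain policy is %s, expected drop"
                            % (hook, policies.get(hook, "missing")))
    expected = set(allowed)
    seen_any = False
    for group, single in _ADDR.findall(live_text):
        seen_any = True
        addrs = {a.strip() for a in group.split(",")} if group else {single}
        extra = addrs - expected
        if extra:
            findings.append("unexpected addresses allowed: %s" % sorted(extra))
        missing = expected - addrs
        if missing:
            findings.append("backup or primary address missing: %s" % sorted(missing))
    if not seen_any:
        findings.append("no address allowlist found")
    return findings


if __name__ == "__main__":
    ruleset = render_ruleset()
    print(ruleset)
    print("clean:", check_ruleset(ruleset))
    # Constructed drift: someone added a third address to the input rule.
    drifted = ruleset.replace("203.0.113.11 }", "203.0.113.11, 198.51.100.7 }", 1)
    print("drifted:", check_ruleset(drifted))
```

In the monitoring system the check runs on a schedule against `nft list ruleset` captured on the server; any non-empty result is the "non-compliant activity" that triggers an alarm and, per the last point of the answer key, disconnection of the offending host.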

f) (1 pt) What strategy will you implement to keep all servers and firewalls secure?
* Systematic over-the-air updates.
* Permanent automated monitoring of compliance with the rules.
* Immediate disconnection of offending units/people.
* Simulated attack (penetration test) once a month.
* Use only trusted, signed sources for packages and updates.

g) (2 pts) Which measures will you require to limit the risk of a leak from inside (e.g. a Gwel.bzh employee)?
* Training/information.
* Login and workstation restriction and enforcement.
* Removing any direct root login across the company.
* Creating a dedicated VPN for superusers for after-hours connection.
* Encrypt files.


h) (2 pts) Which changes in the embedded code will you require to enable the identification of BE-owned cameras?
* Activate trusted boot with signed software.
* Include the customer's public key in a protected zone of the device.
* Encrypt the images with the customer's public key in the camera.
* Use the camera's private key to authenticate the HTTPS transfer.

i) (1 pt) How will you erase the files after processing?
* The only way to erase a file in place is to overwrite it. It is not perfect or 100% bulletproof, but it works quite well on HDDs (not on SSDs, where wear levelling keeps old copies of the blocks, nor on copy-on-write or snapshotted filesystems). Where overwriting cannot be trusted, keep the job data on its own encrypted volume and destroy the key.
* Several utilities can help you with that task.
Example: https://www.cyberciti.biz/tips/linux-how-to-delete-file-securely.html

Create a rule in the monitoring solution which checks that no image remains on the server after delivery to the customer.
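An added example, not from the original answer key, of the two parts of this answer in Python: an overwrite-then-unlink routine for a delivered job's images, and the monitoring rule that lists any image file still present under a job directory. The job directory layout and the image suffixes are assumptions. The caveat of the answer applies unchanged: the overwrite only destroys data on HDDs with an in-place filesystem; on SSDs, copy-on-write filesystems and snapshots the old blocks can survive, and the robust alternative is a per-job encrypted volume whose key is destroyed.

```python
import os
import secrets
from pathlib import Path

# Suffixes the monitoring rule treats as images (assumed for the example).
IMAGE_SUFFIXES = {".jpg", ".jpeg", ".raw", ".tif", ".tiff"}


def secure_erase(path, passes=3, chunk=1 << 20):
    """Overwrite `path` with random data `passes` times, fsync after each pass,
    truncate, rename to a random name and unlink. Returns the number of bytes
    overwritten per pass. Only meaningful on in-place storage (HDD, non-CoW
    filesystem); on SSD or snapshots prefer crypto-erase of the whole volume."""
    p = Path(path)
    size = p.stat().st_size
    with open(p, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the pass to the disk, not just the page cache
        fh.truncate(0)  # do not leave the original length behind
        fh.flush()
        os.fsync(fh.fileno())
    # Rename before unlink so the original file name does not linger in the
    # directory, then fsync the directory so that change itself is committed.
    scrubbed = p.with_name(secrets.token_hex(8))
    p.rename(scrubbed)
    scrubbed.unlink()
    dir_fd = os.open(str(p.parent), os.O_RDONLY)
    try:
        os.fsync(dir_fd)
    finally:
        os.close(dir_fd)
    return size


def residual_images(root):
    """Monitoring rule: image files still present under `root` (should be empty
    once the job has been delivered and erased)."""
    return sorted(str(f) for f in Path(root).rglob("*")
                  if f.is_file() and f.suffix.lower() in IMAGE_SUFFIXES)


def erase_job(job_dir):
    """Erase every image of a delivered job and return what is still left."""
    for f in residual_images(job_dir):
        secure_erase(f)
    return residual_images(job_dir)


if __name__ == "__main__":
    import tempfile
    job = tempfile.mkdtemp(prefix="be-job-")
    Path(job, "cam-be-0001-00042.jpg").write_bytes(b"\xff\xd8" + b"constructed image" * 64)
    print("before:", residual_images(job))
    print("left after erase:", erase_job(job))
```

`erase_job` is what the processing chain calls once Postfix has delivered the corrected images; `residual_images` is the monitoring rule, run separately and on a schedule, and any non-empty result is an alarm.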

j) (2 pts) How will you enable remote access to make 24/7 support possible?
* Provide your selected employees with secured laptops where MAC is enforced and the home directory is encrypted.
* Connect via a dedicated VPN which reaches the company network on a dedicated VLAN.
* Activate automated monitoring and disconnect as soon as a violation is detected.

6) How you will be evaluated
Your boss is not a technical expert and will pass your response to the BE technical expert.
Your responses will need to be short and clear. They will need to name the technical tool or architecture that covers the requested point.
Sorry, drawings do not encode well in a text-only format, so please use words.
The Japanese readers are not very good at English, so errors are not an issue, but be careful with false friends or complex sentences which can mean the opposite of what you wished to say. Keep it simple.

* Please remember that no perfect solution exists, and monitoring the continuous enforcement of security rules must be done. This only works if it is automated and if the disconnection of offenders (machines or people) is fully automatic and almost real time.