Server

The presentation by Group 2 focuses on server security, emphasizing its importance in protecting sensitive data and maintaining service availability in modern networks. It outlines key objectives, threats, vulnerabilities, and best practices for server hardening, including regular updates, strong authentication, and effective monitoring. Real-world examples of breaches, such as Equifax and Capital One, illustrate the consequences of inadequate server security and highlight the need for proactive measures to prevent such incidents.

Server administration presentation by group 2
Topic: server security

Introduction
In today’s interconnected environments, servers are a prime target for cybercriminals. Whether
it's a web server hosting critical business applications or a database server storing customer
data, a compromised server can lead to devastating losses.
This lesson will help you understand not only what needs to be protected, but also why and how
you should protect it.

Lesson Objectives

By the end of this topic, students should be able to:

1. Define server security and explain its significance in modern networks.
2. Identify and describe common threats and vulnerabilities that affect servers.
3. Apply server hardening techniques to strengthen system defenses.
4. Follow best practices for ongoing server protection.
5. Use tools and monitoring techniques to maintain server integrity.
6. Analyze real-world server breaches and evaluate how they could have been prevented.

Learning Outcomes

After completing this lesson, students will be able to:

1. Clearly explain the concept and purpose of server security.
2. Recognize and assess vulnerabilities and threat vectors in real-world server environments.
3. Apply technical and procedural controls to protect server infrastructure.
4. Use common security tools to monitor, audit, and maintain server health.
5. Critically analyze case studies and propose improvements.

1. Definition: What is server security?
Server security refers to the protective measures and practices applied to servers to prevent
unauthorized access, data breaches, malware infections, misuse, and downtime.
It involves a combination of:
• Hardware and software configurations
• Access control mechanisms
• Monitoring and auditing tools
• Update and patch management
• Policies and procedures

2. Importance of Server Security


a. Data Protection
• Servers often hold sensitive data: user credentials, business records, financial information, emails, etc.
• Breaches can lead to identity theft, financial loss, or legal consequences.
b. Service Availability
• Servers provide essential services (websites, databases, APIs).
• Downtime due to cyberattacks (such as DDoS) affects productivity and revenue.
c. Prevent Unauthorized Access
• Unpatched or misconfigured servers are entry points for attackers.
• Attackers can gain administrative access and take over systems.
d. Compliance and Legal Obligations
• Organizations must comply with laws and standards such as GDPR, HIPAA, and PCI-DSS.
• Poor security can lead to fines and reputational damage.
e. Reputation and Trust
• A compromised server undermines user trust.
• Businesses risk losing customers after a security incident.
f. Foundation for Other Security Layers
• Server security is the base for network, application, and user-level security.
• Weak server security undermines the whole system.

3. Types of Server Threats and Vulnerabilities

Servers face many threats, both external and internal, that can compromise their security.
Understanding these helps in planning effective protection.

4. Server hardening techniques


I. What Is Server Hardening?
Server hardening is the process of enhancing the security of a server by reducing its
attack surface and strengthening its defenses against potential threats. This involves
implementing various security measures and best practices to minimize vulnerabilities
and protect sensitive data and resources.
II. Common vulnerabilities that server hardening aims to address include:
• Weak authentication mechanisms: Default or easily guessable passwords, lack of multifactor authentication, and insecure authentication protocols can make servers vulnerable to unauthorized access.
• Unpatched software and operating systems: Failure to install security patches and updates leaves servers exposed to known vulnerabilities that attackers can exploit.
• Insecure configurations: Incorrectly configured server settings, services, or permissions can create security loopholes that attackers can exploit to gain unauthorized access or execute malicious activities.
• Lack of intrusion detection and prevention: Without proper intrusion detection and prevention systems in place, it becomes challenging to identify and respond to unauthorized access attempts or suspicious activities in real time.
• Insufficient logging and monitoring: Inadequate logging and monitoring mechanisms make it difficult to track and analyze security events, detect anomalies, and investigate security incidents effectively.
• Unnecessary services and ports: Running unnecessary services or keeping unused ports open increases the attack surface and provides additional entry points for attackers to exploit.
III. Benefits of server hardening include:
• Improved security posture: By implementing security best practices and mitigating known vulnerabilities, server hardening strengthens the overall security posture of an organization's IT infrastructure.
• Reduced risk of data breaches: Hardened servers are less susceptible to attacks and unauthorized access attempts, reducing the risk of data breaches and data loss.
• Enhanced compliance: Server hardening aligns with regulatory requirements and industry standards for data security and privacy, helping organizations maintain compliance with applicable laws and regulations.
• Increased uptime and reliability: By reducing the likelihood of successful cyber attacks and unauthorized access, server hardening helps ensure the availability and reliability of critical services and resources.
• Protection against evolving threats: Continuous monitoring and updating of security measures as part of server hardening help organizations stay resilient against emerging cyber threats and attack vectors.
IV. Essential Server Hardening Practices
Implementing essential server hardening practices is crucial for enhancing the security of your servers. Here are some key practices to consider:
• Regular Software Updates
Regularly updating software is a foundational practice in server hardening. It ensures that your servers carry the latest security patches and fixes for known vulnerabilities. By staying current with updates for the operating system, applications, and utilities, you fortify your defenses against potential exploits and unauthorized access attempts. Vendors often release these updates in response to emerging security threats, making them essential for maintaining the integrity and security of your server infrastructure.
• Firewall Configuration
Configuring and enabling firewalls is another critical aspect of server hardening. Firewalls act as a barrier between your server and the outside world, regulating incoming and outgoing network traffic based on predefined security rules. By implementing both host-based and network-based firewalls, you establish multiple layers of defense against malicious actors seeking to compromise your servers. Properly configured firewalls help minimize the attack surface by controlling access to essential services and ports, thereby reducing the risk of unauthorized access and potential security breaches.
• Strong Authentication Practices
Enforcing strong authentication practices is paramount for protecting server access. This includes implementing robust password policies that mandate complex passwords, regular password changes, and the use of multifactor authentication (MFA) where possible. MFA adds an extra layer of security by requiring users to provide additional verification beyond passwords, such as a one-time code sent to their mobile device. By implementing strong authentication measures, you significantly reduce the risk of unauthorized access to your servers and sensitive data.
• Minimizing Attack Surface
Minimizing the attack surface of your servers is essential for reducing vulnerabilities and strengthening security. This involves disabling or removing unnecessary services, protocols, and applications that are not essential for server functionality or business operations. By eliminating unnecessary components, you reduce the number of potential entry points that attackers can exploit to gain unauthorized access. This proactive approach to minimizing the attack surface enhances the overall security posture of your servers and mitigates the risk of successful cyber attacks.
• Encryption for Data Security
Implementing encryption for data security is critical for protecting sensitive information both in transit and at rest. Utilize encryption protocols such as SSL/TLS for securing data transmitted over networks and protocols like HTTPS for web traffic. Additionally, encrypt sensitive data stored on servers using strong encryption algorithms to safeguard it from unauthorized access in the event of a breach. Encryption adds an extra layer of protection to sensitive data, making it significantly more challenging for attackers to intercept or compromise.
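As an added example (not from the presentation or from any vendor's tooling), the script below checks an OpenSSH sshd_config against a small baseline that reflects the strong-authentication and attack-surface practices above, applied to one concrete service. The baseline values, the MAX_AUTH_TRIES limit and the two sample configurations are this example's own choices; the defaults table follows the sshd_config(5) manual page.

```python
"""Audit an OpenSSH sshd_config against a small hardening baseline.

Added example, not from the presentation. It applies the practices above
(strong authentication, minimal attack surface) to one service: the SSH daemon.
Baseline values are this example's own choices; DEFAULTS follow sshd_config(5).
"""
import re

# What the baseline expects, and why. Keys are lowercase (sshd directives are
# case-insensitive).
BASELINE = {
    "permitrootlogin":        ("no",  "log in as a named user and escalate; keeps accountability"),
    "passwordauthentication": ("no",  "keys (plus MFA where possible) instead of guessable passwords"),
    "pubkeyauthentication":   ("yes", "key-based authentication must stay enabled"),
    "permitemptypasswords":   ("no",  "empty passwords are never acceptable"),
    "x11forwarding":          ("no",  "unneeded feature on a server; reduces attack surface"),
}
MAX_AUTH_TRIES = 4  # upper bound on password attempts per connection (example's choice)

# Values sshd uses when a directive is absent, per sshd_config(5).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    sshd uses the first value it reads for each directive, so later duplicates
    are ignored. Parsing stops at the first Match block because those settings
    only apply conditionally (a simplification made by this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)       # first occurrence wins
    return settings


def audit_sshd(text):
    """Return a list of findings; an empty list means the baseline is met."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (want, why) in BASELINE.items():
        have = cfg.get(key, DEFAULTS[key])
        if have.lower() != want:
            findings.append(f"{key}: is '{have}', expected '{want}' ({why})")
    tries = int(cfg.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries: is {tries}, expected <= {MAX_AUTH_TRIES} "
                        "(limits password guessing per connection)")
    return findings


# Constructed sample configurations (not taken from any real server).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes          # left enabled on a headless server
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

On a real host the input would be the contents of /etc/ssh/sshd_config; because Match blocks are skipped, per-user or per-group overrides still need a manual look, and `sshd -T`, which prints the effective configuration, is the authoritative source when the file is split across include files.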
5. Server security best practices

10 core best practices for securing servers, each explained with practical advice and rationale:

I. Regularly Update and Patch Server Software
• Patching is essential to fix known vulnerabilities.
• Automation tools (e.g. WSUS) reduce the risk of missing critical updates.
II. Implement Strong Authentication Mechanisms
• Multi-factor authentication (MFA) is critical for access control.
• Strong, regularly updated passwords and the use of password managers are encouraged.
III. Configure Firewalls and Network Security
• Firewalls should be configured to allow only necessary traffic.
• Network segmentation (e.g. VLANs) reduces the impact of breaches.
IV. Secure Remote Access
• Use VPNs with encryption and MFA.
• Role-based access controls limit exposure.
V. Regularly Back Up Server Data
• Perform both full and incremental backups.
• Backups should be encrypted, tested regularly, and stored off-site or in secure cloud environments.
VI. Monitor and Log Server Activity
• Real-time monitoring tools detect anomalies early.
• Log management supports auditing and forensic analysis.
VII. Limit User Access and Privileges
• Apply the principle of least privilege (PoLP).
• Regular audits ensure permissions remain appropriate.
VIII. Protect Against Malware and Intrusions
• Use anti-malware with real-time scanning and heuristic analysis.
• Deploy IDPS (Intrusion Detection and Prevention Systems).
IX. Encrypt Sensitive Data
• Encrypt both data at rest and in transit using TLS/SSL and AES.
• Secure and rotate encryption keys regularly.
X. Conduct Regular Security Audits and Assessments
• Perform internal audits and third-party vulnerability scans.
• Penetration testing simulates real-world attacks to uncover hidden weaknesses.
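Practices VI and VIII above call for real-time monitoring and intrusion detection. As an added example (not from the presentation), the script below implements one such detection rule over sshd authentication logs: it raises an alert when a single source address produces five failed logins within a five-minute sliding window. The log lines, the host name web01, the addresses and the threshold and window values are all constructed for this example.

```python
"""Detect password-guessing bursts in SSH authentication logs.

Added example, not from the presentation. It shows the kind of rule a
real-time monitoring tool applies: alert when one source address produces
THRESHOLD failed logins inside a sliding WINDOW. The log lines are constructed
samples in the syslog format sshd uses on most Linux systems.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # failures per source before alerting (example's choice)
WINDOW = timedelta(minutes=5)  # sliding window length (example's choice)

# Matches both failed and successful sshd authentication lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log; not captured from any real system.
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:03 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:04 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:15:06 web01 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:09 web01 sshd[2209]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  3 10:15:20 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:30:00 web01 sshd[2300]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Mar  3 11:45:00 web01 sshd[2400]: Failed password for alice from 198.51.100.9 port 40101 ssh2
"""


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for unrelated lines.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "outcome": "failed" if m["outcome"].startswith("Failed") else "accepted",
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW, year=2024):
    """Sliding-window count of failures per source address; one alert per source."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None or ev["outcome"] != "failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "failures": len(q),
                           "first": q[0], "last": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['src']}: {alert['failures']} failed logins "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

The two slow failures from 198.51.100.9 stay below the threshold, which is the point of the window: the rule fires on bursts, not on a user mistyping a password twice in a morning. Tools such as fail2ban implement the same idea and add the response (a temporary firewall block); in a central log platform the rule would run over the aggregated auth logs of every server. Because syslog lines carry no year, this simple version would miscount a window spanning a year boundary.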

6. Tools and practices used in monitoring and maintaining server security

7. Real world examples and how they could be prevented


The dashboard released by Privacy Rights Clearinghouse highlights data breach statistics in
the U.S. from February 1, 2005, to December 31, 2019. It reports a total of 9009 breaches
affecting over 10 billion records. The most common type of breach was “Hacking,” followed
by “Insider” and “Physical” threats. However, since the advent of Artificial Intelligence and
Generative AI, the sophistication of attacks has increased significantly.

Figure 1. Data Compromises and Impacted Individuals, 2005-2023

I. EQUIFAX DATA BREACH, 2017


Equifax was exposed through CVE-2017-5638, a critical vulnerability in Apache Struts. The attack exposed extremely sensitive information on about 143 million customers in the United States and Canada between May and July 2017. Personal information such as social security numbers, physical addresses, dates of birth, and more was leaked. The vulnerability was publicly disclosed, with a fix that had to be applied, in March 2017, but Equifax did not patch it. Equifax had introduced a system Patch Management Policy in April 2015, before the breach occurred. However, even though there were 8,500 vulnerabilities in the backlog for system control devices alone, more than 1,000 of them on externally accessible systems, the internal policies and procedures needed to resolve them promptly were not in place. During the incident, Equifax employees discussed the breach over Microsoft Lync, but those conversations were of little help to investigators because Lync had been set up to discard chats after a short period. Even without a dedicated organization, staff, and manual for responding to cyber incidents, the worst could have been avoided if the technical defenses had been in place beforehand. Instead, the attacker was able to take copious amounts of data from the Equifax system for two months without detection.
As one example, Equifax had allowed over 300 security certificates to expire, including 79 certificates for monitoring business-critical domains. Second, Equifax's aggressive growth strategy and accumulation of data resulted in a complex IT environment. Equifax ran a number of its most critical IT applications on custom-built legacy systems. Both the complexity and the antiquated nature of Equifax's IT systems made IT security especially challenging.
The Equifax breach exposed sensitive data for as many as 143 million US consumers.

II. Capital One


Capital One is a finance company focusing on credit cards, banking and loans, headquartered in Virginia, USA.
In July 2019, Capital One released a statement confirming that the data of over 100 million customers had been stolen from its systems. This data included social security numbers and bank accounts.
The person responsible was caught after openly boasting about the accomplishment on the popular version control site, GitHub.
The attacker used a Server-Side Request Forgery (SSRF) vulnerability to gain access to the data. Capital One had a Web Application Firewall (WAF) in place, creating a barrier between the public internet and internal applications. However, the WAF alone was unable to prevent the breach. The attacker used SSRF to obtain instance metadata and, through it, role credentials. With those credentials, the attacker was able to retrieve the data stored in AWS S3, an object store.

Along with the WAF, the role should have been configured using the principle of least privilege (POLP): limit access to the bare minimum the role needs to perform its function. There is some speculation that a single role was used and associated with multiple services at Capital One. Instead, a role for each function should have been created with limited permissions. Alerting could have been added to notify key users or groups whenever specific administrative credentials are used. Use of these credentials could also have been restricted to within the network. Threat detection services, which scan and monitor logs and events throughout the network, could also have been used.
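The Capital One case turns on a server being tricked into fetching an internal URL on a client's behalf. As an added example (not from the presentation or from Capital One), the code below is the application-side check that a WAF cannot reliably perform: before the server fetches a client-supplied URL, it rejects non-web schemes, embedded credentials and any destination that is loopback, private or link-local, the last of which covers the instance metadata address cloud providers use. The host names, the table-based resolver and the DEMO_TABLE entries are constructed for this example.

```python
"""Refuse server-side fetches to internal and metadata addresses.

Added example, not from the presentation. An SSRF lets a client steer the
server's own HTTP client; this check denies destinations that only an
internal caller should reach. Host names and the resolver table are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher should never reach on behalf of a client.
# 169.254.0.0/16 (link-local) contains the address cloud metadata services use.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve_all(host):
    """Every address the name maps to; the check must cover all of them."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def table_resolver(table):
    """Offline resolver built from {hostname: [addresses]}, for tests and demos."""
    def resolve(host):
        if host not in table:
            raise socket.gaierror(f"unknown host {host}")
        return table[host]
    return resolve


def is_blocked(addr):
    """True if the address is in a blocked range (IPv4-mapped IPv6 is unwrapped first)."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_multicast or addr.is_reserved
            or any(addr in net for net in BLOCKED_NETWORKS))


def check_outbound_url(url, resolver=resolve_all, allowed_schemes=("http", "https")):
    """Return (ok, reason) for a URL the server has been asked to fetch.

    Rejects non-web schemes, embedded credentials, and any host whose literal
    or resolved addresses fall in a blocked range.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in allowed_schemes:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]              # IP literal, v4 or v6
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:              # gaierror is an OSError
            return False, f"cannot resolve {host}: {exc}"
    for addr in addrs:
        if is_blocked(addr):
            return False, f"{host} maps to blocked address {addr}"
    return True, "ok"


# Constructed name table so the demo runs without DNS.
DEMO_TABLE = {
    "internal.example": ["10.1.2.3"],
    "public.example": ["203.0.113.10", "2001:db8::10"],
}

if __name__ == "__main__":
    demo = table_resolver(DEMO_TABLE)
    for url in ("https://public.example/api", "http://internal.example/",
                "http://169.254.169.254/", "file:///etc/passwd"):
        print(url, "->", check_outbound_url(url, resolver=demo))
```

Two caveats a practitioner should keep in mind: the check has to be repeated after every redirect, and DNS rebinding can change a name's answer between the check and the connection, so the robust form resolves once and connects to the vetted address rather than to the name. On the platform side, requiring the session token that AWS's IMDSv2 introduces is the complementary control, since a plain GET forged through an SSRF cannot obtain it.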

III. Marriott Bonvoy
Marriott Bonvoy is one of the largest hotel owners in the world. They have over 7000
properties in 131 countries across the globe with revenues of over $20 billion in 2018.
In November 2018, Marriott confirmed it had a data breach of 500 million customers
with significant data being stolen. The attacker is believed to have had access to the
Marriott systems from 2014, over 4 years before the statement was made by Marriott.
Marriott had a database monitoring system which alerted Marriott when a query had
been executed against the database attempting to return a significant amount of data.
Marriott investigators discovered a Remote Access Trojan (RAT) allowing remote access
to Marriott systems from outside of their network.
The breach is reported to have occurred on a database that was inherited by Marriott
as part of a recent merger. This can be a common issue when the technology of an
organisation is acquired from another organisation. It is important that such systems
undergo a stringent security assessment and incorporate the parent organisation's
security policies as soon as possible.
The attacker having access to the database for over 4 years would indicate that regular
security assessments were not carried out.
Databases, which typically do not need to be accessed directly over the internet, should
be put into private networks (subnets) that only allow access to the applications that
require data.
If external access is required to databases or networks, then virtual private network
(VPN) connections should be used along with multi-factor authentication (MFA) to
ensure access to the network is secure.

IV. Yahoo!
Yahoo is an American internet company. It was founded in 1994 and is one of the
original internet-based organisations. It had a revenue of $5.17 billion in 2018.
The Yahoo breach remains a textbook example of what happens when weak encryption and delayed response collide. Hackers exploited vulnerabilities, stole Yahoo's cookie generation code, and bypassed login credentials, leaving 3 billion accounts exposed for years. Using outdated MD5 hashing only made things worse, allowing attackers to crack passwords with ease. Organizations must implement strong encryption, enforce multi-factor authentication (MFA), and continuously monitor for security gaps before attackers find them first.
In September 2016, Yahoo released a statement confirming the security breach. Data from over 500 million user accounts was stolen. The hack began with a spear-phishing email sent in early 2014 to a Yahoo employee. It's unclear how many employees were targeted and how many emails were sent, but it only takes one person to click on a link, and that is what happened. Aleksey Belan, a Latvian hacker hired by Russian agents, started poking around the network looking for two prizes: Yahoo's user database and the Account Management Tool, which is used to edit the database. He soon found them. The database contained names, phone numbers, password challenge questions and answers and, crucially, password recovery emails and a cryptographic value unique to each account. The account management tool didn't allow simple text searches of user names, so instead the hackers turned to recovery email addresses. Sometimes they were able to identify targets based on their recovery email address, and sometimes the email domain tipped them off that the account holder worked at a company or organization of interest. The stolen data was put up for sale on the internet.
There are a number of third-party email filtering services that use artificial intelligence, data banks and algorithms to determine whether an email is malicious. Yahoo, being an email service itself, may not have wanted to use a third party and may not have had email filters in place. It is possible that Yahoo had its own internal email filtering configured, but it may not have been as sophisticated as the specialised tools available on the market.
It appears that the credentials gained by the attacker allowed them to retrieve backed-up data. This is possibly another example of a single set of credentials and roles having a wide set of permissions, allowing access to unnecessary services. The POLP could have been implemented for all roles and credentials at Yahoo.
Yahoo did not report the breach, which occurred in 2014, until 2016. A large proportion of the data could have been protected by communicating with their user base and asking for simple password resets.
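The Yahoo case above cites outdated MD5 hashing. As an added example (not from the presentation or from Yahoo), the code below shows why that matters: an unsalted MD5 hash is cheap to compute and identical for every account that shares a password, whereas a salted, iterated hash such as PBKDF2-HMAC-SHA256 gives each account a distinct record and makes each guess expensive. The record format, the iteration count and the sample accounts are this example's own choices.

```python
"""Store passwords with a salted, slow hash instead of bare MD5.

Added example, not from the presentation. It contrasts the unsalted MD5
scheme the Yahoo case refers to with PBKDF2-HMAC-SHA256 from the standard
library. Record format, iteration count and sample accounts are constructed.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # work factor per hash; raise it as hardware gets faster


def md5_store(password):
    """The weak legacy scheme: fast, unsalted, identical for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (base64)."""
    salt = os.urandom(16) if salt is None else salt     # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def verify_password(password, record):
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:          # malformed or legacy record
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def shared_password_groups(md5_records):
    """With unsalted MD5, accounts that share a password share a hash, so one
    recovered hash unlocks all of them. Returns {hash: [users]} for hashes seen
    more than once; the same analysis finds nothing in salted records."""
    groups = {}
    for user, h in md5_records.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts; two of them chose the same password.
    accounts = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}
    legacy = {u: md5_store(p) for u, p in accounts.items()}
    print("accounts sharing an MD5 hash:", shared_password_groups(legacy))
    modern = {u: hash_password(p) for u, p in accounts.items()}
    print("bob and carol records differ:", modern["bob"] != modern["carol"])
    print("verify bob:", verify_password("hunter2", modern["bob"]))
```

Where available, Argon2id or scrypt (hashlib.scrypt) are the preferred choices; the principles are the same: a per-account salt, a tunable cost, and a constant-time comparison. Storing the iteration count inside the record lets the work factor be raised later without invalidating existing accounts.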

References

Privacy Rights Clearinghouse. Data Breach Chronology. [Internet]. Available from: https://privacyrights.org/data-breaches

https://medium.com/@sat_g/3-mega-breaches-and-how-they-could-have-been-prevented-c35f29873b3e