DerbyCon 2014
2014 DerbyCon slides
ENVIRONMENT
14 buildings, fiber back to the data center and fiber to the net.
Internal gig everywhere. 6800 users: 6000 students and 800 staff. Primarily a Microsoft/Cisco house. 37 servers, physical and virtual; 3500 XP/Win7/Win8 desktops and 1000 iPads/Nexus BYOD.
600 teachers do this every day
Fire up presentation systems, computers, Smart Boards, audio and video feeds.
Rely on the internet for content: YouTube, Netflix, EDUs, PBS, state and federal sites, along with a host of obscure sites from other educators.
Shared/collaborative content from each other.
4 educators with strong tech backgrounds developing new ways to use tech.
6000 students do this every day
Try to surf porn. Install games and malware. Saturate our internet link with videos and music. Download iOS 8 for their phones. Try to break stuff. Try to get into servers and applications they shouldn't. Oh, and use the system to learn.
How do we secure this and deliver the proper service level?
You need street cred in your org.
Have a kid that is a recognized expert in InfoSec.
Go to cons, give talks and email the talk to everyone.
Talk up the security you do that is non-intrusive/unseen.
Compromise.
Keep it working.
Get an audit.
Everything in this list is about you, and how you present the issues.
Defend against phishing attacks with user education?!?
Unknown
Pick your filter carefully
There are basically three categories on a filter: Good, Bad and Unknown.
They all do an excellent job with Good and Bad.
The percentage of the internet that is Unknown is key. Watch IP and 'Content Server' unknowns.
Only two that I have found handle it well:
Barracuda and iboss.
+1 Cred with Bo$$
+1 Cred with Management
Moar Cred!
4 days before school starts: Hey Jim, we need to set up two Python labs for 150 students.
What could possibly go wrong? Two seconds on Google turns up MS08-067 exploited via Python; TrustedSec.com has ready-to-run code.
Make it work
Dual boot. Python air-gapped via guest wireless. Google Apps/Docs. Hide the other OS drive.
+1 Cred with Curriculum peeps.
+1 Cred with Teachers.
+1 Cred with my Bo$$.
But most of all students are learning and we are safe from them.
Can’t build on sand
Basic Training
Baseline everything.
Common images/builds.
Senior builder.
Common hardware.
Recon
Document and define every system and every system interaction.
Document the software. Document the traffic. Document access: who needs what? Build a list with an eye towards segmentation.
Recon
What is vulnerable?
Nessus yourself regularly. http://www.tenable.com/products/nessus
What is it doing?
Read the server and desktop logs. Audit access success and failure. SCOM everything.
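What "audit access success and failure" looks like once the events exist, as an added example that is not part of the slides: turn on logon auditing, pull failed logons (event ID 4625) from the Security log, and flag any source that racks up a burst of failures. This is my own code, not the speaker's; it assumes PowerShell 3 or later and an elevated prompt (auditpol and Security-log reads need it), the sample events are constructed, and the 10-failures-in-5-minutes threshold is an arbitrary starting point to tune, not a standard.

```powershell
# Added example (not from the slides): enable logon auditing and hunt the
# Security log for failed-logon bursts. PowerShell 3+, elevated prompt.
# The 10-in-5-minutes threshold is an assumption to tune.

function Enable-LogonAuditing {
    # Same setting the "Audit Logon" GPO writes; auditpol is the per-box form.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
}

function Get-FailedLogon {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Zero-based EventData positions for 4625 (Win7/2008 R2 and later):
            # 5 TargetUserName, 10 LogonType, 19 IpAddress
            $p = $_.Properties
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $p[5].Value
                LogonType = [int]$p[10].Value
                SourceIp  = $p[19].Value
            }
        }
}

function Find-LogonFailureBurst {
    param(
        [Parameter(Mandatory = $true)][object[]]$Events,
        [int]$Threshold = 10,
        [int]$WindowMinutes = 5
    )
    # Per source IP, slide a window over the failures sorted by time and
    # report the first window that reaches the threshold. Many accounts from
    # one source in one window is a spray; one account many times is a guess.
    foreach ($group in ($Events | Group-Object SourceIp)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end  = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $span = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $end })
            if ($span.Count -ge $Threshold) {
                $accounts = @($span | ForEach-Object { $_.Account } | Sort-Object -Unique)
                [pscustomobject]@{
                    SourceIp = $group.Name
                    Start    = $sorted[$i].Time
                    Failures = $span.Count
                    Accounts = $accounts -join ','
                    Pattern  = if ($accounts.Count -gt 1) { 'spray' } else { 'guess' }
                }
                break   # one alert per source is enough to go look
            }
        }
    }
}

# Constructed sample, not real log data: 12 failures from one host against
# four accounts inside two minutes, plus one mistyped password elsewhere.
$t0 = Get-Date '2014-09-26 08:00:00'
$sample = @(
    foreach ($n in 0..11) {
        [pscustomobject]@{ Time = $t0.AddSeconds(10 * $n); Account = "student$($n % 4)"; LogonType = 3; SourceIp = '10.20.30.40' }
    }
    [pscustomobject]@{ Time = $t0.AddMinutes(1); Account = 'jsmith'; LogonType = 2; SourceIp = '10.20.31.7' }
)
Find-LogonFailureBurst -Events $sample | Format-Table -AutoSize

# Against the live log on a server or a desktop:
#   Enable-LogonAuditing
#   Find-LogonFailureBurst -Events (Get-FailedLogon -Hours 24)
```

Run it on a domain controller and the 4625 stream covers every domain logon; run it on a file server and you see who is poking at that box directly. SCOM or a scheduled task can run the same function hourly and forward the alert rows.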
Defense
Intrusion detection and moar.
• Security Onion
• http://blog.securityonion.net
• IDS
• Full packet capture
• Reconstructs full transactions
• So simple even a Windows jockey can do it
• 30 minutes from download to fully running
Patch it all
• MS08-067 or SQL injection?!? You suck.
• 90-day patch window on average. Are you average?
• http://patchmanagement.org/
• Remember our software documentation and Nessus. That drives your patching.
Server hardening
Kill NTLM in your domain. Get service accounts under control.
Strong passwords. Limit privs. Single-use service accounts.
Google "Mitigating Service Account": HD Moore (Rapid7), Joe Bialek (Microsoft) and Ashwath Murthy (Palo Alto).
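The two bullets above, "kill NTLM" and "get service accounts under control", as an added example that is not from the slides or the papers they cite. It reads and sets the registry values behind the "Network security: Restrict NTLM" and LAN Manager authentication level policies (in production those go out as a GPO; these are the keys the GPO writes), and it lists every domain account that carries a service principal name together with the things that make such an account dangerous. This is my own code; it assumes an elevated prompt on a domain member with the ActiveDirectory RSAT module, and the 365-day maximum password age is an arbitrary choice.

```powershell
# Added example (not from the slides): registry side of "kill NTLM" plus a
# service-account report. Assumes elevated prompt, ActiveDirectory module.
# 365 days as the maximum service-account password age is an assumption.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

function Get-NtlmPosture {
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
    # AuditReceivingNTLMTraffic    0 off, 1 domain accounts, 2 all accounts
    # RestrictSendingNTLMTraffic   0 allow, 1 audit, 2 deny
    # RestrictReceivingNTLMTraffic 0 allow, 1 deny domain accounts, 2 deny all
    $l = Get-ItemProperty $lsa -ErrorAction SilentlyContinue
    $m = Get-ItemProperty $msv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LmCompatibilityLevel         = $l.LmCompatibilityLevel
        AuditReceivingNTLMTraffic    = $m.AuditReceivingNTLMTraffic
        RestrictSendingNTLMTraffic   = $m.RestrictSendingNTLMTraffic
        RestrictReceivingNTLMTraffic = $m.RestrictReceivingNTLMTraffic
    }
}

function Set-NtlmAuditPhase {
    # Phase 1: NTLMv2 only, and audit every NTLM use without blocking it.
    # Then read Microsoft-Windows-NTLM/Operational (events 8001-8004) for a
    # few weeks, fix the printers, scanners and apps that show up, and only
    # then move RestrictSendingNTLMTraffic/RestrictReceivingNTLMTraffic to 2.
    Set-ItemProperty $lsa -Name LmCompatibilityLevel       -Value 5 -Type DWord
    Set-ItemProperty $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord
    Set-ItemProperty $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
}

function Get-ServiceAccountReport {
    param([int]$MaxPasswordAgeDays = 365)
    Import-Module ActiveDirectory
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    # Any domain user can request a service ticket for an account with an SPN
    # and crack that ticket offline against the account's password, so these
    # accounts need long, rotated passwords and no privileged groups.
    # Only direct group membership is checked here.
    Get-ADUser -Filter { ServicePrincipalName -like '*' } `
        -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, MemberOf |
        ForEach-Object {
            $groups = @($_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name })
            $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            $findings = @()
            if ($groups | Where-Object { $privileged -contains $_ }) { $findings += 'privileged' }
            if ($_.PasswordNeverExpires)                             { $findings += 'never-expires' }
            if ($age -eq $null -or $age -gt $MaxPasswordAgeDays)    { $findings += 'stale-password' }
            [pscustomobject]@{
                Account         = $_.SamAccountName
                SpnCount        = @($_.ServicePrincipalName).Count
                PasswordAgeDays = $age
                Groups          = $groups -join ','
                Findings        = $findings -join ','
            }
        } | Sort-Object Findings -Descending
}

Get-NtlmPosture
Get-ServiceAccountReport | Format-Table -AutoSize
```

Anything that comes back flagged "privileged" is the first thing to fix: a service account in Domain Admins turns one cracked ticket or one compromised box into the whole domain.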
Server hardening
EMET 5.0. Ask the red team how many boxes they have popped recently that are running EMET.
Firewall between users and servers.
Build your servers with segmentation of resources in mind so you can segment your users. Control that with your ASA and your VLANs.
Firewall on. Seriously, 2008+ the firewall is automatic.
Consider taking servers out of the domain. HVAC servers on a management VLAN.
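The host-firewall half of this slide, as an added example that is not from the slides: every profile on with a default inbound deny, remote administration only from the management VLAN, the service port only from the user VLAN, and a check of which inbound rules are still open to Any (the thing an audit or a red team looks at first). It is my own code; it assumes the Windows 8/2012 NetSecurity cmdlets, the subnets 10.10.5.0/24 (management) and 10.20.0.0/16 (users) and TCP 443 as the service are made-up values, and the netsh lines at the end are the 2008/2008 R2 equivalent.

```powershell
# Added example (not from the slides): host firewall baseline for a server.
# Assumes Windows 8/2012+ cmdlets; subnets and service port are made-up.

function Add-RuleOnce {
    # New-NetFirewallRule happily creates duplicates; keep the baseline idempotent.
    param([string]$Name, [int]$Port, [string]$From)
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $From -Action Allow | Out-Null
    }
}

function Set-ServerFirewallBaseline {
    param(
        [string]$ManagementNet = '10.10.5.0/24',
        [string]$UserNet       = '10.20.0.0/16',
        [int[]]$ServicePorts   = @(443)
    )
    # All three profiles on and closed by default, so a box that ends up on a
    # network it does not recognise is still closed.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
    # Remote admin from the management VLAN only (the network slide's "SSH
    # only from the management network", in Windows terms).
    Add-RuleOnce -Name 'Mgmt RDP'   -Port 3389 -From $ManagementNet
    Add-RuleOnce -Name 'Mgmt WinRM' -Port 5985 -From $ManagementNet
    # The service itself from the user VLAN only; server-to-server needs get
    # their own rules with their own source subnets.
    foreach ($p in $ServicePorts) {
        Add-RuleOnce -Name "Users TCP $p" -Port $p -From $UserNet
    }
}

function Test-ServerFirewallBaseline {
    # Every profile on and default-deny? Which enabled inbound allow rules
    # accept traffic from anywhere?
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    $openToAny = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
        ForEach-Object { $_.DisplayName }
    [pscustomobject]@{ Profiles = $profiles; InboundAllowFromAny = $openToAny }
}

Set-ServerFirewallBaseline
Test-ServerFirewallBaseline

# 2008 / 2008 R2 equivalents:
#   netsh advfirewall set allprofiles state on
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
#   netsh advfirewall firewall add rule name="Mgmt RDP" dir=in action=allow protocol=TCP localport=3389 remoteip=10.10.5.0/24
```

The ASA and VLAN ACLs between user and server networks do the same job one hop out; the host rules are the copy that still holds when someone plugs into the wrong switch port.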
Desktop hardening
• No local admin. Period.
• EMET 5.0
• RDS for Finance and the like.
• Local firewall via GPO.
• Event logging with auditing on success and failure.
• Hide last user login
• UAC
• Autorun off
• Software Restrictions
Applocker
Remove unneeded features:
Control Panel items. Explorer search and menu search. Task Manager. Disable Run, cmd and Internet Explorer drive access, which also kills \\servername in IE. No .bat files, no VBS. Hide the system drive.
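The desktop bullets above (hide last user, UAC, autorun off, no Run/cmd/Task Manager, hidden system drive, no local admin, AppLocker) as an added example that is not from the slides: the registry values the corresponding GPOs write, applied to one machine so you can see exactly what lands on disk, a sweep of the local Administrators group, and an AppLocker policy generated from a known-good reference build. It is my own code; it assumes an elevated prompt on Win7/Win8 Enterprise (AppLocker is not in the Pro editions), that the HKCU values apply to the current user here and belong in a user GPO in production, and that C:\Program Files, C:\Program Files (x86) and C:\Windows are the only places users should run code from.

```powershell
# Added example (not from the slides): desktop lockdown registry values, local
# admin sweep and a reference-image AppLocker policy. Elevated prompt, Win7/
# Win8 Enterprise. HKCU values go in a user GPO for the fleet.

function Set-DesktopLockdown {
    $mSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $mExp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $uSys = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $uExp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $uPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($k in $mSys, $mExp, $uSys, $uExp, $uPol) {
        if (-not (Test-Path $k)) { New-Item $k -Force | Out-Null }
    }
    # Hide last user login
    Set-ItemProperty $mSys -Name DontDisplayLastUserName -Value 1 -Type DWord
    # UAC on; admins get a consent prompt on the secure desktop
    Set-ItemProperty $mSys -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty $mSys -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty $mSys -Name PromptOnSecureDesktop -Value 1 -Type DWord
    # Autorun off for every drive type (0xFF) and autorun.inf ignored entirely
    Set-ItemProperty $mExp -Name NoDriveTypeAutoRun -Value 255 -Type DWord
    Set-ItemProperty $mExp -Name NoAutorun -Value 1 -Type DWord
    # No Run dialog, no Task Manager, no cmd.exe and no .bat/.cmd processing
    # (DisableCMD 1; a value of 2 would leave batch files working)
    Set-ItemProperty $uExp -Name NoRun -Value 1 -Type DWord
    Set-ItemProperty $uPol -Name DisableTaskMgr -Value 1 -Type DWord
    Set-ItemProperty $uSys -Name DisableCMD -Value 1 -Type DWord
    # Hide the system drive and refuse to browse it: A=1, B=2, C=4 in the bitmask
    Set-ItemProperty $uExp -Name NoDrives -Value 4 -Type DWord
    Set-ItemProperty $uExp -Name NoViewOnDrive -Value 4 -Type DWord
}

function Remove-LocalAdmins {
    param([string[]]$Keep = @('Administrator', 'Domain Admins'))
    # "No local admin. Period." net.exe is used because Win7 has no
    # LocalAccounts module; the first six lines of its output are headers.
    $members = net localgroup Administrators |
        Select-Object -Skip 6 |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notmatch '^The command completed' }
    foreach ($m in $members) {
        if ($Keep -notcontains $m.Split('\')[-1]) {
            net localgroup Administrators "$m" /delete | Out-Null
        }
    }
}

function New-ReferenceAppLockerPolicy {
    param(
        [string[]]$Paths = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'),
        [string]$OutFile = "$env:ProgramData\applocker-reference.xml"
    )
    # AppLocker rules are ignored unless the Application Identity service runs.
    Set-Service AppIDSvc -StartupType Automatic
    Start-Service AppIDSvc
    # Publisher rules for signed files, hash rules for the rest, learned from
    # the reference build. Once a collection has any rule, everything not
    # matched in that collection is blocked, which is the point.
    $info = $Paths | Where-Object { Test-Path $_ } | ForEach-Object {
        Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller
    }
    $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
        Out-File $OutFile -Encoding utf8
    # Dry run against something a student downloaded (path is a placeholder):
    #   Test-AppLockerPolicy -XmlPolicy $OutFile -Path C:\Users\Public\Downloads\game.exe -User Everyone
    # Set EnforcementMode="AuditOnly" on each RuleCollection in the XML, apply
    # with Set-AppLockerPolicy -XmlPolicy $OutFile, watch the AppLocker event
    # log for 8003 (would have been blocked), then switch to Enabled.
    $OutFile
}

Set-DesktopLockdown
Remove-LocalAdmins
New-ReferenceAppLockerPolicy
```

Audit mode first matters more for AppLocker than for anything else on the slide: one unsigned updater in the image that the policy missed will take every desktop down at the same time.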
No AV
99 percent of Fortune 1000 companies run Symantec. Most of the big hacks we are seeing are Fortune 1000. Ergo, 99 percent of the big hacks hit companies that use Symantec, and it apparently didn't stop crap. Disclaimer: according to Twitter (allegedly).
Java
EMET kills much of it; it looks for behavior, not signatures.
In other cases, egress filtering and/or the web filter: with only 80 and 443 allowed out, the filter sees the exploit phoning home.
91 percent of all attacks in 2013 were Java based. Keep it patched.
Network layer
• SSH only from the management network.
• Sticky MACs (port security).
• Kill unused ports.
• Egress filtering.
Rinse, Lather and Repeat.
Negotiated time for this, and not just a general agreement. A specific agreement with days and time reserved for all of this.
Get the above on your review as a goal.
Thanks and hugs