Getting Schooled: Security With No Budget in a Hostile Environment (DerbyCon 3.0)

Uploaded by tonikjdk on 17-Jan-2015. 29 slides.

TRANSCRIPT

Page 1: Getting Schooled DerbyCon 3.0

GETTING SCHOOLED

SECURITY WITH NO BUDGET IN A HOSTILE ENVIRONMENT.

WHOIS

@TonikJDK

ENVIRONMENT

12 buildings in a metro area, fiber back to the data center and fiber to the net.

7000 users: 6300 students and 700 staff.

Primarily a Microsoft/Cisco house.

35 servers, physical and virtual; 3500 XP/Win7-8 desktops and 1000 iPads/Nexus tablets.

BYOD

IT DEPARTMENT: 7 VS 7000

• Department Manager who is very technically sound.

• Secretary, who is also technically sound. She is our helpdesk and administers our Cisco phone system.

• Three desktop technicians. Extremely good, self directed and need very little hand holding.

• 1 Network Administrator

• 1 System Engineer

• Money is tight, no really it’s tight.


DEPARTMENTS

• The usual departments: HR, Finance, PR….along with Academic/Curriculum Departments, Pupil Services, Student Information, Food Services and Building Management.

• Departments get their new budgets Aug. 1st.

• Most of their projects hit at once, delivered on August 1 with late August for install.

• There is very little thought given to security as these projects are defined, however they are extremely supportive and trusting of our advice on security issues.

• August 1st – October 30th is pure chaos.

TEACHERS

• They are all very intelligent and have their own style of teaching, just as children have their own style of learning.

• Spend summers in classes, seminars and gathering new software.

• The above creates a situation where we support 1492 different applications.

• They have little tolerance for security issues such as our web filter or lack of administrative rights on machines to install software when it interferes with instruction.

STUDENTS

• First and foremost, they are why we exist. We serve their needs above all others.

• We answer to their parents and the tax payers of our community. It is their school, not ours.

• They are children, they are not only learning academics, they are still learning the boundaries of acceptable computer usage.

• They will try and hack. They will try and beat the web filter. They will try and get advanced copies of tests. Not because they are evil, they are not, but because they are children.

• They will break stuff for the LOLs.


THE THIN RED LINE

• We want to nurture what they are doing.

• I need to know they are trying, to teach them the limits. But if they pull off a successful breach, if they pull off putting porn all over the screen then they face suspension or expulsion. If I let them get that far, I have failed them.

• When they succeed at hacking, I have failed them.

THEY ALL START OUT INNOCENT, LIKE DAVE DID

THE NEXT DAVE IS IN A HIGH SCHOOL RIGHT NOW

THREATS

• Outside. Not high value other than phishing our bank accounts.

• Inside. The targets are very tempting to a student: tests, grades, attendance, their ‘permanent’ record and PII on staff.

• Surfing. A threat in its own right. They are children with hormones, so porn is high on the list, plus interests in music and free games that lead them to a ton of virus/malware-laden websites. Beating the filter is extremely high value. That leads them to proxies and to trying to get staff accounts, which have a more lenient filter.

• BYOD

SAVED BY BORIS (WHO WOULD HAVE THOUGHT THAT)

• Boris’s talk was a watershed moment for me.

• Stop buying sh*t.

• Stick with what you know or you will mess it up.

WHAT TO DO?

• Define the attack vectors.

• Watch the Red Team. What are they doing, what are they bragging about. How does that apply to my systems.

• Listservs NTSysAdmin, PatchManagement.org, Blogs.


MANAGEMENT BUY IN

• Embrace the audit and get one.

• For us, that becomes a public record. That makes it a very powerful document. There is no debate, just: Fix it.

WHAT HAVE I GOT?

• Document and define every system and every system interaction.

• Document the software: PowerShell queries, SCCM.

• Document the traffic.

• Document access. Who needs what, build a list with an eye towards segmentation.
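The "document the software" step, as an added example (my code, not the speaker's): it pulls the installed-software list from every enabled AD computer by reading the Uninstall registry keys and rolls it up into the product/version list a third-party patch spreadsheet is built from. It assumes the RSAT ActiveDirectory module on the admin workstation, WinRM enabled on the targets (Invoke-Command), and an account with local admin rights on them; the output file name is a placeholder.

```powershell
# Added example, not from the slides. Inventory installed software across the
# domain and summarise it by product and version.
# Assumes: ActiveDirectory module, WinRM on targets, local admin on targets.

Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter { Enabled -eq $true } |
    Select-Object -ExpandProperty Name

# Read both the native and the WOW6432Node Uninstall hives so 32-bit apps on
# x64 desktops are not missed. Unreachable hosts are skipped, not fatal.
$inventory = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      DisplayName, DisplayVersion, Publisher, InstallDate
}

# Raw per-host rows, for the "what is on box X" question.
$inventory | Export-Csv -Path .\software-inventory.csv -NoTypeInformation   # placeholder path

# One row per product/version with an install count, biggest footprint first:
# this is the list to check against vendor "latest version" pages.
$inventory |
    Group-Object DisplayName, DisplayVersion |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

XP desktops do not have WinRM on by default, so for that part of the fleet this is the one place SCCM's hardware inventory (or remote registry) is the easier source; the registry keys read are the same either way.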


WHAT IS IT DOING?

• Read the logs.

• Logs, logs and more logs. You must audit access success and failure.

• Web Filter logs. Blocks are a key metric.
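The "audit success and failure, then read the logs" point, as an added example (my code, not the speaker's): it turns on logon auditing locally and summarises failed logons (event ID 4625) by target account and source address, which is the view in which a student guessing staff passwords shows up as one loud line. It assumes an elevated PowerShell on the server or DC being checked; the 24 hour window and the five-failure threshold are arbitrary starting points.

```powershell
# Added example, not from the slides. Enable logon auditing and summarise
# failed logons from the Security log.
# Assumes: elevated shell on the host whose Security log you want to read.

# Local equivalent of the GPO audit setting. On domain members the GPO wins at
# the next refresh, so set it in policy as well; this is for a quick start.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$MinCount = 5)

    $since = (Get-Date).AddHours(-$Hours)
    # Filtering in the hashtable is far faster than piping the whole Security
    # log through Where-Object. SilentlyContinue swallows the "no events" error.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $p = $e.Properties   # positional EventData fields of a 4625 event
        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Account   = "$($p[6].Value)\$($p[5].Value)"   # TargetDomainName\TargetUserName
            SourceIP  = $p[19].Value                      # IpAddress ('-' for the local console)
            LogonType = $p[10].Value                      # 2 console, 3 network/SMB, 10 RDP
            Status    = '{0:X}' -f $p[7].Value            # C000006A bad password, C0000064 no such user
        }
    }

    $rows |
        Group-Object Account, SourceIP |
        Where-Object { $_.Count -ge $MinCount } |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Account';    e = { $_.Group[0].Account } },
            @{ n = 'SourceIP';   e = { $_.Group[0].SourceIP } },
            @{ n = 'LogonTypes'; e = { ($_.Group | Select-Object -ExpandProperty LogonType | Sort-Object -Unique) -join ',' } },
            @{ n = 'Statuses';   e = { ($_.Group | Select-Object -ExpandProperty Status | Sort-Object -Unique) -join ',' } },
            @{ n = 'LastSeen';   e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
}

Get-FailedLogonSummary -Hours 24 -MinCount 5 | Format-Table -AutoSize
```

The status code is the useful tell: a run of C0000064 (no such user) from one workstation is someone enumerating names, a run of C000006A (bad password) against one staff account is a guessing attempt, and a logon type of 3 from a student VLAN address against a file server is the one to walk down the hall about.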

SECURITY ONION

• Doug Burks is the man.

• Full open source Linux distro, so easy even an MCSE can do it.

• Full packet capture.

• Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA and Xplico.

• Pivot from one to the other.

SecurityOnion.Blogspot.Com

PATCH IT ALL

• MS08-067

• 90 day patch window on average.

• Remember our documentation? That drives your third party patching. Build a spreadsheet that lists them, with version and a clickable link to check for the newest.

• Ninite (a couple hundred bucks a month).

• Verify your patches. PowerShell: Get-ADComputer -Filter * | Select-Object -ExpandProperty Name | ForEach-Object { Get-HotFix -ComputerName $_ } (Get-HotFix does not take ADComputer objects straight off the pipeline, so expand the name first).
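The "verify your patches" one-liner, carried through as an added example (my code, not the speaker's): it checks every enabled AD computer for one hotfix and reports which are missing it, and carries the operating system in the report because a KB that never applied to an OS will otherwise read as "Missing". KB958644 is the MS08-067 update, which only exists for XP/2003/Vista/2008, so the sample run filters to XP. It assumes the ActiveDirectory module, RPC/WMI reachable on the targets (Get-HotFix queries Win32_QuickFixEngineering remotely) and local admin rights there; the CSV path is a placeholder.

```powershell
# Added example, not from the slides. Hotfix verification across the domain.
# Assumes: ActiveDirectory module, WMI/RPC open to targets, local admin there.

Import-Module ActiveDirectory

function Test-HotFixDeployed {
    param(
        [Parameter(Mandatory = $true)][string]$KB,   # e.g. 'KB958644'
        [string]$OSFilter = '*'                      # e.g. '*XP*' or '*2003*'
    )
    $targets = Get-ADComputer -Filter { Enabled -eq $true } -Properties OperatingSystem |
        Where-Object { $_.OperatingSystem -like $OSFilter }

    foreach ($t in $targets) {
        # One WMI call per host. An empty answer means WMI was not reachable
        # (or the box has no hotfixes at all, which is the same bad news), so it
        # is reported as Unreachable rather than silently counted as Missing.
        $all = Get-HotFix -ComputerName $t.Name -ErrorAction SilentlyContinue
        if (-not $all) {
            $state = 'Unreachable'; $when = $null
        } else {
            $hf = $all | Where-Object { $_.HotFixID -eq $KB }
            if ($hf) { $state = 'Installed'; $when = ($hf | Select-Object -First 1).InstalledOn }
            else     { $state = 'Missing';   $when = $null }
        }
        New-Object PSObject -Property @{
            Computer = $t.Name; OS = $t.OperatingSystem; KB = $KB; State = $state; InstalledOn = $when
        } | Select-Object Computer, OS, KB, State, InstalledOn
    }
}

# MS08-067 on the XP fleet: anything not "Installed" gets a visit.
$report = Test-HotFixDeployed -KB 'KB958644' -OSFilter '*XP*'
$report | Where-Object { $_.State -ne 'Installed' } | Format-Table -AutoSize
$report | Export-Csv -Path .\KB958644-status.csv -NoTypeInformation   # placeholder path
```

Caveat: Win32_QuickFixEngineering only knows about updates that register as OS hotfixes. Office, .NET and the third-party software on the spreadsheet do not show up here; for those, compare the DisplayVersion from the software inventory against the vendor's current version.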

WEB FILTER

• Yeah, people hate them. Sorry about that, talk to Congress.

• Five strikes and you are out.

• A very simple and powerful tool; this dropdown:


ANATOMY OF A PHISH

SERVER HARDENING

• EMET 4.0

• ASA between users and servers.

• Build your servers with segmentation of resources in mind so you can segment your users. Control that with your ASA and your VLANs.

• Firewall on. Seriously, 2008+ the firewall is on by default.

• Consider taking servers out of the domain. HVAC servers on the management VLAN.

SERVERS CONT.

• Encrypt your databases.

• Patch them, all of it, especially third party software. Veritas <sigh>.

• FSRM on all shares. Block EXEs, BATs, DLLs, shortcuts……

• Restricted groups for local admins, disable local admin account.

• Disable cached credentials

• F8 is your friend.
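The FSRM, cached-credentials and local-Administrator bullets above, as an added example (my code, not the speaker's): it creates an FSRM file group and an active file screen on a student share, sets CachedLogonsCount to 0, and disables the built-in local Administrator by its RID rather than by name. It assumes Windows Server 2012 or later with the File Server Resource Manager feature installed and an elevated shell; the share path and the file group name are placeholders, and the extension list is my choice, not a published baseline.

```powershell
# Added example, not from the slides. FSRM file screen plus two of the
# registry/account settings from the server hardening list.
# Assumes: Server 2012+, FS-Resource-Manager feature, elevated shell.

Import-Module FileServerResourceManager

$share = 'D:\Shares\Students'   # placeholder path

# FSRM file groups match on file NAME patterns only. A renamed .exe walks
# straight through, so this complements Software Restriction Policies on the
# desktops; it does not replace them.
if (-not (Get-FsrmFileGroup -Name 'Student Blocked Files' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Student Blocked Files' -IncludePattern @(
        '*.exe', '*.com', '*.scr', '*.pif', '*.bat', '*.cmd', '*.vbs', '*.vbe',
        '*.js', '*.jse', '*.wsf', '*.wsh', '*.ps1', '*.hta', '*.dll', '*.lnk', '*.url'
    ) | Out-Null
}

# -Active blocks the write; leave it off for a passive screen first and read
# the FSRM event log to see what would have been blocked before going live.
New-FsrmFileScreen -Path $share -IncludeGroup 'Student Blocked Files' -Active `
    -Description 'Block executables, scripts and shortcuts on student shares' | Out-Null

Get-FsrmFileScreen -Path $share | Select-Object Path, Active, IncludeGroup

# Disable cached domain credentials. Nobody should be logging on to a server
# while the DCs are unreachable. The value is REG_SZ despite being a count.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '0' -Type String

# Disable the built-in local Administrator. Find it by RID 500 so a rename
# done by an earlier admin does not hide it.
$rid500 = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" |
    Where-Object { $_.SID -like 'S-1-5-*-500' }
if ($rid500) { net user $rid500.Name /active:no | Out-Null }
```

Do not set CachedLogonsCount to 0 on laptops: a machine that cannot reach a DC then cannot be logged on to at all, which is exactly the behaviour wanted on a server and exactly the help desk ticket not wanted from a teacher at home.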


DESKTOP HARDENING

• No local admin. Period. Control it with Restricted Groups (replace not add)

• Common images and standardization.

• EMET 4.0

• RDS for Finance.

• Local firewall via gpo. Logging on.

• Event logging with auditing on success and failure.

• Hide last user login

• UAC

• Autorun off

• Software Restrictions


MOAR

• Software Restrictions

• Nuke Control Panel items.

• Nuke Explorer search and menu search

• Nuke task manager

• Disable Run, cmd and drive access in Internet Explorer, which also kills \\servername in IE.

• No bat files, no VBS in user context

• Hide the system drive.

• IE Maintenance via GPO. Zones, History……
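The desktop hardening lists above, as an added example (my code, not the speaker's): a read-only audit that checks a workstation's local Administrators membership against an allowed list ("replace, not add") and the registry values that UAC, autorun, last-user-name hiding, Software Restriction Policies, and the Task Manager and Run lockdowns set, so you can see whether the GPOs actually landed on a given box. It assumes it is run locally, or through Invoke-Command, on XP SP3/Win7 with PowerShell 2 or later; the allowed-admin names are placeholders and the expected values are the ones those policies write, not a published baseline.

```powershell
# Added example, not from the slides. Audit a desktop against the hardening list.
# Assumes: local or remote elevated run on XP SP3/Win7, PowerShell 2+.

function Get-LocalAdminMembers {
    # ADSI works on XP and Win7; Get-LocalGroupMember only exists on Win10/PS 5.1.
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-DesktopHardening {
    param([string[]]$AllowedAdmins = @('Administrator', 'Domain Admins', 'Desktop Techs'))  # placeholder names

    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $usr = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uex = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    function Get-Reg($Path, $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # Anyone in Administrators who is not on the list: the Restricted Groups
    # "replace" semantics should make this empty on every refresh.
    $extraAdmins = Get-LocalAdminMembers | Where-Object { $AllowedAdmins -notcontains $_ }

    $checks = @(
        @{ Check = 'No extra local admins';    Pass = (-not $extraAdmins);                               Actual = ($extraAdmins -join ', ') }
        @{ Check = 'UAC enabled (EnableLUA)';  Pass = ((Get-Reg $sys 'EnableLUA') -eq 1);               Actual = Get-Reg $sys 'EnableLUA' }
        @{ Check = 'Hide last user name';      Pass = ((Get-Reg $sys 'DontDisplayLastUserName') -eq 1); Actual = Get-Reg $sys 'DontDisplayLastUserName' }
        @{ Check = 'Autorun off, all drives';  Pass = ((Get-Reg $exp 'NoDriveTypeAutoRun') -eq 255);    Actual = Get-Reg $exp 'NoDriveTypeAutoRun' }
        @{ Check = 'SRP default = Disallowed'; Pass = ((Get-Reg $srp 'DefaultLevel') -eq 0);            Actual = Get-Reg $srp 'DefaultLevel' }
        @{ Check = 'Task Manager disabled';    Pass = ((Get-Reg $usr 'DisableTaskMgr') -eq 1);          Actual = Get-Reg $usr 'DisableTaskMgr' }
        @{ Check = 'Run dialog disabled';      Pass = ((Get-Reg $uex 'NoRun') -eq 1);                   Actual = Get-Reg $uex 'NoRun' }
    )
    $checks | ForEach-Object { New-Object PSObject -Property $_ } | Select-Object Check, Pass, Actual
}

Test-DesktopHardening | Format-Table -AutoSize
```

The HKCU checks only mean something when run as a student or teacher account, since those policies are per-user; run the HKLM and local-admin checks from the technician account and the HKCU ones from a test student logon.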

JAVA

• EMET kills much of it. It looks for behavior, not signatures.

• In other cases egress filtering and/or the web filter. With only 80 and 443 allowed out the filter sees the exploit phoning home.

BYOD/TABLETS

• Get out in front of it, don’t wait for them to dictate how it’s going to happen.

• Today I want to announce our awesome new BYOD program. This is going to rock!!

    • Guest network, straight out to the internet.

    • GAFE

    • Good luck, enjoy.

• District owned tablets

    • Meraki (free)

    • Find them and wipe them.

    • Tab Pilot.

    • Publish apps to the home screen, kill the rest of it.

LEVERAGE YOUR SWITCHES-ROUTERS-FW

• SSH only from the management network.

• Sticky MACs (port security).

• Kill unused ports.

• Yea, it’s annoying for desktop techs. Talk to the memo.

• Egress filtering.


IT NEVER ENDS

• Have management read the memo they gave you dictating ‘fix it’ from the audit.

• Point out that this takes time, I negotiated 20 percent of my time for this. One day a week, Wednesday. If my boss pulls me off I ask him to talk to the memo about it.


TIME FOR A HUG