getting schooled derbycon 3.0
Post on 17-Jan-2015
Embed Size (px)
- 1. GETTING SCHOOLED SECURITY WITH NO BUDGET IN A HOSTILE ENVIRONMENT.
2. WHOIS KennedyJamesD@Gmail.com @TonikJDK 3. ENVIRONMENT 12 Buildings in a metro area, fiber back to data center and fiber to the net. 7000 users, 6300 students and 700 staff. Primarily a Microsoft/Cisco house. 35 servers physical/virtual, 3500 XP/Win7-8 desktops and 1000 IPads/Nexu.s BYOD 4. IT DEPARTMENT 7 VS 7000 Department Manager who is very technically sound. Secretary, who is also technically sound. She is our helpdesk and administers our Cisco phone system. Three desktop technicians. Extremely good, self directed and need very little hand holding. 1 Network Administrator 1 System Engineer Money is tight, no really its tight. 5. DEPARTMENTS The usual departments: HR, Finance, PR.along with Academic/Curriculum Departments, Pupil Services, Student Information, Food Services and Building Management. Departments get their new budgets Aug. 1st. Most of their projects hit at once, delivered on August 1 with late August for install. There is very little thought given to security as these projects are defined, however they are extremely supportive and trusting of our advice on security issues. August 1st October 30th is pure chaos. 6. TEACHERS They are all very intelligent and have their own style of teaching, just as children have their own style of learning. Spend summers in classes, seminars and gathering new software. The above creates a situation where we support 1492 different applications. They have little tolerance for security issues such as our web filter or lack of administrative rights on machines to install software when it interferes with instruction. 7. STUDENTS First and foremost, they are why we exist. We serve their needs above all others. We answer to their parents and the tax payers of our community. It is their school, not ours. They are children, they are not only learning academics, they are still learning the boundaries of acceptable computer usage. They will try and hack. They will try and beat the web filter. They will try and get advanced copies of tests. Not because they are evil, they are not, but because they are children. They will break stuff for the LOLs 8. THE THIN RED LINE We want to nurture what they are doing. I need to know they are trying, to teach them the limits. But if they pull off a successful breach, if they pull off putting porn all over the screen then they face suspension or expulsion. If I let them get that far, I have failed them. When they succeed at hacking, I have failed them. 9. THEY ALL START OUT INNOCENT LIKE DAVE DID 10. THE NEXT DAVE IS IN A HIGH SCHOOL RIGHT NOW 11. THREATS Outside. Not high value other than phishing our bank accounts.. Inside. The targets are very tempting to a student. Tests, grades, attendance, their permanent record and PI on staff. Surfing. A threat in its own. They are children with hormones, porn is high on the list. Plus interests in music and free games that lead them to a ton of virus/malware laden websites. Beating the filter is extremely high value. That leads them to proxies and trying to get staff accounts that have a more lenient filter. BYOD 12. SAVED BY BORIS (WHO WOULD HAVE THOUGHT THAT) Boriss talk was a watershed moment for me. Stop buying sh*t. Stick with what you know or you will mess it up. 13. WHAT TO DO? Define the attack vectotrs. Watch the Red Team. What are they doing, what are they bragging about. How does that apply to my systems. Listservs NTSysAdmin, PatchManagement.org, Blogs. 14. MANAGEMENT BUY IN Embrace the audit and get one. For us, that becomes a public record. That makes it a very powerful document. There is no debate, just: Fix it. 15. WHAT HAVE I GOT? Document and define every system and every system interaction. Document the software. Powershell queries, SCCM Document the traffic. Document access. Who needs what, build a list with an eye towards segmentation. 16. WHAT IS IT DOING? Read the logs. Logs, logs and more logs. You must audit access success and failure. Web Filter logs. Blocks are a key metric. 17. SECURITY ONION Doug Burks is the man. Full open source Linux distro so easy even an MCSE can do it. Full packet capture Snort, Suricata, Bro, Sguil, Squert, Snorby , ELSA and Xplico. Pivot from one to the other. SecurityOnion.Blogspot.Com 18. PATCH IT ALL MS08-067 90 day patch window on average. Remember our documentation? That drives your third party patching. Build a spreadsheet that lists them, with version and a clickable link to check for the newest. NINITE (couple hundred bucks a month) Verify your patches. Powershell: Get-ADComputer | Get-HotFix 19. WEB FILTER Yea, people hate them. Sorry about that, talk to Congress. Five strikes and you are out. A very simple and powerful tool; this dropdown: 20. ANATOMY OF A PHISH 21. SERVER HARDENING EMET 4.0 ASA between users and servers. Build your severs with segmentation of resources in mind so you can segment your users. Control that with your ASA and your VLANS. Firewall on. Seriously, 2008+ the firewall is automatic. Consider taking servers out of the domain. HVAC servers on management Vlan. . 22. SERVERS CONT. Encrypt your databases. Patch them, all of it especially third party software. Veritas . FSRM on all shares. Block exes, bat, dlls, shortcuts Restricted groups for local admins, disable local admin account. Disable cached credentials F8 is your friend. 23. DESKTOP HARDENING No local admin. Period. Control it with Restricted Groups (replace not add) Common images and standardization. EMET 4.0 RDS for Finance. Local firewall via gpo. Logging on. Event logging with auditing on success and failure. Hide last user login UAC Autorun off Software Restrictions 24. MOAR Software Restrictions Nuke Control Panel items. Nuke Explorer search and menu search Nuke task manager Disable run/cmd/Internet Explorer drives which also kills servername in IE No bat files, no VBS in user context Hide the system drive. IE Maintenance via GPO. Zones, History 25. JAVA EMET kills much of it. It looks for behavior not signatures. In other cases egress filtering and/or the web filter. With only 80 and 443 allowed out the filter sees the exploit phoning home. 26. BYOD/TABLETS Get out in front of it, dont wait for them to dictate how its going to happen. Today I want to announce our awesome new BYOD program. This is going to rock!! Guest Network, straight out to the internet. GAFE Good luck, enjoy. District owned tablets Meraki (free) Find them and wipe them. Tab Pilot. Publish apps to the home screen, kill the rest of it. 27. LEVERAGE YOUR SWITCHES-ROUTERS-FW SSH only from management network. Sticky Macs. Kill unused ports. Yea, its annoying for desktop techs. Talk to the memo. Egress filtering. 28. IT NEVER ENDS Have management read the memo they gave you dictating fix it from the audit. Point out that this takes time, I negotiated 20 percent of my time for this. One day a week, Wednesday. If my boss pulls me off I ask him to talk to the memo about it. 29. TIME FOR A HUG