PPT

advertisement
Enduser Cybersecurity
Phillip Barker
IT Systems Administrator
City of Lincoln City
pbarker@lincolncity.org
Topics and Concepts Discussed
•
Balancing Risk and Security
•
Customer Security Awareness
•
Behind The Scenes
•
Risk Reduction
•
Awareness Campaign
•
Email / Web Security Layer
•
Web Security
•
General Security Issues
•
A More Secure Environment
•
Firewall Successes
•
Tactics to Consider
•
Threatscape
•
SysAdmin Training and Awareness
•
Links to SysAdmin Tools
Balancing Risk and Security
Striking a balance between security and usability is
never easy; the more secure you make it the less
useful it is.
Ongoing need for customer education and protection
Organizational Risk Tolerance:
- What do you stand to lose if you are hacked?
- How difficult is recovery?
- Does this incident impact the public standing or
approval of the organization?
Customer Security Awareness
You worry about:
•
Passwords
•
Encryption
•
Remote Access
•
Phishing
•
Viruses
•
Spyware
•
Hostile email & websites
Behind the Scenes
Your SysAdmins worry about a lot more:
End-user awareness training
Attack kill chains
Internal Pen-testing
Use of default credentials
Intrusion Detection
Incident Response
External audits
Threat Awareness
Design defect mitigation
Disaster Recovery
Host Hardening
Patch management
Management of Encryption Keys
Survivable Infrastructure
Unauthorized device discovery
Physical security of critical systems
Compliance with Higher Authority
Swiftly identifying misconfigured systems
Management of real-time monitoring with incident alerting
Detecting and alerting on uncharacteristic network traffic
Suitability and reliability of third-party applications like Java and Flash
Undisclosed implications concerning HeartBleed and ShellShock.
Risk Reduction
Difficult but Essential:
Identify, Mitigate or eliminate reachable and
exploitable vulnerabilities
Use layered security model to scrutinize data headed
to customers
Layers are physical, technical and psychological
Awareness Campaign
Essential User Awareness Campaign:
Offer carefully crafted information and training
Extremely difficult to balance:
Customer Burnout; too many warnings
IT concern for customers who refuse to learn what
can get them hacked; ignore or discard advisories
– They can become unwitting platform for internal
attack against the enterprise
Information needs to clearly indicate why concern is
warranted and steps taken by IT to minimize
threat.
Email / Web Security Layer
•
Inspection and screening of all email and web access is
critical in defending networks against attack – most
email now includes embedded HTML content that can
contain attack code or lead to sites crafted to target
specific sectors
(Think: Industrial Espionage, Hacktivists, Anonymous)
•
Its generally best to screen with technology different
from your targeted system to lessen chance something
bad slips through
Example: Linux content inspection in front of windows
systems – avoid mono-culture solutions and enterprise
to minimize attack surfaces, diversity is no accident
•
Taking reasonable steps to protect your customers is
prudent
Web Security
Hostile websites can be from anywhere
NOT running vulnerable software is a critical concern
Countermeasures can include:
- Monitoring network traffic to trap and alert for customers using
vulnerable software or browser plug-ins
- Upstream web-filtering proxy
Browser security plug-ins:
- NoScript
- FlashBlock
- AdBlock
- McAfee Site Advisor and others
Why run unsolicited / untrusted content?
General Security Issues
If your policy authorizes, you can consider:
At the border firewall, strip content originating from unrelated third
parties:
Why should your browser run content from the Czech Republic when you're
viewing Facebook content with no relationship to that nation? A very
effective way to block attack from hacked websites containing
IFrame, Flash and JAVA exploits. Either strip content at the proxy-level
or at the border firewall
Use application white-listing solutions to prevent execution of any
unsigned-programs or scripts
Use Global Policy Objects to deny execution of code from temporary
directories on Windows servers and workstations
If you operate a public venue such as a Library or Community Center, use
physical separation to prevent any possibility of exposure to critical
systems. If the public network has an air-gap and cannot touch critical
networks you prevent any risk of exposure
A More Secure Environment
Is a combination of:
•
Hardened hosts, minimized attack surfaces
•
Intrusion detection at each layer
•
Developing careful habits
•
Skilled watchful IT Staff
•
Continuous awareness
•
Know your baseline!
Is unsolicited email about your Italian Lottery
winnings from Bulgaria really okay?
Firewall Successes
•
At the border, drop all traffic from:
Former Warsaw Pact Nations, Iran, The Stans
(Uzbekistan, Pakistan, Kazakhstan, etc), Iraq,
China, South America, The Koreas, Screen content
from network ranges used by ISP's for residential
users that normally would have no legitimate
need to run servers or associated services.
Shun and log all unsolicited or inappropriate
connection attempts, especially if
uncharacteristic:
Q: Who uses SSH or HTTPS on DNS or NTP ports?
A: Malware Command and Control
Tactics to Consider
Use the same assessment and profiling
tools used by hackers to find and remove
weak-points before they’re exploited
Problems to look for can include:
Unpatched, Obsolete, Default,
Noncompliant, Unfiltered, Unrestricted,
Misconfigured, Unaudited
Threatscape
Attack tools are now more
widespread and easier to use:
- No special skills or knowledge
required
- Makes simple attacks trivial to
unskilled attackers
- Both free and paid training now
available to hacker wannabees
SysAdmin Training
and Awareness
•
•
•
•
•
•
Sans.edu
Cert.org
InfoSecIsland.com
Cisco
IBM
Microsoft
Links to SysAdmin Tools
•
•
•
•
•
•
•
•
www.tenable.com
www.beyondtrust.com
www.snort.org
www.bro.org
www.wireshark.org
sguil.sourceforge.net
securityonion.net
bit9.com
Questions?
Thanks for taking the time to learn
more about IT security issues
Phillip Barker
IT Systems Administrator
City of Lincoln City
pbarker@lincolncity.org
Download