Enduser Cybersecurity
Phillip Barker
IT Systems Administrator, City of Lincoln City
pbarker@lincolncity.org

Topics and Concepts Discussed
• Balancing Risk and Security
• Customer Security Awareness
• Behind The Scenes
• Risk Reduction
• Awareness Campaign
• Email / Web Security Layer
• Web Security
• General Security Issues
• A More Secure Environment
• Firewall Successes
• Tactics to Consider
• Threatscape
• SysAdmin Training and Awareness
• Links to SysAdmin Tools

Balancing Risk and Security
Striking a balance between security and usability is never easy; the more secure you make it, the less useful it is.
Ongoing need for customer education and protection.
Organizational Risk Tolerance:
- What do you stand to lose if you are hacked?
- How difficult is recovery?
- Does this incident impact the public standing or approval of the organization?

Customer Security Awareness
You worry about:
• Passwords
• Encryption
• Remote Access
• Phishing
• Viruses
• Spyware
• Hostile email & websites

Behind the Scenes
Your SysAdmins worry about a lot more:
- End-user awareness training
- Attack kill chains
- Internal pen-testing
- Use of default credentials
- Intrusion detection
- Incident response
- External audits
- Threat awareness
- Design defect mitigation
- Disaster recovery
- Host hardening
- Patch management
- Management of encryption keys
- Survivable infrastructure
- Unauthorized device discovery
- Physical security of critical systems
- Compliance with higher authority
- Swiftly identifying misconfigured systems
- Management of real-time monitoring with incident alerting
- Detecting and alerting on uncharacteristic network traffic
- Suitability and reliability of third-party applications like Java and Flash
- Undisclosed implications concerning HeartBleed and ShellShock
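The list above includes detecting and alerting on uncharacteristic network traffic, and the Firewall Successes slide later in the deck asks who uses SSH or HTTPS on DNS or NTP ports. The following is an added example, not code from the original deck: it fingerprints the first payload bytes a client sends and flags flows where the application protocol does not match what the destination port is for. The flow records, the expected-protocol table and the Flow type are all constructed for the example.

```python
"""Flag application protocols that do not belong on the destination port.

Added example (not from the original slide deck). A flow that carries an
SSH banner or a TLS ClientHello to port 53 or 123 is uncharacteristic for
a DNS or NTP port and is worth an alert. The flow records below are
constructed, not captured from any real network.
"""
from dataclasses import dataclass

# Ports on which only the named protocol is expected. Constructed policy
# table; extend it with whatever your own traffic baseline says belongs where.
EXPECTED_ON_PORT = {53: "DNS", 123: "NTP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    first_bytes: bytes  # first payload bytes sent by the client


def fingerprint(payload: bytes) -> str:
    """Guess the application protocol from the client's first bytes."""
    if payload.startswith(b"SSH-"):
        return "SSH"  # SSH identification string (RFC 4253)
    # TLS record: content type 0x16 (handshake), version 0x03 0x0X,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "TLS"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT",
                                     b"CONNECT", b"OPTIONS"):
        return "HTTP"
    # NTP v3/v4 client packet: 48 bytes, first byte carries LI/VN/Mode with
    # mode 3 (client) in the low three bits and version in the next three.
    if (len(payload) == 48 and (payload[0] & 0x07) == 3
            and ((payload[0] >> 3) & 0x07) in (3, 4)):
        return "NTP"
    # DNS query over UDP: 12-byte header, QR bit clear, opcode 0, QDCOUNT > 0.
    if (len(payload) >= 12 and (payload[2] & 0x80) == 0
            and (payload[2] & 0x78) == 0 and payload[4:6] != b"\x00\x00"):
        return "DNS"
    return "UNKNOWN"


def find_mismatches(flows):
    """Return (flow, seen_protocol) for flows whose payload contradicts the port."""
    alerts = []
    for flow in flows:
        expected = EXPECTED_ON_PORT.get(flow.dst_port)
        if expected is None:
            continue  # port not covered by the policy table
        seen = fingerprint(flow.first_bytes)
        if seen not in (expected, "UNKNOWN"):
            alerts.append((flow, seen))
    return alerts


# Constructed sample flows: a normal DNS query, an SSH banner to the DNS port,
# a TLS ClientHello to the NTP port, a normal NTP client request, ordinary
# HTTPS to 443 (not in the policy table), and plain HTTP to the DNS port.
SAMPLE_FLOWS = [
    Flow("10.0.0.15", "10.0.0.2", 53,
         b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         b"\x07example\x03com\x00\x00\x01\x00\x01"),
    Flow("10.0.0.22", "203.0.113.9", 53, b"SSH-2.0-OpenSSH_7.4\r\n"),
    Flow("10.0.0.31", "203.0.113.10", 123,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow("10.0.0.31", "10.0.0.3", 123, b"\xe3\x00\x06\xec" + b"\x00" * 44),
    Flow("10.0.0.40", "203.0.113.11", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow("10.0.0.40", "203.0.113.12", 53, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

if __name__ == "__main__":
    for flow, seen in find_mismatches(SAMPLE_FLOWS):
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dst_port} "
              f"carries {seen}, expected {EXPECTED_ON_PORT[flow.dst_port]}")
```

Unknown payloads are deliberately not alerted on; the check only fires when the bytes positively identify a protocol the port should never carry, which keeps the alert feed quiet enough to act on.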
Risk Reduction
Difficult but essential:
- Identify, mitigate or eliminate reachable and exploitable vulnerabilities
- Use a layered security model to scrutinize data headed to customers
- Layers are physical, technical and psychological

Awareness Campaign
Essential User Awareness Campaign:
- Offer carefully crafted information and training
- Extremely difficult to balance: customer burnout from too many warnings
- IT concern for customers who refuse to learn what can get them hacked, or who ignore or discard advisories – they can become an unwitting platform for internal attack against the enterprise
- Information needs to clearly indicate why concern is warranted and the steps taken by IT to minimize the threat

Email / Web Security Layer
• Inspection and screening of all email and web access is critical in defending networks against attack – most email now includes embedded HTML content that can contain attack code or lead to sites crafted to target specific sectors (think: industrial espionage, hacktivists, Anonymous)
• It's generally best to screen with technology different from your targeted system to lessen the chance something bad slips through. Example: Linux content inspection in front of Windows systems – avoid mono-culture solutions across the enterprise to minimize attack surfaces; diversity is no accident
• Taking reasonable steps to protect your customers is prudent

Web Security
Hostile websites can be from anywhere.
NOT running vulnerable software is a critical concern.
Countermeasures can include:
- Monitoring network traffic to trap and alert for customers using vulnerable software or browser plug-ins
- Upstream web-filtering proxy
Browser security plug-ins:
- NoScript
- FlashBlock
- AdBlock
- McAfee Site Advisor and others
Why run unsolicited / untrusted content?
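The Web Security slide suggests monitoring traffic to alert on customers running vulnerable software or browser plug-ins, and pairs it with an upstream web-filtering proxy. The proxy's access log is the natural place to do both at once, because the User-Agent header names the browser (and, for Java's own HTTP client, the JRE) behind each request. The following is an added example, not code from the original deck: it parses Squid-style access log lines with the User-Agent appended, compares the versions it finds against a minimum-version baseline, and reports which clients are below it. The log lines, the baseline table and the log format are constructed for the example; a real baseline would come from your own patch policy.

```python
"""Spot clients running out-of-date software from web-proxy User-Agent strings.

Added example, not from the original slide deck. The access log lines and the
minimum-version baseline below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed baseline: the lowest version of each product that the
# (hypothetical) patch policy accepts on the customer network.
MINIMUM_VERSIONS = {
    "Java": "1.8.0_25",
    "Firefox": "30.0",
    "MSIE": "10.0",
}

# Product token -> regex capturing its version inside a User-Agent string.
UA_PATTERNS = {
    "Java": re.compile(r"\bJava/([\d._]+)"),
    "Firefox": re.compile(r"\bFirefox/([\d.]+)"),
    "MSIE": re.compile(r"\bMSIE ([\d.]+)"),
}

# Squid native log fields (time, elapsed, client, code/status, bytes, method,
# URL, rfc931, peerstatus/peerhost, type) with the User-Agent appended in quotes.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)'
    r'\s+\S+\s+\S+\s+\S+\s+"(?P<ua>[^"]*)"$'
)


def version_key(version: str):
    """Turn '1.7.0_45' or '24.0' into a tuple that compares numerically,
    so that 8.0 sorts below 10.0 (string comparison would get this wrong)."""
    return tuple(int(part) for part in re.split(r"[._]", version) if part)


def outdated_products(user_agent: str):
    """Return [(product, seen_version)] for every product below the baseline."""
    found = []
    for product, pattern in UA_PATTERNS.items():
        match = pattern.search(user_agent)
        if match and version_key(match.group(1)) < version_key(MINIMUM_VERSIONS[product]):
            found.append((product, match.group(1)))
    return found


def scan_log(lines):
    """Map client address -> set of (product, version) pairs below the baseline."""
    report = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not in the expected format; skip rather than crash
        for product, version in outdated_products(m.group("ua")):
            report[m.group("client")].add((product, version))
    return dict(report)


# Constructed log lines (addresses from documentation ranges). 10.0.0.15 shows
# an old JRE fetching an applet and later an updated one; 10.0.0.31 is current.
SAMPLE_LOG = [
    '1413829203.415   1234 10.0.0.15 TCP_MISS/200 5120 GET http://example.org/applet.jar - HIER_DIRECT/198.51.100.7 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_45"',
    '1413829204.118    310 10.0.0.22 TCP_MISS/200 8842 GET http://example.org/ - HIER_DIRECT/198.51.100.7 text/html "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '1413829205.002    287 10.0.0.31 TCP_MISS/200 8842 GET http://example.org/ - HIER_DIRECT/198.51.100.7 text/html "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"',
    '1413829206.731    402 10.0.0.40 TCP_MISS/200 8842 GET http://example.org/ - HIER_DIRECT/198.51.100.7 text/html "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '1413829990.550   1201 10.0.0.15 TCP_MISS/200 5120 GET http://example.org/applet.jar - HIER_DIRECT/198.51.100.7 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.8.0_40"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for client, findings in sorted(scan_log(SAMPLE_LOG).items()):
        for product, version in sorted(findings):
            print(f"{client}: {product} {version} below baseline {MINIMUM_VERSIONS[product]}")
```

A report like this is only as good as the baseline it compares against, so the table is kept separate from the parsing code and should be revised whenever the patch policy changes. User-Agent strings can be altered by the client, so treat a clean report as the absence of evidence rather than proof that a host is current.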
General Security Issues
If your policy authorizes, you can consider:
- At the border firewall, strip content originating from unrelated third parties: why should your browser run content from the Czech Republic when you're viewing Facebook content with no relationship to that nation? A very effective way to block attacks from hacked websites containing IFrame, Flash and Java exploits. Either strip content at the proxy level or at the border firewall.
- Use application white-listing solutions to prevent execution of any unsigned programs or scripts
- Use Global Policy Objects to deny execution of code from temporary directories on Windows servers and workstations
- If you operate a public venue such as a library or community center, use physical separation to prevent any possibility of exposure to critical systems. If the public network has an air-gap and cannot touch critical networks, you prevent any risk of exposure.

A More Secure Environment
Is a combination of:
• Hardened hosts, minimized attack surfaces
• Intrusion detection at each layer
• Developing careful habits
• Skilled, watchful IT staff
• Continuous awareness
• Know your baseline! Is unsolicited email about your Italian Lottery winnings from Bulgaria really okay?

Firewall Successes
• At the border, drop all traffic from: former Warsaw Pact nations, Iran, the Stans (Uzbekistan, Pakistan, Kazakhstan, etc.), Iraq, China, South America, the Koreas
• Screen content from network ranges used by ISPs for residential users that normally would have no legitimate need to run servers or associated services
• Shun and log all unsolicited or inappropriate connection attempts, especially if uncharacteristic:
Q: Who uses SSH or HTTPS on DNS or NTP ports?
A: Malware command and control

Tactics to Consider
Use the same assessment and profiling tools used by hackers to find and remove weak points before they're exploited.
Problems to look for can include: unpatched, obsolete, default, noncompliant, unfiltered, unrestricted, misconfigured, unaudited.

Threatscape
Attack tools are now more widespread and easier to use:
- No special skills or knowledge required
- Makes simple attacks trivial for unskilled attackers
- Both free and paid training now available to hacker wannabes

SysAdmin Training and Awareness
• Sans.edu
• Cert.org
• InfoSecIsland.com
• Cisco
• IBM
• Microsoft

Links to SysAdmin Tools
• www.tenable.com
• www.beyondtrust.com
• www.snort.org
• www.bro.org
• www.wireshark.org
• sguil.sourceforge.net
• securityonion.net
• bit9.com

Questions?
Thanks for taking the time to learn more about IT security issues.
Phillip Barker
IT Systems Administrator, City of Lincoln City
pbarker@lincolncity.org