Welcome to [Session Title]

advertisement
Edmodo code:
1181799
http://es-es.net/3.html
Got a Network / Security Check List?
I Do (You can too! Lots of Resources and Best Practices )
MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+
erstaats@es-es.net http://es-es.net
I AM NOT A LAWYER!
For legal advice contact legal
counsel on your campus or
your General Counsel’s Office.
The information presented
here is accurate to the best of
my knowledge!
Cloud Vendor Security
• On-premises Security Systems /Controls?
– Outside Testing of Security systems
– Backup verification / test in production
• Authentication and Authorization
–
–
–
–
–
Password strength (Length matters more than complexity)
IP range blacklists/whitelists (IP Spoofing)
Login hours /Timeouts
Account Lockouts
Access Control
• By Vendor
• By you
• Encrypt ALL Communications between remote and corporate
infrastructures
http://www.csoonline.com/article/print/658279
http://www.redbooks.ibm.com/redpapers/pdfs/redp4614.pdf
Cloud Vendor Security 2
• Encryption Internal/External
–
–
–
HTTPS
SSL/TLS for ODBC
SSN and Passwords PII stored in a hashed format
• Data Leak/Loss Prevention (DLP) @ your site
• Information Leak/Loss Prevention (ILP)– @ Cloud vendors site
• Both (DLP/ILP) Should be a part of your SLA with specific controls in place
• Audit trails who did what when
• Denial-of-service (DOS) protection
• Never send unencrypted PII or confidential information by email
• Render PII Information unreadable whenever stored
http://www.csoonline.com/article/print/658279
http://www.redbooks.ibm.com/redpapers/pdfs/redp4614.pdf
Cloud Vendor Password
• Should block known bad
passwords
–
http://techcrunch.com/2009/12/27/twitterbanned-passwords/
–
http://www.businessinsider.com/twitte
rs-list-of-370-banned-passwords-200912
• Top ten bad passwords and
abc123 & 123456 is in the top
ten!
–
http://www.youtube.com/watch?v=_7RP6UiNSWA
• Passwords should be at least
10 Characters long
http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/
Best Practices with SSN’s
• Assign Another Primary Identifier
• Comply with State Regulations
– (More Info es-es.net & edmodo)
•
•
•
•
•
Inform Students
Remove Social Security Numbers
Updating the Computer System
Hash / Encrypt SSNs
Make sure all transmission of SSN’s is Secure (Use SSL or
other form of encryption)
• Some states classify academic records as Private and the PII
laws protect that information
http://www.ssa.gov/kc/id_practices_best.htm
10 Common Security Flaws
1.
2.
3.
4.
5.
6.
7.
8.
Set it and forget it
Opening more firewall ports than necessary
Pulling double duty
Ignoring networks workstations
Failing to use SSL encryption where it counts
Using self-signed certificates
Excessive security logging
Randomly grouping virtual servers (Don’t put FW and
Production on same physical hosts)
9. Placing member servers in the DMZ
10. Depending on users to install updates
Where we are Today
Network Security Shift
• SaaS: Security as-a Service instead
of appliances or Layer 7 Filtering
• The changing face of NAC’s, URL
filtering, gateway appliances,
Daily Security Checklist
•
•
•
•
Verify the current connections
Look at network traffic statistics
Look at your antivirus logs
Read the security logs on your domain
servers
• Check for new security patches
• Meet and brief
• Check more logs – Backup FW(outgoing)
– I would set them to automatically go to your
phone (Think Spiceworks free Helpdesk
software)
• Turn knowledge into action
Security Breach Now What
• Carefully plan a layered defense (Before)
•
•
•
•
•
•
•
Consider hiring a computer forensic specialists
Assess the damages done and remove services
Alert your legal department (what legal requirements)
Document what you do
Begin locking down your system
Get bank involved if Credit Card info compromised
Contact any families, employers, and suppliers affected by
the breach
• Have a set of recovery plans in case a breach occurs again
Keeping Data Thieves Out: Best practices in Data Security &
http://www.itworld.com/print/134572
Staff Security Forms
• 10 Things You Should Know about FERPA
• Confidentiality: What Is Our Responsibility Power
Point
– GCA Privacy Training for Staff and Student workers quiz
•
•
•
•
•
•
Confidentiality Pledge for Contractors
Cyber Bullying Policy
Fax Cover Sheet for Medical info
Colorado Department of Education FERPA Checklist
Cloud Security Guidance by IBM
VCloud Security for VMware
Internal Audit Checklists
• Internal Audit Review update ( A high level overview designed
to help administration understand what should be done)
• Self Audit General Controls Rev Jan 2011 (The backup for
documentation for the Internal Audit Review)
• MS Security Compliance Management Toolkit
• HRP-330 - WORKSHEET - FERPA Compliance
– http://www.huronconsultinggroup.com/SOP
• HRP-331 - WORKSHEET - HIPAA Authorization
– http://www.huronconsultinggroup.com/SOP
• Auditor’s Data Systems Checklist
Computer Help Desk Lists
•
•
•
•
10 Things HP (Best Printer Trouble shooting Checklist)
Computer and MAINT SECUIRTY CHECKLISTS
Computer Account Access Form (Tech Republic)
Server Deployment Migration Checklist (Tech
Republic)
•
•
•
•
•
Tune-Up Checklist (Tech Republic)
Malware Removal Checklist (Tech Republic)
NATO Codes
Laptop Checkout Form
Imaging Check Sheet
Server Maint. Daily
Daily Checklist
• Check the following things each day:
• Server health status of all the servers
• Backup results - normal
• E-mail queue and throughput • Virus scan results
• Time synchronization on the servers (Very Important on
VMs)
Server Maint. Weekly
Weekly maintenance checklist we include the following
routines:
–
–
–
–
–
–
check event logs;
check server performance;
check security logs for possible attacks;
check antivirus alerts;
install software updates;
install system/kernel updates (reboot scheduled with
Customer).
– Backup up “Important” data over SSL encrypted session
stored on a remote location server
– Security issues - for example, use the weekly reports from
secunia
Server Maint. Monthly
• Monthly maintenance checklist we include the following
routines:
–
–
–
–
–
–
check hdd fragmentation and health;
check RAID health;
verify RPM database integrity;
perform full security audit
Full Backup of ALL VM’s and take them offsite
Delete all old VM Snapshots
Switches/Routers Weekly
• Weekly maintenance checklist we include the following
routines:
• check event logs;
• check device performance;
• check security logs for possible attacks;
• check links throughput;
• interface errors (collisions, input errors, etc.);
• install security updates;
• install system/kernel updates (reboot scheduled with the
customer).
Switches/Routers Monthly
• Monthly maintenance checklist we include the
following routines:
– perform configuration backup;
– perform configuration consistency audit;
– perform full security audit.
Network Checklists
• Checklist Deploying a Windows Server 2008
Forest Root Domain
• Employee Separation Checklist (Tech Republic)
• Network Documentation Checklist a good
baseline or starting point (Tech Republic)
• Maintenance Checklist ( A more comprehensive
checklist)
• Secure Mac OS X and beyond Server and workstation
• Apple iOS hardening Checklist
Network Checklists II
• Network Maint Checklist ( a brief checklist by a
typical vendor)
• New User Form Checklist (Tech Republic ?)
• Windows Security Survival Guide 2008 (Tons of
links and resources from Microsoft)
• Server Change Control Form
• Cloud Security Guidance by IBM
Know Your System
• What is the hardware?
• What software is installed?
– What versions?
–
What is the licensing?
• What services are running and why? * Each service
takes up system resources.
– What services are exposed to the Internet and why?
•
•
•
•
•
Document systems, as well as any maintenance tasks.
What antivirus is installed, is it up to date
Perform updates of software
Apply patches to servers
Check system resources (CPU, Memory)
Know Your System II
•
What firewalls?
– What version of firmware?
–
–
How are they configured?
What are they allowing into the network and why?
• What switches?
• What Printers
– What Firmware
– Web interface disabled
• SNMP? V3
• Kill all Telnet options (Phones can sniff and connect to Telnet)
•
Understand and Document Physical to Virtual – Understand both
Trouble Shooting VPNs
•
•
•
•
•
•
•
•
•
•
Find out who is affected
Determine whether users can establish a VPN connection
Look for policies that may be preventing connectivity
Don’t rule out the client
Check to see if the user can log in locally
Check to see if the users are behind NAT firewalls
Check for Network Access Protection
Try accessing various resources on the network
Try accessing resources by IP name rather than server name
Is the connection not working, or just painfully slow?
Fix These Security Leaks
TODAY!
•
•
•
•
•
•
•
Unauthorized smart phones on your WIFI network
Open ports on a network printers
Custom web applications with bad code
Social network spoofing
Employees downloading illegal movies and music
SMS spoofs and malware infections
Disable Telnet SNMP v1
http://www.computerworld.com/s/article/353317/Six_Leaks_to_Plug_Righ
t_Now?source=CTWNLE_nlt_thisweek_2011-01-24
Top Web Hacks of 2010
• The ASP. Net cookie has been changed, leaving a
vulnerability
• Evercookie - can enable a Java script to hide 8 different
cookies in your browser
• Hacking Auto complete - A script that forces auto complete to
hand over personal information stored on your computer
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with Click Jacking and HTTP
Parameter Pollution
• Universal XSS in IE8
http://www.itworld.com/print/134554
Web Hacks cont.
• HTTP POST DoS -- HTTP POST
• JavaSnoop - A Java agent that communicates with the Java
Snoop tool to test applications for security weaknesses
• CSS History Hack in Firefox without JavaScript for Intranet
Port Scanning
• Java Applet DNS Rebinding
http://www.itworld.com/print/134554
Help Desk Systems
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Know your budget
Prioritize the features you need
Check email compatibility
Think Database
Don’t forget security
Personalize your email templates
Consider the need for a Web interface
Evaluate ticket management features
Be sure you’re branded
Make it easy
Spiceworks (FREE) Network Inventory, Help Desk, Mapping,
Reporting, Monitoring and Troubleshooting and more
http://www.spiceworks.com/product/
Top 12 VMware Tweaks
•
•
•
•
•
•
•
•
Use Veeam FastSCP
Use Unsupported console for SSH/SCP access
Use VMware Tools
Defrag Your Virtual Disks
Disable Windows Visual Effects
Run VMware in Full Screen Mode (Ctrl-Alt-Enter)
Disable the CDROM in VMware
Separate Out Virtual Swap Files Onto Separate
Virtual Disks
• Split Virtual Disks Among Multiple Hard Disks (Count
Spindles) Unless SSD Delete up old snapshots
• Upgrade Your Hard Disk
• Upgrade Your CPU
• Upgrade Your RAM
Debunk Internet Hoaxes
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Snopes -- http://www.snopes.com/
About Urban Legends -- http://urbanlegends.about.com/
Break The Chain -- http://www.breakthechain.org/
Truth Or Fiction -- http://truthorfiction.com/
Sophos -- http://www.sophos.com/security/hoaxes/
Hoax-Slayer -- http://www.hoax-slayer.com/
Vmyths -- http://vmyths.com/
Symantec -- http://us.norton.com/security_response/index.jsp
Hoax Busters -- http://www.hoaxbusters.org/
Virus Busters -- http://virusbusters.itcs.umich.edu/
Using remote access to hack
• BackTrack4 – Owning Vista with Backtrack http://www.offensivesecurity.com/backtrack-tutorials.php
– How to put BT4 on a USB
– http://www.offensive-security.com/backtrack-tutorials.php
• Mobile devices
– Iphone I-Touch http://www.leebaird.com/Me/iPhone.html
– Droid PS2 others
• Metasploit
Troubleshooting Slow PC’s
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Processor overheating
Bad RAM
Hard disk issues
Disk type and interface
BIOS settings
Windows services
Runaway processes
Disk fragmentation
Background applications
File system issues and display options
Avoid Viruses & Spyware
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Train Your Users STAFF & Students
Install quality antivirus (not always $$)
Install real-time anti-spyware protection
Keep anti-malware applications current
Perform daily scans
Disable auto run
Disable image previews in Outlook
Don’t click on email links or attachments
Surf smart
Use a hardware-based Firewall and Software on local system
Deploy DNS protection
Windows 7 Shortcuts
1.
WinKey + Home
•
2.
Preview Desktop (makes all
open windows transparent)
7.
Maximizes or
minimizes/restores the
current window
•
8.
Tiles the window on the left
or right of the screen
WinKey + P
•
Chooses a Network Projector
presentation display mode
Cycles through the items on
the Taskbar
WinKey + 1 to 0
•
9.
Accesses the Jump List of
programs on the taskbar that
correspond to the number
WinKey + T
WinKey + Left or Right Arrow
•
5.
WinKey + Alt + 1 to 0
•
WinKey + Up or Down Arrow
•
4.
6.
WinKey + Space
•
3.
Minimizes all but the current
window
Launches or accesses a
program on the Taskbar
WinKey + Shift + 1 to 0
•
Launches new instance of a
program on the taskbar
10. WinKey + Ctrl + 1 to 0
•
Accesses the last active instance
of a program pinned on the
Taskbar
Help PC’s Run Better
• Auto runs shows every program that runs at system boot
– http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
• Ccleaner - registry cleaner (use portable version)
– http://www.piriform.com/ccleaner/builds
• Recuva (save your behind or someone else's)
– http://www.piriform.com/recuva/builds
• PC Decrapifier
(Lists all third party software makes a restore point)
– http://www.pcdecrapifier.com/features
• WinPatrol
(Large database of apps lists)
– http://www.winpatrol.com/download.html
Useful utilities
• Auslogics Registry Cleaner http://www.auslogics.com/en/software/registrycleaner/download/
• PuTTY: Telnet and SSH for Windows and
• FileZilla: Open source FTP client and server.
• VMware: Virtualization technology products.
– Veamm Fast SCP
•
•
•
•
Paint.NET: Image and photo editing software.
ColorPic: "Superb" pop-up color picker control
FireBug: Web debugging
KeePass: Password manager
Easy Website Testing
• Netsparker delivers detection, confirmation and
exploitation of vulnerabilities
• Exploitation of SQL Injection Vulnerabilities
• Getting a reverse shell from SQL Injection vulnerabilities
• Exploitation of LFI (Local File Inclusion) Vulnerabilities
• Downloading the source code of all the crawled pages via
LFI (Local File Inclusion)
• Downloading known OS files via LFI (Local File Inclusion)
Live CDs and VMs
• Backtrack (Security OS of Choice)
http://www.remoteexploit.org/backtrack_download.html
• Samurai WTF (web pen-testing )
http://samurai.inguardians.com/
• DEFT Linux (Computer Forensics)
http://www.deftlinux.net/
Staying up to date on trends
and exploits
• Milw0rm
http://www.milw0rm.com/
• SANS Internet Storm Center
http://isc.sans.org/
• PacketStorm
http://www.packetstormsecurity.org/
• BugTraq
http://www.securityfocus.com/archive/1
• RootSecure
http://www.rootsecure.net/
Security Checklists,
Certifications and Requirements
•
•
•
•
•
National Security Checklists
Sarbanes Oxley (SOX) compliance (see 103, 302, 404)
PCI Security Standards Council
Common Criteria for Information Technology Security Evaluation
Common Methodology for Information Technology Security
Evaluation
• Cardholder Information Security Program
Operating System Hardening
•
•
•
•
•
•
Red Hat Linux Security Guide
Debian Linux Security
Securing SuSe Linux
Gentoo Linux security handbook
SANS Linux Security Checklist
Windows Server 2003 Security Guide
Known vulnerabilities ongoing
updates
• http://www.cert.org/
• http://www.securityfocus.com/bid
• http://www.sans.org/newsletters/newsbites/
Password Security
• Don’t tell anyone your password.
• Don’t write your password down
anywhere.
• Make sure your password cannot be
easily guessed.
• If you think there is even a slight chance
someone knows your password, change
it.
• Don’t let someone see what you are
entering as your password.
Passwords: Length Matters
•
The secret: If you password is long enough, it doesn’t need to be
complex. Long passwords defeat common password crackers
•
How long should your passwords be?
– Passwords should be a minimum of 10- 15 characters to be considered
non-trivial.
•
A password of 15 characters or longer is considered secure for most
general-purpose business applications. i.e. a “pass phrase”
• Disable the storage of weak cached LM password hashes in
Windows, they are simple to break
Fun example: Denver1broncosrulethenhl
Don’t Use a Weak One:
• With fewer than eight characters.
• That could be found in a dictionary.
• That uses public information about you or
your family or friends (Soc Sec #; birth
date; credit card number; telephone
number, etc.).
• That you have used before.
• That is a variation of your user ID.
• That is something significant about you.
Use a Strong Password:
• That is at least 12 characters long.
• That contains uppercase and lowercase letters.
• That contains at least one number or special
character.
• That is not a dictionary word in any language,
slang, or jargon.
• That cannot be easily guessed and is easy to
remember.
Remember to change your password every 180 days.
Weak Passwords (examples):
•
•
•
•
•
•
•
abc123 dog diego querty hart heat heart mary
1dennis2 hartelephone lintelco hartwell
eednyw ydnew kayak palindrome
september superman mickeymouse r2d2
aaaabbbccd 12345678 a1b2c3d4 zxcvbnm
bonvoyage mercibeaucoup volkswagen
mircrosoft colorprinter
nowisthetimeforallgoodmen
http://www.businessinsider.com/twitters-list-of-370banned-passwords-2009-12
Mnemonics Made Easy
• Take a phrase that is easy for you to remember
and convert it into characters.
• It could be the first line of a poem or a song
lyric.
• “Water, water everywhere and not a drop to
drink” (Rhyme of the Ancient Mariner) converts
to Wwe&nadtdGL
• “We Three Kings from Orient Are “date "Birth
Year” converts to w3KfOr3691BY.
(3691 is the year 1963 spelled backward to
extend beyond six characters.)
Evaluations
Step 1: Go to http://edmodo.com/fetcevals
Step 2: Select session number, session title, and
evaluate.
Download