Incident Response & Computer Forensics

Orange Team

System Admin Duties
Employee Documents and Security Controls
Security Threats
Threat Mitigation
Incident Response

Perform backup and restore data
Add and remove users
Add and remove hardware and software
Configure and maintain hardware and software
General user support
Maintain documentation and licenses
Negotiate with vendors
System planning
Security management

Monitor system resource usage and performance
Detect and correct problems
Optimize performance
Manage resources
Automate tasks
Determine and enforce usage policy
Educate users
Corporate priority liaison

… and it’s better to do them securely!
“Bake in” security
Can’t anticipate all problems
Can limit the problems you have


Encrypt backups
Secure storage
o Physical access control
o Environmental protections

Controlled restorations
o No network connections
o Clean destination (no malware)
o Verified assistance

Old accounts can be used as backdoor
Completely remove old access rights
Add users while adhering to…
o Need-to-know
o Minimum privilege
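One way to check that a removed account's access really is gone, as an added example that is not part of the slides or the book: the audit function and the sample file tree are hypothetical, and the tree is constructed so the script runs offline against a copy rather than a live host.

```shell
#!/bin/sh
# Offboarding audit (hypothetical helper, not from the slides or the book).
# Deleting a user from passwd is not enough: group membership, sudoers
# rules, SSH keys parked in other accounts and cron jobs all survive it.
# ROOT points at a copy of the system's files; here it is a constructed tree.
audit_user_access() {
    user="$1"; root="$2"; found=0
    # 1. Account still present?
    if grep -q "^$user:" "$root/etc/passwd" 2>/dev/null; then
        echo "passwd: account $user still exists"; found=1
    fi
    # 2. Supplementary group membership grants access by itself
    for g in $(awk -F: -v u="$user" '{ n = split($4, m, ",");
            for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$root/etc/group"); do
        echo "group: $user is still a member of $g"; found=1
    done
    # 3. sudoers rule naming the user
    if grep -qE "^[[:space:]]*$user[[:space:]]" "$root/etc/sudoers" 2>/dev/null; then
        echo "sudoers: $user still has a sudo rule"; found=1
    fi
    # 4. The user's key left in another account (the classic backdoor)
    for f in "$root"/home/*/.ssh/authorized_keys "$root"/root/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        if grep -q "[[:space:]]$user@" "$f"; then
            echo "ssh: key for $user in ${f#$root}"; found=1
        fi
    done
    # 5. Scheduled jobs still running as the user
    if [ -f "$root/var/spool/cron/crontabs/$user" ]; then
        echo "cron: crontab for $user still scheduled"; found=1
    fi
    return $found   # 0 = clean, 1 = residual access found
}

# Constructed sample: 'jdoe' was deleted from passwd but nowhere else.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/deploy/.ssh" "$d/var/spool/cron/crontabs"
    printf 'root:x:0:0:root:/root:/bin/sh\ndeploy:x:1001:1001::/home/deploy:/bin/sh\n' > "$d/etc/passwd"
    printf 'wheel:x:10:root,jdoe\ndeploy:x:1001:\n' > "$d/etc/group"
    printf 'root ALL=(ALL) ALL\njdoe ALL=(ALL) NOPASSWD: ALL\n' > "$d/etc/sudoers"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEY jdoe@laptop\n' \
        > "$d/home/deploy/.ssh/authorized_keys"
    printf '0 3 * * * /home/deploy/sync.sh\n' > "$d/var/spool/cron/crontabs/jdoe"
    echo "$d"
}
```

Run it as `audit_user_access jdoe "$(make_sample)"`; on a real host pass `/` (or the mount point of a copied filesystem) as the root.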


Inform users of potential outages
Secure install
o Configure first
o Attach to network as late as possible

Secure removal
o Install replacements first
o Avoid loss of functionality
o Dispose securely (prevent data retrieval)

Keep copies of configurations
Configure new elements before attaching to network
Use standard maintenance routines
o Document
o Update

Verified assistance


Beware of social engineering
Callers provide credentials
o Educate users to safeguard credentials
o Do not prompt for credentials

Safeguard credentials
o Do not reveal unnecessarily
o Protect methods for credential creation

Document procedures
o New SA education
o Consistency
o Audit Assurance

Do not use illegitimate software
o Cheaper
o Unethical
o Illegal
o Insecure

Licensed products can get expensive
Minimize the cost of secure behavior
Vendor relationships are important
o Inform them of security concerns
o Request new products/solutions
o Receive updated hardware/firmware/software
o Continued business is valued and will be rewarded

Scaling
o Security problems and solutions scale differently
o New node = new possible failure
o New AV != more secure

Assessing new technology
o Anticipate problems
o “Shinier” does not mean “safer”

Anticipating and avoiding problems
o Malware/attack trends
o Follow day-to-day guidelines strictly

“An ounce of prevention is worth a pound of cure.”
Prioritize security
Ideal management solution
o Simple
o Reproducible
o Covers security needs

Your job, not the users’


Do not invade privacy
Use data to…
o Identify future purchases
o Notice potential threats
• Excessive or unusual usage
• Antivirus logs
o Ensure expectations are met (SLA)
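The “antivirus logs” and “excessive or unusual usage” bullets above, as an added example that is not part of the slides: a few shell functions over a constructed log in a hypothetical date/time/host/user/action/threat format, turning raw detections into the signals worth acting on.

```shell
#!/bin/sh
# Added example: reading antivirus logs for threats, not just for counts.
# The log format is constructed and hypothetical (date time host user action threat).
# Repeated detections of one threat on one host mean the cleanup is not
# holding (reinfection or persistence the scanner misses); a failed clean
# is an incident, not a log line; one user far above the average is the
# "excessive or unusual usage" case from the slide.
AV_LOG='2024-05-01 09:12:04 ws-104 alice cleaned Trojan.Generic
2024-05-01 09:40:11 ws-104 alice cleaned Trojan.Generic
2024-05-01 10:05:37 ws-221 bob cleaned Adware.Toolbar
2024-05-02 08:01:55 ws-104 alice clean_failed Trojan.Generic
2024-05-02 11:30:00 ws-310 carol cleaned Exploit.PDF
2024-05-02 14:22:19 ws-221 bob cleaned Adware.Toolbar'

# stdin: log lines. Prints "host threat count" for each host/threat pair
# seen at least $1 times (default 2), sorted by host.
repeat_detections() {
    min="${1:-2}"
    awk -v min="$min" 'NF >= 6 { c[$3 " " $6]++ }
        END { for (k in c) if (c[k] >= min) print k, c[k] }' | sort
}

# stdin: log lines. Prints "host threat" for every failed clean.
failed_cleans() {
    awk 'NF >= 6 && $5 == "clean_failed" { print $3, $6 }' | sort -u
}

# stdin: log lines. Prints "user count" for users whose detection count
# exceeds $1 times the per-user average (default 2).
unusual_users() {
    factor="${1:-2}"
    awk -v f="$factor" 'NF >= 6 { c[$4]++; total++ }
        END { n = 0; for (u in c) n++; if (n == 0) exit; avg = total / n
              for (u in c) if (c[u] > f * avg) print u, c[u] }' | sort
}
```

Feed a real export with `repeat_detections 2 < av-export.log`; the thresholds are the knobs to tune per site.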


Use system monitoring devices
Preemptive corrections
o Patching
o Updating
o Upgrading

Reactive corrections
o See incident response


Users get frustrated with poor system performance
Users will optimize for themselves
o Non-compliance
o Installing adware/freeware
o Working around slow or ineffective processes

Don’t optimize by removing/compromising security


Know what you have and use
Bad situations
o Unaccounted-for router on network
o Unconfigured workstation
o Ordering unneeded license keys


Wasting resources leads to budget cuts and layoffs
Misplacing resources leads to vulnerabilities

Script day-to-day tasks
Focus extra time on harder tasks
Don’t introduce security holes
o Unauthorized use of privileged scripts/programs
o Scripts disabling security features
o Testing/Debugging/Configuration programs used on ‘live’ network


Correct usage is essential
Meaningless without enforcement


A smart user is a safe user
Eliminate “low hanging fruit”
o Social engineering
o Bad links
o Phishing emails
o Removable media

Competing goals
o Management’s budget
o Your security
o Customer’s service needs
o Employee convenience

Security needs to win
o Sell to management
o Educate users

Acceptable Use Policy (AUP)
Service Level Agreement (SLA)
Non-Disclosure Agreement (NDA)
Employee Contract
Your responsibility to enact if there are no documents.

Need-to-know
Security awareness training
Separation of duties
Job rotation
Vacations
Auditing/reviews

External
o Hacking
o E-mail attacks

Internal
o Malware
o Ignorance
o Insider

Exploitation of web services
Poorly configured gateways
Use of backdoors
o Social engineering
o Previous intrusion
o Internal collaborator

Phishing
Spam
Trojans
Viruses

Many sources
o Hacking
o Insider
o Ignorance


Spreads quickly
Uses up resources

Clicking bad links
Poor e-mail discretion
Downloading malware
USB attacks

Usually hardest to detect
o They know the system
o Sometimes privileged user


Disgruntled employee
Abuse of trust

Preparation
o Security practices
o Education

Incident Response Plan
o If none, create one

Form a Computer Security Incident Response Team
o Individuals capable of correct response
o Include members of management


Identify
Initial Response
o Record basic details
o Assemble CSIRT
o Notify important individuals


Formulate strategy
Investigate
o Thorough data collection
o Determine what/who/how


Report
Resolve

A smart user is a safe user
Policy enforcement is the first step to a secure system
Put security first in everything you do
Mandia, Kevin, Chris Prosise, and Matt Pepe. Incident Response & Computer Forensics. Second ed. N.p.: Brandon A. Nordin, n.d. 11-32. Print.