Orange Team

Agenda
- System Admin Duties
- Employee Documents and Security Controls
- Security Threats
- Threat Mitigation
- Incident Response

System Admin Duties
- Perform backup and restore data
- Add and remove users
- Add and remove hardware and software
- Configure and maintain hardware and software
- General user support
- Maintain documentation and licenses
- Negotiate with vendors
- System planning
- Security management
- Monitor system resource usage and performance
- Detect and correct problems
- Optimize performance
- Manage resources
- Automate tasks
- Determine and enforce usage policy
- Educate users
- Corporate priority liaison
… and it's better to do them securely!

"Bake in" security
- Can't anticipate all problems
- Can limit the problems you have

Perform backup and restore data
- Encrypt backups
- Secure storage
  o Physical access control
  o Environmental protections
- Controlled restorations
  o No network connections
  o Clean destination (no malware)
  o Verified assistance

Add and remove users
- Old accounts can be used as a backdoor
- Completely remove old access rights
- Add users while adhering to…
  o Need-to-know
  o Minimum privilege

Add and remove hardware and software
- Inform users of potential outages
- Secure install
  o Configure first
  o Attach to network as late as possible
- Secure removal
  o Install replacements first
  o Avoid loss of functionality
  o Dispose securely (data retrieval)

Configure and maintain hardware and software
- Keep copies of configurations
- Configure new elements before attaching to network
- Use standard maintenance routines
  o Document
  o Update
- Verified assistance

General user support
- Beware of social engineering
- Callers provide credentials
  o Educate users to safeguard credentials
  o Do not prompt
- Safeguard credentials
  o Do not reveal unnecessarily
  o Protect methods for credential creation

Maintain documentation and licenses
- Document procedures
  o New SA education
  o Consistency
  o Audit assurance
- Do not use illegitimate software
  o Cheaper
  o Unethical
  o Illegal
  o Insecure
- Licensed products can get expensive
- Minimize the cost of secure behavior

Negotiate with vendors
- Vendor relationships are important
  o Inform them of security concerns
  o Request new products/solutions
  o Receive updated hard/firm/software
  o Continued business is valued and will be rewarded

System planning
- Scaling
  o Security problems and solutions scale differently
  o New node = new possible failure
  o New AV != more secure
- Assessing new technology
  o Anticipate problems
  o "Shinier" does not mean "safer"
- Anticipating and avoiding problems
  o Malware/attack trends
  o Follow day-to-day guidelines strictly

Security management
- "An ounce of prevention is worth a pound of cure."
- Prioritize security
- Ideal management solution
  o Simple
  o Reproducible
  o Covers security needs
- Your job, not the users'

Monitor system resource usage and performance
- Do not invade privacy
- Use data to…
  o Identify future purchases
  o Notice potential threats
    • Excessive or unusual usage
    • Antivirus logs
  o Ensure expectations are met (SLA)
- Use system monitoring devices

Detect and correct problems
- Preemptive corrections
  o Patching
  o Updating
  o Upgrading
- Reactive corrections
  o See incident response

Optimize performance
- Users get frustrated with poor system performance
- Users will optimize for themselves
  o Non-compliance
  o Installing adware/freeware
  o Working around slow or ineffective processes
- Don't optimize by removing/compromising security

Manage resources
- Know what you have and use
- Bad situations
  o Unaccounted-for router on network
  o Unconfigured workstation
  o Ordering unneeded license keys
- Wasting resources leads to budget cuts and layoffs
- Misplacing resources leads to vulnerabilities

Automate tasks
- Script day-to-day tasks
- Focus extra time on harder tasks
- Don't introduce security holes
  o Unauthorized use of privileged scripts/programs
  o Scripts disabling security features
  o Testing/debugging/configuration programs used on the 'live' network

Determine and enforce usage policy
- Correct usage is essential
- Meaningless without enforcement

Educate users
- A smart user is a safe user
- Eliminate "low hanging fruit"
  o Social engineering
  o Bad links
  o Phishing emails
  o Removable media

Corporate priority liaison
- Competing goals
  o Management's budget
  o Your security
  o Customer's service needs
  o Employee convenience
- Security needs to win
  o Sell to management
  o Educate users

Employee Documents and Security Controls

Employee documents
- Acceptable Use Policy (AUP)
- Service Level Agreement (SLA)
- Non-Disclosure Agreement (NDA)
- Employee Contract
- Your responsibility to enact if there are no documents.

Security controls
- Need-to-know
- Security awareness training
- Separation of duties
- Job rotation
- Vacations
- Auditing/reviews

Security Threats
- External
  o Hacking
  o E-mail attacks
- Internal
  o Malware
  o Ignorance
  o Insider

Hacking
- Exploitation of web services
- Poorly configured gateways
- Use of backdoors
  o Social engineering
  o Previous intrusion
  o Internal collaborator

E-mail attacks
- Phishing
- Spam
- Trojans
- Viruses

Malware
- Many sources
  o Hacking
  o Insider
  o Ignorance
- Spreads quickly
- Uses up resources

Ignorance
- Clicking bad links
- Poor e-mail discretion
- Downloading malware
- USB attacks

Insider
- Usually hardest to detect
  o They know the system
  o Sometimes a privileged user
- Disgruntled employee
- Abuse of trust

Threat Mitigation
- Preparation
  o Security practices
  o Education
- Incident Response Plan
  o If none, create one
- Form a Computer Security Incident Response Team
  o Individuals capable of correct response
  o Include members of management

Incident Response
- Identify
- Initial Response
  o Record basic details
  o Assemble CSIRT
  o Notify important individuals
- Formulate strategy
- Investigate
  o Thorough data collection
  o Determine what/who/how
- Report
- Resolve

Conclusion
- A smart user is a safe user
- Policy enforcement is the first step to a secure system
- Put security first in everything you do

Reference
Mandia, Kevin, Chris Prosise, and Matt Pepe. Incident Response & Computer Forensics. 2nd ed. N.p.: Brandon A. Nordin, n.d. 11-32. Print.
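The "Add and remove users", "Manage resources" and "Automate tasks" slides all point at the same routine chore: knowing which accounts exist on a system and making sure old access rights are actually gone. The script below is an added example, not part of the Orange Team slides: it reconciles a passwd-format file against an HR roster (one approved username per line) and reports interactive accounts that nobody is accountable for, plus any non-root account that has been given UID 0. The file names, the `/bin/sh` functions and the sample passwd and roster contents are all constructed for the example; the script only reports and changes nothing, so it can be run on a schedule without itself becoming one of the "privileged scripts" the slides warn about.

```shell
#!/bin/sh
# Added example (not from the slides): audit local accounts against an HR roster.
# Read-only: it prints findings and never modifies the system.

# Print interactive accounts (UID >= MIN_UID, real login shell) from a
# passwd-format file that are NOT listed in the roster file.
# Usage: orphaned_accounts PASSWD_FILE ROSTER_FILE [MIN_UID]   (MIN_UID defaults to 1000)
orphaned_accounts() {
    passwd_file=$1
    roster_file=$2
    min_uid=${3:-1000}
    awk -F: -v min="$min_uid" -v roster="$roster_file" '
        BEGIN {
            # Load the roster; ignore blank lines and "#" comments.
            while ((getline line < roster) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]+/, "", line)
                if (line != "") approved[line] = 1
            }
            close(roster)
        }
        /^#/ || NF < 7 { next }              # comments or malformed entries
        $7 ~ /(nologin|false)$/ { next }     # locked shell: not interactive
        $3 + 0 >= min + 0 && !($1 in approved) { print $1 }
    ' "$passwd_file" | sort
}

# Print every account with UID 0 other than "root": a classic leftover backdoor.
# Usage: uid0_accounts PASSWD_FILE
uid0_accounts() {
    awk -F: 'NF >= 7 && $3 + 0 == 0 && $1 != "root" { print $1 }' "$1" | sort
}

# Write constructed sample inputs into the directory given as $1.
# Neither file is real data; they exist so the example runs offline.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
jdoe:x:1002:1002:Former contractor:/home/jdoe:/bin/bash
svc-backup:x:1003:1003:Backup service:/var/backups:/usr/sbin/nologin
toor:x:0:0:constructed backdoor account:/root:/bin/sh
EOF
    cat > "$1/roster" <<'EOF'
# HR roster (constructed sample): one approved username per line
alice
bob
svc-backup
EOF
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
echo "Interactive accounts not on the roster:"
orphaned_accounts "$demo_dir/passwd" "$demo_dir/roster"
echo "Non-root accounts with UID 0:"
uid0_accounts "$demo_dir/passwd"
rm -rf "$demo_dir"
```

On the sample data the roster check reports `jdoe` (a real login shell, UID 1002, no longer on the roster) and the UID check reports `toor`. System accounts below the minimum UID and accounts whose shell is `nologin` or `false` are deliberately left out of the roster comparison, which is why `daemon` and `svc-backup` are silent; anything the script prints is a ticket for a human to review and remove, following the slides' "completely remove old access rights".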