
Infrastructure (in)security

Infrastructure (in)security. Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator | ondrej@sevecek.com | www.sevecek.com |. Agenda. Where antimalware fails? Where admin fails!


Presentation Transcript


  1. Infrastructure (in)security Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator | ondrej@sevecek.com | www.sevecek.com |

  2. Agenda • Where antimalware fails? • Where admin fails!

  3. Custom code • Antimalware detects only well-known code signatures • heuristics? • PowerShell, C#, ASP, … • Take a look at this…

  4. Limited user • Hardware keylogger* • Software keylogger* • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=416 • Never type sensitive passwords on insecure machines

  5. What to do with a password? • Check whether any other account uses the same password* • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=387 • Never use the same password twice

  6. UAC will keep me secure • No • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=404 • It works only locally • code started manually* • Do not work under sensitive accounts • Use personal limited accounts

  7. Those guys are local admins! • Hack local admin* • system partition unencrypted • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=213 • Any workstation is compromised • Encrypt system with BitLocker and TPM • users must not know the password
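The mitigation on slide 7 is a TPM-protected system volume whose only secret the user never sees. The following script is an added example, not part of the presentation or of the author's material: it checks that the TPM is ready, reports the protection state of the OS volume, and enables BitLocker with a TPM protector plus an admin-held recovery password. It assumes Windows 8 / Server 2012 or later (the BitLocker and TrustedPlatformModule modules), an elevated session, and that the system drive is the volume to protect.

```powershell
# Added example (not from the slides): enforce "BitLocker + TPM, user knows no password".
# Assumptions: Windows 8 / Server 2012 or later, elevated session, $env:SystemDrive is the OS volume.
Import-Module BitLocker
Import-Module TrustedPlatformModule

$osDrive = $env:SystemDrive   # normally "C:"

# 1. A TPM protector needs a TPM that is present and initialised.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present or not ready on this machine; fix that before enabling BitLocker."
}

# 2. Current state of the OS volume: encryption status, protection status and protector types.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
Write-Host ("{0}: volume={1}, protection={2}, protectors={3}" -f `
    $osDrive, $vol.VolumeStatus, $vol.ProtectionStatus, ($protectorTypes -join ','))

# 3. Not encrypted yet: turn it on with a TPM protector (no boot PIN or password for the user).
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $osDrive -TpmProtector -SkipHardwareTest
}

# 4. Make sure a recovery password exists and is held by the admin, not the user.
#    Back it up to the computer object in AD so it never has to be handed out.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    $recovery = (Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}
foreach ($rp in $recovery) {
    # Requires the AD schema / GPO for BitLocker recovery escrow; harmless to skip on a workgroup box.
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId -ErrorAction SilentlyContinue
}

# 5. Protection suspended (e.g. after a firmware update) is the same as unencrypted for an attacker
#    with physical access, so surface it explicitly.
if ((Get-BitLockerVolume -MountPoint $osDrive).ProtectionStatus -ne 'On') {
    Write-Warning "$osDrive is encrypted but protection is not On; run Resume-BitLocker -MountPoint $osDrive"
}
```

The TPM-only protector is what keeps the user out of the loop: the key is released by the TPM after measured boot, and the only human-usable secret is the recovery password, which the script escrows to AD rather than showing on screen.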

  8. UAC will keep me secure • No • It works only locally • code injected through "autorun"* • Do not work under sensitive accounts on insecure machines

  9. Audit tools? • Antimalware? • Autoruns? • does not verify PowerShell code* • trusts in what you yourself trust* • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=235 • Every tool can be fooled
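Slide 9 makes the point that an autostart auditor tells you that powershell.exe starts at logon, not whether the script behind it is trustworthy. The script below is an added example, not part of the presentation: it enumerates PowerShell launches from the Run/RunOnce keys and from scheduled tasks, extracts every .ps1 path from the command line, and checks each file's Authenticode signature, flagging encoded or inline commands that carry no file to verify at all. It assumes Windows 8 / Server 2012 or later (ScheduledTasks module) and an elevated session so that all tasks are visible.

```powershell
# Added example (not from the slides): go one step past Autoruns and verify the PowerShell
# code that autostarts actually carries a valid signature.
# Assumptions: Windows 8 / Server 2012 or later, elevated session.
function Get-PowerShellAutostart {
    $entries = @()

    # Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # skip PSPath, PSParentPath, ...
            if ("$($p.Value)" -match 'powershell') {
                $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; CommandLine = "$($p.Value)" }
            }
        }
    }

    # Scheduled tasks whose action launches powershell.exe
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ("$($a.Execute)" -match 'powershell') {
                $entries += [pscustomobject]@{
                    Source      = "Task $($task.TaskPath)$($task.TaskName)"
                    Name        = $task.TaskName
                    CommandLine = "$($a.Execute) $($a.Arguments)"
                }
            }
        }
    }
    return $entries
}

function Test-AutostartScriptSignature {
    param([Parameter(Mandatory)]$Entry)

    # -EncodedCommand / inline -Command bodies reference no file, so there is nothing to
    # signature-check; they must be read by a human.
    if ($Entry.CommandLine -match '-(e|ec|enc|encodedcommand)\s') {
        return [pscustomobject]@{ Source = $Entry.Source; Script = '<encoded command>'; Status = 'ReviewManually' }
    }

    # Quoted paths (may contain spaces) or bare drive-letter paths ending in .ps1
    $scripts = [regex]::Matches($Entry.CommandLine, '"([^"]+\.ps1)"|([A-Za-z]:\\\S+\.ps1)', 'IgnoreCase') |
        ForEach-Object { if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value } }
    if (-not $scripts) {
        return [pscustomobject]@{ Source = $Entry.Source; Script = '<inline or none>'; Status = 'ReviewManually' }
    }

    foreach ($s in $scripts) {
        $status = if (Test-Path -LiteralPath $s) { (Get-AuthenticodeSignature -FilePath $s).Status } else { 'FileMissing' }
        [pscustomobject]@{ Source = $Entry.Source; Script = $s; Status = $status }
    }
}

Get-PowerShellAutostart | ForEach-Object { Test-AutostartScriptSignature -Entry $_ } | Format-Table -AutoSize
```

Anything other than `Valid` in the Status column (NotSigned, HashMismatch, UnknownError, FileMissing, ReviewManually) is a line the tool would have shown as a harmless powershell.exe entry; this is the verification the slide says the tool does not do for you.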

  10. Web servers • Third party suppliers • Local limited admins • impersonation* • basic delegation* • Kerberos delegation* • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=101 • Never access applications with privileged accounts
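Slide 10 warns that a web server account allowed to impersonate or delegate can reuse the identity of a privileged user who merely visits the site. The script below is an added example, not part of the presentation: it lists every account in the domain that is trusted for unconstrained delegation, protocol transition or constrained delegation, and marks the members of a privileged group as "sensitive and cannot be delegated", which blocks delegation of their tickets regardless of what the server is allowed to do. It assumes the ActiveDirectory module (RSAT), rights to read and modify the objects, and uses 'Domain Admins' as the example privileged group.

```powershell
# Added example (not from the slides): find delegation-trusted accounts and protect
# privileged users from having their identity delegated.
# Assumptions: ActiveDirectory module, sufficient rights, 'Domain Admins' as the sensitive group.
Import-Module ActiveDirectory

function Get-DelegationTrustedAccounts {
    # userAccountControl bits: 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained),
    # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition);
    # msDS-AllowedToDelegateTo set = constrained delegation.
    $ldap = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
            '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
            '(msDS-AllowedToDelegateTo=*))'
    Get-ADObject -LDAPFilter $ldap -Properties sAMAccountName, userAccountControl, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            $uac = [int]$_.userAccountControl
            [pscustomobject]@{
                Account       = $_.sAMAccountName
                Class         = $_.ObjectClass
                Unconstrained = [bool]($uac -band 0x80000)
                ProtocolTrans = [bool]($uac -band 0x1000000)
                Targets       = (@($_.'msDS-AllowedToDelegateTo') -join ';')
            }
        }
}

function Protect-PrivilegedAccounts {
    param([string]$Group = 'Domain Admins', [switch]$WhatIf)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties AccountNotDelegated
            if (-not $u.AccountNotDelegated) {
                # "Account is sensitive and cannot be delegated": the KDC refuses to issue
                # forwardable/delegable tickets for this user to anyone.
                Set-ADUser -Identity $u -AccountNotDelegated $true -WhatIf:$WhatIf
                "Marked $($u.SamAccountName) as sensitive / cannot be delegated"
            }
        }
}

Get-DelegationTrustedAccounts | Format-Table -AutoSize
Protect-PrivilegedAccounts -Group 'Domain Admins' -WhatIf   # drop -WhatIf to apply
```

Unconstrained delegation on anything other than a domain controller is the entry in the first table to look at hardest; the second function is the per-account safety net for the rule the slide ends with, since a user who cannot be delegated is safe even when an admin forgets it and logs on to the wrong application.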

  11. RDP is plain-text authentication • Unfortunately • passwords can be extracted from LSASS memory* • https://www.sevecek.com/Lists/Posts/Post.aspx?ID=360 • Use MMC, RPC, DCOM, WMI, C$, Admin$, REGEDIT or SCCM Remote Tools instead • authenticates with Kerberos

  12. LSASS extraction made nice • Just let the admin access your web site • passwords can be extracted from LSASS memory* • Again, never access applications with privileged accounts
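Slides 11 and 12 share one root cause: an interactive or RDP logon hands the password to the target machine, where it sits in LSASS, while Kerberos-authenticated management channels (WMI, RPC, admin shares) perform a network logon and leave nothing reusable behind. The script below is an added example, not part of the presentation: it reads Security event 4624 and reports logons of listed privileged accounts with logon type 2 (Interactive) or 10 (RemoteInteractive, i.e. RDP), then shows the WMI-style alternative the slide recommends. The account names and the server name are constructed sample values; the script assumes rights to read the Security log on the queried machine.

```powershell
# Added example (not from the slides): detect privileged accounts typing their password into
# a machine (logon types 2 and 10 leave credentials in LSASS), and manage hosts over WMI instead.
# Assumptions: rights to read the Security log; account and server names below are constructed.
$privileged = @('admin.alice', 'admin.bob')   # constructed list of sensitive account names
$since = (Get-Date).AddDays(-7)

function Get-PrivilegedInteractiveLogons {
    param(
        [string[]]$Accounts,
        [datetime]$StartTime,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $events = Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # 4624 fields live in EventData as <Data Name="...">value</Data>
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if (($d.LogonType -in '2', '10') -and ($Accounts -contains $d.TargetUserName)) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = if ($d.LogonType -eq '10') { '10 (RDP)' } else { '2 (console)' }
                Source    = $d.IpAddress
                AuthPkg   = $d.AuthenticationPackageName
                Computer  = $ComputerName
            }
        }
    }
}

Get-PrivilegedInteractiveLogons -Accounts $privileged -StartTime $since | Format-Table -AutoSize

# The slide's alternative: query the box over WMI/DCOM. This is a network logon (type 3)
# authenticated with Kerberos; the admin's password never reaches the remote LSASS.
$server = 'SERVER01'   # constructed server name
Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $server |
    Select-Object CSName, LastBootUpTime
```

Run the detection function against member servers and workstations, not only domain controllers: the slide's point is that a privileged account's RDP session to an ordinary web server is exactly the event that should never show up in this table.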

  13. Stolen CA • NTAuth CAs issue logon certificates independently of DCs • never appears on CRL* • Do not let them take your CA
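Slide 13 notes that any CA in the NTAuth store can mint logon certificates that no DC validates against the CA's own records, so a certificate from a stolen CA key is never revoked. Knowing exactly which CAs sit in that store is the defender's first check. The script below is an added example, not part of the presentation: it reads the NTAuthCertificates object in the Configuration partition and compares each entry with the CA certificates published under Enrollment Services, so a stale, expired or unexpected NTAuth entry stands out. It assumes the ActiveDirectory module and read access to the Configuration naming context.

```powershell
# Added example (not from the slides): inventory the CAs trusted for logon certificates.
# Assumptions: ActiveDirectory module, read access to the Configuration naming context.
Import-Module ActiveDirectory

function ConvertTo-X509 {
    param([byte[]]$Raw)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Raw)
}

function Get-NTAuthCertificates {
    # Every certificate here is allowed to issue certificates that log users on to the forest.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -Identity "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$cfg" -Properties cACertificate
    foreach ($raw in $obj.cACertificate) {
        $cert = ConvertTo-X509 -Raw ([byte[]]$raw)
        [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter }
    }
}

function Get-EnrollmentServiceThumbprints {
    # CAs that are actually operated in the forest publish a pKIEnrollmentService object here.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties cACertificate |
        ForEach-Object { (ConvertTo-X509 -Raw ([byte[]]$_.cACertificate)).Thumbprint }
}

$known = @(Get-EnrollmentServiceThumbprints)
Get-NTAuthCertificates | ForEach-Object {
    $flag = if ($known -contains $_.Thumbprint) { 'published enrollment CA' } else { 'NOT an enrollment CA - investigate' }
    if ($_.NotAfter -lt (Get-Date)) { $flag += ' (expired, remove)' }
    '{0}  {1}  {2}' -f $_.Thumbprint, $_.Subject, $flag
}
```

An entry that is not a published enrollment CA is not automatically malicious (a decommissioned CA or a deliberately trusted external one will show up the same way), but every such entry is a CA whose private key, if ever taken, logs on as anyone; the list should be short and every line accounted for.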

  14. Thank you! • and also come to GOPAS: • GOC169 - Auditing ISO/IEC 27001 and 27002 • GOC171 - Active Directory Troubleshooting • GOC172 - Kerberos Troubleshooting • GOC173 - Enterprise Cryptography and PKI • GOC175 - Advanced Windows Security
