Getting Schooled: Security with no budget in a hostile environment.

Jim Kennedy

System Engineer

The Elyria City Schools

Elyria Ohio

WHOIS

KennedyJim@ElyriaSchools.org @TonikJDK

Terminology
  • White Hat/Black Hat
  • Blue Team, Red Team
  • Risk Assessment, Vuln Scan, Pen Test, Security Audit
  • Red Teaming
  • Pivoting
  • APT
Environment
  • 14 Buildings, fiber back to data center and fiber to the net.
  • Internal gig everywhere.
  • 7000 users, 6300 students and 700 staff.
  • Primarily a Microsoft/Cisco house.
  • 37 servers physical/virtual, 3500 XP/Win7-8 desktops and 1000 iPads/Nexus
  • BYOD
IT department
  • Technology Director that is hands on.
  • Secretary who is technically sound. She is our helpdesk and administers our Cisco phone system.
  • 3 desktop technicians.
  • 1 Network Administrator
  • 1 System Engineer
Success is an epic fail
  • When students succeed at hacking, I have failed them. I need to know they are trying, to teach them the limits. But if they pull off a successful breach, if they pull off putting porn all over the screen then they face suspension or expulsion. If I let them get that far, I have failed them.
Threats
  • Outside. Higher value than you think; consider the balance in our bank accounts.
  • Inside. The targets are very tempting to a student: tests, grades, attendance, their ‘permanent’ record and PI on staff.
  • Surfing. A threat in its own right. They are children with hormones, porn is high on the list. Plus interests in music and free games that lead them to a ton of virus/malware laden websites. Beating the filter is extremely high value. That leads them to proxies and trying to get staff accounts that have a more lenient filter.
  • BYOD
What to do?
  • Derbycon talk three years ago.
    • Stop buying stuff.
    • Stick with what you know or you will mess it up.
  • The tools are there, the safeguards are there. If you dot every I and cross every T on every system, it really can be that simple.
  • Watch the Red Team. What are they doing, what are they bragging about. How does that apply to my systems.
  • Listservs: NTSysAdmin, Patchmanagement.org
  • Twitter
  • Security cons (Hack3rCon, Derbycon)
Management buy-in
  • Embrace the security audit and get one. Pick the right one.
  • That probably becomes a public record. At the very least it is a written record of your network's issues. There is no debate, just a standing order: Fix it.
What have I got?
  • Document and define every system and every system interaction.
  • Document the software.
  • Document the traffic.
  • Document access. Who needs what, build a list with an eye towards segmentation.
What is it doing?
  • Read the logs.
    • Server logs. You must audit access success and failure.
    • Web Filter logs. Blocks are a key metric.
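Reading the logs only pays off when something condenses them for you. The following PowerShell is an added example, not from the slides: it flags accounts and source addresses with a burst of failed logons (Security event 4625) inside a sliding window, which is the first thing "audit success and failure" on a server should surface. The field names TargetUserName and IpAddress come from the standard 4625 event schema; the sample events are constructed, and the threshold and window values are assumptions to tune for your own environment.

```powershell
# Added example, not from the slides: find accounts and source addresses with a
# burst of failed logons (Security event 4625). Sample events below are
# constructed; Threshold/WindowMinutes are assumed starting values.

function ConvertFrom-FailedLogonEvent {
    # Turn a live 4625 EventLogRecord (from Get-WinEvent) into the flat shape
    # Get-FailedLogonBursts expects. TargetUserName/IpAddress are the standard
    # 4625 EventData field names.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            User        = $data['TargetUserName']
            Source      = $data['IpAddress']
        }
    }
}

function Get-FailedLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, User, Source
        [int] $Threshold     = 5,                    # failures inside one window to report
        [int] $WindowMinutes = 10
    )
    foreach ($group in ($Events | Group-Object -Property User, Source)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        # Slide a window anchored at each failure and keep the densest one.
        $worst = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i].AddMinutes($WindowMinutes)
            $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end }).Count
            if ($count -gt $worst) { $worst = $count }
        }
        if ($worst -ge $Threshold) {
            [pscustomobject]@{
                User     = $group.Group[0].User
                Source   = $group.Group[0].Source
                Failures = $worst
                First    = $times[0]
                Last     = $times[-1]
            }
        }
    }
}

# Constructed sample: one student account hammering a server from a lab PC,
# plus two ordinary typos from another user that should not be reported.
$t0 = Get-Date '2014-03-05 08:00:00'
$SampleEvents = @(
    foreach ($i in 0..7) {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20 * $i); User = 'jsmith'; Source = '10.20.5.77' }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(3);  User = 'mjones'; Source = '10.20.7.15' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(45); User = 'mjones'; Source = '10.20.7.15' }
)
Get-FailedLogonBursts -Events $SampleEvents | Format-Table -AutoSize

# Live use on a server (needs rights to read the Security log):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#     ConvertFrom-FailedLogonEvent
# Get-FailedLogonBursts -Events $live -Threshold 5 -WindowMinutes 10
```

Run against the constructed sample, only jsmith from 10.20.5.77 is reported (eight failures in under three minutes); mjones's two typos 42 minutes apart fall below the threshold. Raise the threshold on servers where a misconfigured service account retries constantly, or you will tune out the students by drowning in noise.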
Nessus by Tenable
  • NESSUS yourself regularly. http://www.tenable.com/products/nessus
Intrusion detection and moar.
  • Security Onion
    • http://blog.securityonion.net
    • IDS
    • Full packet capture
    • Reconstructs full transactions
    • So simple even a Windows jockey can do it
    • 30 minutes from download to fully running
Web filter
  • Yea, people hate them. Sorry about that, talk to Congress.
  • Five strikes and you are out.
  • A very simple and powerful tool; this dropdown:
Patch it all
  • MS08-067. Seriously, why do I need this slide?
  • 90 day patch window on average.
  • Remember our software documentation? That drives your third party patching. Build a spreadsheet that lists them, with version and a clickable link to check for the newest.
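The spreadsheet the slide describes can be generated rather than typed. This PowerShell is an added example, not from the slides: it reads installed software from the standard Uninstall registry keys, compares each entry against a hand-maintained "latest known" table (the link column is the clickable check the slide asks for), and reports which products are behind. The $Latest table, the product names and every version number and link in it are constructed placeholders; maintain your own from vendor pages.

```powershell
# Added example, not from the slides: third-party patch inventory compared
# against a hand-maintained "latest known" table. All versions/links below are
# constructed placeholders.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    # Standard Uninstall keys cover most MSI/EXE installers; per-user (HKCU) installs are not included.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object @{ n = 'Name'; e = { $_.DisplayName } },
                      @{ n = 'Version'; e = { $_.DisplayVersion } },
                      Publisher
}

function ConvertTo-ComparableVersion {
    param([string] $Text)
    # Keep only the leading dotted digits so "7.0.1 (build 22)" still compares;
    # [version] needs at least two components, so "7" alone returns $null.
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Compare-ToLatest {
    param(
        [Parameter(Mandatory)] [object[]]  $Installed,
        [Parameter(Mandatory)] [hashtable] $Latest      # name wildcard -> @{ Version; Link }
    )
    foreach ($app in $Installed) {
        foreach ($pattern in $Latest.Keys) {
            if ($app.Name -like $pattern) {
                $have = ConvertTo-ComparableVersion $app.Version
                $want = ConvertTo-ComparableVersion $Latest[$pattern].Version
                [pscustomobject]@{
                    Name      = $app.Name
                    Installed = $app.Version
                    Latest    = $Latest[$pattern].Version
                    # Unparseable versions are reported but never marked outdated automatically.
                    Outdated  = ($null -ne $have -and $null -ne $want -and $have -lt $want)
                    CheckLink = $Latest[$pattern].Link
                }
            }
        }
    }
}

# Constructed "latest known" table (placeholder versions and links).
$Latest = @{
    'Example Reader*'  = @{ Version = '11.0.3';  Link = 'https://example.invalid/reader-releases' }
    'Java * Update*'   = @{ Version = '7.0.510'; Link = 'https://example.invalid/java-releases' }
}
# Constructed inventory standing in for Get-InstalledSoftware output on a real desktop.
$Installed = @(
    [pscustomobject]@{ Name = 'Example Reader XI'; Version = '11.0.3 (build 22)'; Publisher = 'Example' }
    [pscustomobject]@{ Name = 'Java 7 Update 45';  Version = '7.0.450';           Publisher = 'Oracle' }
)
Compare-ToLatest -Installed $Installed -Latest $Latest | Format-Table -AutoSize

# On a real desktop, feed the live inventory and write the spreadsheet:
# Compare-ToLatest -Installed (Get-InstalledSoftware) -Latest $Latest |
#     Export-Csv -NoTypeInformation -Path patch-inventory.csv
```

With the constructed data the reader row comes back current and the Java row comes back Outdated, with its check link alongside. Run it from your management host against each standard image and the resulting CSV is the third-party patch list the slide wants, minus the hand typing.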
Server hardening
  • Microsoft’s free EMET 4.1
    • Ask the red team how many boxes they have popped recently that are running EMET
  • Firewall between users and servers.
  • Build your servers with segmentation of resources in mind so you can segment your users. Control that with your ASA and your VLANs.
  • Firewall on. Seriously, on 2008+ the firewall is on automatically.
  • Consider taking servers out of the domain. HVAC servers on the management VLAN.
  • Encrypt your databases.
  • Patch them, all of it especially third party software. Veritas <sigh>.
Desktop hardening via GPO
  • No local admin. Period. Remember our now-public-record security audit. Sorry about that, talk to the memo I got that said ‘Fix it’. Control it with Restricted Groups.
  • EMET 4.1
  • RDS for Finance and the like.
  • Local firewall via gpo.
  • Event logging with auditing on success and failure.
  • Hide last user login
  • UAC
  • Autorun off
  • Software Restrictions
MOAR
  • Nuke Control Panel items.
  • Nuke Explorer search and menu search
  • Nuke task manager
  • Disable Run, cmd and Internet Explorer drive access, which also kills \\servername in IE.
  • No bat files, no VBS in user context
  • Hide the system drive.
  • IE Maintenance via GPO: zones, history, ...
  • Restrict exe’s in AppData (Cryptolocker)
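GPO pushes these settings out, but the audit memo will eventually ask for proof that they landed. The PowerShell below is an added example, not from the slides, serving both the "Desktop hardening via GPO" and "MOAR" lists: run on one desktop, it reads back the local Administrators membership, firewall profiles, UAC, last-user-name hiding, Autorun, Task Manager lockdown and logon auditing, and reports anything not in the expected state. The allow-list of admin accounts is constructed; the registry locations are the standard policy locations for those settings, but confirm them against your own GPO results (gpresult /h) before trusting a PASS. Get-LocalGroupMember and Get-NetFirewallProfile need PowerShell 5.1 on Windows 8/2012 or later, and auditpol needs an elevated prompt.

```powershell
# Added example, not from the slides: read back the desktop hardening settings
# the two GPO slides push and report which ones are not in the expected state.
# $AllowedLocalAdmins is a constructed allow-list; replace with your own.
$AllowedLocalAdmins = @('Administrator', 'DESK-Admins')
$PolSystem   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolExplorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UserSystem  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-RegistryValue {
    param([string] $Check, [string] $Path, [string] $Name, $Expected)
    # A missing value reads back as $null and therefore fails the check.
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $actual; Pass = ($actual -eq $Expected) }
}

function Get-HardeningReport {
    param([string[]] $AllowedAdmins = $AllowedLocalAdmins)
    $report = @()

    # "No local admin. Period." - anyone in Administrators outside the allow-list fails.
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { ($_.Name -split '\\')[-1] })
    $extra  = @($admins | Where-Object { $AllowedAdmins -notcontains $_ })
    $report += [pscustomobject]@{ Check = 'Local Administrators'; Expected = ($AllowedAdmins -join ',')
                                  Actual = ($admins -join ','); Pass = ($extra.Count -eq 0) }

    # "Local firewall via gpo." - every profile must be on.
    foreach ($p in Get-NetFirewallProfile) {
        $on = ("$($p.Enabled)" -eq 'True')
        $report += [pscustomobject]@{ Check = "Firewall $($p.Name)"; Expected = $true; Actual = $on; Pass = $on }
    }

    # "UAC", "Hide last user login", "Autorun off", "Nuke task manager".
    $report += Test-RegistryValue 'UAC enabled'          $PolSystem   'EnableLUA'               1
    $report += Test-RegistryValue 'Hide last user name'  $PolSystem   'DontDisplayLastUserName' 1
    $report += Test-RegistryValue 'Autorun off (all)'    $PolExplorer 'NoDriveTypeAutoRun'      255
    $report += Test-RegistryValue 'Task Manager disabled' $UserSystem 'DisableTaskMgr'          1

    # "Event logging with auditing on success and failure" - check the Logon subcategory.
    $rows    = auditpol /get /subcategory:"Logon" /r 2>$null | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $setting = if ($rows) { $rows[0].'Inclusion Setting' } else { $null }
    $report += [pscustomobject]@{ Check = 'Audit Logon'; Expected = 'Success and Failure'
                                  Actual = $setting; Pass = ($setting -eq 'Success and Failure') }
    return $report
}

Get-HardeningReport | Format-Table -AutoSize
# Only the failures, for the memo:
# Get-HardeningReport | Where-Object { -not $_.Pass }
```

The script checks what the machine actually enforces, not what the GPO says it should, which is the difference that matters when a student-facing lab PC has fallen out of the OU. The software restriction rule for executables under AppData is not read back here; AppLocker and SRP state live in their own policy keys and are easier to verify with the event logs those features write.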
No AV
  • Can’t think of anything it could possibly protect me from.
    • The occasional user profile deletion for malware.
    • Remember our web filter is a finely tuned killing machine.
    • Remember we have standardized images. 30 minutes to nuke and image.
Java
  • EMET kills much of it. It looks for behavior, not signatures.
  • In other cases egress filtering and/or the web filter. With only 80 and 443 allowed out, the filter sees the exploit phoning home.
  • 91 percent of all attacks in 2013 were Java based
  • EDU software with Java. WE need to push back HARD.
BYOD/Tablets
  • Get out in front of it, don’t wait for them to dictate how it’s going to happen.
    • Today I want to announce our awesome new BYOD program. This is going to rock!!
      • Guest Network, straight out to the internet.
      • GAFE
      • Good luck, enjoy.
  • District owned tablets
    • Meraki (free)
      • Find them and wipe them.
    • Tab Pilot.
      • Publish apps to a custom home screen, kill the rest of it.
Leverage your switches/routers/FW
  • SSH only from the management network.
  • Sticky MACs.
  • Kill unused ports.
    • Yea, it’s annoying for desktop techs. Talk to the memo.
  • Egress filtering.
It never ends
  • Have management read the memo they gave you dictating ‘fix it’ from the audit.
    • Point out that this takes time, I negotiated 20 percent of my time for this. One day a week, Wednesday. If my boss pulls me off I ask him to talk to the memo about it.