Getting Schooled: Security with no budget in a hostile environment (PowerPoint presentation)
Presentation Transcript

Getting Schooled: Security with no budget in a hostile environment.

Jim Kennedy

System Engineer

The Elyria City Schools

Elyria Ohio

WHOIS

KennedyJim@ElyriaSchools.org @TonikJDK

Terminology
  • White Hat/Black Hat
  • Blue Team, Red Team
  • Risk Assessment, Vuln Scan, Pen Test, Security Audit
  • Red Teaming
  • Pivoting
  • APT
Environment
  • 14 Buildings, fiber back to data center and fiber to the net.
  • Internal gig everywhere.
  • 7000 users, 6300 students and 700 staff.
  • Primarily a Microsoft/Cisco house.
  • 37 servers physical/virtual, 3500 XP/Win7-8 desktops and 1000 iPads/Nexus
  • BYOD
IT department
  • Technology Director that is hands on.
  • Secretary who is technically sound. She is our helpdesk and administers our Cisco phone system.
  • 3 desktop technicians.
  • 1 Network Administrator
  • 1 System Engineer
Success is an epic fail
  • When students succeed at hacking, I have failed them. I need to know they are trying, to teach them the limits. But if they pull off a successful breach, if they pull off putting porn all over the screen then they face suspension or expulsion. If I let them get that far, I have failed them.
Threats
  • Outside. More high value than you think, consider the balance in our bank accounts.
  • Inside. The targets are very tempting to a student. Tests, grades, attendance, their ‘permanent’ record and PI on staff.
  • Surfing. A threat in its own right. They are children with hormones, so porn is high on the list. Add interests in music and free games that lead them to a ton of virus/malware-laden websites. Beating the filter is extremely high value. That leads them to proxies and to trying to get staff accounts that have a more lenient filter.
  • BYOD
What to do?
  • Derbycon talk three years ago.
    • Stop buying stuff.
    • Stick with what you know or you will mess it up.
  • The tools are there, the safeguards are there. If you dot every I and cross every T on every system, it really can be that simple.
  • Watch the Red Team. What are they doing? What are they bragging about? How does that apply to my systems?
  • Listservs (NTSysAdmin, Patchmanagement.org), Twitter, security cons (Hack3rCon, Derbycon)
Management buy-in
  • Embrace the security audit and get one. Pick the right one.
  • That probably becomes a public record. At the very least it is a written record of your network's issues. There is no debate, just a standing order: Fix it.
What have I got?
  • Document and define every system and every system interaction.
  • Document the software.
  • Document the traffic.
  • Document access. Who needs what, build a list with an eye towards segmentation.
What is it doing?
  • Read the logs.
    • Server logs. You must audit access success and failure.
    • Web Filter logs. Blocks are a key metric.
NESSUS by Tenable
  • NESSUS yourself regularly. http://www.tenable.com/products/nessus
Intrusion detection and moar.
  • Security Onion
    • http://blog.securityonion.net
    • IDS
    • Full packet capture
    • Reconstructs full transactions
    • So simple even a Windows jockey can do it
    • 30 minutes from download to fully running
Web filter
  • Yeah, people hate them. Sorry about that, talk to Congress.
  • Five strikes and you are out.
  • A very simple and powerful tool; this dropdown:
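The two log-reading habits above, auditing logon success and failure on the servers and treating web-filter blocks as the key metric with a five-strikes limit, as an added example that is not from the talk. All log lines are constructed; the field layout (EventID/Account/Source, user/action/category) is an assumption, so adjust the regexes to your own exports.

```python
"""Read the logs: failed logons from the server audit and blocks from the
web filter. Added example, not from the talk; all log lines are constructed."""
import re
from collections import Counter

# Constructed Windows Security records (4624 = logon success, 4625 = failure).
SECURITY_LOG = """\
2014-03-05 07:58:11 EventID=4625 Account=student1234 Source=10.20.4.17
2014-03-05 07:58:14 EventID=4625 Account=student1234 Source=10.20.4.17
2014-03-05 07:58:20 EventID=4625 Account=jteacher Source=10.20.4.17
2014-03-05 07:58:25 EventID=4625 Account=jteacher Source=10.20.4.17
2014-03-05 07:58:31 EventID=4625 Account=jteacher Source=10.20.4.17
2014-03-05 07:59:02 EventID=4624 Account=jteacher Source=10.20.1.50
"""
# Constructed web-filter log, one line per request.
FILTER_LOG = """\
2014-03-05 08:10:01 user=student1234 action=BLOCK category=proxy
2014-03-05 08:10:09 user=student1234 action=BLOCK category=proxy
2014-03-05 08:11:30 user=student9876 action=ALLOW category=education
2014-03-05 08:12:02 user=student1234 action=BLOCK category=adult
2014-03-05 08:13:44 user=student1234 action=BLOCK category=games
2014-03-05 08:14:10 user=student9876 action=BLOCK category=games
2014-03-05 08:15:55 user=student1234 action=BLOCK category=proxy
"""
SEC_RE = re.compile(r"EventID=(\d+) Account=(\S+) Source=(\S+)")
FLT_RE = re.compile(r"user=(\S+) action=(\w+) category=(\S+)")

def failed_logons(log, threshold=3):
    """(account, source) pairs with threshold+ failures (event 4625).
    Keying on the source IP separates one lab PC hammering a staff account
    from a user who mistyped a password at their own desk."""
    fails = Counter()
    for line in log.splitlines():
        m = SEC_RE.search(line)
        if m and m.group(1) == "4625":
            fails[(m.group(2), m.group(3))] += 1
    return {k: n for k, n in fails.items() if n >= threshold}

def five_strikes(log, strikes=5):
    """Users whose BLOCK count reached the strike limit, with the categories
    they tripped. Blocks are the key metric: a pile of proxy-category blocks
    means someone is hunting for a way around the filter."""
    blocks, cats = Counter(), {}
    for line in log.splitlines():
        m = FLT_RE.search(line)
        if m and m.group(2) == "BLOCK":
            blocks[m.group(1)] += 1
            cats.setdefault(m.group(1), set()).add(m.group(3))
    return {u: (n, sorted(cats[u])) for u, n in blocks.items() if n >= strikes}
```

The 4624 success record from a different source is what you want to see next to three failures: the account owner logged in normally while a lab machine was guessing at it.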
Patch it all
  • MS08-067. Seriously, why do I need this slide?
  • 90 day patch window on average.
  • Remember our software documentation? That drives your third party patching. Build a spreadsheet that lists them, with version and a clickable link to check for the newest.
Server hardening
  • Microsoft’s free EMET 4.1
    • Ask the red team how many boxes they have popped recently that are running EMET
  • Firewall between users and servers.
  • Build your servers with segmentation of resources in mind so you can segment your users. Control that with your ASA and your VLANs.
  • Firewall on. Seriously, 2008+ the firewall is automatic.
  • Consider taking servers out of the domain. HVAC servers on the management VLAN.
  • Encrypt your databases.
  • Patch them, all of it especially third party software. Veritas <sigh>.
Desktop hardening via GPO
  • No local admin. Period. Remember our now public record security audit. Sorry about that, talk to the memo I got that said ‘Fix it’. Control it with Restricted Groups.
  • EMET 4.1
  • RDS for Finance and the like.
  • Local firewall via GPO.
  • Event logging with auditing on success and failure.
  • Hide last user login
  • UAC
  • Autorun off
  • Software Restrictions
MOAR
  • Nuke Control Panel items.
  • Nuke Explorer search and menu search
  • Nuke task manager
  • Disable Run/cmd/Internet Explorer drives, which also kills \\servername in IE.
  • No bat files, no VBS in user context
  • Hide the system drive.
  • IE Maintenance via GPO. Zones, History…
  • Restrict .exe files in AppData (Cryptolocker)
No AV
  • Can’t think of anything it could possibly protect me from.
    • The occasional user profile deletion for malware.
    • Remember our web filter is a finely tuned killing machine.
    • Remember we have standardized images. 30 minutes to nuke and image.
Java
  • EMET kills much of it. It looks for behavior not signatures.
  • In other cases egress filtering and/or the web filter. With only 80 and 443 allowed out the filter sees the exploit phoning home.
  • 91 percent of all attacks in 2013 were Java-based.
  • EDU software with Java. We need to push back HARD.
BYOD/Tablets
  • Get out in front of it, don’t wait for them to dictate how it’s going to happen.
    • Today I want to announce our awesome new BYOD program. This is going to rock!!
      • Guest Network, straight out to the internet.
      • GAFE
      • Good luck, enjoy.
  • District owned tablets
    • Meraki (free)
      • Find them and wipe them.
    • Tab Pilot.
      • Publish apps to a custom home screen, kill the rest of it.
Leverage your switches, routers and firewalls
  • SSH only from management network.
  • Sticky MACs.
  • Kill unused ports.
    • Yeah, it’s annoying for desktop techs. Talk to the memo.
  • Egress filtering.
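Egress filtering as described here and under Java above: with only 80 and 443 allowed out, everything else is denied and logged, and an exploit phoning home on some other port shows up as a steady drumbeat of denies. The following is an added example, not from the talk; the log lines are constructed and modelled on the Cisco ASA 106023 "Deny" message, and the exact field layout and the year are assumptions.

```python
"""Egress filtering: only 80/443 out, everything else is denied and logged.
Added example, not from the talk. Lines are constructed, modelled on the
Cisco ASA 106023 'Deny' message; field layout assumed, check your own logs."""
import re
from collections import defaultdict
from datetime import datetime

ASA_LOG = """\
Mar 05 08:00:02 asa %ASA-4-106023: Deny tcp src inside:10.20.4.17/49233 dst outside:203.0.113.5/6667 by access-group "inside_out"
Mar 05 08:05:01 asa %ASA-4-106023: Deny tcp src inside:10.20.4.17/49240 dst outside:203.0.113.5/6667 by access-group "inside_out"
Mar 05 08:10:03 asa %ASA-4-106023: Deny tcp src inside:10.20.4.17/49251 dst outside:203.0.113.5/6667 by access-group "inside_out"
Mar 05 08:15:02 asa %ASA-4-106023: Deny tcp src inside:10.20.4.17/49260 dst outside:203.0.113.5/6667 by access-group "inside_out"
Mar 05 08:07:40 asa %ASA-4-106023: Deny udp src inside:10.20.7.8/53412 dst outside:198.51.100.9/53 by access-group "inside_out"
Mar 05 09:30:00 asa %ASA-4-106023: Deny tcp src inside:10.20.7.8/51000 dst outside:198.51.100.20/25 by access-group "inside_out"
"""

DENY_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*Deny (\w+) "
                     r"src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")

def denied_flows(log):
    """Group denied outbound attempts by (src, proto, dst, port) -> timestamps."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        # Syslog lines carry no year; 2014 is assumed for the constructed data.
        ts = datetime.strptime("2014 " + m.group(1), "%Y %b %d %H:%M:%S")
        flows[(m.group(3), m.group(2), m.group(4), int(m.group(5)))].append(ts)
    return flows

def beacons(log, min_hits=3, jitter=0.2):
    """Flows denied min_hits+ times at a steady interval (every gap within
    jitter of the mean): an exploit retrying its call home on a timer.
    Returns [(flow, hit_count, mean_gap_seconds)]. One-off denies such as a
    stray DNS or SMTP attempt are left for manual review."""
    found = []
    for key, times in denied_flows(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= jitter * mean for g in gaps):
            found.append((key, len(times), round(mean)))
    return found
```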
It never ends
  • Have management read the memo they gave you dictating ‘fix it’ from the audit.
    • Point out that this takes time. I negotiated 20 percent of my time for this: one day a week, Wednesday. If my boss pulls me off, I ask him to talk to the memo about it.