Date posted: 23-Jun-2015
Uploaded by: joel-cardella
Practical Application Of Back to Basics Methods
Joel Cardella, GrrCon 2014
SECURITY ON THE CHEAP
BIOGRAPHICAL INFO
• Joel Cardella
• 20 years in Information Technology .. Blah blah blah
• Currently Regional Security Officer for multinational industrial manufacturing organization
• Passionate evangelist of infosec
• But none of this matters, because the basics are a common-sense method
[Figure: pyramid of security needs with layers labelled Low, Medium, High and Critical, and "Other controls" above them]
Basic security starts with foundations
Source: http://infospectives.me/2014/07/31/modifying-maslow-what-really-drives-your-infosec-needs-the-state-of-security/ (Cindy Valladares)
[Figure: the same pyramid as it is often filled in practice: Buy latest hyped product, Panic, Pray, Hope, Procrastinate]
Unfortunately…
Source: http://infospectives.me/2014/07/31/modifying-maslow-what-really-drives-your-infosec-needs-the-state-of-security/ (Cindy Valladares)
• “…if your roof has leaks, you fix the leaks in the roof before you remodel the house, right?”
• John Pescatore, SANS
• http://www.techrepublic.com/blog/tech-decision-maker/it-security-fix-the-leaky-roof-before-remodeling-the-house/
WE ARE ALL SAYING THE SAME THING
BASICS FOCUS
Prevention Detection
Response Recovery
Risk
The basics do not address advanced threats!
WHAT RISK CAN WE CONTROL?
THREATS X VULNERABILITIES X TIME = RISK
Threats: No control
Vulnerabilities: Direct control / Indirect control (vendor reliance)
Time: Direct control (issuing patches & updates)
None of these values is ever zero, but we should work toward zero
SECURITY BASICS
• Security requires resources; you must invest to get a return
• If you don’t invest the resources, you will increase the vulnerability and likelihood, and thus the risk
• If you can’t invest money, then you invest time
• NOW: How do we do this cheaply?
INVESTMENT DIRECTION
WHAT ARE YOUR STANDARDS?
• Critical Security Controls (SANS 20)
• Australian Defence Signals Directorate (DSD)
CSC FIRST FIVE QUICK WINS
• For those wanting a highly focused and direct starting point, we have emphasized the “First Five Quick Wins”: sub-controls that have the most immediate impact on preventing attacks. These actions are specially noted in the Controls listings, and consist of:
• 1. Application whitelisting (found in CSC 2 / DSD 1);
• 2. Use of standard, secure system configurations (found in CSC 3);
• 3. Patch application software within 48 hours (found in CSC 4 / DSD 2);
• 4. Patch system software within 48 hours (found in CSC 4 / DSD 3); and
• 5. Reduced number of users with administrative privileges (found in CSC 3 and CSC 12 / DSD 4).
THE FIRST FIVE
Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Helps mitigate intrusion stage 2: network propagation | Helps mitigate intrusion stage 3: data exfiltration
Application whitelisting | Essential | Medium | High | Medium | Yes | Yes | Yes | Yes
Standard configurations | Essential | Low | Medium | Medium | Possible | Yes | Yes | Yes
Patch applications < 48 hrs | Essential | Low | High | High | No | Yes | Possible | No
Patch operating system vulnerabilities < 48 hrs | Essential | Low | Medium | Medium | No | Yes | Possible | No
Restrict administrative privileges | Essential | Medium | Medium | Low | No | Possible | Yes | No
Focusing on these 5 will address 80% of your risk – Australian DSD
Pareto Principle – 20% of our focus can address 80% of our risk
THE END
Thank you for listening
QUICK WINS DEEP DIVE
• Assess (PLAN)
• Focus (DO)
• Measure (CHECK)
• Remediate (ACT)
73 QUICK WINS
[Chart: distribution of the 73 Quick Wins across CSC 1 through CSC 20]
Assess to the level of your risk appetite … your green may not be someone else’s green
TOOLS
CAVEAT EMPTOR
• I will not discuss a tool in context of use unless:
• I have used it myself and found it to be effective
• It is being used effectively by a peer whom I trust
• I am going to focus on Windows systems as being higher risk than others, mostly due to proliferation and ubiquity
CHEAP <> FREE
• Cheap is not permanent, it is a bridge
• Cheap is relative
  • Included with other stuff (like an EA)
  • Low cost for an enterprise
  • Open source / FOSS
• Cheap is more expensive in terms of time when used to cut corners
TOOLS FOR CONTROLS
• CSC 1 – NMAP
• CSC 2 – SCCM
  • Whitelisting can be implemented using commercial whitelisting tools or application execution tools that come with anti-virus suites and with Windows (AppLocker).
• CSC 3 – SCCM (for distribution)
• Lansweeper: unlimited assets scanned at your interval, kept in a historical database, for $1995
CSC 3 – SECURE CONFIGURATIONS
• Establish and ensure the use of standard secure configurations of your operating systems.
• Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system.
• Hardening typically includes: removal of unnecessary accounts (including service accounts), disabling or removal of unnecessary services, configuring non-executable stacks and heaps, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and use of host-based firewalls.
• These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.
DO YOUR RESEARCH!
A simple Google search returns many articles on hardening Windows
HARDENING EXAMPLES
• Uninstall Adobe Reader
• Remove Java, or set your browser settings to “Click To Play Plugins”
• Remove unnecessary services - http://www.blackviper.com/windows-services/
• EMET - http://support.microsoft.com/kb/2458544
http://www.insanitybit.com/2013/03/27/windows-hardening-guide/
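A way to check a host against the hardening items above, as an added example that is not from the talk or any project it cites. It assumes an elevated PowerShell session; the list of unwanted services is a constructed starting point to replace with your own picks from the blackviper reference, and EMET is detected through its Add/Remove Programs entry.

```powershell
# Added example, not from the talk: report which hardening items from this slide a host
# already has. Assumptions: elevated session; $UnwantedServices is a constructed example
# list, not a recommendation; EMET registers an uninstall entry whose name starts "EMET".
$UnwantedSoftware = 'Adobe Reader', 'Java'                 # matched as DisplayName substrings
$UnwantedServices = 'RemoteRegistry', 'TlntSvr', 'SSDPSRV'   # constructed example list

function Get-InstalledSoftware {
    # Read both the native and the 32-bit-on-64-bit uninstall hives so 32-bit Java/Reader are not missed.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } | Select-Object -ExpandProperty DisplayName
}

function Test-HostHardening {
    $installed = @(Get-InstalledSoftware)
    $results = @()
    foreach ($name in $UnwantedSoftware) {
        $hits = @($installed | Where-Object { $_ -like "*$name*" })
        $results += [pscustomobject]@{ Check = "Removed: $name"; Pass = ($hits.Count -eq 0); Detail = ($hits -join '; ') }
    }
    $emet = @($installed | Where-Object { $_ -like 'EMET*' })
    $results += [pscustomobject]@{ Check = 'EMET installed'; Pass = ($emet.Count -gt 0); Detail = ($emet -join '; ') }

    # Win32_Service exposes StartMode on every Windows version in scope for this talk.
    $enabled = @(Get-WmiObject -Class Win32_Service |
        Where-Object { $UnwantedServices -contains $_.Name -and $_.StartMode -ne 'Disabled' })
    $results += [pscustomobject]@{
        Check  = 'Unneeded services disabled'
        Pass   = ($enabled.Count -eq 0)
        Detail = (($enabled | ForEach-Object { "$($_.Name)=$($_.StartMode)" }) -join '; ')
    }

    # Listening TCP endpoints: anything beyond your image's baseline is an open, unused port to close.
    $listening = @(netstat -an | Select-String 'LISTENING' | ForEach-Object { ($_ -split '\s+')[2] })
    $results += [pscustomobject]@{ Check = 'Listening TCP endpoints (review)'; Pass = $null; Detail = ($listening -join ' ') }
    $results
}

Test-HostHardening | Format-Table -AutoSize -Wrap
```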
CSC 12 – CONTROLLED USE OF ADMIN
• In Active Directory, restrict the membership of
  • Enterprise Admins
  • Schema Admins
• These are the two most powerful security groups in AD
• Do NOT allow your admins to leave accounts idling in these groups; accounts can be added and removed as needed
CSC 12 – CONTROLLED USE OF ADMIN
• Look at the membership of Domain Admins and Domain Workstation Admins
• Create separate accounts for admins: a regular user account and an admin account
• Don’t name the admin account admin<USERNAME>
  • Make it distinct but not obvious
• Enforce a 2nd factor on admin logins?
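A membership audit for the groups named on the two CSC 12 slides, as an added example that is not from the talk or from PoshSec. It assumes the RSAT ActiveDirectory module, read access to the domain, that 90 days without a logon counts as idling, and that "Domain Workstation Admins" exists in your domain as it does on the slide.

```powershell
# Added example, not from the talk or the PoshSec project: list who sits in the privileged
# groups named on these slides and flag accounts that look idle or carry an obvious
# "admin<username>" name. Assumptions: RSAT ActiveDirectory module, domain read access,
# 90 days counts as idle, 'Domain Workstation Admins' is taken from the slide and may not exist.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Domain Workstation Admins'
$StaleDays = 90

function Get-PrivilegedGroupReport {
    param([string[]]$Groups = $PrivilegedGroups, [int]$StaleAfterDays = $StaleDays)
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    foreach ($group in $Groups) {
        try {
            # -Recursive expands nested groups so indirect members are not missed.
            $members = Get-ADGroupMember -Identity $group -Recursive |
                       Where-Object { $_.objectClass -eq 'user' }
        } catch {
            Write-Warning "Group '$group' not found or not readable: $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordNeverExpires
            [pscustomobject]@{
                Group            = $group
                Account          = $u.SamAccountName
                Enabled          = $u.Enabled
                LastLogonDate    = $u.LastLogonDate
                # Never logged on, or not since the cutoff: an account idling in the group.
                Idle             = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
                # "adminjsmith" tells anyone which regular account it pairs with.
                ObviousName      = [bool]($u.SamAccountName -match '^admin')
                PasswordNeverExp = $u.PasswordNeverExpires
            }
        }
    }
}

# Anything flagged Idle belongs out of the group until it is actually needed.
Get-PrivilegedGroupReport | Sort-Object Group, Account | Format-Table -AutoSize
```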
FURTHER SHRINK THE ATTACK SURFACE
PREVENT BRUTE FORCING
• Winfail2ban (a Windows port of Fail2ban from *NIX)
• Scans log files like FTP logs or Event Viewer and bans IPs that make too many password failures
• http://winfail2ban.sourceforge.net/
• For webapps, don’t fail password attempts in a predictable way
• For example, most Web sites return an "HTTP 401 error" code with a password failure, although some web sites instead return an "HTTP 200 SUCCESS" code but direct the user to a page explaining the failed password attempt.
• Vary the behaviors to fool automation
• https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
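The counting logic a log-scanning banner like the one above applies, written here over Windows Security events as an added example; it is not Winfail2ban's own code. It assumes event ID 4625 for failed logons and uses a 10-minute window and a threshold of 10 failures, both tunables rather than recommendations; the sample events are constructed.

```powershell
# Added example, not Winfail2ban's code: the failure-counting logic such a tool applies,
# here over Windows Security events. Assumptions: event ID 4625 (logon failure), a window
# of 10 minutes and a threshold of 10 failures; both are tunables, not recommendations.
function Get-BruteForceCandidates {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with TimeCreated, SourceIp, TargetUser
        [int]$Threshold = 10,
        [int]$WindowMinutes = 10
    )
    $window = [TimeSpan]::FromMinutes($WindowMinutes)
    $Events | Group-Object SourceIp | ForEach-Object {
        $grp = $_
        # Sliding window over sorted timestamps: largest burst of failures from one source.
        $times = @($grp.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        $maxBurst = 0; $start = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            while (($times[$i] - $times[$start]) -gt $window) { $start++ }
            if (($i - $start + 1) -gt $maxBurst) { $maxBurst = $i - $start + 1 }
        }
        if ($maxBurst -ge $Threshold) {
            [pscustomobject]@{
                SourceIp  = $grp.Name
                Failures  = $grp.Count
                PeakBurst = $maxBurst
                Users     = (($grp.Group | ForEach-Object { $_.TargetUser } | Sort-Object -Unique) -join ',')
            }
        }
    }
}

# Real input: 4625 events from the local Security log, with fields pulled from the event XML.
function Get-FailedLogonEvents {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; SourceIp = $data['IpAddress']; TargetUser = $data['TargetUserName'] }
    }
}

# Constructed sample (not real log data): 12 failures from one address within two minutes
# and a single failure from another, so only the first address is reported.
$t0 = Get-Date '2014-10-01 09:00:00'
$sample = @()
foreach ($i in 1..12) { $sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(10 * $i); SourceIp = '203.0.113.7'; TargetUser = "user$i" } }
$sample += [pscustomobject]@{ TimeCreated = $t0; SourceIp = '192.0.2.5'; TargetUser = 'alice' }
Get-BruteForceCandidates -Events $sample | Format-Table -AutoSize
# Live: Get-BruteForceCandidates -Events (Get-FailedLogonEvents -Hours 24)
```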
EASY 2ND FACTOR
• Duo Security has an enterprise plan for $3/user/month
• Got a small team? Up to 10 users are free
• https://www.duosecurity.com/
• Google authenticator for web apps which use OAUTH tokenization
• Authy – http://www.authy.com
• Microsoft Phone Factor - http://azure.microsoft.com/en-us/services/multi-factor-authentication/
THREAT MODELING FOR INCIDENT RESPONSE
• Not just for web apps! Threat modeling can be used for incident response & planning
• 3 parts
1. Establish attack path
2. Table top exercise to identify controls
3. Create a security exercise that tests the controls along the path
• http://www.irongeek.com/i.php?page=videos/circlecitycon2014/117-how-to-create-an-attack-path-threat-model-wolfgang-goerlich
MORE USEFUL TOOLS
POWERSHELL SCRIPTS
• PoshSec project
• 63 cmdlets/functions in the PoshSec module
  • Account Monitoring & Control
  • Authorized Devices
  • Forensics
  • Log Management
  • Network Baseline
  • Software Management
  • Utility Functions
• http://www.powershellmagazine.com/2014/07/10/introduction-to-poshsec/
NETWORK FORENSICS
• Wireshark
• Open source multi-platform network protocol analyzer
• Hard to learn, easy to use
• Then after a while, easy to use once your use cases are established
• Time sink but it’s time well spent
• https://www.wireshark.org/
PASSWORD CRACKING
• Cain & Abel
• It can recover passwords by
  • sniffing the network,
  • cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks,
  • recording VoIP conversations,
  • decoding scrambled passwords,
  • revealing password boxes,
  • uncovering cached passwords and
  • analyzing routing protocols.
• http://www.oxid.it/cain.html
• Wordlists: http://hashcrack.blogspot.com/p/wordlist-downloads_29.html
POLICY & GOVERNANCE
OFT OVERLOOKED
• Don’t underestimate the power of governance and policy
• They not only help you manage your security workload; they can also be used in legal defense
CHANGE MANAGEMENT
• Who approves your security changes?
• Is this documented and reviewed periodically?
• Who reviews your security changes for accuracy?
• Who follows up to verify the changes are still accurate?
• Document reasons for changes, approvals and mitigations
• ARE YOU SURE?
ESTABLISH A GOVERNANCE CALENDAR
• The calendar contains your regular cadence of review activity
• You can script reminders to the entities responsible for the review
  • SharePoint
  • Google scripts (Google Calendar)
  • Internal calendaring software X
• Work this activity into your existing processes so they get prioritized
• Time box those activities!
• Get SLAs/SLOs for teams on which you rely to perform these activities
[Figure: Sample Governance Calendar, a Q1 to Q4 / Jan to Dec grid with rows for Operations, Security and Data Center; scheduled items include DR testing, Recon (twice a year), Backup testing (three times), AD review (three times), a mid-year audit and an audit]
SAMPLE GOVERNANCE CALENDAR
WHAT IS THE WEAKEST LINK?
SOCIAL VECTORS
• This is the cheapest thing you can address which has the best ROI
• TALK TO YOUR USERS!
• Don’t lecture
• Don’t debate
• Give them usable information
• Ex: with the busiest shopping day of the year coming up, create a newsletter or workshop that shows how to buy a PC – and subtly include how to secure it
A WORD ON RECOVERY
• There is no “cheap” data recovery option or configuration
• Backups must be maintained, tested and verified
• Backups are a critical security strategy, but not focused on in the CSC or DSD
YMMV
These are ideas; pick and choose, twist and tinker, and make it work for you
TOOLS & REFERENCES LIST
• http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site
• http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx - AD rights delegation
• http://sectools.org/ - List of pay and free network tools
• http://www.poshsec.com/ - PowerShell scripts that support the 20 CSC
• http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD Top 35
• http://www.counciloncybersecurity.com - Council on Cybersecurity
• http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective threat modeling
• http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry - Brian Krebs’s op-ed on the Target breach and some of the false pretense
THANK YOU
• GrrCon staff, especially EggDropX and P1nkN1ghtmare for making it happen
• #misec for being an awesome community
• You, for listening and turning your attention to the basics
CONTACT INFO
• Twitter: @JoelConverses
• Email: [email protected]
• IRC: FreeNODE #misec (joel_s_c)
• Info about misec: www.michsec.org