Managing the IT Security Octopus
Scott Grimes
Biography
● 25+ Years in IT
● Sr Systems Administrator + DevOps
● Employer: IBM iX - Helping businesses with their digital experience journey
● SysAdmin: CentOS, Ubuntu, FreeNAS, VMware
   ○ OS/2, SVR4, Solaris, AIX, Windows Server
● DBA: Oracle, SQL Server, MySQL
● Developer: HIPAA-compliant web-based EMR
● Been attending LinuxFest for 12+ years
● Personal Challenge: Make the LinuxFest Security Talk "better"
Housekeeping
The open source security landscape is changing at a dizzying pace
● It is impossible for any one person to have all current knowledge. Thank you in advance for overlooking technical details that may be out of date or now inaccurate
● All slide images are free or public domain
● Audience: End-User, Developer, SysAdmin
● I will talk to the slides, but not read them verbatim
Please hold questions / comments to the end. I plan to leave time to answer a few.
Out of Scope - Time Restriction
● Logging / Auditing
● Encryption at Rest
● Honey Pots
● Penetration Testing
● Dirty little secrets of hackers
● IPv6
● Policies + Practices
In Scope
● Increase Overall Security Awareness
● Deepen Technical Understanding
● Provide Practical Take-aways
The new “Gold” is DATA!
● Do not underestimate the value of any data
● Good security is about making things HARDER
● Good security is a combination of technology + policies / practices
● You do not need to spend a King’s ransom to implement good security
● You have way more “pirates” than you are probably aware
Hackers have become increasingly organized & sophisticated
● Russian computer science graduate. Two most profitable job opportunities
   ○ Work for the government
   ○ Hacker
● Global collaborative development network
● Agile development methods, incremental, continuous integration
● Shared code base repos
● Use SSL / TLS security. Use Encryption: their command-and-control traffic is encrypted too
● Scanning tools
● "bots" = botnets: global networks of compromised systems used for attacks or bitcoin mining
IT Security Landscape
Defenses (slide word cloud): IPsec, SSL / TLS, SSH, GPG / PGP, Multi-Factor, Patching, S/MIME, Awareness Training, Encryption Protocols, Firewalls, OS Patching, Logging
Threats (slide word cloud): Phishing, USB, Social Engineering, Keyboard / Keystroke Logger
A successful defense is "layered": no single item on that list stops everything, so you stack them
What does good digital security need to do?
1. Verify your source
2. Verify your destination
3. Prevent "man-in-the-middle" attacks
4. Setup an encrypted transport
5. Authenticate _without_ sending the secret
6. Verify what was sent did not change during transport
7. Prevent session "replay"
Layering security to apply multiple defenses

Castle          OSI Model       Security
Door + Lock     Application     Passwords, Multi-Factor, SSH, Services, Anti-Virus, Phishing
Tower           Presentation    SSL / TLS, Digital Certs
                Session
                Transport
Wall + Gate     Network         Firewall, IP Sec
                DataLink
Drawbridge      Physical        Bluetooth, Ethernet, WiFi

(The castle column is the talk's mnemonic. Strictly, TLS sits between the transport layer and the application, and SSH is itself an application-layer protocol; the map is about where each control protects you, not a protocol-stack reference.)
WiFi
It IS "safe" to broadcast your SSID name: hiding it buys nothing, the name still appears in every probe and association frame
WEP = Wired Equivalent Privacy. Exploited. Disable.
WPA = WiFi Protected Access. Weak (TKIP). Disable.
WPA2 = Enable. Use a long shared key, 32 characters. Anyone in radio range can record the four-way handshake and guess the key offline at leisure, so the key's length is the whole defense against that attack
WiFi
Q: "I'm WPA2 encrypted. I'm secure!"
A: SSID "spoofing" (the evil-twin attack):
● The hotel broadcasts "Comfort Inn"
● An attacker stands up a rogue access point also called "Comfort Inn" (it knows the shared key: every guest does) and relays everything to the real one
● Your WPA2 link is encrypted, but to the rogue AP, which now sits in the middle of every connection you make
[Diagram: client -> "Rogue Comfort Inn" -> relay -> "Comfort Inn"]
WPA2 protects the radio link; it does not prove which access point you joined. That is why the layers above it (TLS with certificate verification, SSH, a VPN) still matter on any WiFi
Layering security to apply multiple defences (OSI map repeated as a section divider; the Application row now also lists HTTPS. Next up: the Network layer, Firewall and IP Sec.)
Firewall
● Advantages
   ○ Limit access to "trusted" IPs and ports
   ○ Firewall EVERY device, not just the perimeter
● Disadvantages
   ○ "Spoof" the IP address: a rule that trusts a source address trusts whatever claims that address
   ○ Unblocked "high" ports (1024-65535): a rule set that only closes the well-known ports leaves anything listening up there reachable. Default-deny, then open what you need
   ○ Security "bugs" in the service: the firewall passes traffic to the ports you opened, so the daemon behind each one still has to be patched
[Diagram: port ranges. "Low" ports 1-1023 hold the well-known services (SSH 22, Time / NTP 123, HTTP 80, HTTPS 443); "high" ports run 1024-65535. Home = 210.90.776.55 and Internet = 12.143.67.559 are the slide's placeholder addresses. A Rogue App listening on high port 22727 is reachable from the Internet when only the low ports are filtered.]
[Diagram: Firewall Spoofing. Home allows HTTPS (443) from the Internet client at 12.143.67.559 and runs a Good App on port 22727; a Network Provider in the path carries the same address 12.143.67.559, with a Net Monitor watching. The point: an allow rule keyed on a source address cannot distinguish the intended client from another party that sends with, or forges, that address.]
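The two firewall diagrams describe behaviour that is easy to get wrong in a real rule set. What follows is an added example, not from the slides: a small first-match packet filter in Python (the chain semantics of iptables and nftables) that plays three rule sets against the same packets, so the "unblocked high ports" and "spoofed source" disadvantages can be seen rather than described. The addresses are RFC 5737 documentation addresses chosen for the example, not the slide's.

```python
# Added example: a first-match-wins packet filter (the chain semantics of
# iptables / nftables) used to compare three rule sets from the firewall slides.
# All addresses and ports here are made up for the example (RFC 5737 ranges).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PRIVILEGED_MAX = 1023            # ports 1-1023 are the "low" ports; 1024-65535 are "high"


@dataclass(frozen=True)
class Packet:
    src: str                     # source address as written on the wire; it can be forged
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    dst_ports: Optional[range] = None   # None matches every port
    src_net: Optional[str] = None       # None matches every source

    def matches(self, pkt: Packet) -> bool:
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return True


def evaluate(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """First matching rule decides; nothing matched -> the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


def port(p: int) -> range:
    return range(p, p + 1)


# 1. "Close the low ports" with an ACCEPT policy: 22/80/443 open, the rest of
#    1-1023 dropped, but anything listening above 1023 is still reachable.
BLOCK_LOW_ONLY = ([Rule("allow", port(22)), Rule("allow", port(80)), Rule("allow", port(443)),
                   Rule("deny", range(1, PRIVILEGED_MAX + 1))], "allow")

# 2. Default-deny: the same three allows with a DROP policy.
DEFAULT_DENY = ([Rule("allow", port(22)), Rule("allow", port(80)), Rule("allow", port(443))], "deny")

# 3. SSH only from the admin's "trusted" home address, HTTPS from anywhere.
TRUSTED_SOURCE = ([Rule("allow", port(22), src_net="203.0.113.55/32"), Rule("allow", port(443))], "deny")

ATTACKER = "198.51.100.7"
ADMIN_HOME = "203.0.113.55"


def rogue_app_reachable(ruleset) -> bool:
    """Can the Internet reach a rogue app listening on high port 22727?"""
    rules, policy = ruleset
    return evaluate(rules, policy, Packet(ATTACKER, 22727)) == "allow"


def ssh_allowed_from(ruleset, claimed_src: str) -> bool:
    """The filter only sees the claimed source; a forged 203.0.113.55 looks like the admin."""
    rules, policy = ruleset
    return evaluate(rules, policy, Packet(claimed_src, 22)) == "allow"


if __name__ == "__main__":
    print("block-low-only : rogue app on 22727 reachable =", rogue_app_reachable(BLOCK_LOW_ONLY))
    print("default-deny   : rogue app on 22727 reachable =", rogue_app_reachable(DEFAULT_DENY))
    print("trusted-source : ssh from attacker address    =", ssh_allowed_from(TRUSTED_SOURCE, ATTACKER))
    print("trusted-source : ssh from admin address       =", ssh_allowed_from(TRUSTED_SOURCE, ADMIN_HOME))
    # An attacker who writes 203.0.113.55 into the source field makes exactly the
    # same call as the admin; nothing in the filter can tell them apart.
    print("trusted-source : ssh with forged admin source =", ssh_allowed_from(TRUSTED_SOURCE, ADMIN_HOME))
```

The last two lines of the demo are the same call on purpose: the filter has nothing but the claimed address to go on. What actually keeps a spoofed SSH connection out is the key-based authentication behind the port, plus ingress filtering at the provider (BCP 38) so forged source addresses are dropped before they reach you.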
IP Sec[urity]
Advantages
● Whatever is running through the pipe is automatically encrypted, without the applications knowing
● Good for host to host or network to network
● Easy Windows activation
● Lots of VPN implementations
Disadvantages
● Setup required for each source / target
● Someone compromises one network, the other network is at risk: the tunnel extends trust, it does not filter
[Diagram: an IPsec tunnel between a firewall and an AWS network, keyed with Key I at one end and Key II at the other]
Layering security to apply multiple defences (OSI map repeated as a section divider; the Presentation row now lists SSL / TLS, Digital Certs, Encryption. Next up: encryption and the Presentation layer.)
Encryption Algorithms -> Strength
● Based upon a key length (128, 256, 1024, 2048, ...). Each extra bit doubles the key space, so strength grows exponentially with length, but the numbers only compare within one family: NIST rates 2048-bit RSA at roughly 112 bits of symmetric strength, below 128-bit AES
● Data "munging" algorithm (Cipher)
● CPU cycles (Time): a brute-force attacker must try, on average, half the key space
OpenSSL cipher-strength groups:
● LOW - Disable
● MEDIUM - Disable
● MEDIUM:HIGH - Disable if app < 5 years old (nothing modern needs them)
● HIGH - Keep
[Diagram: Key Space. Counting through the keys one at a time, ...0000A, ...0000B, ...0000C, ..., ...000AA, ...000AB, ...: the space is every combination of every position, and it is the size of that space, not the secrecy of the cipher, that makes guessing infeasible]
Encryption Algorithms - Trusted
● AES-256 (Advanced Encryption Standard): symmetric cipher, one shared key
● TWOFISH: symmetric cipher, an AES finalist
● SHA-256: not a cipher but a hash; used for integrity checks and signatures alongside the others
● RSA: public-key (asymmetric) encryption and signatures
● OpenPGP: the standard that GPG / PGP implement; a symmetric cipher for the data plus public keys for the recipients
Encryption Algorithms - FAQ
Q: What's a good key strength?
A: For RSA, 2048 bits or longer (the slide's estimate: good for ~100 yrs). For AES, 128 is strong and 256 is the conservative choice; the two scales are not comparable
Q: I thought encryption was slow?
A: Roughly +5% on a modern CPU
Q: Quantum Computing?
A: Movie: Sneakers = "No more secrets"
Presentation - SSL / TLS Encryption
SSL = Secure Socket Layer
TLS = Transport Layer Security
● SSL v1 - Broken, never widely shipped. Disable.
● SSL v2 - Exploited (DROWN). Disable.
● SSL v3 - Exploited (POODLE). Disable.
● TLS v1.0 - Weak. Disable.
● TLS v1.1 - Weak. Disable.
● TLS 1.2 - Available for 5 years now (RFC 5246 dates from 2008; broad client support is more recent). Solid.
● TLS 1.3 - Approved by the IETF in Mar 2018 after 4 years of development & testing (published as RFC 8446 in Aug 2018)
   ○ "major improvements in the areas of security, performance, and privacy."
   ○ Already supported in Chrome & Firefox
Presentation - HTTPS Source Verification
Inside a certificate....
Issuer: C=US, O=International Business Machines Corporation, CN=IBM INTERNAL INTERMEDIATE CA
Not Before: Mar 23 04:00:00 2018 GMT
Not After : Mar 22 03:59:59 2021 GMT
Subject: C=US, ST=Columbus, OH, L=Columbus, OH, O=ibm.com, CN=www.ibm.com/[email protected]
Public-Key: (2048 bit)
00:c1:77:95:eb:4f:5b:4b:3f:05:56:32:26:35:2a:
f6:8d:2e:1b:ed:42:e9:39:8b:ef:4d:3d:e0:01:cb:
[Diagram: the chain the browser walks. Host Cert (www.ibm.com) -> Business Intermediate Cert / Business Intermediate Srvs -> one of Root Cert 1 ... Root Cert 64 shipped in the browser / OS trust store (the slide's count; real stores hold more). DNS supplies the name-to-address step. The browser checks each signature up the chain, the Not Before / Not After window, and that the name you typed matches the Subject.]
Browser SSL/TLS Source Verification Visual
Inside a certificate....
Subject: C=US, ST=CA, L=Santa Clara, CA, O=google.com, CN=www.google.com/[email protected]
letsencrypt.org = Free. Good for 90 days, so automate the renewal
Google ranks a site higher in its search results if the entire site is served over HTTPS
HTTPS Everywhere (EFF) Firefox plugin rewrites requests to the HTTPS version of a site where one exists
Site verified vs Business verified: the first means the CA checked control of the domain name, the second that it also checked the organization behind it (extended validation); the browser shows the company name for the latter
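The protocol-version list two slides back and the certificate dates above are things to check on your own servers, not only to read about. The following is an added example, not from the slides, that does with Python's standard ssl module what openssl s_client does by hand: offer the server one protocol version at a time and report what it accepts, then work out how long the certificate has left. probe_tls_versions() needs network access; cert_days_remaining() is pure and parses exactly the "Mar 22 03:59:59 2021 GMT" format printed above (and returned by getpeercert()). The host name is the one on the slides; the 30-day renewal lead time is an assumed policy.

```python
# Added example: TLS version probe and certificate-expiry check using only the
# standard library. Network access is needed only by probe_tls_versions().
import socket
import ssl
import time
from typing import Dict, Optional

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_versions(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Offer the server exactly one protocol version per connection and record the outcome."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verifies the chain and hostname by default
        ctx.load_default_certs()
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except ValueError:                               # version compiled out of the local OpenSSL
            results[name] = "not available locally"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = f"accepted ({tls.version()}, {tls.cipher()[0]})"
        except ssl.SSLError as err:
            # NO_PROTOCOLS_AVAILABLE means your own OpenSSL security level refused to
            # offer it (typical for 1.0/1.1 on OpenSSL 3); anything else came from the server.
            results[name] = f"refused ({err.reason})"
        except OSError as err:
            results[name] = f"error ({err})"
    return results


def cert_days_remaining(not_after: str, now: Optional[float] = None) -> float:
    """not_after in certificate / getpeercert() form, e.g. 'Mar 22 03:59:59 2021 GMT'.
    Negative means already expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    return (expires - (time.time() if now is None else now)) / 86400


def should_renew(not_after: str, now: Optional[float] = None, lead_days: int = 30) -> bool:
    """Renew on a schedule, not at expiry (Let's Encrypt certs last 90 days).
    lead_days is an assumed policy, not something from the slides."""
    return cert_days_remaining(not_after, now) < lead_days


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.ibm.com"
    for name, outcome in probe_tls_versions(host).items():
        print(f"{name:8s} {outcome}")
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    print(f"notAfter {not_after}: {cert_days_remaining(not_after):.1f} days left,"
          f" renew now = {should_renew(not_after)}")
```

Run it before and after turning off TLS 1.0 / 1.1 on a server and the two outputs are the change control record. On an OpenSSL 3 client the 1.0 and 1.1 rows may come back "refused (NO_PROTOCOLS_AVAILABLE)" because the local library will not even offer them; that is the client's security level talking, not the server.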
Presentation - SSL / TLS & Risks
[Diagram, two states: the chain Host Cert (www.ibm.com) -> Business Intermediate Cert / Business Intermediate Srvs -> Root Cert, with DNS feeding the name lookup, and the traffic it protects: logon credentials, bank transactions, HIPAA / PII. In the second state a Network Sniffer sits in the path holding its own Business Intermediate Cert chained to Root Cert 1, and the slide names who can hold that position: Networking, IT Security, Cust Support, NSA | FBI.]
RISKS
● Your browser trusts every root in its store equally (Root Cert 1 ... Root Cert 64). Any of them, or any intermediate one of them signs, can issue a certificate for www.ibm.com that your browser accepts
● A corporate proxy with such an intermediate installed on your machine (the usual setup for Networking, IT Security or Customer Support to "inspect" traffic), or anyone else who has obtained one, terminates your TLS session, reads the plaintext, and re-encrypts toward the real site. You still see a padlock
● What is exposed is exactly what TLS was protecting: logon credentials (the slide lists LastPass beside them: a password manager's autofill travels over the same intercepted session), bank transactions, HIPAA / PII
● Check the issuer on the certificate your browser shows. If it is not the CA you expect for that site, someone is in the middle
Layering security to apply multiple defences (OSI map repeated as a section divider; the Network row now lists IPv4, IPv6, Firewall, IP Sec. Next up: the Application layer, starting with passwords.)
Application - Password Authentication
● NIST, 2017 (SP 800-63B) => Drop the expiring-password requirement
● NIST, 2017 => Drop the "com-plex" password requirement (mandatory upper / lower / digit / symbol mix). Found to be less secure: people satisfy it with the same predictable substitutions
● "Use a long memorized secret" rather than "a-Funki0ne". The longer, the harder to crack. 10 char minimum.
   ○ Lyric from a favorite song. Bible verse. Movie quote.
   ○ Check new passwords against a list of known-breached passwords; that is the rule NIST added in place of complexity
Half of the credential pair is easily obtainable: the username is usually your e-mail address
So authentication & authorization rest on one, hard to guess, password (which is the argument for the next slide)
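To turn the NIST guidance above into something a signup form can enforce, here is an added example, not from the slides: an acceptance check for a memorized secret (length, breach blocklist, deliberately no composition rule and no expiry) plus an entropy estimate that shows why the long lyric beats "a-Funki0ne". The blocklist is a constructed stand-in for a real breach corpus, the 10-character minimum is the slide's, and the 10 billion guesses per second is an assumed offline GPU rate against a fast hash.

```python
# Added example: NIST SP 800-63B style acceptance check for a memorized secret
# (length, breach blocklist, no composition rule, no expiry) plus an entropy
# estimate. COMMON_PASSWORDS is a constructed stand-in for a real breach corpus.
import math
from typing import List

MIN_LENGTH = 10                                   # the slide's minimum; NIST's floor is 8
MAX_LENGTH = 64                                   # NIST: accept at least 64 characters
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "a-funki0ne"}   # constructed sample


def charset_size(secret: str) -> int:
    """Size of the smallest conventional alphabet that covers the characters used."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 33                                  # printable ASCII punctuation and space
    return size


def entropy_bits(secret: str) -> float:
    """Upper bound: treats every character as uniformly random. A phrase made of
    dictionary words has less, but length still dominates."""
    return len(secret) * math.log2(charset_size(secret)) if secret else 0.0


def years_to_crack(secret: str, guesses_per_second: float = 1e10) -> float:
    """Expected offline cracking time against a fast hash at an assumed GPU rate."""
    return 2 ** entropy_bits(secret) / 2 / guesses_per_second / (365 * 86400)


def check_memorized_secret(secret: str) -> List[str]:
    """Problems found; an empty list means the secret is acceptable under these rules."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if secret.lower() in COMMON_PASSWORDS:
        problems.append("found in breached/common password list")
    # Deliberately absent: "must contain upper, lower, digit, symbol" and "expires in 90 days".
    return problems


if __name__ == "__main__":
    for candidate in ["a-Funki0ne", "Tramps like us, baby we were born to run"]:
        print(f"{candidate!r}: {entropy_bits(candidate):.0f} bits,"
              f" ~{years_to_crack(candidate):.3g} years offline,"
              f" problems={check_memorized_secret(candidate)}")
```

The entropy figure is an upper bound and a lyric is guessable by anyone who suspects you use lyrics, which is exactly why the breach/common-list check, not the arithmetic, does the real work in the acceptance function.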
Application - Multi-Factor Authentication
Two-Factor: Something you know + something you have
Example: Debit Card (the card is what you have, the PIN is what you know)
SMS Text: "token" (the weakest form: SIM swaps and SS7 interception; NIST 800-63B already discourages it)
Authy, Google Authenticator, Duo, FreeOTP: a time-limited, 6-digit, one-time code computed from a secret the app shares with the site (TOTP), not a random number
Supported: Google, Facebook, AWS, more ...
Application - Multi-Factor Authentication - Risk
Every multi-factor login ends with a session "cookie" or "key" that the app uses for authentication & authorization from then on; the second factor is not re-checked on every request.
Intercept the "cookie" or "key" and you can impersonate the user, with no password and no token needed:
● SSL / TLS "snooping" (the intermediate-certificate risk above)
● Browser plug-in with access to page content or cookies
● Rogue app reading memory on the endpoint
Application - Insecure protocols (credentials and data cross the wire in clear text)

Insecure                                   Replace with
telnet = Needs to die                      ssh
rsh = Needs to die ( Remote SHell )        ssh
FTP = Needs to die                         scp (Secure CoPy), sftp, or rsync --rsh=/bin/ssh
rcp = Needs to die ( Remote CoPy )         scp
E-mail = sending passwords UNencrypted     Add S/MIME or PGP
Application - Secure SHell (SSH)
More features & options than a swiss army knife
SSH on Windows => Client => https://www.putty.org/
openSSH => Windows Server => OpenSSH-Win64.zip
ssh-keygen -t rsa -b 2048 -C '[email protected]'
(2048 is the floor; -b 4096, or -t ed25519, costs nothing extra today. Give the key a passphrase when prompted.)
Inside the file....
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwmiquDVM+XhfaOL/f9r8iSPR4KcDr+MyCKx783VCJOL/e/D0h6rBGrY5f1r2guSFK50V3XTRikwEQBuFX6T0GejWFJiWSo9HJcmrbBfm3igBu6RjGwEtxLVOjpvHifntBAU+8UyMfxIQKC5mE+FHwxJ+WxNLfcP5QqnGGJeilEAge4IYOxjLaJeKXg2CK72hpJvQQi3Ku5+9gSb/230Vlm3dzdPK5fIcVr478oHnrbiska59+NvX4eeUhCQrp0gShE+ovPSYg2ugQr3jKIeUiLhDFM51FZvU26v/VHw1DD08AQVil7ma0h5llShLWfUEtIWZ6zxDCqbCMyjdnRm+5 [email protected]
id_rsa                        id_rsa.pub
Private Key                   Public Key
GLOBALLY UNIQUE: the pair has a cryptographic relationship; what one signs, only the other verifies
Two Factor: the key file is something you HAVE; the passphrase on it (or the account password) is something you KNOW
Both live in $HOME/.ssh/
Sharing
● Keep Private: $HOME/.ssh/id_rsa never leaves your laptop
● Share: $HOME/.ssh/id_rsa.pub. Append it to $HOME/.ssh/authorized_keys on remote system 1, and paste it into the key settings of git hosts such as stash.resource.com and github.ibm.com/ix
● On a Mac, pbcopy < ~/.ssh/id_rsa.pub puts the public key on the clipboard for pasting
SSH is picky about SECURITY
Same picture: id_rsa stays on your laptop, id_rsa.pub goes into authorized_keys on remote system 1 and into stash.resource.com / github.ibm.com/ix. The permissions have to be right or the key is refused:

Path                          Mode          Owner
$HOME/.ssh/                   drwx------    sgrimes
$HOME/.ssh/id_rsa             -rw-------    sgrimes
$HOME/.ssh/authorized_keys    -rw-------    sgrimes
$HOME/.ssh/id_rsa.pub         -rw-r--r--    sgrimes usr_group world

The client complains loudly ("Permissions 0644 for 'id_rsa' are too open") and ignores the key; sshd, with StrictModes on by default, ignores an authorized_keys file or home directory that is group- or world-writable and all you see is "Permission denied"
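Because sshd fails silently when these modes are wrong, it is worth having a check that returns findings rather than one that you eyeball. The following is an added example, not from the slides: an audit of a .ssh directory against the limits in the table above, with an optional fix that only ever clears bits. LIMITS extends the slide's four entries with the other files OpenSSH is equally picky about (config, known_hosts, ed25519 keys); those extra entries are an assumption, not something the slide lists.

```python
# Added example: audit (and optionally fix) the permissions in a ~/.ssh directory
# against the limits in the table above, returning findings instead of printing so
# it can run unattended. LIMITS extends the slide's four entries with the other
# files OpenSSH is equally picky about; the extra entries are an assumption.
import os
import stat
from pathlib import Path
from typing import Dict, List

LIMITS: Dict[str, int] = {
    ".": 0o700,                 # the directory itself
    "id_rsa": 0o600,
    "id_ed25519": 0o600,
    "config": 0o600,
    "authorized_keys": 0o600,
    "id_rsa.pub": 0o644,
    "id_ed25519.pub": 0o644,
    "known_hosts": 0o644,
}


def audit_ssh_dir(ssh_dir: Path) -> List[str]:
    """Return one finding per problem; an empty list means ssh and sshd will be happy."""
    findings = []
    for name, limit in LIMITS.items():
        path = ssh_dir / name
        if not path.exists():
            continue                                    # every entry is optional
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{name}: is a symlink")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~limit:                               # any bit beyond the allowed set
            findings.append(f"{name}: mode {mode:04o} too open (max {limit:04o})")
        if st.st_uid != os.getuid():
            findings.append(f"{name}: owned by uid {st.st_uid}, not uid {os.getuid()}")
    return findings


def fix_ssh_dir(ssh_dir: Path) -> List[str]:
    """Clear the excess bits (never adds any) and return what was changed."""
    changed = []
    for name, limit in LIMITS.items():
        path = ssh_dir / name
        if not path.exists() or path.is_symlink():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & ~limit:
            path.chmod(mode & limit)
            changed.append(f"{name}: {mode:04o} -> {mode & limit:04o}")
    return changed


if __name__ == "__main__":
    home_ssh = Path.home() / ".ssh"
    for line in audit_ssh_dir(home_ssh) or ["no findings"]:
        print(line)
```

The fix masks rather than sets, so a key you deliberately made read-only (0400) stays that way; the audit also flags symlinks and foreign ownership, both of which sshd treats as reasons to ignore the file.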
First Contact: ssh sgrimes@remote_system
Step 1, your laptop to the remote system: PROVE you are the system I think I am connecting to
● The server holds a host key pair, /etc/ssh/ssh_host_rsa_key (private) and /etc/ssh/ssh_host_rsa_key.pub (public), and signs the session with the private half
● Your laptop: "I've not seen this system before. Do you trust this hash is the server?" -> yes -> the host key is recorded in $HOME/.ssh/known_hosts. Every later connection is checked against that entry; a mismatch is a loud warning (the server was rebuilt, or someone is in the middle). Ideally confirm the fingerprint out of band the first time instead of just typing yes
Step 2, the remote system to your laptop: "I want to authenticate as sgrimes"
● Server: here is a fresh random token (bound to this session), sign it
● Laptop: signature made with $HOME/.ssh/id_rsa, sent back
● Server: does the signature verify with one of the keys in $HOME/.ssh/authorized_keys for sgrimes? Yep. You must hold the private key matching that public key. Authenticated
The private key never crosses the wire and the token differs every session, so a recording of one login cannot be replayed (items 5 and 7 on the checklist slide). Note it is a signature checked with the public key, not a token "encrypted" with the private one
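The two checks in that exchange, host key pinned on first use and user key proven by signing a fresh token, are short enough to model. Here is an added example, not from the slides and not OpenSSH's wire protocol: textbook RSA on deliberately tiny Mersenne primes so it runs with nothing but the standard library. TOY ONLY: these keys are trivially factorable and real OpenSSH signs a hash of the session identifier with 2048-bit-plus keys and proper padding; what the example shows is the shape of the trust, namely that the private key signs, the public key verifies, and a changed host key is a hard stop. The host and user names are the slide's; the prime choices and function names are the example's own.

```python
# Added example: the two checks in the first-contact sequence, modelled with
# textbook RSA on deliberately tiny Mersenne primes so it runs with nothing but
# the standard library. TOY ONLY: trivially factorable keys, no padding; real
# OpenSSH uses 2048-bit-plus keys and signs a hash of the session identifier.
import hashlib
import secrets
from typing import Dict, List, Tuple

Key = Tuple[int, int]   # (modulus n, exponent)
E = 65537

# Mersenne primes 2^31-1, 2^61-1 (laptop key) and 2^89-1, 2^107-1 (second key).
LAPTOP_PRIMES = ((1 << 31) - 1, (1 << 61) - 1)
OTHER_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)


def keygen(primes: Tuple[int, int]) -> Tuple[Key, Key]:
    """Return (public, private): what ssh-keygen writes to id_rsa.pub and id_rsa."""
    p, q = primes
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def _digest(message: bytes, n: int) -> int:
    # Toy: hash, then reduce into Z_n. Real schemes pad (PKCS#1 v1.5 / PSS) instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private: Key, message: bytes) -> int:
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public: Key, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


def fingerprint(public: Key) -> str:
    """Stable short identifier for a public key, in the spirit of `ssh-keygen -lf`."""
    n, e = public
    return "SHA256:" + hashlib.sha256(f"{e}:{n}".encode()).hexdigest()[:16]


def first_contact(known_hosts: Dict[str, str], host: str, offered: Key, answer_yes: bool) -> str:
    """Step 1: the client's known_hosts check. Pin on first use, hard-fail on change."""
    fp = fingerprint(offered)
    if host not in known_hosts:
        if not answer_yes:
            return "aborted"
        known_hosts[host] = fp
        return "pinned"
    if known_hosts[host] != fp:
        return "HOST KEY CHANGED: possible man-in-the-middle"
    return "ok"


def user_auth(authorized_keys: List[Key], private: Key) -> bool:
    """Step 2: server picks a fresh token, client signs it, server checks it against
    every key in authorized_keys. The private key never leaves the client."""
    token = secrets.token_bytes(32)
    signature = sign(private, token)
    return any(verify(public, token, signature) for public in authorized_keys)


if __name__ == "__main__":
    laptop_pub, laptop_priv = keygen(LAPTOP_PRIMES)
    host_pub, _ = keygen(OTHER_PRIMES)
    known_hosts: Dict[str, str] = {}
    print(first_contact(known_hosts, "remote_system", host_pub, answer_yes=True))   # pinned
    print(first_contact(known_hosts, "remote_system", host_pub, answer_yes=True))   # ok
    print(first_contact(known_hosts, "remote_system", laptop_pub, answer_yes=True)) # changed
    print("sgrimes with id_rsa:", user_auth([laptop_pub], laptop_priv))
    print("sgrimes without it :", user_auth([host_pub], laptop_priv))
```

The third first_contact call is the case the slide's "do you trust this hash" prompt exists for: once a host is pinned, a different key is not a new question, it is an alarm.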
Short Cuts
ssh-add = cache my private key (unlocked once with its passphrase) in the ssh-agent for this login session
scp -r -p /path/to/folder/file* sgrimes@remote_system:/path/to/store/
   -r = recursive
   -p = preserve permissions and timestamps
scp sgrimes@remote_system:/path/to/remote/file /path/to/store/locally/
rsync --rsh=ssh /path/to/folder/file* sgrimes@remote_system:/path/to/store
   (same transfer over the same SSH session, but on a re-run only the changed parts of changed files cross the wire)
Short Cuts - $HOME/.ssh/config
Host *                  <- wildcard, apply to every server
    ServerAliveInterval 180
    ServerAliveCountMax 3
Host www01
    User sgrimes
    IdentityFile ~/.ssh/id_rsa
    HostName www01.big.honking.long.fqdn
    Compression yes
(Host * sends a keepalive every 180 s and drops the session after 3 unanswered ones, i.e. 9 minutes of dead link. The www01 block lets you type "ssh www01" instead of the full user@fqdn. Keep this file mode 0600: ssh refuses a config that other users can write, "Bad owner or permissions".)
SSH tunnel - "Just-in-Time" VPN
Problem: the AWS MySQL instance db01.aws.amazon.com listens on * : 3306, and your Toad DB Browser is pointed at Host: db01.aws.amazon.com, Port: 3306. Exposing 3306 to the Internet is exactly the "open port + service bug" risk from the firewall slide
Solution: forward the port through SSH instead
ssh -f -N -L 3306:localhost:3306 sgrimes@db01
   -L 3306:localhost:3306 = a local ssh listen process on port 3306; anything that connects there is carried over the SSH session and delivered to localhost:3306 as seen from db01, i.e. the MySQL socket, which now only needs to be open on loopback
   -N = no remote command, set up the forward only
   -f = go to background once the forward is up (ssh refuses -f without -N or a command: "Cannot fork into background without a command to execute"; the slide's original line omitted the -N)
Now point Toad at Host: localhost, Port: 3306. The database port never needs a firewall hole; only SSH (22) does, and that one is key-authenticated
[Diagram: Toad -> local ssh listen process on 3306 -> SSH session -> db01.aws.amazon.com -> MySQL 3306]
Layering security to apply multiple defences (OSI map repeated as a section divider; same rows as before. Next up: Application services, clients, anti-virus and phishing.)
Application - Services
Firewall port 443 is OPEN! Whatever Application Programming Interface (API) listens behind it is now the attack surface
SQL Injection => "; SELECT * FROM users..." : user input concatenated into a query becomes part of the query. Fix: parameterised queries, never string-built SQL
https://www.site/path?security_token=aazvr... : a secret in the URL ends up in browser history, proxy and server logs, and the Referer header of every outbound link. Carry it in a header or cookie instead
Penetration Testing => Nessus (vulnerability scanning of the exposed services)
Code Reviews => Think like a bad guy
Libraries - Regular OS Patching: the service is only as patched as the libraries it links against
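The injection line above is a one-liner on the slide; seeing it land is more convincing. Here is an added example, not from the slides: the slide's "; <second statement>" shape and the simpler always-true variant run against an in-memory SQLite table, first through a query built by string formatting, then through the parameterised query that fixes it. The table contents are made up for the example.

```python
# Added example: the slide's injection run against an in-memory SQLite table,
# first through a query built by string formatting, then through a parameterised
# one. Table contents are made up for the example.
import sqlite3
from typing import List


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com"),
                    ("carol", "carol@example.com")])
    return db


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> List[str]:
    """The input is pasted into the SQL text, so the input IS SQL."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in db.execute(sql)]


def lookup_vulnerable_stacked(db: sqlite3.Connection, name: str) -> None:
    """Same bug through an API that runs several statements; this is where the
    slide's "; SELECT ..." / "; DROP ..." form lands. sqlite3.execute() refuses
    stacked statements; executescript() (and many other drivers) runs them all."""
    db.executescript(f"SELECT name FROM users WHERE name = '{name}';")


def lookup_safe(db: sqlite3.Connection, name: str) -> List[str]:
    """Parameterised: the driver sends the value separately; it can never become SQL."""
    return [row[0] for row in db.execute("SELECT name FROM users WHERE name = ?", (name,))]


def table_exists(db: sqlite3.Connection, table: str) -> bool:
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)).fetchone()
    return row is not None


FILTER_BYPASS = "' OR '1'='1"                 # turns the WHERE clause into always-true
STACKED_DROP = "x'; DROP TABLE users; --"     # the slide's "; <second statement>" shape

if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, filter bypass:", lookup_vulnerable(db, FILTER_BYPASS))
    print("safe, filter bypass      :", lookup_safe(db, FILTER_BYPASS))
    lookup_vulnerable_stacked(db, STACKED_DROP)
    print("users table still exists :", table_exists(db, "users"))
```

Whether the stacked form works depends on the driver, which is why pentest reports show both shapes; the always-true form works everywhere string-built SQL does, and the parameterised query closes both because the value never reaches the SQL parser as text.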
Applications - Client
Google Chrome => Sends profile data home
Microsoft Edge => Sends profile data home
Mozilla Firefox => "Your business is your business"
Gmail => "Reads" your e-mail. The world's largest and most invasive "advertising" platform
ProtonMail => Private, end-to-end encrypted e-mail based on OpenPGP (the standard GPG implements)
Application - AntiVirus
Anti-Virus => "We've lost." -- Symantec. Use the built-in Windows Defender rather than paying for a third-party scanner.
The better investment is backups. Encrypted, off-server, off-site, cloud based, and tested by actually restoring from them
Backblaze B2 => 270 GB, $0.54 / mo
FileServer => Scheduled hourly "snapshots", keep for 2-4 weeks (a ransomware-encrypted file becomes a file you roll back)
FreeNAS using the ZFS filesystem (snapshots are built in) => Free!
Application - Phishing Attacks
Phishing = Social Engineering: the exploit is the reader, not the software, so the technical layers above do not stop a user typing a password into a look-alike site
Phishing => Security Awareness Training => https://www.knowbe4.com/
Stay Safe Out There - Thank You!
Questions
Scott Grimes
Website: None
Blog: None
Twitter: None