Date posted: 24-Dec-2015
Who Am I
Matthew Strahan from Content Security
Principal Security Consultant
I look young, but I’ve been doing this for a while
What is this about?
• Where schools fall apart in their IT security
• How schools can have better IT security
Schools are unique in security
• Lack of time and resources
• Has highly sensitive personal information
• Users are not only untrusted, but actively distrusted
Mistake
• Just install patches ad hoc, or rely on Windows Update
• Forget half of the environment
• People are just lazy
What will happen
• Students will google “how to hack servers”
• Students will follow a handy 12 step guide
• Suddenly they have control over half the school
What should we do?
• Make sure everything is patched
• Centralised patch management
• Vulnerability assessment
Mistake
• An old library server from 10 years ago
• No-one knows who set it up
• Maybe it’s important, better not touch it
• It’s never been patched
• Contains valid passwords, connected to AD, privileged access
What will happen
• Students will google “how to hack servers”
• Students will follow a handy 12 step guide
• Students will use their access to find passwords, connect to AD, exploit privileged access
• Suddenly they get 100% in every test
What should we do?
• Remove old systems
• Keep a list of what you have, why it’s there, and if you still need it
Mistake
• Someone thinks "qwertyui" is a good password
• People put passwords on post-its
• No-one changes the password to a router
• People share their passwords
• All devices have the same password
• Local admin
What will happen?
• Students will google default passwords and find this: www.cirt.net/passwords/
• Students will google how to crack weak passwords
• Students will read post-it notes
• Students will use cracked passwords in other systems
But students don’t have specialist hardware to crack systems!
• Yes they do
• I’m not joking, they really do
• A “specialist password cracking system” is also known as an “awesome gaming system”
• >1 billion combinations per second
What should we do?
• Deployment procedure that includes changing default passwords
• Password policies enforced with group policy
• No shared passwords
Wireless Encryption Schemas
• WEP is bad
• WPA2-PSK is better than nothing, but carries risks
• WPA2 Enterprise is best
• Never use WPS
WPA2-PSK
• Shared password
• If someone has the passphrase, they can intercept all data
• Shared student passphrases lead to MITM attacks
What should we do?
• Use WPA2 Enterprise if you can
• If you have to use PSK, preconfigure devices and segment between networks if you can…still best to just use WPA2 Enterprise
Mistake
• A site has been online for the last 10 years. Who knew it was vulnerable to SQL Injection?
• “I want to access this from home”
• Weak external firewall rules
Parameter Manipulation
• http://yourschool.edu.au/getinfo.php?id=4
• Student should only be able to access id=4
• Who knew they could change the URL to id=5?
SQL Injection
• Application sends commands to the database using SQL:
  “SELECT * FROM information WHERE id = <user supplied>”
• What if <user supplied> is SQL as well?
  “SELECT * FROM information WHERE id=3 union select password from users”
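The two slides above (changing id=4 to id=5, and pasting SQL into the id parameter) share one root cause: the id value is trusted as-is. This added example, not from the talk, models the getinfo.php lookup in Python with an in-memory SQLite database (constructed sample tables named after the slide's "information" and "users") and shows the vulnerable query beside a version that binds the parameter and checks ownership.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the school's tables; not real records.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        CREATE TABLE information (id INTEGER, owner_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'teacher', 'hashed-pw-placeholder');
        INSERT INTO information VALUES (4, 4, 'student 4 report'),
                                       (5, 5, 'student 5 report');
    """)
    return db


def getinfo_vulnerable(db, user_id):
    # Mirrors the slide: the raw ?id= value is pasted straight into the SQL text,
    # so "3 union select password from users" becomes part of the query.
    sql = "SELECT body FROM information WHERE id = " + user_id
    return [row[0] for row in db.execute(sql)]


def getinfo_fixed(db, user_id, logged_in_student):
    # Fix 1: the value travels as a bound parameter, never as SQL text.
    # Fix 2: the row must belong to the logged-in student, which closes the
    #        id=4 -> id=5 parameter manipulation from the previous slide.
    try:
        wanted = int(user_id)
    except ValueError:
        return []  # anything that is not a plain integer is rejected outright
    if wanted != logged_in_student:
        return []  # a student may only read their own record
    rows = db.execute(
        "SELECT body FROM information WHERE id = ? AND owner_id = ?",
        (wanted, logged_in_student),
    )
    return [row[0] for row in rows]
```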
Cross Site Scripting
• The application allows users to post up comments
• Doesn’t think to stop users from posting HTML and JavaScript code
• JavaScript code can be used to compromise a user account
Other Mistakes
• Not patching web software: WordPress needs to be patched as well!
• Misconfiguring sites
• Bad/default admin credentials
What will happen?
• Defacements
• Stealing personal information
• Stealing financial data
• Denial of service
• Even if you’re not a target, sites can be automatically exploited
What should we do?
• Be careful what you have on the internet
• Make sure you secure your sites properly
• Make sure you patch and update your web applications
• Get them tested if you can afford it
• If you’re not sure, take it down
Mistake
• No-one thinks of printers when they think of security
• Printers can do more than print
• Often they aren’t even password protected
What will happen
• Denial of service
• Pranks, 100s of pages of juvenile creativity
• Retrieve copies of printed documents, like upcoming tests
Mistake
• All students now have laptops
• Hard to manage, patch and secure
• So we have a standard admin password...
• So we have laptop restrictions...
What will happen?
• Physical access always wins
• Never trust students
• Shared passwords will be cracked
• Client side restrictions will be bypassed
What should we do?
• ...
• Don't have shared passwords if you can avoid it.
• Never rely on client side restrictions.
Mistake
• We're a school, why would we need a firewall?
• Students can access all servers
• Students can access teacher services
What should we do?
• Use a firewall
• Server subnet, student subnet, teacher subnet
• Only allow what is necessary, block everything else
• Keep a current list of services
About Content Security
Provided services and solutions since 2000
Works to improve the security of schools (and government, banks, law, corporate, etc)
http://www.contentsecurity.com.au/