Security and Risk Management

Who Am I

Matthew Strahan from Content Security

Principal Security Consultant

I look young, but I’ve been doing this for a while

What is this about?

• Where schools fall apart in their IT security• How schools can have better IT security

Why do you need good security?

• Because any student nowadays can learn how to hack

Schools are unique in security

• Lack of time and resources• Has highly sensitive personal information• Users are not only untrusted, but actively

distrusted

Patch Management

Mistake

• Just ad hoc install patches or rely on Windows Update

• Forget half of the environment• People are just lazy

What will happen

• Students will google “how to hack servers”• Students will follow a handy 12 step guide• Suddenly they have control over half the

school

What should we do?

• Make sure everything is patched• Centralised patch management• Vulnerability assessment

Old PCs/Servers Noone Knows About

Mistake

An old library server from 10 years ago• No-one knows who set it up• Maybe it’s important, better not touch it• It’s never been patched• Contains valid passwords, connected to

AD, privileges access

What will happen

• Students will google “how to hack servers”• Students will follow a handy 12 step guide• Students will use their access to find

passwords, connect to AD, exploit privileged access

• Suddenly they get 100% in every test

What should we do?

• Remove old systems• Keep a list of what you have, why it’s

there, and if you still need it

Password Management

Mistake

• Someone thinks "qwertyui" is a good password

• People put passwords on post-its• No-one changes the password to a router• People share their passwords• All devices have the same password• Local admin

What will happen?

• Students will google default passwords and find this: www.cirt.net/passwords/

• Students will google how to crack weak passwords

• Students will read post-it notes• Students will use cracked passwords in

other systems

Default Passwords

Default Passwords

But students don’t have specialist hardware to crack systems!

• Yes they do• I’m not joking, they really do• A “specialist password cracking system” is

also known as an “awesome gaming system”

• >1 billion combinations per second

Demo

What should we do?

• Deployment procedure that includes changing default passwords

• Password policies enforced with group policy

• No shared passwords

Wireless

Mistake

• Not locking down wireless• Using Wireless insecurely• Using the wrong encryption schema

Wireless Encryption Schemas

• WEP is bad• WPA2-PSK is better than nothing, but

carries risks• WPA2 Enterprise is best• Never use WPS

WPA2-PSK

• Shared password• If someone has the passphrase, they can

intercept all data• Shared student passphrases leads to

MITM attacks

Decrypting WPA2-PSK

What should we do?

• Use WPA2 Enterprise if you can• If you have to use PSK, preconfigure

devices and segment between networks if you can…still best to just use WPA2 Enterprise

Web Applications and Internet Facing Infrastructure

Mistake

• A site has been online for the last 10 years. Who knew it was vulnerable to SQL Injection?

• “I want to access this from home”• Weak external firewall rules

Parameter Manipulation

• http://yourschool.edu.au/getinfo.php?id=4• Student should only be able to access

id=4• Who knew they could change the URL to

id=5?

SQL Injection

Application sends commands using the database using SQL:• “SELECT * FROM information

WHERE id = <user supplied>”

What if <user supplied> is SQL as well?• “SELECT * FROM information WHERE

id=3 union select password from users”

Cross Site Scripting

• The application allows users to post up comments

• Doesn’t think to stop users from posting HTML and Javascript code

• Javascript code can be used to compromise a user account

Other Mistakes

• Not patching web software: wordpress needs to be patched as well!

• Misconfiguring sites• Bad/default admin credentials

Automatic Exploitation

What will happen?

• Defacements• Stealing personal information• Stealing financial data• Denial of service• Even if you’re not a target, sites can be

automatically exploited

What should we do?

• Be careful what you have on the internet• Make sure you secure your sites properly• Make sure you patch and update your web

applications• Get them tested if you can afford it• If you’re not sure, take it down

Printers

Mistake

• No-one thinks of printers when they think of security

• Printers can do more than print• Often they aren’t even password protected

What will happen

• Denial of service• Pranks, 100s of pages of juvenile creativity• Retrieve copies of printed documents, like

upcoming tests

What should we do?

• Password protect printers• Segment them off into their own subnet

Student Laptops

Mistake

• All students now have laptops• Hard to manage, patch and secure• So we have a standard admin password...• So we have laptop restrictions...

What will happen?

• Physical access always wins• Never trust students• Shared passwords will be cracked• Client side restrictions will be bypassed

What should we do?

• ...• Don't have shared passwords if you can

avoid it.• Never rely on client side restrictions.

Network Segmentation

Mistake

• We're a school, why would we need a firewall?

• Students can access all servers• Students can access teacher services

What will happen

• Servers with personal info and marks are exposed

• Way more risk than you need

What should we do?

• Use a firewall• Server subnet, student subnet, teacher

subnet• Only allow what is necessary, block

everything else• Keep a current list of services

It’s easy to learn to hack

Overview of a pentest

Any Questions?

About Content Security

Provided services and solutions since 2000

Works to improve the security of schools (and government, banks, law, corporate, etc)

http://www.contentsecurity.com.au/