System Source Pizza Webinar 10/8 – “Ask The Security Expert: Top 10 Security Must Do’s + YOUR Questions Answered”

Date post: 12-Oct-2020
Page 1: System Source Pizza Webinar 10/8 –“Ask The Security ......Automation is good only if you can trust what’s being done. For downloaded scripted tools, verify code •Only download

System Source Pizza Webinar 10/8 – “Ask The Security Expert: Top 10 Security Must Do’s + YOUR Questions Answered”

Chris Riley, Director, System Source, [email protected]

Tony Paul Pugliese, Enterprise Consulting Engineer, System Source, [email protected]

Shawn Duffy, CISSP, Senior Security Consultant

Page 2:

Agenda

• Welcome and Intro – Chris Riley

• Shawn’s Top 5 IT Infrastructure Security Must Dos – Shawn Duffy

• Tony’s Top 5 Office 365 & Teams Security Must Dos – Tony Paul Pugliese

• How to pinpoint your security holes (hint…and your next priorities!) using security audits, assessments & vulnerability scans – Shawn Duffy

• Q & A – Chris Riley

Page 3:

We Hope You are Enjoying Your Pizza!!

If you haven’t received your pizza, then contact Mike Jones: [email protected]

Page 4:

During the Webinar…

Audio – In presentation mode

Control Panel

View webinar in full screen mode

In Chat – Tell us what you hope to learn today

In Questions – Submit your questions

Evaluation just after the webinar finishes (takes just 2 min.)

Two returned surveys will receive $25 Amazon Gift Cards (Let’s keep it fun!)

Page 5:

Page 6:

Quick wins in Securing your infrastructure

Shawn Duffy

Page 7:

#1 – Select and use a Security Framework

Available options for micro to small businesses:

• COBIT (Control Objectives for Information and Related Technologies)

• NIST 800 series (HIPAA, FISMA, CMMC / CUI)

• NIST CSF

• ISO 27000

• Industry-Specific Standards: GLP, GMP, GLBA, HITRUST, PCI DSS

Page 8:

Page 9:

Page 10:

Page 11:

Page 12:

#2 – Create a Backup Program

• Backups are sometimes all you have

• Automate them, but test

• Backups can be incremental

• Store backups offsite

• Test backups

• Protect backups from unauthorized recovery

Page 13:

#3 – Create MFA for remote access

• Biometrics

• Key fobs

• mobile applications

• digital certificates

Page 14:

#4 – Continuous Monitoring

• You don’t know what you don’t know

• Reduce time to react

• Monitor with current OSINT

• You don’t have to commit your time to it

Page 15:

#5 – Test your system often

• Security Assessments keep you aware

• Remediate based on risk levels

• Showing improvements can help with budgeting

• Detect Shadow IT

• Detect unauthorized entry-points

• Hackers are always testing

Page 16:

Top 5 (or so) Office 365 security recommendations

Tony Pugliese

Page 17:

• Protect Identities

• Protect computing resources

• Protect data

Page 18:

Protect Identities

Page 19:

1. Office 365 Azure AD MFA

• (Free) Security Defaults

• Requires all users to register for Azure Multi-Factor Authentication.

• Requires administrators to perform multi-factor authentication.

• Blocks legacy authentication protocols that don’t support Modern Authentication.

• Requires users to perform multi-factor authentication when necessary.

• Protects privileged activities like access to the Azure portal.

• The Security Defaults setting enables MFA for all users or for none.

• Without Security Defaults, per-user MFA is available through the Azure portal.

Page 20:

Azure AD MFA

• (M365 Business Premium, M365 E3, EMS E3, Azure AD Premium P1) Conditional Access

• Set policies to determine when MFA is appropriate.

• Users are prompted for multi-factor authentication only when the policy conditions apply.

• Strike a balance between security and user convenience.

• Conditions based on Trusted IP ranges, Applications, User groups.
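As an added example (not part of the webinar deck): the P1-tier policy described above, expressed with the Microsoft Graph PowerShell SDK, which requires MFA for all users on all cloud apps except sign-ins from the tenant's trusted IP ranges. It assumes the Microsoft.Graph module is installed and the signed-in admin consents to the listed scopes; the break-glass group id is a placeholder.

```powershell
# Added example (not from the webinar deck). Checks whether Security Defaults
# is on, then creates a report-only Conditional Access policy that requires
# MFA for all users on all cloud apps except sign-ins from trusted IP ranges.
# Assumes the Microsoft.Graph PowerShell SDK; the group id is a placeholder.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Security Defaults (the tenant-wide "all or none" switch) and Conditional
# Access cannot be used together; Security Defaults must be off first.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning 'Security Defaults is enabled; turn it off before Conditional Access policies can apply.'
}

$policy = @{
    displayName   = 'Require MFA outside trusted IP ranges'
    # Report-only first: the sign-in log shows who would have been prompted,
    # which is how you strike the security vs. convenience balance.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{
            includeUsers  = @('All')
            # Keep an emergency-access (break-glass) group out of scope so an
            # MFA outage cannot lock every administrator out.
            excludeGroups = @('<break-glass-group-object-id>')
        }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            # 'AllTrusted' = the Trusted IP ranges defined as named locations
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Review every policy and its state before flipping anything to 'enabled'.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, Id |
    Format-Table -AutoSize
```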

Page 21:

Azure AD MFA – Conditional Access

Page 22:

Azure AD MFA

• (Azure AD Premium P2) Risk-based Conditional Access

• Dynamic risk assessments determine when MFA is appropriate.

• Administrator sets the risk level in policy.

• A user risk represents the probability that a given identity or account is compromised.

  • Leaked Credentials – found on the Dark Web or another bad neighborhood

  • Azure AD Threat Intelligence – looks like the account is under attack

• Sign-in Risk – represents the probability that a given authentication request isn't authorized by the identity owner.

  • atypical travel

  • impossible travel

  • unfamiliar sign-in properties

  • admin confirmed user account compromised

  • malicious IP

  • malware-linked IP address

  • suspicious inbox manipulation rules

  • password spray

Page 23:

Protect Computing Resources

Page 24:

2. MFA for on-premises resources from outside

Synced accounts between AD and Office 365?

Your network and Azure AD are each providing vectors for hacking against the other.

ANY service using AD credentials that is externally available should be MFA protected:

• Exchange Web Access / admin portal

• VPN access

• Remote Desktop Services / Terminal Server / Citrix Server

• Publicly available SharePoint, Wiki or Intranet portal sites

• timesheet entry / HR portal

Page 25:

3. Use a dedicated admin account

Use it ONLY for administrative tasks

Always use it with MFA when outside your network

Never choose the option to save passwords in browser sessions

Use different accounts and / or passwords for each of your admin accounts

Log out of the admin account when done.

Page 26:

Protect Your Data

Page 27:

4. Configure Consistent Security for Office 365 / Azure services

Microsoft Teams is a front-end interface that hooks into these back-end services:

• SharePoint

• OneDrive

• Azure Groups

• Exchange

• (and some others)

Security settings from each of these components interact and can conflict:

• Guest / external (federated) Teams members

• External SharePoint and OneDrive Access

MAKE SURE YOU UNDERSTAND HOW THEY FIT TOGETHER!

Page 28:

5. Use tools you can trust

Automation is good only if you can trust what’s being done.

For downloaded scripted tools, verify the code:

• Only download and run scripted code when you can see the source.

• Especially if running as an administrator!

If you can’t see the source, find another way...

• Hire a coder to assist with <insert automation / scripting language here>

• Roll your own scripts tailored to your workflow and requirements.

• Use pre-built, packaged, commercial 3rd party tools.
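As an added example (not part of the webinar deck): a PowerShell gate for the "verify code" step above, which refuses to run a downloaded script unless its SHA-256 hash matches the value the publisher lists beside the download and its Authenticode signature is valid. The function name, the script path and the expected hash are assumptions; reading the source yourself still comes first.

```powershell
# Added example (not from the webinar deck). Gate execution of a downloaded
# script on two checks: the SHA-256 hash matches what the publisher states,
# and the Authenticode signature is valid. Path and hash are placeholders.
function Test-DownloadedScript {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    if (-not (Test-Path -Path $ScriptPath -PathType Leaf)) {
        Write-Warning "Not found: $ScriptPath"
        return $false
    }

    # Files saved by a browser carry the Mark-of-the-Web in the Zone.Identifier
    # stream; surface it so the reviewer knows this did not originate locally.
    if (Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        Write-Host "Mark-of-the-Web present: $ScriptPath came from the internet"
    }

    # 1. Hash must match the published value (-ne on strings is case-insensitive).
    $actual = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Write-Warning "Hash mismatch: expected $ExpectedSha256, got $actual"
        return $false
    }

    # 2. Signature must be present, intact and chain to a trusted publisher.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status '$($sig.Status)'; do not run unreviewed"
        return $false
    }
    Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
    return $true
}

# Usage: review the source first, then let the checks decide whether it runs.
# Placeholders: replace the path and hash with values from the publisher page.
if (Test-DownloadedScript -ScriptPath '.\tool.ps1' -ExpectedSha256 '<sha256-from-publisher>') {
    & '.\tool.ps1'
}
```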

Page 29:

6. Train your users

More than 90% of cyberattacks and resulting data breaches start with a phishing campaign.

• Users are often the weak link in security.

Weak or stolen user credentials are used in 95% of all web application attacks.

• Password theft is constantly evolving as hackers employ methods like keylogging, phishing, and pharming. Passwords are NOT security anymore!

Page 30:

6. Train your users

More credentials are lost through phishing than any other method.

Set up automated and repetitive phishing campaigns to:

• Train and test your users

• Increase awareness

• Help them spot phony links to web sites

• Make them more resistant to phishing attacks

Page 31:

How to pinpoint your security holes

Shawn Duffy

Page 32:

Audit v. Assessment

➢ Audit

Two types: Internal and External audits. A security audit is an examination of results to verify a system against specifications, standards, processes, etc., generally carried out on the basis of checklists.

➢ Assessment

Two types: Internal and External assessments. A security assessment is an evaluation of the security robustness of the system. The assessor’s experience is valuable for interpretation of the evaluation.

Page 33:

Threat v. Vulnerability v. Risk

➢ Threat (always present)

Anything that could potentially harm the system, data or infrastructure. Threats can be physical or environmental, or arise from human error or intent.

➢ Vulnerability (needs to be acted on)

A weakness or error found within a system that has the potential to be leveraged by a threat agent in order to compromise the system.

➢ Risk (the likelihood a vulnerability will be acted on)

The impact to an organization and the likelihood that a vulnerability will be exploited by a threat, whether caused by humans or the environment.

Page 34:

Effective Audits

• Determine the Checklist

• Assess Security controls and enforcements

• Reporting:

✓ Summary of Findings

✓ Prioritize (Risk Scoring)

✓ Formulate Security Solutions (POA)

Page 35:

Effective Assessment

• SME Assessor

• Strong set of tools (Commercial and Open-Src)

• Recon, Passive Information Gathering

• Active Information Gathering

• Reporting:

✓ Summary of Findings

✓ Prioritize (Risk Scoring)

✓ Formulate Security Solutions (POA)

Page 36:

Passive Information

• Social Media

• Business | Financial Reports

• Netcraft

• Email Harvesting

• Online News

• Recent Hacks

• DNS brute-forcing

• Google Dorking

Active Information

• Nmap – the network Swiss army knife

• Port & Service Probes (TCP & UDP)

• Firewall Responses (firewalking)

• Access Limitations – MFA, Session Lockouts

• Scanning Tools – Nessus, Qualys, CrowdStrike

• Web Application Testing | Fuzzing

• NetBIOS & SMB | Samba Responses

• SNMP community strings

Page 37:

Q & A

Kindly complete the survey at the end of this webinar. We will use your feedback to help us improve.

Fun Reminder… Two returned surveys will receive $25 Amazon Gift Cards

THANK YOU!

