Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | Secure Office
Motto
• Thou shalt never assume
  The Rogue Warrior's Eighth Commandment of SpecWar, Richard Marcinko, US Navy SEAL
Attackers
• External
  • don't know anything about your environment
  • can at most try to brute-force passwords
  • vulnerability scanning
• Internal
  • most severe threats
  • know their environment
  • already have at least some level of access
  • can steal data they are authorized to read
Protection: External Attackers
• Firewalls
• Antispam/Antimalware
• Software Updates
• Account Lockout
Current Internal Threats
• Assuming
• Physical security
  • computers
  • data
• Passwords
  • cracking, keyloggers
• Eavesdropping
  • wired/wireless networks
• Spam/malware
  • directed attacks
• Remote Access
  • from insecure computers
• Data theft by authorized readers
  • currently one of the most underestimated problems
Current Threats: Assumptions
Vulnerabilities
• Examples:
  • My wife crossing a road
  • PKI misconfiguration in a bank
  • Hidden accounts after a virus attack
  • Malicious mail from home vs. from work
Protection: Assumptions
• Never assume anything
• Be careful
• Know your enemy
• Don't do anything you don't understand
Current Threats to a Secure Office: Case Study
Environment
• Windows 2008 R2 Datacenter
• Windows 7 Enterprise
• Exchange 2010
• SharePoint 2010
• Hyper-V
• Office 2010
• mobile devices with ActiveSync
Current Threats to a Secure Office: Physical Security
Vulnerabilities
• Computers easily accessed by a lot of people
  • employees
  • maintenance staff
  • theft from branch offices
• Attacks
  • stealing the whole machine
  • stealing the data only
• Physical access = local administrator
Machines and Network
• Servers
  • rack security
• Data storage
• Client computers
  • desktops, notebooks
  • usually caching data
• Peripherals
• Remote offices
• Wireless and wired networks
  • AirPcap, USB Ethernet switch/netbook
Protection: Physical access
• Limit physical access
• Place computers/storage into secure locations
  • + hardware locks, cables
• Use notebooks instead of desktops
• Use remote desktop/terminal
• Encryption
Protection: BitLocker
• Disk partition encryption
  • AES
• Provide password on startup
  • prevents others from becoming an administrator
• Use TPM
  • prevents the owner from becoming an administrator
• Trusted Platform Module
  • stores the password on the motherboard
  • checks signatures of BIOS, CMOS, MBR, boot sector, loader etc.
Protection: BitLocker
• Recovery keys in Active Directory
• Windows 7 Enterprise
• Gemalto .NET smart cards
  • workstations/notebooks require a smart card to boot
  • manually enrolled
  • combined with user logon certificates
Protection: 802.1x
• Network Access
  • Ethernet, WiFi
• EAP-TLS
  • Certificate authentication
  • computer/user
  • computer + user
  • automatic enrollment, AD computer account
Protection: 802.1x (diagram: PCs and a printer connected through managed switches)
Current Threats to a Secure Office: Network Communications and Eavesdropping
Vulnerabilities
• Free network access
• No network traffic encryption
• People ignore warnings
• ARP poisoning
Protection: Firewall
• Windows Firewall
  • IP/TCP/UDP/ICMP/AH/ESP inspection
  • FTP/PPTP/IPSec pass-through
  • IP/process filters
  • Network Location Awareness
• Blocking client-to-client traffic
Protection: Eavesdropping
• IPSec encryption
  • IP filters
  • Network Location Awareness
  • internal traffic only
• Computer certificate authentication
  • automatically enrolled for the AD machine account
• AES, SHA-2
Protection: SSL Inspection
• Threat Management Gateway
  • secure remote access
  • monitor users when "uploading"
• Reverse inspection
  • Exchange, SharePoint, Terminal access
• Forward
  • Antimalware, URL classification
SSL Publishing (diagram: Internet client → TMG certificate on port 443 → LAN web server certificate on port 443)
SSL Certificate prices
• Verisign – 1999: $300/year
• Thawte – 2003: $150/year
• Go Daddy – 2005: $30/year
• GlobalSign – 2006: $250/year
• StartCom – 2009: free
SSL Assurance
• Email loopback confirmation
• Requires just a valid email address
• No assurance about the target identity
EV Certificate prices
• Verisign – 1999: $1500/year
• Thawte – 2003: $600/year
• Go Daddy – 2005: $100/year
• GlobalSign – 2006: $900/year
• StartCom – 2009: $50/year
Forward SSL Inspection (diagram: LAN clients → TMG → Internet web servers; each of the four connections shown runs on port 443 with its own certificate)
SSL Inspection (MITM) (diagram: Client ↔ Attacker/TMG ↔ Web Server; the attacker or TMG presents a false certificate with its own public/private key pair to the client, while holding the web server's certificate and public key on the other leg)
Protection: Intrusion Prevention
• Threat Management Gateway
  • Intrusion Prevention System
  • External/Internal/DMZ only
Current Threats to a Secure Office: Passwords
Vulnerabilities
• Keyloggers
  • software
  • hardware
• Cache / Local Storage
• Cracking
Local Password Storage
• Plaintext passwords
  • IE autocomplete
  • password "lockers"
  • fingerprint readers
  • service/scheduled-task accounts
• Password hashes
  • local user accounts
  • all domain accounts on Domain Controllers
  • password caches
Password Cracking
• Windows MD4 hashes
  • local storage
  • LAN network capture
  • PPTP VPN
• Offline
  • Rainbow Tables
  • severe up to 7 characters (cracked in minutes)
Protection: Passwords
• Use smart cards
  • convenient (3–5 character PIN)
  • Gemalto .NET without installation
• Require strong passwords
  • admin accounts
• Procedures, policies and audit
• Never type sensitive passwords on insecure computers
• Training
Protection: Password Policies
• For individual groups/users
  • Granular Password Policies
  • Windows 2008 Domain Functional Level and newer
• Non-complex password example
  • login: Ondrej
  • password: #.LonDo-NN.sea-s0n58
• Complex password example
  • September2011
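The two examples on this slide show that the Windows complexity filter is not a strength measure: a 20-character passphrase is rejected while "September2011" is accepted. The following Python code is an added example (not from the original slides) that models the filter's rules: at least six characters, three of the four character classes, and no part of the account name. It treats the account-name rule as rejecting any run of three or more consecutive characters of the login, which is the reading under which "#.LonDo-NN.sea-s0n58" fails for the login "Ondrej" (it contains "onD"); the exact matching rule of the real Windows filter is an assumption here.

```python
import string

def _char_classes(password: str) -> int:
    """Count how many of the four Windows character classes the password uses."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # punctuation, symbols, space
    ]
    return sum(classes)

def _name_fragments(name: str, min_len: int = 3):
    """Yield every run of min_len or more consecutive characters of the login, lowercased.
    Assumption: this reading of the 'parts of the user name' rule reproduces the slide's
    verdicts; the real Windows filter's exact matching rule is not stated on the slide."""
    name = name.lower()
    for start in range(len(name)):
        for end in range(start + min_len, len(name) + 1):
            yield name[start:end]

def check_complexity(login: str, password: str) -> list[str]:
    """Return the reasons the password fails the modelled filter; an empty list means it passes."""
    reasons = []
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    if _char_classes(password) < 3:
        reasons.append("uses fewer than 3 of the 4 character classes")
    lowered = password.lower()
    hit = next((f for f in _name_fragments(login) if f in lowered), None)
    if hit is not None:
        reasons.append(f"contains part of the account name: {hit!r}")
    return reasons

def is_complex(login: str, password: str) -> bool:
    return not check_complexity(login, password)

if __name__ == "__main__":
    # The two passwords from the slide, checked against the login "Ondrej".
    for pw in ("#.LonDo-NN.sea-s0n58", "September2011"):
        verdict = check_complexity("Ondrej", pw)
        status = "complex" if not verdict else "NOT complex: " + "; ".join(verdict)
        print(f"{pw!r}: {status}")
```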
Current Threats to a Secure Office: Spam/Malware
Spam threats
• No real prevention against spam
• Spam created anonymously
  • no traces/auditing
• Directed attacks cannot be automatically recognized
Malware Threats
• A virus is first detected only after an infection!
• Backdoors just download the real infection
  • does the antimalware know what exactly it was?
• Reinstallation of the whole domain and its passwords!
  • users tend to use the same passwords for more services
• Stability and performance