
Getting Schooled Security with no budget in a hostile environment.


Presentation Transcript


  1. Getting Schooled: Security with no budget in a hostile environment. Jim Kennedy, System Engineer, The Elyria City Schools, Elyria, Ohio

  2. WHOIS KennedyJim@ElyriaSchools.org @TonikJDK

  3. Terminology • White Hat/Black Hat • Blue Team, Red Team • Risk Assessment, Vuln Scan, Pen Test, Security Audit • Red Teaming • Pivoting • APT

  4. Environment • 14 buildings, fiber back to the data center and fiber to the Internet. • Gigabit internally, everywhere. • 7000 users: 6300 students and 700 staff. • Primarily a Microsoft/Cisco house. • 37 servers, physical and virtual; 3500 XP/Win7/Win8 desktops and 1000 iPads/Nexus tablets. • BYOD

  5. IT department • Technology Director who is hands on. • Secretary who is technically sound. She is our helpdesk and administers our Cisco phone system. • 3 desktop technicians. • 1 Network Administrator. • 1 System Engineer.

  6. Success is an epic fail • When students succeed at hacking, I have failed them. I need to know they are trying, to teach them the limits. But if they pull off a successful breach, if they pull off putting porn all over the screen, then they face suspension or expulsion. If I let them get that far, I have failed them.

  7. This is what happens

  8. Social Engineering Toolkit

  9. Metasploit

  10. Bedford City Schools, Class of 2000

  11. Threats • Outside. More high value than you think; consider the balance in our bank accounts. • Inside. The targets are very tempting to a student: tests, grades, attendance, their 'permanent' record and personal information on staff. • Surfing. A threat in its own right. They are children with hormones, so porn is high on the list, plus interests in music and free games that lead them to a ton of virus/malware laden websites. Beating the filter is extremely high value. That leads them to proxies and to trying to get staff accounts that have a more lenient filter. • BYOD

  12. What to do? • Derbycon talk three years ago. • Stop buying stuff. • Stick with what you know or you will mess it up. • The tools are there, the safeguards are there. If you dot every I and cross every T on every system, it really can be that simple. • Watch the Red Team. What are they doing, what are they bragging about, and how does that apply to my systems? • Listservs (NTSysAdmin, Patchmanagement.org), Twitter, security cons (Hack3rCon, Derbycon)

  13. Management buy-in • Embrace the security audit and get one. Pick the right one. • That probably becomes a public record. At the very least it is a written record of your network's issues. There is no debate, just a standing order: fix it.

  14. What have I got? • Document and define every system and every system interaction. • Document the software. • Document the traffic. • Document access: who needs what. Build the list with an eye towards segmentation.

  15. What is it doing? • Read the logs. • Server logs. You must audit access success and failure. • Web Filter logs. Blocks are a key metric.
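The two log sources above are only useful if somebody actually reduces them to numbers. The script below is an added example (not from the talk) that does that on a Windows server: it requires logon auditing for success and failure to be on, pulls the last day of failed logons (event 4625) and lockouts (4740) out of the Security log, and groups them so that password spraying (one source, many users) and brute force (one user, many tries) stand out. It also counts blocks per user and per category from a web-filter export; the CSV column names, the 24-hour window and the threshold of 10 failures are assumptions, so adjust them to your filter product and your noise level. Needs PowerShell 3 or later, run elevated.

```powershell
# Added example: summarise failed logons from the Security log and block counts from a
# web-filter export. Logon auditing must be enabled first (success AND failure), e.g.:
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
# Thresholds, window and the filter CSV layout are assumptions for illustration.
param(
    [int]$Hours = 24,
    [int]$FailThreshold = 10,      # assumed: report accounts/sources with >= this many 4625s
    [string]$FilterLog = ''        # optional CSV export from the web filter (assumed columns below)
)

$since = (Get-Date).AddHours(-$Hours)

# 4625 = "An account failed to log on". FilterHashtable is far faster than piping to Where-Object.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Pull the interesting fields out of each event's XML (keys are the EventData field names).
$rows = foreach ($e in $failed) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = $d['TargetUserName']
        Domain  = $d['TargetDomainName']
        Source  = $d['IpAddress']
        Station = $d['WorkstationName']
        Status  = $d['Status']      # 0xC000006D bad user/password, 0xC0000234 account locked out
        Type    = $d['LogonType']   # 2 interactive, 3 network (SMB), 10 RDP
    }
}

Write-Host "Failed logons in the last $Hours h: $(@($rows).Count)"

# Spraying: one source hitting many distinct users. Brute force: one user hit many times.
Write-Host "`nSources with >= $FailThreshold failures:"
$rows | Group-Object Source | Where-Object Count -ge $FailThreshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'DistinctUsers'; e = { @($_.Group.User | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize

Write-Host "Accounts with >= $FailThreshold failures:"
$rows | Group-Object User | Where-Object Count -ge $FailThreshold |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 4740 = account locked out; logged on the DC that locked it. Property 0 is the account,
# property 1 the computer the bad attempts came from.
Write-Host "Lockouts:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.TimeCreated)  $($_.Properties[0].Value)  from $($_.Properties[1].Value)" }

# Web-filter export. Assumed columns: User,Url,Category,Action (rename to match your product).
if ($FilterLog -and (Test-Path $FilterLog)) {
    $blocks = Import-Csv $FilterLog | Where-Object Action -eq 'Blocked'
    Write-Host "`nBlocks by user (who is pushing hardest against the filter):"
    $blocks | Group-Object User | Sort-Object Count -Descending |
        Select-Object -First 15 Count, Name | Format-Table -AutoSize
    Write-Host "Blocks by category:"
    $blocks | Group-Object Category | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name | Format-Table -AutoSize
}
```

Run it from a scheduled task on the domain controllers and a file server each morning; a student account at the top of the "accounts" table, or one lab workstation at the top of the "sources" table, is exactly the "they are trying" signal the talk says you need before the breach happens.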

  16. Nessus by Tenable • Scan yourself with Nessus regularly. http://www.tenable.com/products/nessus

  17. Intrusion detection and moar • Security Onion • http://blog.securityonion.net • IDS • Full packet capture • Reconstructs full transactions • So simple even a Windows jockey can do it • 30 minutes from download to fully running

  18. Security Onion

  19. Snorby

  20. Snorby

  21. sguil

  22. sguil

  23. Web filter • Yeah, people hate them. Sorry about that, talk to Congress. • Five strikes and you are out. • A very simple and powerful tool: this dropdown:

  24. Patch it all • MS08-067. Seriously, why do I need this slide? • 90 day patch window on average. • Remember our software documentation? That drives your third-party patching. Build a spreadsheet that lists each package, with its version and a clickable link to check for the newest.
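The spreadsheet is only as good as the version column, and that column should come from the machines rather than from memory. The script below is an added example (not the district's tooling) that reads what is actually installed from both Uninstall hives (native and Wow6432Node), compares it with a "latest known version" table, and writes the result as CSV with the vendor check link in it. The product names, versions and URLs in the `$Latest` table are placeholders I made up for illustration; maintain them from the vendor pages, the script only tells you which machines are behind.

```powershell
# Added example: third-party patch check against the installed-software inventory.
# The $Latest table is an ASSUMPTION for illustration; keep it current from vendor sites.
$Latest = @{
    'Adobe Reader'    = @{ Version = '11.0.06'; Url = 'https://get.adobe.com/reader/' }
    'Java 7 Update'   = @{ Version = '7.0.510'; Url = 'https://www.java.com/' }
    'Mozilla Firefox' = @{ Version = '27.0';    Url = 'https://www.mozilla.org/firefox/' }
}

# Both hives: 64-bit packages under Uninstall, 32-bit packages under Wow6432Node.
$paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

function ToVersion([string]$s) {
    # DisplayVersion is free text; take the leading dotted-number part so [version] can compare it.
    $m = [regex]::Match($s, '^\d+(\.\d+){1,3}')
    if ($m.Success) { [version]$m.Value } else { $null }
}

$report = foreach ($app in $installed) {
    # Match on DisplayName prefix so "Java 7 Update 45" and "Java 7 Update 51" hit the same row.
    $key = $Latest.Keys | Where-Object { $app.DisplayName -like "$_*" } | Select-Object -First 1
    if (-not $key) { continue }   # not a product we track
    $have = ToVersion $app.DisplayVersion
    $want = ToVersion $Latest[$key].Version
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Product   = $app.DisplayName
        Installed = $app.DisplayVersion
        Latest    = $Latest[$key].Version
        Status    = $(if ($have -and $want -and $have -lt $want) { 'UPDATE' } else { 'ok' })
        CheckUrl  = $Latest[$key].Url
    }
}

$report | Sort-Object Status -Descending | Format-Table -AutoSize
# One CSV per machine; concatenate them into the spreadsheet from the software documentation.
$report | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-patchcheck.csv"
```

Products that are not in `$Latest` are deliberately skipped; the point is the short list of things the red team actually targets, not every MSI ever installed.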

  25. Server hardening • Microsoft's free EMET 4.1. • Ask the red team how many boxes they have popped recently that were running EMET. • Firewall between users and servers. • Build your servers with segmentation of resources in mind so you can segment your users. Control that with your ASA and your VLANs. • Firewall on. Seriously, on Server 2008+ the firewall is on by default. • Consider taking servers out of the domain. HVAC servers on the management VLAN. • Encrypt your databases. • Patch them, all of it, especially third-party software. Veritas <sigh>.

  26. Desktop hardening via GPO • No local admin. Period. Remember our now-public-record security audit. Sorry about that, talk to the memo I got that said 'Fix it'. Control it with Restricted Groups. • EMET 4.1 • RDS for Finance and the like. • Local firewall via GPO. • Event logging with auditing on success and failure. • Hide last user login. • UAC. • Autorun off. • Software Restriction Policies.

  27. MOAR • Nuke Control Panel items. • Nuke Explorer search and menu search. • Nuke Task Manager. • Disable Run, cmd and Internet Explorer drive access, which also kills \\servername in IE. • No .bat files, no VBS in user context. • Hide the system drive. • IE Maintenance via GPO: zones, history... • Restrict EXEs in AppData (Cryptolocker).
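A GPO that exists in GPMC is not the same as a GPO that applied. The script below is an added example (not from the talk) that audits a single workstation against the desktop baseline in the two slides above by reading the registry values and group memberships the policies actually set: local Administrators membership, the EMET service, the per-profile firewall, logon auditing, hide-last-user, UAC, Autorun, the Software Restriction Policy disallow rule for AppData, and the per-user Task Manager and Run restrictions. The allowed-admins list is an assumption; put in whatever your audit says may legitimately be there. Needs PowerShell 3 or later (Windows 7/8), run elevated, and the HKCU checks are only meaningful when run as a student account.

```powershell
# Added example: check one desktop against the GPO hardening baseline.
# Reads the values the policies write, so PASS means "applied here", not "defined in GPMC".
$AllowedAdmins = @('Administrator', 'Domain Admins')   # ASSUMED: what is allowed in local Administrators

$results = New-Object System.Collections.Generic.List[object]
function Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Result = $(if ($Ok) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
}
function RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$polSys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$polExp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# 1. No local admin: enumerate local Administrators via ADSI (works without the PS5 LocalAccounts module).
$members = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
$extra = $members | Where-Object { $AllowedAdmins -notcontains $_ }
Check 'Local Administrators limited' (-not $extra) ('members: ' + ($members -join ', '))

# 2. EMET installed and running (EMET 4.x registers the EMET_Service service).
$emet = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
Check 'EMET service running' ($emet -and $emet.Status -eq 'Running') ('status: ' + $(if ($emet) { $emet.Status } else { 'not installed' }))

# 3. Local firewall on for every profile (the firewall GPO writes EnableFirewall under each profile key).
foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $v = RegValue "$fwBase\$p" 'EnableFirewall'
    Check "Firewall enabled ($p)" ($v -eq 1) "EnableFirewall=$v"
}

# 4. Logon auditing on success AND failure. auditpol /r emits CSV, which ConvertFrom-Csv parses.
$aud = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
$setting = ($aud | Select-Object -First 1).'Inclusion Setting'
Check 'Logon auditing success+failure' ($setting -eq 'Success and Failure') "setting: $setting"

# 5-7. Hide last user name, UAC, Autorun off (0xFF disables AutoRun for all drive types).
Check 'Hide last logged-on user' ((RegValue $polSys 'DontDisplayLastUserName') -eq 1) ''
Check 'UAC enabled (EnableLUA)'   ((RegValue $polSys 'EnableLUA') -eq 1) ''
$ar = RegValue $polExp 'NoDriveTypeAutoRun'
Check 'Autorun disabled' ($ar -eq 255) "NoDriveTypeAutoRun=$ar"

# 8. Software Restriction Policies: level 0 = Disallowed. Path rules live under 0\Paths\{guid}\ItemData.
#    A rule covering AppData is what stops the Cryptolocker-style "drop and run from %AppData%" loaders.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Get-ChildItem "$safer\0\Paths" -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
$appData = $disallowed | Where-Object { $_ -match 'AppData' }
Check 'SRP disallow rule for AppData' ([bool]$appData) ('rules: ' + ($disallowed -join '; '))

# 9. Per-user policies (Task Manager, Run box) are HKCU values; run as a student to see them.
$hkcuSys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$hkcuExp = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Check 'Task Manager disabled (HKCU)' ((RegValue $hkcuSys 'DisableTaskMgr') -eq 1) 'user scope'
Check 'Run dialog disabled (HKCU)'   ((RegValue $hkcuExp 'NoRun') -eq 1) 'user scope'

$results | Format-Table -AutoSize
if ($results.Result -contains 'FAIL') { exit 1 }   # non-zero exit so a scheduled run can flag drift
```

Run it from a startup script or a scheduled task and collect the exit code; a FAIL on the Administrators check is the one to chase first, because a student who gets local admin can undo every other line on the slide.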

  28. No AV • Can't think of anything it could possibly protect me from. • The occasional user profile deletion for malware. • Remember, our web filter is a finely tuned killing machine. • Remember, we have standardized images: 30 minutes to nuke and reimage.

  29. Java • EMET kills much of it. It looks for behavior, not signatures. • In other cases egress filtering and/or the web filter. With only 80 and 443 allowed out, the filter sees the exploit phoning home. • 91 percent of all attacks in 2013 were Java based. • EDU software with Java: we need to push back HARD.

  30. BYOD/Tablets • Get out in front of it; don't wait for them to dictate how it's going to happen. • "Today I want to announce our awesome new BYOD program. This is going to rock!!" • Guest network, straight out to the Internet. • GAFE (Google Apps for Education). • Good luck, enjoy. • District-owned tablets • Meraki (free). • Find them and wipe them. • Tab Pilot. • Publish apps to a custom home screen, kill the rest of it.

  31. Leverage your switches, routers and firewalls • SSH only, from the management network. • Sticky MACs. • Kill unused ports. • Yeah, it's annoying for desktop techs. Talk to the memo. • Egress filtering.
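The switch and firewall bullets above, and the "only 80 and 443 allowed out" rule from the Java slide, map onto a few dozen lines of Cisco configuration. The block below is an added example (not the district's own configuration): Cisco IOS for an access switch (SSH restricted to the management subnet, sticky MAC port security, unused ports parked in a dead VLAN and shut) followed by an ASA egress ACL for a student VLAN. The interface ranges, VLAN numbers and subnets are assumptions; it assumes an inline web filter, so if your filter is an explicit proxy, only the proxy needs outbound 80/443 and the client subnet gets nothing.

```cisco
! ---------- Access switch (IOS); assumed: management subnet 10.0.99.0/24, users on VLAN 20 ----------
! SSH only, and only from the management network. The deny ... log line shows you who else is knocking.
ip access-list standard MGMT-ONLY
 permit 10.0.99.0 0.0.0.255
 deny   any log
!
ip ssh version 2
line vty 0 15
 transport input ssh
 access-class MGMT-ONLY in
 exec-timeout 10 0
!
! Sticky MACs: the first MAC seen on the port is written into the running config as the only
! allowed address; a second MAC (rogue switch, hub, spoofed staff machine) errdisables the port.
interface range GigabitEthernet1/0/1 - 40
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Kill unused ports: dead VLAN plus shutdown, so a student cannot plug in behind a cabinet.
interface range GigabitEthernet1/0/41 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Let a port-security violation clear itself after 5 minutes instead of needing a desk visit
! (this is the concession to the desktop techs mentioned on the slide).
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! ---------- ASA egress (assumed: student VLAN 10.0.20.0/24 behind interface "inside") ----------
! Only web out. Everything else, including a Java exploit calling home on an odd port, is dropped and logged.
access-list INSIDE_OUT extended permit tcp 10.0.20.0 255.255.255.0 any eq 80
access-list INSIDE_OUT extended permit tcp 10.0.20.0 255.255.255.0 any eq 443
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

Check the effect with `show port-security interface GigabitEthernet1/0/1` on the switch (the sticky address should appear under "Last Source Address") and `show access-list INSIDE_OUT` on the ASA, where the hit count on the final deny line is the egress-filtering metric worth graphing.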

  32. It never ends • Have management read the memo they gave you dictating 'fix it' from the audit. • Point out that this takes time. I negotiated 20 percent of my time for this: one day a week, Wednesday. If my boss pulls me off, I ask him to talk to the memo about it.
