Security and Risk Management
Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for a while
What is this about? • Where schools fall apart in their IT security • How schools can have better IT security
Why do you need good security? • Because any student nowadays can learn how to hack
Schools are unique in security • Lack of time and resources • Hold highly sensitive personal information • Users are not only untrusted, but actively distrusted
Mistake • Install patches ad hoc or just rely on Windows Update • Forget half of the environment • People are just lazy
What will happen • Students will google “how to hack servers” • Students will follow a handy 12 step guide • Suddenly they have control over half the school
What should we do? • Make sure everything is patched • Centralised patch management • Vulnerability assessment
Mistake • An old library server from 10 years ago • No-one knows who set it up • Maybe it’s important, better not touch it • It’s never been patched • Contains valid passwords, connected to AD, privileged access
What will happen • Students will google “how to hack servers” • Students will follow a handy 12 step guide • Students will use their access to find passwords, connect to AD, exploit privileged access • Suddenly they get 100% in every test
What should we do? • Remove old systems • Keep a list of what you have, why it’s there, and if you still need it
Mistake • Someone thinks "qwertyui" is a good password • People put passwords on post-its • No-one changes the password to a router • People share their passwords • All devices have the same password • Local admin
What will happen? • Students will google default passwords and find this: www.cirt.net/passwords/ • Students will google how to crack weak passwords • Students will read post-it notes • Students will use cracked passwords in other systems
But students don’t have specialist hardware to crack systems! • Yes they do • I’m not joking, they really do • A “specialist password cracking system” is also known as an “awesome gaming system” • >1 billion combinations per second
What should we do? • Deployment procedure that includes changing default passwords • Password policies enforced with group policy • No shared passwords
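To put a number on the "awesome gaming system" slide and on what a group-policy password rule should enforce, here is an added example (not from the original presentation). It takes the slide's figure of one billion guesses per second and estimates how long a brute-force search of the full keyspace would take for a given password, then checks the password against a hypothetical policy (12 characters, three character classes; those thresholds are assumptions, not the author's).

```python
import string

# Figure from the slides: a consumer gaming GPU manages more than a billion
# guesses per second against a leaked password hash (offline cracking).
GUESSES_PER_SECOND = 1_000_000_000

# Character classes used to estimate the keyspace an attacker must search.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Which character classes actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def charset_size(password):
    """Size of the smallest obvious alphabet that contains every character of the password."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def seconds_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Upper bound for the attacker: try every string of this length over this alphabet."""
    return charset_size(password) ** len(password) / rate


def meets_policy(password, min_length=12, min_classes=3):
    """Hypothetical policy (assumed values), the kind of rule group policy would enforce."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes


if __name__ == "__main__":
    # Constructed sample passwords; the first is the one named on the slide.
    for pw in ["qwertyui", "Correct-Horse-Battery-9"]:
        print(f"{pw!r}: policy ok={meets_policy(pw)}, "
              f"full keyspace exhausted in {seconds_to_exhaust(pw):.0f} s")
```

The keyspace figure is the attacker's worst case. "qwertyui" is eight lowercase letters, so even exhaustive search is a matter of minutes at the slide's rate, and a wordlist attack finds it in well under a second because it is a keyboard pattern; length and class count are only meaningful once common patterns are excluded.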
Mistake • Not locking down wireless • Using wireless insecurely • Using the wrong encryption scheme
Wireless Encryption Schemes • WEP is bad • WPA2-PSK is better than nothing, but carries risks • WPA2 Enterprise is best • Never use WPS
WPA2-PSK • Shared password • If someone has the passphrase, they can intercept all data • Shared student passphrases lead to MITM attacks
What should we do? • Use WPA2 Enterprise if you can • If you have to use PSK, preconfigure devices and segment between networks if you can… it’s still best to just use WPA2 Enterprise
Mistake • A site has been online for the last 10 years. Who knew it was vulnerable to SQL Injection? • “I want to access this from home” • Weak external firewall rules
Parameter Manipulation • http://yourschool.edu.au/getinfo.php?id=4 • Student should only be able to access id=4 • Who knew they could change the URL to id=5?
SQL Injection Application sends commands to the database using SQL: • “SELECT * FROM information WHERE id = <user supplied>” What if <user supplied> is SQL as well? • “SELECT * FROM information WHERE id=3 union select password from users”
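The two slides above (parameter manipulation and SQL injection) share one root cause and one fix, so here is a single added example, not code from the presentation. It builds a constructed SQLite database with an information table and a users table, shows the getinfo.php pattern with the user-supplied id pasted into the query string, and then the corrected version: a parameterised query plus an ownership check so that a student asking for id=5 gets nothing unless the record is theirs. Table contents, the owner column and the function names are assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the school database on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE information (id INTEGER PRIMARY KEY, owner TEXT, record TEXT);
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
        INSERT INTO information VALUES (4, 'alice', 'alice report card');
        INSERT INTO information VALUES (5, 'bob', 'bob report card');
        INSERT INTO users VALUES ('admin', 'hunter2');
    """)
    return conn


def getinfo_vulnerable(conn, user_supplied):
    """The slide's mistake: the untrusted value becomes part of the SQL text.

    Anyone can read id=5, and a value that is itself SQL (the slide's union
    example) pulls rows from a table the page never meant to expose.
    """
    sql = "SELECT record FROM information WHERE id = " + user_supplied
    return [row[0] for row in conn.execute(sql)]


def getinfo_fixed(conn, current_user, user_supplied):
    """Corrected version.

    1. The id is converted to an integer and bound as a parameter, so it can
       never be interpreted as SQL.
    2. The query also filters on the logged-in user, so changing the URL to
       another id returns nothing (authorisation is enforced server side).
    """
    try:
        record_id = int(user_supplied)
    except ValueError:
        return []  # not a valid id; reject rather than guess
    rows = conn.execute(
        "SELECT record FROM information WHERE id = ? AND owner = ?",
        (record_id, current_user),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    injected = "3 union select password from users"  # payload quoted on the slide
    print("vulnerable, id=5     :", getinfo_vulnerable(db, "5"))
    print("vulnerable, injected :", getinfo_vulnerable(db, injected))
    print("fixed, alice id=4    :", getinfo_fixed(db, "alice", "4"))
    print("fixed, alice id=5    :", getinfo_fixed(db, "alice", "5"))
    print("fixed, injected      :", getinfo_fixed(db, "alice", injected))
```

The parameterised query alone stops injection but not the id=5 problem; the ownership filter alone stops id=5 but not injection. A ten-year-old site typically lacks both, which is why "get it tested" and "take it down if unsure" are on the later slide.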
Cross Site Scripting • The application allows users to post up comments • Doesn’t think to stop users from posting HTML and Javascript code • Javascript code can be used to compromise a user account
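An added example for the comment-posting mistake, not from the original deck: the comment is rendered into HTML twice, once as-is (the slide's mistake) and once escaped on output with Python's html.escape, so a browser displays a posted script tag as text instead of executing it. The sample comments and the check function are constructed for the demonstration; the check is only there to make the difference visible and is not a sanitiser.

```python
import html
import re

# Constructed sample comments; the third is what someone pastes to test the form.
SAMPLE_COMMENTS = [
    "Great lesson today!",
    "Tom & Jerry's \"homework\" was late",
    "<script>alert('xss')</script>",
]


def render_comment_unsafe(comment):
    """The slide's mistake: user text is dropped straight into the page."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """Escape on output: &, <, >, quotes become entities the browser shows as text."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


# Crude pattern for tags and event-handler attributes that would run script.
ACTIVE_HTML = re.compile(r"<\s*(script|iframe|object|embed|svg)\b|\son\w+\s*=", re.IGNORECASE)


def has_active_markup(rendered):
    """Demonstration aid only: does the rendered HTML still contain live markup?"""
    return ACTIVE_HTML.search(rendered) is not None


if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        for name, render in (("unsafe", render_comment_unsafe), ("safe", render_comment_safe)):
            out = render(comment)
            print(f"{name:6} active={has_active_markup(out)!s:5} {out}")
```

Escaping at the point of output is the reliable layer: trying to strip "bad" tags on input misses encodings and new tag types, whereas entity-encoding everything that is not trusted HTML leaves nothing for the browser to execute.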
Other Mistakes • Not patching web software: WordPress needs to be patched as well! • Misconfiguring sites • Bad/default admin credentials
What will happen? • Defacements • Stealing personal information • Stealing financial data • Denial of service • Even if you’re not a target, sites can be automatically exploited
What should we do? • Be careful what you have on the internet • Make sure you secure your sites properly • Make sure you patch and update your web applications • Get them tested if you can afford it • If you’re not sure, take it down
Mistake • No-one thinks of printers when they think of security • Printers can do more than print • Often they aren’t even password protected
What will happen • Denial of service • Pranks, 100s of pages of juvenile creativity • Retrieve copies of printed documents, like upcoming tests
What should we do? • Password protect printers • Segment them off into their own subnet
Mistake • All students now have laptops • Hard to manage, patch and secure • So we have a standard admin password... • So we have laptop restrictions...
What will happen? • Physical access always wins • Never trust students • Shared passwords will be cracked • Client side restrictions will be bypassed
What should we do? • ... • Don't have shared passwords if you can avoid it. • Never rely on client side restrictions.
Mistake • We're a school, why would we need a firewall? • Students can access all servers • Students can access teacher services
What will happen • Servers with personal info and marks are exposed • Way more risk than you need
What should we do? • Use a firewall • Server subnet, student subnet, teacher subnet • Only allow what is necessary, block everything else • Keep a current list of services
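The last slide's advice (three subnets, allow only what is necessary, keep a list of services) can be written down as data and checked, which is what this added example does; it is not code from the presentation. The subnet ranges, the service list and the sample flows are all constructed assumptions. The policy is default deny: a flow between zones passes only if an explicit entry matches, and an address outside every known subnet is treated as untrusted.

```python
import ipaddress

# Assumed address ranges for the three subnets the slide names.
ZONES = {
    "student": ipaddress.ip_network("10.10.0.0/16"),
    "teacher": ipaddress.ip_network("10.20.0.0/16"),
    "server": ipaddress.ip_network("10.30.0.0/16"),
}

# "Keep a current list of services" as data: (source zone, destination zone,
# protocol, port). Anything not listed here is denied. Entries are constructed.
ALLOWED_SERVICES = {
    ("student", "server", "tcp", 443),   # learning portal over HTTPS
    ("student", "server", "udp", 53),    # DNS
    ("teacher", "server", "tcp", 443),
    ("teacher", "server", "tcp", 445),   # staff file shares, staff only
    ("teacher", "server", "tcp", 3389),  # remote admin of servers, staff only
}


def zone_of(ip):
    """Map an address to its zone; None means it is not in any known subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, port):
    """Default-deny decision: only an explicit service entry lets a flow through."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown addresses are never trusted
    if src == dst:
        return True  # traffic inside one subnet is not crossing the firewall
    return (src, dst, proto, port) in ALLOWED_SERVICES


def audit(flows):
    """Label each (src, dst, proto, port) flow so a log can be compared with the policy."""
    return [(flow, "ALLOW" if is_allowed(*flow) else "DENY") for flow in flows]


if __name__ == "__main__":
    # Constructed sample flows, e.g. from a firewall log.
    sample_flows = [
        ("10.10.5.7", "10.30.0.10", "tcp", 443),   # student to portal
        ("10.10.5.7", "10.30.0.10", "tcp", 445),   # student to file share
        ("10.10.5.7", "10.20.1.1", "tcp", 445),    # student to teacher laptop
        ("10.20.1.1", "10.30.0.10", "tcp", 445),   # teacher to file share
        ("192.168.1.1", "10.30.0.10", "tcp", 443), # address from no known zone
    ]
    for flow, decision in audit(sample_flows):
        print(decision, flow)
```

Keeping the service list in a reviewable form like this also answers the earlier "old library server" slide: a server that appears in no entry is a candidate for removal, and a rule with no known owner is a candidate for deletion.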