Getting Schooled: Security with no budget in a hostile environment. Jim Kennedy, System Engineer, The Elyria City Schools, Elyria, Ohio
WHOIS KennedyJim@ElyriaSchools.org @TonikJDK
Terminology • White Hat/Black Hat • Blue Team, Red Team • Risk Assessment, Vuln Scan, Pen Test, Security Audit • Red Teaming • Pivoting • APT
Environment • 14 buildings, fiber back to the data center and fiber to the Internet. • Internal gigabit everywhere. • 7000 users: 6300 students and 700 staff. • Primarily a Microsoft/Cisco house. • 37 servers, physical and virtual; 3500 XP/Win7/Win8 desktops; 1000 iPads/Nexus tablets. • BYOD
IT department • Technology Director who is hands on. • A secretary who is technically sound; she is our helpdesk and administers our Cisco phone system. • 3 desktop technicians. • 1 network administrator. • 1 system engineer.
Success is an epic fail • When students succeed at hacking, I have failed them. I need to know they are trying, so I can teach them the limits. But if they pull off a successful breach, if they put porn all over the screens, they face suspension or expulsion. If I let them get that far, I have failed them.
Threats • Outside. More high value than you think; consider the balance in our bank accounts. • Inside. The targets are very tempting to a student: tests, grades, attendance, their 'permanent' record, and personal information on staff. • Surfing. A threat in its own right. They are children with hormones; porn is high on the list. Add interests in music and free games that lead them to a ton of virus/malware-laden websites. Beating the filter is extremely high value, which leads them to proxies and to trying to get staff accounts that have a more lenient filter. • BYOD
What to do? • Derbycon talk three years ago. • Stop buying stuff. • Stick with what you know or you will mess it up. • The tools are there, the safeguards are there. Dot every I and cross every T on every system; it really can be that simple. • Watch the red team. What are they doing, what are they bragging about, and how does that apply to my systems? • Listservs: NTSysAdmin, Patchmanagement.org. • Twitter. • Security cons (Hack3rCon, Derbycon).
Management buy-in • Embrace the security audit and get one. Pick the right one. • That probably becomes a public record. At the very least it is a written record of your network's issues. There is no debate, just a standing order: fix it.
What have I got? • Document and define every system and every system interaction. • Document the software. • Document the traffic. • Document access. Who needs what, build a list with an eye towards segmentation.
What is it doing? • Read the logs. • Server logs. You must audit access successes and failures. • Web filter logs. Blocks are a key metric.
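As an added example (mine, not the speaker's), here is the "audit success and failure" bullet turned into something you can read every morning: failed logons (Security event 4625) grouped by target account and by source address. The first grouping shows a student hammering one staff account; the second shows one lab machine walking through many accounts once each, which a per-account threshold never catches. It assumes PowerShell 3 or later, that logon-failure auditing is already enabled by GPO, and thresholds that are my choice; the sample events are constructed so the script runs offline with -UseSampleData.

```powershell
# Failed-logon report from the Security log (added example, not from the talk).
# Assumes PS 3+, logon-failure auditing enabled, and the thresholds below (my choices).
param(
    [int]$Hours = 24,
    [int]$PerAccountThreshold = 10,  # failures against one account -> password guessing
    [int]$SprayAccountThreshold = 5, # distinct accounts from one source -> spray / scripted walk
    [switch]$UseSampleData           # use the constructed events below, no event log needed
)

function Get-FailedLogons {
    param([int]$Hours)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction Stop |
        ForEach-Object {
            # 4625 EventData positions: 5 TargetUserName, 10 LogonType, 19 IpAddress
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Account     = $_.Properties[5].Value
                LogonType   = $_.Properties[10].Value
                Source      = $_.Properties[19].Value
            }
        }
}

function Get-LogonFailureReport {
    param([object[]]$Events, [int]$PerAccountThreshold, [int]$SprayAccountThreshold)
    $findings = @()
    # Many failures against one account, from anywhere: someone guessing that password.
    foreach ($g in ($Events | Group-Object Account)) {
        if ($g.Count -ge $PerAccountThreshold) {
            $sources = $g.Group | ForEach-Object { $_.Source } | Sort-Object -Unique
            $findings += [pscustomobject]@{
                Kind = 'Guessing'; Key = $g.Name; Failures = $g.Count
                Detail = 'from ' + ($sources -join ', ')
            }
        }
    }
    # One source touching many accounts, even once each: a spray or a scripted walk.
    foreach ($g in ($Events | Group-Object Source)) {
        $accounts = @($g.Group | ForEach-Object { $_.Account } | Sort-Object -Unique)
        if ($accounts.Count -ge $SprayAccountThreshold) {
            $findings += [pscustomobject]@{
                Kind = 'Spray'; Key = $g.Name; Failures = $g.Count
                Detail = "$($accounts.Count) accounts: " + ($accounts -join ', ')
            }
        }
    }
    $findings
}

# Constructed sample: 12 failures against one staff account from one lab machine,
# one machine trying six student accounts once each, and a user who mistyped twice.
function New-SampleEvent ($Account, $Source, $MinutesAgo) {
    [pscustomobject]@{ TimeCreated = (Get-Date).AddMinutes(-$MinutesAgo)
                       Account = $Account; LogonType = 3; Source = $Source }
}
$sample = @()
foreach ($i in 1..12) { $sample += New-SampleEvent 'teacher1' '10.10.5.23' $i }
foreach ($a in 'stu101','stu102','stu103','stu104','stu105','stu106') { $sample += New-SampleEvent $a '10.10.7.40' 30 }
foreach ($i in 1..2)  { $sample += New-SampleEvent 'mjones' '10.10.5.9' (40 + $i) }

$events = if ($UseSampleData) { $sample } else { @(Get-FailedLogons -Hours $Hours) }
Get-LogonFailureReport -Events $events -PerAccountThreshold $PerAccountThreshold `
    -SprayAccountThreshold $SprayAccountThreshold | Format-Table -AutoSize
```

Run it with -UseSampleData and you get two rows: a Guessing finding for teacher1 from 10.10.5.23 and a Spray finding for 10.10.7.40 across six accounts; mjones does not appear. Against the real log, run it on the domain controllers, since that is where domain logon failures land; the web filter logs answer the same question for blocks.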
Nessus by Tenable • Scan yourself with Nessus regularly. http://www.tenable.com/products/nessus
Intrusion detection and moar • Security Onion • http://blog.securityonion.net • IDS • Full packet capture • Reconstructs full transactions • So simple even a Windows jockey can do it • 30 minutes from download to fully running
Web filter • Yeah, people hate them. Sorry about that; talk to Congress. • Five strikes and you are out. • A very simple and powerful tool: this dropdown:
Patch it all • MS08-067. Seriously, why do I need this slide? • 90-day patch window on average. • Remember our software documentation? That drives your third-party patching. Build a spreadsheet that lists each product, with its installed version and a clickable link to check for the newest release.
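The spreadsheet works until someone sorts "7.0.9" above "7.0.51". As an added example (not from the talk), the same sheet as a CSV with the two checks a spreadsheet does badly: a numeric version comparison and the 90-day clock from the slide. The rows are constructed; product names, versions, dates and URLs are placeholders, not real release data. Assumes PowerShell 3 or later.

```powershell
# Third-party patch sheet with a real version compare and the 90-day window
# (added example, not from the talk). CSV rows are constructed placeholders. Assumes PS 3+.
$PatchWindowDays = 90

$inventory = @'
Product,Installed,Latest,LatestReleased,CheckUrl
Java 7 JRE,7.0.45,7.0.51,2014-01-14,http://example.invalid/java
PDF reader,11.0.5,11.0.6,2014-01-14,http://example.invalid/reader
Browser,26.0,27.0,2014-02-04,http://example.invalid/browser
Media player,2.1.2,2.1.2,2013-12-04,http://example.invalid/player
'@ | ConvertFrom-Csv

function Get-PatchStatus {
    param([object[]]$Rows, [int]$WindowDays, [datetime]$AsOf = (Get-Date))
    foreach ($r in $Rows) {
        # [version] compares numerically, so 7.0.51 > 7.0.9; a string compare gets that wrong.
        $behind = $false
        try   { $behind = [version]$r.Installed -lt [version]$r.Latest }
        catch { Write-Warning "$($r.Product): non-numeric version, falling back to string compare"
                $behind = $r.Installed -ne $r.Latest }
        $age = ($AsOf - [datetime]$r.LatestReleased).Days
        if (-not $behind)             { $status = 'Current' }
        elseif ($age -gt $WindowDays) { $status = 'OVERDUE' }   # outside the 90-day window
        else                          { $status = 'Pending' }
        [pscustomobject]@{
            Product = $r.Product; Installed = $r.Installed; Latest = $r.Latest
            Status = $status; DaysSinceRelease = $age; Check = $r.CheckUrl
        }
    }
}

# AsOf is pinned so the constructed rows give the same answer every run; drop it for real use.
Get-PatchStatus -Rows $inventory -WindowDays $PatchWindowDays -AsOf ([datetime]'2014-04-20') |
    Sort-Object Status -Descending | Format-Table -AutoSize
```

With the pinned date the first two rows come out OVERDUE (96 days), the browser is Pending and the media player is Current. Feed it the real sheet with Import-Csv and the Check column is the clickable link the slide asks for.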
Server hardening • Microsoft's free EMET 4.1. • Ask the red team how many boxes they have popped recently that were running EMET. • Firewall between users and servers. • Build your servers with segmentation of resources in mind so you can segment your users. Control that with your ASA and your VLANs. • Firewall on. Seriously, on Server 2008+ the Windows Firewall is on by default. • Consider taking servers out of the domain. HVAC servers on a management VLAN. • Encrypt your databases. • Patch them, all of it, especially third-party software. Veritas <sigh>.
Desktop hardening via GPO • No local admin. Period. Remember our now-public-record security audit. Sorry about that; talk to the memo I got that said 'Fix it'. Control it with Restricted Groups. • EMET 4.1. • RDS for Finance and the like. • Local firewall via GPO. • Event logging with auditing of success and failure. • Hide last user login. • UAC. • Autorun off. • Software Restriction Policies.
MOAR • Nuke Control Panel items. • Nuke Explorer search and menu search. • Nuke Task Manager. • Disable Run, cmd, and Internet Explorer drive access, which also kills \\servername in IE. • No .bat files, no VBS in user context. • Hide the system drive. • IE Maintenance via GPO: zones, history, ... • Restrict exe's in AppData (CryptoLocker).
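A GPO is only a promise; a machine that fell out of the OU, or a tech's "temporary" local admin, silently breaks it. As an added example (mine, not the speaker's), a spot-check that reads the controls from the two slides above back off a workstation: local Administrators membership against the Restricted Groups list, firewall state per profile, logon auditing, hide-last-user, UAC, autorun, and whether a Disallowed Software Restriction path rule covers AppData. Run elevated on Win7 or later with PowerShell 3 or later. The registry locations are the standard policy keys; the allowed-admin list, the domain name, and English-language output from net and auditpol are my assumptions.

```powershell
# GPO baseline spot-check for a desktop (added example, not from the talk). Run elevated,
# Win7+/PS3+. Registry paths are the standard policy keys; the allowed-admin list below is
# my assumption, adjust it to your Restricted Groups policy. English net/auditpol output assumed.
$AllowedLocalAdmins = @('Administrator', 'ELYRIA\Domain Admins', 'ELYRIA\Desktop Techs')  # assumed

$results = New-Object System.Collections.ArrayList
function Add-Result ($Control, $Pass, $Detail) {
    $r = [pscustomobject]@{ Control = $Control; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
    [void]$results.Add($r)
}
function Get-RegValue ($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$PolSystem   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolExplorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SaferDisallowedPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'  # level 0 = Disallowed

# 1. No local admin: every member of Administrators must be on the allowed list.
$members = net localgroup Administrators |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command)' } |
    ForEach-Object { $_.Trim() }
$extra = @($members | Where-Object { $AllowedLocalAdmins -notcontains $_ })
Add-Result 'Local Administrators restricted' ($extra.Count -eq 0) ('unexpected: ' + ($extra -join ', '))

# 2. Local firewall on for every profile.
$fwOff = @(netsh advfirewall show allprofiles state | Where-Object { $_ -match '^State\s+OFF' })
Add-Result 'Windows Firewall on (all profiles)' ($fwOff.Count -eq 0) "$($fwOff.Count) profile(s) off"

# 3. Logon auditing set to Success and Failure.
$audit = @(auditpol /get /subcategory:"Logon" 2>&1)
$auditOk = @($audit | Where-Object { $_ -match '^\s*Logon\s+Success and Failure' }).Count -gt 0
Add-Result 'Audit Logon success+failure' $auditOk 'auditpol /get /subcategory:Logon'

# 4. Hide last logged-on user, 5. UAC, 6. Autorun off on all drive types.
Add-Result 'Hide last user name' ((Get-RegValue $PolSystem 'DontDisplayLastUserName') -eq 1) 'DontDisplayLastUserName=1'
Add-Result 'UAC enabled'          ((Get-RegValue $PolSystem 'EnableLUA') -eq 1)              'EnableLUA=1'
Add-Result 'Autorun disabled'     ((Get-RegValue $PolExplorer 'NoDriveTypeAutoRun') -eq 255) 'NoDriveTypeAutoRun=0xFF'

# 7. Software Restriction Policy: a Disallowed path rule that covers AppData (the CryptoLocker rule).
$srpPaths = @(Get-ChildItem $SaferDisallowedPaths -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData })
$appData = @($srpPaths | Where-Object { $_ -match 'AppData' })
Add-Result 'SRP disallows AppData executables' ($appData.Count -gt 0) ($appData -join '; ')

$results | Format-Table -AutoSize
# Non-zero exit so an Invoke-Command sweep across a lab can count the machines that drifted.
if (@($results | Where-Object { $_.Result -eq 'FAIL' }).Count -gt 0) { exit 1 }
```

Run it on one machine in each OU after a GPO change, or push it with Invoke-Command and collect the exit codes; the point is to find the box where "no local admin" is true on paper and false on the desk.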
No AV • Can't think of anything it could possibly protect me from. • The occasional user profile deletion for malware. • Remember, our web filter is a finely tuned killing machine. • Remember, we have standardized images: 30 minutes to nuke and re-image.
Java • EMET kills much of it; it looks for behavior, not signatures. • In other cases, egress filtering and/or the web filter. With only 80 and 443 allowed out, the filter sees the exploit phoning home. • 91 percent of all attacks in 2013 were Java based. • EDU software with Java: we need to push back HARD.
BYOD/Tablets • Get out in front of it; don't wait for them to dictate how it's going to happen. • "Today I want to announce our awesome new BYOD program. This is going to rock!!" • Guest network, straight out to the Internet. • GAFE. • Good luck, enjoy. • District-owned tablets: • Meraki (free). • Find them and wipe them. • Tab Pilot. • Publish apps to a custom home screen; kill the rest of it.
Leverage your switches, routers and firewalls • SSH only, and only from the management network. • Sticky MACs (port security). • Kill unused ports. • Yeah, it's annoying for desktop techs. Talk to the memo. • Egress filtering.
It never ends • Have management re-read the memo they gave you dictating 'fix it' from the audit. • Point out that this takes time. I negotiated 20 percent of my time for this: one day a week, Wednesday. If my boss pulls me off, I ask him to talk to the memo about it.