
Top 10 Security Mistakes


Presentation Transcript


  1. Top 10 Security Mistakes Presented by: CMS Consulting Inc. Visit us online at http://www.cms.ca

  2. Your Presenter
     • Brian Bourne
     • CMS Consulting Inc, President
     • Toronto Area Security Klatch, Co-Founder
     • Black Arts Illuminated Inc., Director
     • Fancy Credentials: CISSP, MCT, MCSE:Security

  3. CMS Consulting Inc.
     Microsoft Infrastructure and Security Experts: Active Directory - Windows Server - Exchange - SMS - ISA - MOM - Clustering - Office - Desktop Deployment - SQL - Terminal Services - Security Assessments - Lockdown - Wireless
     Training by Experts for Experts: MS Infrastructure - Security - Vista and Office Deployment
     Visit us online: www.cms.ca (Downloads - Resources - White Papers)
     For Security Solutions - For Advanced Infrastructure - For Network Solutions - For Information Worker - For Mobility Solutions

  4. Agenda Today
     • Top 10 Security Mistakes
       • Based on the results of numerous health check and assessment service offerings
     • Top 10 Areas for Security Improvement
       • Based on feedback from the consulting team at CMS

  5. 1. Password Management
     • This is painfully obvious and still a problem at every customer.
     • Problems include:
       • Poor policy or poor policy enforcement
       • Password re-use (e.g. FileMaker password = Domain password = Banking password)
       • User training: hey, did you know a simple sentence is complex? “My first born is Grant.”
       • Password storage
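The slide's first two problems (weak policy, weak enforcement) and its passphrase remark can be checked from a domain-joined machine. The script below is an added example, not material from the CMS deck; it assumes the ActiveDirectory RSAT module and read access to the domain, and the numeric thresholds (14 characters, 24 remembered passwords, lockout after at most 10 attempts) are my own review assumptions rather than CMS or Microsoft guidance. `Test-WindowsComplexity` re-implements the documented three-of-five character-class rule behind "Password must meet complexity requirements" (the account-name check of the real rule is omitted), which is why a plain sentence passes.

```powershell
# Added example: review the default domain password policy, find accounts the policy
# does not actually bind, and show why a sentence counts as "complex".
# Assumes the ActiveDirectory module; thresholds are assumptions, not vendor guidance.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MinLength = 14,          # assumption: passphrase-length minimum
        [int]$MinHistory = 24,         # assumption: enough history to stop quick re-use
        [int]$MaxLockoutThreshold = 10 # assumption: ceiling on failed attempts before lockout
    )
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if (-not $p.ComplexityEnabled)               { $findings += 'Complexity is disabled' }
    if ($p.MinPasswordLength -lt $MinLength)     { $findings += "Minimum length is $($p.MinPasswordLength); want at least $MinLength" }
    if ($p.PasswordHistoryCount -lt $MinHistory) { $findings += "History remembers $($p.PasswordHistoryCount) passwords; re-use is easy" }
    if ($p.ReversibleEncryptionEnabled)          { $findings += 'Reversible encryption is ON: cleartext-equivalent storage in AD' }
    if ($p.LockoutThreshold -eq 0)               { $findings += 'No lockout threshold: unlimited online guessing' }
    elseif ($p.LockoutThreshold -gt $MaxLockoutThreshold) { $findings += "Lockout threshold $($p.LockoutThreshold) is generous" }
    [pscustomobject]@{ Policy = 'Default Domain'; Findings = $findings }
}

function Get-PolicyExemptAccounts {
    # "Poor enforcement": accounts flagged so the policy never bites them.
    Get-ADUser -Filter { PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true } `
               -Properties PasswordNeverExpires, PasswordNotRequired, Enabled |
        Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordNotRequired
}

function Test-WindowsComplexity {
    # Documented rule: at least 6 characters and at least three of five character classes
    # (upper, lower, digit, non-alphanumeric, other Unicode letters). Spaces and punctuation
    # are non-alphanumeric, so "My first born is Grant." qualifies on three classes.
    param([string]$Candidate)
    $classes = @(
        ($Candidate -cmatch '[A-Z]'),
        ($Candidate -cmatch '[a-z]'),
        ($Candidate -match '\d'),
        ($Candidate -match '[^A-Za-z0-9]'),
        (($Candidate -replace '[A-Za-z]', '') -match '\p{L}')
    )
    $hits = @($classes | Where-Object { $_ }).Count
    return ($Candidate.Length -ge 6 -and $hits -ge 3)
}

Test-DomainPasswordPolicy | Format-List
Get-PolicyExemptAccounts | Format-Table -AutoSize
Test-WindowsComplexity -Candidate 'My first born is Grant.'   # the slide's sentence
Test-WindowsComplexity -Candidate 'password1'                 # two classes only
```

Fine-grained password policies (`Get-ADFineGrainedPasswordPolicy -Filter *`) override the default for the groups they apply to, so on a 2008+ domain run the same checks against each of those objects as well.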

  6. 2. Patches and Upgrades
     • Typical issues:
       • No inventory of software and hardware (no idea what to patch)
       • No reporting of patch status or deployment
       • Legacy software that’s simply unpatchable
       • Software that followed the “deploy and forget” methodology
     • Remember: all software and hardware needs patching, not just Microsoft! Especially security products!

  7. 3. NTFS and Share Permissions
     • Everyone, Full Control, Everywhere
       • Anonymous is part of Everyone!
     • Simple rules:
       • Permissions are cumulative, except Deny wins.
       • Never grant permissions to users. Grant to groups.
       • Avoid upgrading W2K. Install W2K3 fresh.
       • Use security templates and group policy to set/maintain security
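To find the "Everyone, Full Control, Everywhere" case and to see the cumulative-except-Deny rule in action, the following added example (my code, not the deck's) walks a folder tree with `Get-Acl`. It assumes a local path in `$Root` (a placeholder) and that the account running it can read every ACL; ANONYMOUS LOGON is listed separately because whether it is folded into Everyone depends on OS version and policy.

```powershell
# Added example: report ACEs that grant broad rights to catch-all identities, then compute
# the caller's effective NTFS rights the way the filesystem does (Allow ACEs OR together,
# any matching Deny strips bits). $Root is a placeholder path.
$Root = 'C:\Shares'

# Identities the slide warns about
$RiskyIdentities = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON',
                     'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

# Rights that let a principal change data or permissions; read-only grants are not flagged
$BroadMask = [int][System.Security.AccessControl.FileSystemRights]'Modify, FullControl, ChangePermissions, TakeOwnership'

function Get-RiskyAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -notin $RiskyIdentities) { continue }
        # Work in integers: inherit-only ACEs can carry generic-right bits with no enum name
        if (([int]$ace.FileSystemRights -band $BroadMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited         # False = set directly on this folder
        }
    }
}

function Get-EffectiveRights {
    # Effective NTFS rights of the current user on $Path. Share permissions, if the
    # folder is shared, are evaluated separately and further restrict the result.
    param([string]$Path)
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned SID of a deleted account: applies to nobody
        if ($sid -notin $mySids) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
        else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
    }
    # Enum.ToObject does not validate bit combinations, so stray generic bits still print
    [Enum]::ToObject([System.Security.AccessControl.FileSystemRights], ($allow -band (-bnot $deny)))
}

$folders  = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($f in $folders) { Get-RiskyAce -Path $f.FullName }
$findings | Sort-Object Path, Identity | Format-Table -AutoSize
"Effective rights of the current user on ${Root}: $(Get-EffectiveRights -Path $Root)"
```

Rows with `Inherited = False` are the ones somebody set by hand and are the first to review; an inherited `Everyone: FullControl` usually traces back to a single root folder, which is where the fix (and the group-policy template the slide recommends) belongs.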

  8. 4. Too Much Privilege!
     • No one seems to follow the rule of least privilege.
     • Enumerate the following groups:
       • Enterprise, Domain and Schema Administrators
       • Server, Print and Backup Operators
     • Service accounts need special treatment
       • Separate OU with GPOs limiting rights
       • Should be “Administrators”, not DA or EA!
     • Use OUs and delegate required administrative functions
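The enumeration the slide asks for, written out as an added example (not the deck's code): it expands nested membership of the groups named above and flags members that look like service accounts, the case the slide says needs special treatment. It assumes the ActiveDirectory module and read access to the domain; the service-account heuristic (an SPN registered on a user object) is my assumption, not a CMS rule.

```powershell
# Added example: list every user who ends up in a privileged group, directly or via nesting,
# and highlight the ones that are probably service accounts. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Groups from the slide, plus the built-in Administrators group it says service accounts belong in
$PrivilegedGroups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
                      'Server Operators', 'Print Operators', 'Backup Operators')

function Get-PrivilegedMembers {
    foreach ($groupName in $PrivilegedGroups) {
        # Enterprise/Schema Admins exist only in the forest root domain, so a miss is normal
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive expands nested groups so a user three levels down is still listed
        $users = Get-ADGroupMember -Identity $group -Recursive |
                 Where-Object objectClass -eq 'user' |
                 Get-ADUser -Properties ServicePrincipalName, PasswordNeverExpires, LastLogonDate, Enabled
        foreach ($u in $users) {
            [pscustomobject]@{
                Group                = $groupName
                Account              = $u.SamAccountName
                Enabled              = $u.Enabled
                LastLogon            = $u.LastLogonDate
                PasswordNeverExpires = $u.PasswordNeverExpires
                # Assumption: an SPN on a user object means a service authenticates as it
                LooksLikeService     = (@($u.ServicePrincipalName).Count -gt 0)
            }
        }
    }
}

$report = Get-PrivilegedMembers
$report | Sort-Object Group, Account | Format-Table -AutoSize

# Head count per group: the slide's point is that these numbers are usually far too high
$report | Group-Object Group | Select-Object Name, Count | Sort-Object Count -Descending

# The specific mistake called out on the slide: service accounts sitting in DA or EA
$report | Where-Object { $_.Group -in 'Domain Admins', 'Enterprise Admins' -and $_.LooksLikeService } |
    ForEach-Object { Write-Warning "$($_.Account) looks like a service account but is in $($_.Group)" }
```

Accounts that show `PasswordNeverExpires = True` or a `LastLogon` months in the past are the next thing to question; both are typical of a service account or a departed administrator that nobody removed.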

  9. 5. Administrative Practices
     • Please don’t use a DA account for day-to-day activity.
     • Better yet, don’t use a DA from anything but a designated high-security administrative workstation (think about bad things like keyloggers when logging in from untrusted machines).
     • Guard EA accounts!
     • Don’t share the administrator password. At minimum, you want some level of non-repudiation.

  10. 6. Unused Services
     • The most common installed and unneeded service? Any guesses? (IIS)
     • Reduce the attack surface!
       • Define role-based templates
       • Test, test, test
       • Enforce by GPO!
     • Good guide to understanding services: http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/prodspecs/win2ksvc.mspx
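A role template is only useful if something compares servers against it. The script below is an added example (mine, not CMS's); it treats a short list of service names as the baseline for a plain file server and reports every auto-start service outside it. The `$Baseline` list is constructed for illustration and is not a Microsoft or CMS template; remote queries assume WinRM is enabled on the target.

```powershell
# Added example: diff a server's auto-start services against a role baseline.
# $Baseline is a constructed placeholder for a minimal file server, not a vendor template.
$Baseline = @('Dhcp', 'Dnscache', 'EventLog', 'LanmanServer', 'LanmanWorkstation',
              'Netlogon', 'RpcSs', 'W32Time', 'Winmgmt', 'wuauserv')

function Get-AutoStartServices {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Win32_Service exposes StartMode and the account the service runs as
    $cim = @{ ClassName = 'Win32_Service' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }   # remote via WinRM
    Get-CimInstance @cim |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, DisplayName, State, StartName, PathName
}

function Compare-ServiceBaseline {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$AllowedServices = $Baseline
    )
    foreach ($svc in (Get-AutoStartServices -ComputerName $ComputerName)) {
        if ($svc.Name -in $AllowedServices) { continue }
        $note = ''
        if ($svc.Name -eq 'W3SVC') { $note = 'IIS installed: the most common unneeded service' }
        elseif ($svc.StartName -eq 'LocalSystem') { $note = 'runs as LocalSystem; worth questioning' }
        [pscustomobject]@{
            Computer = $ComputerName
            Service  = $svc.Name
            Display  = $svc.DisplayName
            State    = $svc.State
            RunsAs   = $svc.StartName
            Binary   = $svc.PathName
            Note     = $note
        }
    }
}

Compare-ServiceBaseline | Format-Table -AutoSize

# Disabling one-off on a test box before the GPO catches up:
#   Set-Service -Name W3SVC -StartupType Disabled; Stop-Service -Name W3SVC
```

Everything the comparison prints should be either added to the role's baseline after testing, or disabled and then enforced through the GPO the slide mentions so that it stays disabled after the next rebuild.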

  11. 7. Auditing and Logging
     • How will we ever know if something happens?
     • How will we ever be able to piece together “the crime scene” without any evidence?
     • Audit only what’s important.
     • Think beyond Windows events: applications, firewalls, switches, etc.
     • Consider log shipping also.
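"Audit only what's important" is easier to act on with a concrete shortlist. As an added example (my code, not from the deck), the script below pulls a handful of Security-log event IDs from one or more servers and tallies them; the IDs are the standard Windows Server 2008+ Security log IDs, the server list and look-back window are placeholders, and remote collection assumes the account has event-log read rights on each host.

```powershell
# Added example: collect the few Security events that answer "did something happen?"
# and summarise them per server. $Servers and $Since are placeholders.
$Servers = @($env:COMPUTERNAME)        # placeholder: DCs and other servers worth watching
$Since   = (Get-Date).AddHours(-24)

# Standard Security log IDs (Server 2008 and later)
$ImportantEvents = @{
    1102 = 'Audit log cleared'
    4720 = 'User account created'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    4740 = 'Account locked out'
    4625 = 'Logon failure'
}

function Get-ImportantSecurityEvents {
    param([string[]]$ComputerName, [datetime]$StartTime)
    foreach ($server in $ComputerName) {
        # FilterHashtable is evaluated by the event log service, so only matching events cross the wire
        $events = Get-WinEvent -ComputerName $server -FilterHashtable @{
            LogName   = 'Security'
            Id        = [int[]]$ImportantEvents.Keys
            StartTime = $StartTime
        } -ErrorAction SilentlyContinue     # "no events found" is reported as an error; ignore it
        foreach ($e in $events) {
            [pscustomobject]@{
                Computer = $server
                Time     = $e.TimeCreated
                Id       = $e.Id
                What     = $ImportantEvents[$e.Id]
                # The first message line names the action; enough for a triage view
                Detail   = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

$found = Get-ImportantSecurityEvents -ComputerName $Servers -StartTime $Since
$found | Group-Object Computer, What | Select-Object Count, Name | Sort-Object Count -Descending

# A cleared audit log is itself the evidence: surface it on its own
$found | Where-Object Id -eq 1102 |
    ForEach-Object { Write-Warning "Security log cleared on $($_.Computer) at $($_.Time)" }
```

Running this against the live servers is the minimum; the slide's log-shipping point is that the same events should also land on a box the administrators of the source systems cannot edit, which is what Windows Event Forwarding (a collector subscribing to the servers) or a syslog/SIEM target provides.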

  12. 8. Missing or Incomplete Backups
     • System State on all FSMO role holders. Critical data everywhere else.
     • Remember to test procedures with restores.
     • Consider encryption/password protection to prevent unauthorized restores.
     • Offsite storage, secured fireproof vault.
     • Part of a larger Disaster Recovery plan.
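Knowing which DCs hold FSMO roles is the first step to the System State backups the slide calls for. This added example (mine, not the deck's) reads the role holders from the forest and domain objects and runs a `wbadmin` System State backup on each. It assumes the ActiveDirectory module, PowerShell remoting to the DCs, the Windows Server Backup feature installed on them, and a dedicated local backup volume; `E:` is a placeholder target.

```powershell
# Added example: enumerate FSMO role holders, then take and list a System State backup on each.
# Assumes ActiveDirectory module, remoting to the DCs, and Windows Server Backup installed there.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # Forest-wide roles hang off the forest object, domain roles off the domain object
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Invoke-FsmoSystemStateBackup {
    param([string]$TargetDrive = 'E:')   # placeholder: a dedicated volume, not the system drive
    $roles = Get-FsmoRoleHolders
    # One DC often holds several roles; back each host up once
    $dcHosts = $roles.PSObject.Properties.Value | Sort-Object -Unique
    foreach ($dc in $dcHosts) {
        $held = ($roles.PSObject.Properties | Where-Object Value -eq $dc).Name -join ', '
        Write-Host "System State backup on $dc (roles: $held)"
        Invoke-Command -ComputerName $dc -ArgumentList $TargetDrive -ScriptBlock {
            param($Target)
            # -quiet suppresses the confirmation prompt so this can run from a scheduled task
            wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
            # "Test procedures": at least confirm the catalogue now lists the new version
            wbadmin get versions "-backupTarget:$Target"
        }
    }
}

Get-FsmoRoleHolders | Format-List
Invoke-FsmoSystemStateBackup -TargetDrive 'E:'
```

`wbadmin get versions` only proves a backup exists; the restore test the slide asks for means actually performing a System State restore on a lab DC. The encryption point is also not covered by `wbadmin` itself, so protecting the target volume and the offsite copies is a separate control.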

  13. 9. Security Education and Awareness
     • For IT staff:
       • Security architecture
       • Secure operating procedures
       • Understanding of attack methods
       • Defence in depth techniques
     • For all staff:
       • Awareness training
       • Email and Internet usage
       • Social engineering awareness

  14. 10. Incident Response
     • Have a plan and have training!
     • DO NOT:
       • Touch the computer.
       • Delete files.
       • Or frankly react in any way without a carefully thought out and professionally approved plan!

  15. Bonus Material: Things People Need to Think More About
     • Funding for security
     • Application filtering and layer 7 firewalls
     • Intrusion detection and prevention
     • Incident response planning and training
     • Security policy, usage policy
     • Log collection, management and correlation
     • Physical controls
     • Network controls (who can plug in)
     • Firewalls should not look like Swiss cheese (hint: use IPSec instead)
     • VPN controls and other remote access methods

  16. Security Education Conference in Toronto. November 20 – 21, 2007, MTCC, Toronto, ON, Canada. http://www.sector.ca/

  17. CMS Training Offerings
     • INSPIRE Infrastructure Workshop: 4 days of classroom training, demo intensive. AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server
     • Business Desktop Deployment – Deploying Vista/Office: 3 days of classroom training, hands-on labs (computers provided). Business Desktop Deployment concepts, tools, processes, etc. Vista and Office
     • Securing Internet Information Services, Securing Active Directory, Securing Exchange 2003: 1 day of classroom training per topic
     TRAINING BY EXPERTS FOR EXPERTS

  18. Contacting Us
     • Brian Bourne, President – brian@cms.ca
     • Robert Buren, VP Business Development – robert@cms.ca
     • CMS Consulting Inc. – http://www.cms.ca/
     • CMS Training – http://www.cms.ca/training/
     • Toronto Area Security Klatch – http://www.task.to/

  19. CMS Consulting Inc. Q & A Thank You! Visit: CMS Consulting at http://www.cms.ca Join: Toronto Area Security Klatch at http://www.task.to Register: Security Education in Toronto at http://www.sector.ca
