Hack Proofing Your Organization
Who am I
- Gary Bates
- Director of Information Services for the City of Harker Heights
- Microsoft Certified System Engineer
- Microsoft Certified Information Technology Professional, Enterprise Administrator
- Certified Ethical Hacker v8 (EC-Council)
- Certified Hacking Forensic Investigator (EC-Council)
- Cisco Certified Network Professional
- Master's Degree in Information Security; finishing my dissertation.

Who am I
- Just made a lot of mistakes.
What do you mean Hack Proof?
- A more correct term would be Hack Resistant.
- Utilizing best practices to make the City an unlikely target of opportunity.

Layered Security: 6 Tenets
- External Defense
- Internal Defense
- Monitoring and Validation
- Policy and Procedures
- User Training
- Disaster Mitigation and Recovery
External Defense
- Hardware Devices (UTM, Firewalls, IPS, etc.)
- Offsite or Outsourced Information Hosting (Email, Web, Payment Gateways)
- Hosted Defenses (Anti-Spam, Anti-Virus, etc.)

External Defense - Hardware
- Firewalls: in the early days this was the defense.
- IPS\IDS
- Gateway Filtering Devices
- Content Filtering and Protection
- Outsourced Hosting: Email, Web, Payment Gateways

External Defense - Hardware Today
- Next Generation Firewall\Gateway Devices
- What to look for:
  - Active Firewall
  - Gateway Antivirus
  - Intrusion Prevention
  - Content Filtering
  - Application Control
  - SSL Inspection
  - Adequate throughput for your Enterprise
  - Reporting

External Defense - Outsourcing
- Geographically dislocates your Network Signature.
- Choose a Tier 1 provider such as Microsoft Office 365 or Amazon Web Services, or choose a provider that uses a Tier 1 backend.

External Defense - Hosted Defense
- Helps reduce the bandwidth impact.
- Helps mask your end-point.
- Reduces operational burden.

External Defense - Augment Your Threat Information
- Join the Multi-State Information Sharing & Analysis Center: http://msisac.cisecurity.org/
- SANS.ORG is a wealth of security information.

Your Network - External Defense
- Use a good quality UTM \ Advanced Firewall.
- Use offsite services when possible.
- Use hosted defense partners as applicable.
- Augment your rule set with known threat information.
Internal Defenses
- System Anti-Virus
- System Firewall
- Automated Updates
- User security levels
- Proper Hardware

Internal Defense - Antivirus
- Avoid free versions or home versions of antivirus software:
  - No centralized control
  - Violates the licensing agreement
  - No reporting
- Corporate Version:
  - Centralized control allows for policy and definitions to be pushed to all systems.
  - Reporting allows for the immediate notification of a problem. It also allows for trending.

Internal Defense - System Firewall
- Are your system firewalls turned on? If not, why not?
- Helps stop the localized spread of viruses from one system to another.
- Helps prevent a compromised system from accessing another system on the network.
- Same goes for servers.

Internal Defense - Automated Updates
- Utilize a system for deploying and ensuring the deployment of updates.
- Look for a system that will push third party updates (Adobe Flash, Java, etc.).
- Push the updates at night and silently.
- Reports progress of update deployment.

Internal Defense - User Security Control
- ALL users should be standard users on their everyday system. This includes IT professionals; IT professionals are not exempt from viruses.
- Look for workarounds for applications before giving out administrative rights.
- Restrict users' access rights to only the network folders required to do their job.
- Never map network administrators' network drives.

Internal Defense - Proper Hardware
- Stay away from Home User equipment (WiFi Access Point\Gateway).
- Use equipment that can authenticate personnel independently:
  - Avoid Shared Keys
  - RADIUS Server
  - Network Policy Server (NPS)

Your Network - Internal Defense
- Use a Corporate Version for Antivirus.
- Enable Windows Firewall.
- Practice good user controls.
- Use Professional Grade Equipment.
Monitoring and Validation
- Centralized Log \ Management Server
- Internal Nodes \ Trigger Points
- Penetration Testing \ Red Team Exercises

Monitoring and Validation: Centralized Log \ Management
- It should be a one stop shop for isolating server \ network issues.
- Provide for rule based customization and event notification.
- Examples:
  - System Center Operations Manager
  - OpenNMS \ OSSIM
  - SolarWinds Server and Application Monitor \ Orion

Monitoring and Validation: Centralized Log \ Management
- National Institute of Standards and Technology, Computer Security Resource Center (csrc.nist.gov), Publication 800-123

Monitoring and Validation: Internal Nodes \ Trigger Points
- Monitor switches \ network devices for abnormal network traffic.
- Configure monitor ports on network uplinks.
- Utilize an IDS solution or Network Analyzer to evaluate traffic patterns.
- Rule based notification and\or automated measures.

Monitoring and Validation: Internal Nodes \ Trigger Points
- SNORT (www.snort.org): Open Source \ Yearly Subscription. Excellent IPS that has been around since the late 90s.
- Suricata (suricata-ips.org): Run by the Open Information Security Foundation.
- Multiport Advanced Firewalls.

Monitoring and Validation: Internal Nodes \ Trigger Points
- Example of what to monitor for:
  - IP addresses that are listed as potential malware sites
  - IP addresses that are listed as a CryptoLocker \ variant site
  - Network traffic on port 164, 6667, 6668, 6669 or 7000
  - SMTP traffic to IPs other than your email server or host
- MS-ISAC sends out lists of known malware sites.
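As an added illustration of the trigger points listed above (not part of the original presentation), this Python script sweeps constructed firewall log lines for the indicators the slide names: destinations on a threat list, the listed ports, and SMTP to anything other than the mail server. The log format, the threat-list entries and the mail server address are all assumptions.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the MS-ISAC malware-site list and the city's own
# mail relay (documentation ranges, not real indicators).
THREAT_LIST = {"203.0.113.7", "198.51.100.42"}
MAIL_SERVER = "10.1.1.25"
# Ports named on the slide; 164 is included exactly as listed there.
WATCHED_PORTS = {164, 6667, 6668, 6669, 7000}

LOG_RE = re.compile(
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+)\s+dst=(?P<dst>\d+\.\d+\.\d+\.\d+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def check_line(line: str) -> list[Finding]:
    """Return zero or more findings for one firewall/flow log line."""
    m = LOG_RE.search(line)
    if not m:
        return []  # malformed line: skip it rather than abort the sweep
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    reasons = []
    if dst in THREAT_LIST:
        reasons.append("destination on threat list")
    if dport in WATCHED_PORTS:
        reasons.append(f"traffic on watched port {dport}")
    if dport == 25 and dst != MAIL_SERVER:
        reasons.append("SMTP to host other than mail server")
    return [Finding(src, dst, dport, r) for r in reasons]


def sweep(lines):
    """Run check_line over every line and flatten the findings."""
    return [f for line in lines for f in check_line(line)]


SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    "2015-03-02T08:14:01 src=10.1.2.33 dst=10.1.1.25 dport=25 proto=tcp",
    "2015-03-02T08:14:05 src=10.1.2.33 dst=198.51.100.9 dport=25 proto=tcp",
    "2015-03-02T08:15:10 src=10.1.2.41 dst=203.0.113.7 dport=443 proto=tcp",
    "2015-03-02T08:16:00 src=10.1.2.41 dst=192.0.2.77 dport=6667 proto=tcp",
    "2015-03-02T08:16:02 src=10.1.2.50 dst=10.1.1.10 dport=445 proto=tcp",
    "garbage line",
]

if __name__ == "__main__":
    for f in sweep(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport}  {f.reason}")
```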
Monitoring and Validation: Penetration Testing \ Red Team Exercise
- Penetration Testing: Black Hat \ White Hat \ Gray Hat
- External testing by an experienced Security Firm is the Best Practice.

Monitoring and Validation: Penetration Testing \ Red Team Exercise
- Network Validation:
  - Kali Linux (https://www.kali.org/): Wireless Validation and Sniffing, Network Sniffing, Password Cracking
  - Wireshark (https://www.wireshark.org/): Monitor Network Traffic
  - Cain & Abel \ NetStumbler

Monitoring and Validation: Penetration Testing \ Red Team Exercise
- Red Team Exercise: Simple or Complex Social Engineering Exercise to Validate User Training
- Examples:
  - Sending users spoofed emails asking for network credentials
  - Setting up a spoofed website and requesting user information
- Third party security providers can provide this service, too.

Your Network - Monitoring & Validation
- Make use of a Centralized Log Management System.
- Set up Internal Nodes \ Trigger Points.
- Make use of Penetration Testing or Network Validation.
Policy and Procedures
- Policy and Procedures are the law of the land.
- Govern acceptable use and protocols.
- Examples:
  - Network\System Use Policy
  - Remote Access
  - Server\Network Change Policy
  - Disaster Mitigation Recovery

Policy and Procedures: Network\System Use
- Should cover:
  - Standard user accounts
  - Network Access
  - Acceptable Use
  - Password Policy
- Signed by incoming employees during HR in-processing.

Policy and Procedures: Remote Use
- This policy governs remote access of City\County\Etc. resources.
- Outlines the criteria for access:
  - Include only using government equipment
  - Resources required during remote sessions
- Outlines third party remote access:
  - Includes only having monitored access, etc.

Policy and Procedures: Server\Network Change Policy
- Includes the criteria for making a change to a server\network node.
- Log sheet for each server or network device. -- Ensures proper accountability.
- New software should be vetted in a test environment first, before being approved for production.

Policy and Procedures: Disaster Mitigation and Recovery
- Policy should cover:
  - Natural Disasters (Tornado, Fire)
  - Internal Compromises (Virus, Hacking, Data Theft)
  - External Compromises (Physical Theft)
- Policy should be specific as far as who to contact and who should make the contact.
- What information needs to be collected.

Your Network - Policy & Procedures
- Policies are the law of the land.
- A well written policy is your CYB.
- Vet your policies through legal, etc.
User Training
- Users are your weakest link.
- The best security system is of little value if the user lets the bad guys in.
- User Training should be an annual hands on event, coupled with monthly security reminders and updates.

User Training - Annual Event
- Included with our City's Annual Sexual Harassment\Safety Training.
- Do not have to make them security experts. Just cover the current trends, such as HTML credit card phishing.
- Resources:
  - cisecurity.org
  - Staysafeonline.org
  - SANS.ORG (Securing the Human, paid resource)

Your Network - User Training
- Should be an instructor led class.
- Should be an annual event.
- Send out tips and awareness information throughout the year.
Disaster Mitigation & Recovery
- Backup \ Recovery
- Natural Disaster
- Malware Outbreak
- Theft of a Device

Disaster Mitigation & Recovery: Backup \ Recovery
- Backup Plan:
  - Determine acceptable data loss levels.
  - Validate data loss levels against financial resources.
- Implement a backup solution:
  - Utilize an enterprise solution with reporting.
  - Validate the solution routinely.
  - Include both local backups and remotely stored backups.

Disaster Mitigation & Recovery: Natural Disaster
- Natural Disaster Recovery Plan:
  - Determine what is the acceptable data loss in a natural disaster.
  - Determine acceptable downtime.
  - Determine critical workers.
  - Determine critical applications\servers.
  - Validate the plan against financial resources.

Disaster Mitigation & Recovery: Natural Disaster
- Pre-stage equipment:
  - Amount of equipment is determined by the maximum number of critical users.
  - Servers\Switches\Desktops should all be plug and play configurable if applicable.
  - Applications should be preinstalled if licensing allows it. If not, make sure your backup software is performing a barebones backup.

Disaster Mitigation & Recovery: Natural Disaster
- Test, Evaluate and Update:
  - Test your recovery deployment plan.
  - During this time, evaluate for weaknesses.
  - Update system software to current patch levels, if applicable.
- More information can be found in NIST publications 800-34 and 800-84.

Disaster Mitigation & Recovery: Malware Outbreak \ Compromised System
- Notification is the key to mitigating a malware outbreak.
- If one system alerts, then we shut the one system down. We verify the audit logs to see what our next step should be.
- If more than one system alerts, we shut down the network subnet.
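An added example, not from the presentation, that encodes the escalation rule on this slide as a decision function: one alerting host on a subnet is isolated and its audit logs reviewed, two or more alerting hosts on the same subnet take the subnet offline. The subnet map and the alert feed are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed subnet map: the segments the example network is carved into.
SUBNETS = [ipaddress.ip_network(n) for n in ("10.1.2.0/24", "10.1.3.0/24")]


def subnet_of(host: str):
    """Return the configured subnet containing host, or None if unknown."""
    addr = ipaddress.ip_address(host)
    for net in SUBNETS:
        if addr in net:
            return net
    return None


def decide_actions(alerts):
    """alerts: iterable of (host_ip, reason) from AV/IDS.
    Returns (action, target) pairs in the order an operator would run them."""
    hosts_by_subnet = defaultdict(set)
    unplaced = set()
    for host, _reason in alerts:
        net = subnet_of(host)
        if net is None:
            unplaced.add(host)
        else:
            hosts_by_subnet[net].add(host)  # a set, so repeat alerts count once
    actions = []
    for net, hosts in sorted(hosts_by_subnet.items(), key=lambda kv: str(kv[0])):
        if len(hosts) == 1:
            # Single alert: shut that one system down and read its audit logs.
            (host,) = hosts
            actions.append(("isolate_host", host))
            actions.append(("review_audit_logs", host))
        else:
            # More than one system alerting on the same subnet: shut the subnet down.
            actions.append(("isolate_subnet", str(net)))
    for host in sorted(unplaced):
        # Host outside any known subnet: fall back to isolating the host itself.
        actions.append(("isolate_host", host))
    return actions


SAMPLE_ALERTS = [  # constructed alert feed
    ("10.1.2.33", "av: trojan detected"),
    ("10.1.3.10", "ids: watched port 6667"),
    ("10.1.3.22", "av: trojan detected"),
    ("10.1.3.10", "av: trojan detected"),
]
```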
Disaster Mitigation & Recovery: Malware Outbreak \ Compromised System
- www.cert.org has an excellent first responder book for security incidents. It specifically talks about how to forensically secure a system.
- MS-ISAC and CERT\CC are excellent resources to reach out to in the event of a large event.

Your Network - Disaster Mitigation & Recovery
- Determine your backup plan.
- Practice your Disaster Recovery Plan.
- Know the Federal Agencies that can help out.

Questions?