Transcript
Andrew Pollack, NCT
English is the only language I speak
◦ Unless you count programming languages
I will try to speak clearly, but if I am moving too quickly, or too slowly, please make some kind of sign, so I can adjust!
We will all point at you
Set all noise making toys to “Stun” please
If you need to type on a laptop or a Blackberry – move toward the back please
Administrator & Developer since version 2.0
Products
◦ NCT Search, NCT Compliance Search, and NCT Simple Sign On, and now Second Signal
Services
◦ Site Performance Reviews
◦ Application Development
◦ Administrative Overhaul
◦ Security Review & Penetration Testing
IBM Lotus Beacon Award Winner
Firefighter
◦ Lieutenant of Cumberland, Maine – Engine 1
In firefighting, just like Server Administration it's all in the planning
Security From A Big Picture Approach
Big New Locks on Rusty Old Chains
What do I look for in a Security Review
Story Time
Summary
Are you the weakest link?
How good are your backups? A denial of service vector
Have you switched to IP Telephony? Your telephones may now be programmable computers
Who can access your server room?
Can your LAN administrators access the file systems on your Domino servers?
From a Security Officer Perspective: “There are only two levels of paranoia – absolute, and insufficient.”
From an End User Perspective: “These are my friends and coworkers, I trust them completely.”
There is no perfect balance. You must learn to assess the risk and apply security in layers
Categorize Applications, then apply standard security practices based on the category
This protects developers and administrators
Some schemas I’ve seen:
◦ Green, Yellow, Red
◦ Open, Internal, Confidential, Executive
Considerations for categorizing risk:
◦ Employee contact data
◦ Customer list information
◦ Banking, tax, or medical information
◦ Company planning information
◦ Company financial information
Most security problems come from inside, not outside hackers
Most administrative failures are infrastructure related, but have security implications
Sometimes, you need a way to fix it now and explain it later – reporting is critical
Internal Employee Mistakes
◦ Taking customer data out of the office to work on
◦ Password sharing
◦ Unattended workstations
Abuse of Administrative Authority
◦ Reading people’s mail files
◦ Sending communication on behalf of someone else
◦ Intercepting logs, complaints, or bad news
◦ Altering ‘metrics’ in help desk and other applications
Insufficient Termination Procedures
◦ Former administrators or employees retaining access
Unauthorized Copying of Data
◦ Employees taking the customer list as they resign
In Firefighting, we say “Try before you pry!”
You’re only as secure as your certifiers
Quit worrying about visible hash values unless everything else is locked down first
When in doubt, log and report
Policies & Procedures Matter
In a REVIEW
◦ I ask you questions and believe your answers◦ Typically 2 Days Talking + a Document◦ Cooperative Effort with the Administrative Team◦ Cannot be certified
In an AUDIT◦ I assume you my be wrong◦ Trust, but verify◦ Tends to be somewhat adversarial◦ Very Expensive, but certified accurate
From the Root Certifier on Down
◦ If you’re not using the CA, every admin you’ve ever had probably has a copy
◦ If your certifiers are ‘potentially compromised’, almost everything else we lock down is potentially still vulnerable
User Certificates (ID Files)
◦ Who can assign them?
◦ What is the process for recovery (lost password or ID)?
◦ Do you REALLY still keep copies of them somewhere?
Do you track every database?
◦ “Owner” of the application
◦ Responsible developer?
◦ Expected size & activity
◦ ACL requirements
◦ Scheduled agent requirements
◦ Security level category
Update tracking information every “N” months
People tend to accumulate group membership
This makes them ideal targets
Do you track every group?
◦ “Owner” of the group
◦ Security level category
Update tracking information every “N” months
Group owner should “sign-off” on the accuracy periodically
Avoid Designer & Manager Access in ANY database on Production servers
VERY easy to crash servers
VERY easy to destroy data
VERY easy to exploit users
ECLs are the single most important protection you have against intentional exploitation
Use “Design Signature” ID files and allow ONLY those to perform higher risk activities
Do not give “Design Signature” ID files to developers. An ADMIN must sign a changed application to move it to production
Never Allow End Users to Design or Manage their own databases
Local Databases must be encrypted
Local hard disks should be encrypted
Use password management policies
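The database and group tracking above, and the rule against Designer or Manager access on production databases, are the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from the presentation: a small Python audit over an ACL export. The CSV layout, server names, groups and people are constructed for the example; Domino does not emit exactly this file, so in practice you would export ACL entries from each database (for instance through the Notes Java or LotusScript ACL classes, or from a catalog.nsf view) into this shape, and read group membership from the Group documents in names.nsf.

```python
"""Added example, not from the presentation: audit a Domino ACL export.

It flags the two things the slides above warn about:
  * Designer or Manager access on a production database held by anyone other
    than an approved administration group.
  * People who have quietly accumulated group memberships, and the high-risk
    access those groups give them.

The CSV layout, server names, groups and people below are constructed for the
example; Domino does not emit exactly this file.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed sample export: one row per ACL entry.
ACL_EXPORT = """\
database,server,entry,entry_type,level
names.nsf,Prod01/Acme,LocalDomainAdmins,group,Manager
names.nsf,Prod01/Acme,-Default-,unspecified,Author
sales.nsf,Prod01/Acme,Sales,group,Editor
sales.nsf,Prod01/Acme,Jane Doe/Acme,person,Designer
hr.nsf,Prod01/Acme,HR Managers,group,Manager
hr.nsf,Prod01/Acme,LocalDomainAdmins,group,Manager
helpdesk.nsf,Prod01/Acme,Bob Smith/Acme,person,Manager
scratch.nsf,Dev01/Acme,Bob Smith/Acme,person,Manager
"""

# Constructed group membership, as you would read it from Group documents in names.nsf.
GROUPS = {
    "LocalDomainAdmins": ["Alice Admin/Acme"],
    "Sales": ["Jane Doe/Acme", "Bob Smith/Acme"],
    "HR Managers": ["Carol Hr/Acme", "Bob Smith/Acme"],
    "Finance": ["Bob Smith/Acme"],
    "Executives": ["Bob Smith/Acme"],
}

PRODUCTION_SERVERS = {"Prod01/Acme"}
APPROVED_ADMIN_GROUPS = {"LocalDomainAdmins"}  # assumption: the only sanctioned holders
HIGH_RISK_LEVELS = {"Designer", "Manager"}


def parse_acl_export(text: str) -> list[dict[str, str]]:
    """Parse the constructed CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_risky_production_entries(rows, production=PRODUCTION_SERVERS,
                                  approved=APPROVED_ADMIN_GROUPS):
    """Designer/Manager grants on production databases that are not held by an
    approved admin group. Returns a list of (database, entry, level)."""
    findings = []
    for row in rows:
        if row["server"] not in production or row["level"] not in HIGH_RISK_LEVELS:
            continue
        if row["entry_type"] == "group" and row["entry"] in approved:
            continue
        findings.append((row["database"], row["entry"], row["level"]))
    return findings


def group_accumulation(groups, threshold=3):
    """People who are members of at least `threshold` groups -> sorted group list."""
    membership = defaultdict(set)
    for group, members in groups.items():
        for member in members:
            membership[member].add(group)
    return {p: sorted(g) for p, g in membership.items() if len(g) >= threshold}


def effective_high_risk_access(rows, groups, person, production=PRODUCTION_SERVERS):
    """Production databases where `person` reaches Designer/Manager directly or
    through any group they belong to. Returns sorted (database, via, level)."""
    my_groups = {g for g, members in groups.items() if person in members}
    reach = set()
    for row in rows:
        if row["server"] not in production or row["level"] not in HIGH_RISK_LEVELS:
            continue
        if row["entry"] == person or row["entry"] in my_groups:
            reach.add((row["database"], row["entry"], row["level"]))
    return sorted(reach)


if __name__ == "__main__":
    rows = parse_acl_export(ACL_EXPORT)
    for db, entry, level in find_risky_production_entries(rows):
        print(f"{db}: {entry} has {level} access on a production server")
    for person, groups in group_accumulation(GROUPS).items():
        print(f"{person} is in {len(groups)} groups: {', '.join(groups)}")
        for db, via, level in effective_high_risk_access(rows, GROUPS, person):
            print(f"  -> {level} on {db} via {via}")
```

On the sample data this reports Jane Doe's Designer access, the HR Managers group's Manager access and Bob Smith's direct Manager access on production, and shows that Bob, a member of four groups, reaches Manager on two production databases. The Dev01 entry is ignored on purpose: the rule is about production servers. Re-running this every "N" months, with the owner of each group signing off on the output, is the periodic check the slides ask for.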
I love being told
◦ “HTTP Isn’t Running on our Servers”
◦ “SMTP Isn’t Running on our Servers”
◦ “LDAP Isn’t Running on our Servers”
Translated, this means “We’re not bothering to manage the HTTP password”
I can usually find one of these running on at least one of their servers
Set up exactly as a new temporary employee
Repeat the testing as a new full-time employee
Bring a copy of Designer on a USB drive
◦ Never assume Designer is unavailable
ECL is the first thing I check
◦ If mine is set too open, most employees’ ECLs will be as well
CATALOG.NSF makes a great shopping list
◦ Shows me important databases
◦ Shows me databases with groups in common
Browsing Groups tells me who’s got what access
Also known as “There he goes again….”
The most simple form of attack
“I’ve forgotten my password”
Similar “Human Engineering” Attacks
Not Domino Specific
Very well secured network environment
Very good physical security
More than 75% success rate
Send a message to someone with a link
The link is actually a hotspot
The hotspot actually opens the page indicated
The hotspot also does other things
User Impersonation Attack
Very Difficult To Spot
S: 220 mail.domain.ext ESMTP Sendmail (version); (date)
C: HELO local.domain.name
S: 250 mail.domain.ext Hello local.domain.name [loc.al.i.p], pleased to meet you
C: MAIL FROM: mail@domain.ext
S: 250 2.1.0 mail@domain.ext... Sender ok
C: RCPT TO: mail@otherdomain.ext
S: 250 2.1.5 mail@otherdomain.ext... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: Subject: whatever you want
C:
C: This is the message body....
C: .
S: 250 2.0.0 ???????? Message accepted for delivery
C: QUIT
S: 221 2.0.0 mail.domain.ext closing connection
Connection closed by foreign host.
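Nothing in the exchange above proves who the client is: the server takes HELO and MAIL FROM at face value, so the only defence is server-side policy. The following is an added example, not code from the presentation: a minimal SMTP server state machine in Python that replays that spoofing session, then applies two checks, rejecting an unauthenticated MAIL FROM that claims a local domain and refusing to relay for unauthenticated clients. The host name, domains, reply texts and the Policy settings are constructed for illustration; they are not Sendmail or Domino configuration options.

```python
"""Added example, not from the presentation: a minimal SMTP server state
machine that replays the spoofing session above and shows the server-side
checks that defeat it. All names, domains, reply texts and Policy fields are
constructed for illustration; they are not Sendmail or Domino configuration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HOSTNAME = "mail.domain.ext"
LOCAL_DOMAINS = {"domain.ext"}  # domains this server accepts mail for
ADDR_RE = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")


@dataclass
class Policy:
    # Refuse MAIL FROM claiming a local domain unless the session authenticated.
    reject_unauthenticated_local_sender: bool = False
    # Refuse RCPT TO a non-local domain unless authenticated (no open relay).
    reject_unauthenticated_relay: bool = False


@dataclass
class Session:
    policy: Policy
    authenticated: bool = False
    mail_from: str | None = None
    rcpt_to: list[str] = field(default_factory=list)
    in_data: bool = False
    data_lines: list[str] = field(default_factory=list)
    accepted: list[tuple[str, list[str], str]] = field(default_factory=list)


def parse_address(arg: str) -> tuple[str, str] | None:
    """'FROM: mail@domain.ext' or 'TO:<a@b>' -> (address, lower-cased domain)."""
    m = ADDR_RE.search(arg.split(":", 1)[1] if ":" in arg else "")
    return (m.group(1), m.group(2).lower()) if m else None


def handle_line(s: Session, line: str) -> str | None:
    """Feed one client line; return the server reply (None while inside DATA)."""
    if s.in_data:
        if line == ".":
            s.in_data = False
            s.accepted.append((s.mail_from, list(s.rcpt_to), "\n".join(s.data_lines)))
            s.mail_from, s.rcpt_to, s.data_lines = None, [], []
            return "250 2.0.0 Message accepted for delivery"
        s.data_lines.append(line[1:] if line.startswith("..") else line)  # un-dot-stuff
        return None
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        return f"250 {HOSTNAME} Hello {arg.strip()}, pleased to meet you"
    if verb == "MAIL":
        parsed = parse_address(arg)
        if not parsed:
            return "501 5.1.7 Bad sender address syntax"
        addr, dom = parsed
        if (dom in LOCAL_DOMAINS and s.policy.reject_unauthenticated_local_sender
                and not s.authenticated):
            return "550 5.7.1 Sender address rejected: local domain requires authentication"
        s.mail_from = addr
        return f"250 2.1.0 {addr}... Sender ok"
    if verb == "RCPT":
        if s.mail_from is None:
            return "503 5.5.1 Need MAIL command"
        parsed = parse_address(arg)
        if not parsed:
            return "501 5.1.3 Bad recipient address syntax"
        addr, dom = parsed
        if (dom not in LOCAL_DOMAINS and s.policy.reject_unauthenticated_relay
                and not s.authenticated):
            return "554 5.7.1 Relaying denied"
        s.rcpt_to.append(addr)
        return f"250 2.1.5 {addr}... Recipient ok"
    if verb == "DATA":
        if not s.rcpt_to:
            return "503 5.5.1 Need RCPT (recipient)"
        s.in_data = True
        return '354 Enter mail, end with "." on a line by itself'
    if verb == "QUIT":
        return f"221 2.0.0 {HOSTNAME} closing connection"
    return "500 5.5.1 Command unrecognized"


def run_session(commands, policy, authenticated=False):
    """Run the client lines against a fresh session; return (session, transcript)."""
    s = Session(policy=policy, authenticated=authenticated)
    transcript = [f"S: 220 {HOSTNAME} ESMTP (constructed example)"]
    for cmd in commands:
        transcript.append("C: " + cmd)
        reply = handle_line(s, cmd)
        if reply is not None:
            transcript.append("S: " + reply)
    return s, transcript


# The spoofing session from the slides, with the DATA step written out.
SPOOF = ["HELO local.domain.name", "MAIL FROM: mail@domain.ext",
         "RCPT TO: mail@otherdomain.ext", "DATA", "Subject: whatever you want",
         "", "This is the message body....", ".", "QUIT"]

if __name__ == "__main__":
    for label, pol in [("open server", Policy()),
                       ("sender check", Policy(reject_unauthenticated_local_sender=True)),
                       ("relay check", Policy(reject_unauthenticated_relay=True))]:
        session, lines = run_session(SPOOF, pol)
        print(f"--- {label}: {len(session.accepted)} message(s) accepted")
        print("\n".join(lines))
```

With the open policy the forged message is accepted exactly as in the slide. With the sender check the session dies at MAIL FROM with a 550, and every later command fails with 503 or 500 because there is no envelope to attach it to; with the relay check it dies at RCPT TO with a 554. An authenticated session passes both checks, which is the point: the server has to tie the envelope sender to a credential, because the protocol itself never does.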
Stop using big new locks on rusty old chains
Get control over your certifiers
Get control over your developers
Get control over your users & their local data storage devices
Get control over the databases & groups you’ve got deployed on your servers