Got a Network / Security Check List? I Do (You can too! Lots of Resources and Best Practices)

MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+
[email protected] http://es-es.net (Edmodo code: 1181799; http://es-es.net/3.html)


Mar 27, 2015



Transcript
Page 1:

MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+

[email protected] http://es-es.net

Edmodo code: 1181799

http://es-es.net/3.html

Got a Network / Security Check List? I Do (You can too! Lots of Resources and Best Practices)

Page 2:

I AM NOT A LAWYER!

For legal advice contact legal counsel on your campus or your General Counsel’s Office. The information presented here is accurate to the best of my knowledge!

Page 3:

Cloud Vendor Security

• On-premises Security Systems / Controls?

– Outside testing of security systems

– Backup verification / test in production

• Authentication and Authorization

– Password strength (length matters more than complexity)

– IP range blacklists/whitelists (IP spoofing)

– Login hours / timeouts

– Account lockouts

– Access control

• By vendor

• By you

• Encrypt ALL Communications between remote and corporate infrastructures

http://www.csoonline.com/article/print/658279

http://www.redbooks.ibm.com/redpapers/pdfs/redp4614.pdf

Page 4:

Cloud Vendor Security 2

• Encryption Internal/External

– HTTPS

– SSL/TLS for ODBC

– SSN and password PII stored in a hashed format

• Data Leak/Loss Prevention (DLP) @ your site

• Information Leak/Loss Prevention (ILP) @ the cloud vendor's site

• Both (DLP/ILP) should be part of your SLA with specific controls in place

• Audit trails: who did what, when

• Denial-of-service (DoS) protection

• Never send unencrypted PII or confidential information by e-mail

• Render PII information unreadable whenever stored

http://www.csoonline.com/article/print/658279

http://www.redbooks.ibm.com/redpapers/pdfs/redp4614.pdf

Page 5:

Cloud Vendor Password

• Should block known bad passwords 

– http://techcrunch.com/2009/12/27/twitter-banned-passwords/

– http://www.businessinsider.com/twitters-list-of-370-banned-passwords-2009-12

• Top ten bad passwords: abc123 and 123456 are both in the top ten!

– http://www.youtube.com/watch?v=_7RP6UiNSWA

• Passwords should be at least 10 Characters long

http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/

Page 6:

Best Practices with SSN’s

• Assign another primary identifier

• Comply with state regulations

– (More Info es-es.net & edmodo)

• Inform students

• Remove Social Security Numbers

• Update the computer system

• Hash / encrypt SSNs

• Make sure all transmission of SSNs is secure (use SSL or another form of encryption)

• Some states classify academic records as private, and the PII laws protect that information

http://www.ssa.gov/kc/id_practices_best.htm
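The "hashed format" called for on Pages 4 and 6 needs a caveat: a 9-digit SSN has only a billion possible values, so a plain unkeyed hash of it can be reversed with a precomputed table. The added example below (not part of the original deck) pseudonymises SSNs with a keyed HMAC and stores passwords with a slow salted hash; the key, the sample SSN 123-45-6789 and the sample password are constructed for illustration.

```python
"""Storing SSNs and passwords 'in a hashed format' safely.  Added example,
not from the original slides.  The key and sample values are constructed."""
import hashlib
import hmac
import math
import os
import re
from typing import Optional

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(ssn: str) -> Optional[str]:
    """Return the 9 digits of an SSN (dashes optional) or None if malformed."""
    m = SSN_RE.match(ssn.strip())
    return "".join(m.groups()) if m else None


def ssn_keyspace_bits() -> float:
    """Why a plain hash is not enough: only 10**9 SSNs exist, so an unkeyed
    SHA-256 of an SSN is undone by hashing every candidate once (about 30
    bits of work).  'Hashed' must therefore mean a keyed hash or encryption."""
    return math.log2(10 ** 9)


def ssn_token(ssn: str, key: bytes) -> Optional[str]:
    """Keyed pseudonym for an SSN: HMAC-SHA256 under a secret kept outside
    the database (HSM, KMS or at least a separate secret store).  Without
    the key no lookup table can be built; the same SSN still yields the
    same token, so the column remains usable as a join key."""
    digits = normalize_ssn(ssn)
    if digits is None:
        return None
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def ssn_matches(candidate: str, stored_token: str, key: bytes) -> bool:
    """Constant-time comparison of a supplied SSN against a stored token."""
    token = ssn_token(candidate, key)
    return token is not None and hmac.compare_digest(token, stored_token)


# Passwords are different: they are verified, never joined on, so use a
# slow, salted password hash rather than a fast keyed hash.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex' with a fresh salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and round count; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(digest.hex(), digest_hex)
    except ValueError:  # malformed record or bad hex
        return False
```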

Page 7:

10 Common Security Flaws

1. Set it and forget it

2. Opening more firewall ports than necessary

3. Pulling double duty

4. Ignoring network workstations

5. Failing to use SSL encryption where it counts

6. Using self-signed certificates

7. Excessive security logging

8. Randomly grouping virtual servers (Don’t put FW and Production on same physical hosts)

9. Placing member servers in the DMZ

10. Depending on users to install updates

Page 8:

Where we are Today

Page 9:

Network Security Shift

• SaaS: Security-as-a-Service instead of appliances or Layer 7 filtering

• The changing face of NACs, URL filtering and gateway appliances

Page 10:

Daily Security Checklist

• Verify the current connections

• Look at network traffic statistics

• Look at your antivirus logs

• Read the security logs on your domain servers

• Check for new security patches

• Meet and brief

• Check more logs: backup, FW (outgoing)

– I would set them to automatically go to your phone (Think Spiceworks free Helpdesk software)

• Turn knowledge into action

Page 11:

Security Breach: Now What?

• Carefully plan a layered defense (before)

• Consider hiring a computer forensics specialist

• Assess the damage done and remove services

• Alert your legal department (what are the legal requirements?)

• Document what you do

• Begin locking down your system

• Get the bank involved if credit card info was compromised

• Contact any families, employers and suppliers affected by the breach

• Have a set of recovery plans in case a breach occurs again

Keeping Data Thieves Out: Best practices in Data Security &

http://www.itworld.com/print/134572

Page 12:

Staff Security Forms

• 10 Things You Should Know about FERPA

• Confidentiality: What Is Our Responsibility (PowerPoint)

– GCA Privacy Training for Staff and Student Workers quiz

• Confidentiality Pledge for Contractors

• Cyber Bullying Policy

• Fax Cover Sheet for Medical info

• Colorado Department of Education FERPA Checklist

• Cloud Security Guidance by IBM

• VCloud Security for VMware

Page 13:

Internal Audit Checklists

• Internal Audit Review update (a high-level overview designed to help administration understand what should be done)

• Self Audit General Controls Rev Jan 2011 (The backup for documentation for the Internal Audit Review)

• MS Security Compliance Management Toolkit

• HRP-330 - WORKSHEET - FERPA Compliance

– http://www.huronconsultinggroup.com/SOP

• HRP-331 - WORKSHEET - HIPAA Authorization

– http://www.huronconsultinggroup.com/SOP

• Auditor’s Data Systems Checklist

Page 14:

Computer Help Desk Lists

• 10 Things HP (Best Printer Trouble shooting Checklist)

• Computer and Maintenance Security Checklists

• Computer Account Access Form (Tech Republic)

• Server Deployment Migration Checklist (Tech Republic)

• Tune-Up Checklist (Tech Republic)

• Malware Removal Checklist (Tech Republic)

• NATO Codes

• Laptop Checkout Form

• Imaging Check Sheet

Page 15:

Server Maint. Daily

Daily Checklist: check the following things each day:

• Server health status of all the servers

• Backup results: normal

• E-mail queue and throughput

• Virus scan results

• Time synchronization on the servers (very important on VMs)

Page 16:

Server Maint. Weekly

Weekly maintenance checklist; we include the following routines:

– check event logs;

– check server performance;

– check security logs for possible attacks;

– check antivirus alerts;

– install software updates;

– install system/kernel updates (reboot scheduled with Customer).

– back up "important" data over an SSL-encrypted session, stored on a remote server;

– security issues: for example, use the weekly reports from Secunia.

Page 17:

Server Maint. Monthly

• Monthly maintenance checklist; we include the following routines:

– check HDD fragmentation and health;

– check RAID health;

– verify RPM database integrity;

– perform full security audit

– full backup of ALL VMs, taken offsite;

– delete all old VM snapshots.

Page 18:

Switches/Routers Weekly

• Weekly maintenance checklist; we include the following routines:

– check event logs;

– check device performance;

– check security logs for possible attacks;

– check link throughput;

– check interface errors (collisions, input errors, etc.);

– install security updates;

– install system/kernel updates (reboot scheduled with the customer).

Page 19:

Switches/Routers Monthly

• Monthly maintenance checklist; we include the following routines:

– perform configuration backup;

– perform configuration consistency audit;

– perform full security audit.

Page 20:

Network Checklists

• Checklist Deploying a Windows Server 2008 Forest Root Domain

• Employee Separation Checklist (Tech Republic)

• Network Documentation Checklist a good baseline or starting point (Tech Republic)

• Maintenance Checklist (a more comprehensive checklist)

• Secure Mac OS X and Beyond: server and workstation

• Apple iOS Hardening Checklist

Page 21:

Network Checklists II

• Network Maintenance Checklist (a brief checklist by a typical vendor)

• New User Form Checklist (Tech Republic ?)

• Windows Security Survival Guide 2008 (Tons of links and resources from Microsoft)

• Server Change Control Form

• Cloud Security Guidance by IBM

Page 22:

Know Your System

• What is the hardware?

• What software is installed?

– What versions?

– What is the licensing?

• What services are running and why? (Each service takes up system resources.)

– What services are exposed to the Internet and why?

• Document systems, as well as any maintenance tasks

• What antivirus is installed, and is it up to date?

• Perform updates of software

• Apply patches to servers

• Check system resources (CPU, memory)

Page 23:

Know Your System II

• What firewalls?

– What version of firmware?

– How are they configured?

– What are they allowing into the network and why?

• What switches?

• What printers?

– What firmware?

– Web interface disabled?

• SNMP? Use v3

• Kill all Telnet options (phones can sniff and connect to Telnet)

• Understand and Document Physical to Virtual – Understand both

Page 24:

Troubleshooting VPNs

• Find out who is affected

• Determine whether users can establish a VPN connection

• Look for policies that may be preventing connectivity

• Don't rule out the client

• Check to see if the user can log in locally

• Check to see if the users are behind NAT firewalls

• Check for Network Access Protection

• Try accessing various resources on the network

• Try accessing resources by IP address rather than server name

• Is the connection not working, or just painfully slow?

Page 25:

Fix These Security Leaks

• Unauthorized smartphones on your Wi-Fi network

• Open ports on network printers

• Custom web applications with bad code

• Social network spoofing

• Employees downloading illegal movies and music

• SMS spoofs and malware infections

• Disable Telnet and SNMP v1

http://www.computerworld.com/s/article/353317/Six_Leaks_to_Plug_Right_Now?source=CTWNLE_nlt_thisweek_2011-01-24

TODAY!

Page 26:

Top Web Hacks of 2010

• The ASP.NET cookie has been changed, leaving a vulnerability

• Evercookie: can enable a JavaScript to hide 8 different cookies in your browser

• Hacking Autocomplete: a script that forces autocomplete to hand over personal information stored on your computer

• Attacking HTTPS with Cache Injection

• Bypassing CSRF protections with Clickjacking and HTTP Parameter Pollution

• Universal XSS in IE8

http://www.itworld.com/print/134554

Page 27:

Web Hacks cont.

• HTTP POST DoS

• JavaSnoop: a Java agent that communicates with the JavaSnoop tool to test applications for security weaknesses

• CSS History Hack in Firefox without JavaScript for Intranet Port Scanning

• Java Applet DNS Rebinding

http://www.itworld.com/print/134554

Page 28:

Help Desk Systems

1. Know your budget

2. Prioritize the features you need

3. Check email compatibility

4. Think Database

5. Don’t forget security

6. Personalize your email templates

7. Consider the need for a Web interface

8. Evaluate ticket management features

9. Be sure you’re branded

10. Make it easy

11. Spiceworks (FREE): network inventory, help desk, mapping, reporting, monitoring and troubleshooting, and more http://www.spiceworks.com/product/

Page 29:

Top 12 VMware Tweaks

• Use Veeam FastSCP

• Use the unsupported console for SSH/SCP access

• Use VMware Tools

• Defrag your virtual disks

• Disable Windows visual effects

• Run VMware in full screen mode (Ctrl-Alt-Enter)

• Disable the CD-ROM in VMware

• Separate out virtual swap files onto separate virtual disks

• Split virtual disks among multiple hard disks (count spindles) unless SSD

• Delete old snapshots

• Upgrade your hard disk

• Upgrade your CPU

• Upgrade your RAM

Page 30:

Debunk Internet Hoaxes

1. Snopes -- http://www.snopes.com/

2. About Urban Legends -- http://urbanlegends.about.com/

3. Break The Chain -- http://www.breakthechain.org/

4. Truth Or Fiction -- http://truthorfiction.com/

5. Sophos -- http://www.sophos.com/security/hoaxes/

6. Hoax-Slayer -- http://www.hoax-slayer.com/

7. Vmyths -- http://vmyths.com/

8. Symantec -- http://us.norton.com/security_response/index.jsp

9. Hoax Busters -- http://www.hoaxbusters.org/

10. Virus Busters -- http://virusbusters.itcs.umich.edu/

Page 31:

Using remote access to hack

• BackTrack4

– Owning Vista with BackTrack

http://www.offensive-security.com/backtrack-tutorials.php

– How to put BT4 on a USB

– http://www.offensive-security.com/backtrack-tutorials.php

• Mobile devices

– iPhone / iPod Touch http://www.leebaird.com/Me/iPhone.html

– Droid, PS2, others

• Metasploit

Page 32:

Troubleshooting Slow PCs

1. Processor overheating

2. Bad RAM

3. Hard disk issues

4. Disk type and interface

5. BIOS settings

6. Windows services

7. Runaway processes

8. Disk fragmentation

9. Background applications

10. File system issues and display options

Page 33:

Avoid Viruses & Spyware

1. Train your users (staff and students)

2. Install quality antivirus (not always $$)

3. Install real-time anti-spyware protection

4. Keep anti-malware applications current

5. Perform daily scans

6. Disable AutoRun

7. Disable image previews in Outlook

8. Don’t click on email links or attachments

9. Surf smart

10. Use a hardware-based Firewall and Software on local system

11. Deploy DNS protection

Page 34:

Windows 7 Shortcuts

1. WinKey + Home – Minimizes all but the current window

2. WinKey + Space – Preview Desktop (makes all open windows transparent)

3. WinKey + Up or Down Arrow – Maximizes or minimizes/restores the current window

4. WinKey + Left or Right Arrow – Tiles the window on the left or right of the screen

5. WinKey + P – Chooses a Network Projector presentation display mode

6. WinKey + Alt + 1 to 0 – Accesses the Jump List of the program on the taskbar that corresponds to the number

7. WinKey + T – Cycles through the items on the Taskbar

8. WinKey + 1 to 0 – Launches or accesses a program on the Taskbar

9. WinKey + Shift + 1 to 0 – Launches a new instance of a program on the Taskbar

10. WinKey + Ctrl + 1 to 0 – Accesses the last active instance of a program pinned on the Taskbar

Page 35:

Help PC’s Run Better

• Autoruns shows every program that runs at system boot

– http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

• CCleaner: registry cleaner (use the portable version)

– http://www.piriform.com/ccleaner/builds

• Recuva (save your behind, or someone else's)

– http://www.piriform.com/recuva/builds

• PC Decrapifier (Lists all third party software makes a restore point)

– http://www.pcdecrapifier.com/features

• WinPatrol (Large database of apps lists)

– http://www.winpatrol.com/download.html

Page 36:

Useful utilities

• Auslogics Registry Cleaner - http://www.auslogics.com/en/software/registry-cleaner/download/

• PuTTY: Telnet and SSH for Windows

• FileZilla: open source FTP client and server

• VMware: virtualization technology products

– Veeam FastSCP

• Paint.NET: image and photo editing software

• ColorPic: "superb" pop-up color picker control

• Firebug: web debugging

• KeePass: password manager

Page 37:

Easy Website Testing

• Netsparker delivers detection, confirmation and exploitation of vulnerabilities

• Exploitation of SQL Injection vulnerabilities

• Getting a reverse shell from SQL Injection vulnerabilities

• Exploitation of LFI (Local File Inclusion) vulnerabilities

• Downloading the source code of all the crawled pages via LFI (Local File Inclusion)

• Downloading known OS files via LFI (Local File Inclusion)

Page 38:

Live CDs and VMs

• BackTrack (security OS of choice) http://www.remote-exploit.org/backtrack_download.html

• Samurai WTF (web pen-testing) http://samurai.inguardians.com/

• DEFT Linux (computer forensics) http://www.deftlinux.net/

Page 39:

Staying up to date on trends and exploits

• Milw0rm http://www.milw0rm.com/

• SANS Internet Storm Center http://isc.sans.org/

• PacketStorm http://www.packetstormsecurity.org/

• BugTraq http://www.securityfocus.com/archive/1

• RootSecure http://www.rootsecure.net/

Page 40:

Security Checklists, Certifications and Requirements

• National Security Checklists

• Sarbanes-Oxley (SOX) compliance (see sections 103, 302, 404)

• PCI Security Standards Council

• Common Criteria for Information Technology Security Evaluation

• Common Methodology for Information Technology Security Evaluation

• Cardholder Information Security Program

Page 41:

Operating System Hardening

• Red Hat Linux Security Guide

• Debian Linux Security

• Securing SuSE Linux

• Gentoo Linux Security Handbook

• SANS Linux Security Checklist

• Windows Server 2003 Security Guide

Page 42:

Known vulnerabilities ongoing updates

• http://www.cert.org/

• http://www.securityfocus.com/bid

• http://www.sans.org/newsletters/newsbites/

Page 43:

Password Security

• Don’t tell anyone your password.

• Don’t write your password down anywhere.

• Make sure your password cannot be easily guessed.

• If you think there is even a slight chance someone knows your password, change it.

• Don’t let someone see what you are entering as your password.

Page 44:

Passwords: Length Matters

• The secret: if your password is long enough, it doesn't need to be complex. Long passwords defeat common password crackers.

• How long should your passwords be?

– Passwords should be a minimum of 10-15 characters to be considered non-trivial.

• A password of 15 characters or longer is considered secure for most general-purpose business applications, i.e. a "pass phrase".

• Disable the storage of weak cached LM password hashes in Windows; they are simple to break.

Fun example: Denver1broncosrulethenhl

Page 45:

Don't Use a Weak One:

• With fewer than eight characters.

• That could be found in a dictionary.

• That uses public information about you or your family or friends (Soc Sec #; birth date; credit card number; telephone number, etc.).

• That you have used before.

• That is a variation of your user ID.

• That is something significant about you.

Page 46:

Use a Strong Password:

• That is at least 12 characters long.

• That contains uppercase and lowercase letters.

• That contains at least one number or special character.

• That is not a dictionary word in any language, slang, or jargon.

• That cannot be easily guessed and is easy to remember.

Remember to change your password every 180 days.

Page 47:

Weak Passwords (examples):

• abc123, dog, diego, querty, hart, heat, heart, mary

• 1dennis2, hartelephone, lintelco, hartwell

• eednyw, ydnew, kayak, palindrome

• september, superman, mickeymouse, r2d2

• aaaabbbccd, 12345678, a1b2c3d4, zxcvbnm

• bonvoyage, mercibeaucoup, volkswagen

• mircrosoft, colorprinter

• nowisthetimeforallgoodmen

http://www.businessinsider.com/twitters-list-of-370-banned-passwords-2009-12

Page 48:

Mnemonics Made Easy

• Take a phrase that is easy for you to remember and convert it into characters.

• It could be the first line of a poem or a song lyric.

• "Water, water everywhere and not a drop to drink" (Rime of the Ancient Mariner) converts to Wwe&nadtdGL

• "We Three Kings from Orient Are" plus the date "Birth Year" converts to w3KfOr3691BY.

(3691 is the year 1963 spelled backward to extend beyond six characters.)
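A password check that turns the rules on Pages 5, 44, 45, 46 and 47 into code (block known-bad passwords, let length stand in for complexity, reject variations of the user ID and palindromes) and scores the deck's own examples, including the long-but-weak nowisthetimeforallgoodmen. This is an added example, not from the original slides; the denylist is built from the weak examples on Page 47 and the user IDs are constructed.

```python
"""Password policy derived from this deck's rules (added example, not from
the original slides).  The denylist is the slide's own weak examples;
user IDs used with it are made up."""
import math
import re
from typing import List

# Constructed sample denylist: the weak examples listed on the "Weak Passwords" slide.
KNOWN_BAD = {
    "abc123", "123456", "12345678", "querty", "qwerty", "a1b2c3d4", "zxcvbnm",
    "superman", "mickeymouse", "r2d2", "september", "kayak", "palindrome",
    "volkswagen", "bonvoyage", "mercibeaucoup", "colorprinter", "mircrosoft",
    "nowisthetimeforallgoodmen",
}

MIN_LENGTH = 10     # "Passwords should be at least 10 characters long"
STRONG_LENGTH = 15  # "15 characters or longer is considered secure" (pass phrase)

LOWER = re.compile(r"[a-z]")
UPPER = re.compile(r"[A-Z]")
DIGIT = re.compile(r"[0-9]")
SPECIAL = re.compile(r"[^A-Za-z0-9]")


def naive_bits(password: str) -> float:
    """Brute-force keyspace estimate: length * log2(size of the pool used).
    This is the 'length matters' view.  It over-rates dictionary phrases
    such as nowisthetimeforallgoodmen, which crackers try by wordlist, so
    the denylist check below is still needed."""
    pool = 0
    if LOWER.search(password):
        pool += 26
    if UPPER.search(password):
        pool += 26
    if DIGIT.search(password):
        pool += 10
    if SPECIAL.search(password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def has_mixed_classes(password: str) -> bool:
    """Strong-password slide: upper and lower case plus a digit or special."""
    return bool(LOWER.search(password) and UPPER.search(password)
                and (DIGIT.search(password) or SPECIAL.search(password)))


def check_password(password: str, user_id: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    uid = user_id.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Denylist hit, also after stripping digits: "superman99" is still
    # "superman" to a cracker's mangling rules.
    if lowered in KNOWN_BAD or DIGIT.sub("", lowered) in KNOWN_BAD:
        problems.append("known bad password")

    # "A variation of your user ID": one contains the other, or the
    # password is the user ID spelled backwards (cf. eednyw / ydnew).
    if uid and (uid in lowered or lowered in uid or lowered == uid[::-1]):
        problems.append("variation of user ID")

    if len(lowered) > 3 and lowered == lowered[::-1]:
        problems.append("palindrome")

    # Length substitutes for complexity: a 15+ character pass phrase passes
    # as is; anything shorter must mix character classes.
    if len(password) < STRONG_LENGTH and not has_mixed_classes(password):
        problems.append(
            f"under {STRONG_LENGTH} characters without mixed character classes")
    return problems
```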

Page 49:

Evaluations

Step 1: Go to http://edmodo.com/fetcevals

Step 2: Select session number, session title, and evaluate.