Security Best Practices

What are we fighting?
What are we trying to protect?
How can we best combat these problems?
May 24, 2015
Security Best Practices
- Overall Top Issues
- PC Security
- Internal Network Security
- Wireless Security
- File System Security
- Firewall or Perimeter Security

What are we fighting?
- Viruses
  - Sophos polled 3,000 IT administrators and learned that most do not update antivirus signatures for remote offices and telecommuters as often as they do for office-based systems
  - Normally attaches to files
- Worms
  - Propagates over the network
  - Unpatched systems are at risk

What are we fighting?
- Trojans
  - May look friendly
  - Client/server approach = Zombie
- Network Attacks
  - Scanning, sniffing, intrusion attempts, buffer overflows, DDoS attacks
- Internal Attacks
  - Unauthorized attempts

What are we trying to protect?
- Perimeter
- Local Networks
- PCs

Overall Top Issues - 1
- Implement Physical Controls
  - Servers and networking equipment in a locked area
  - Backup devices and media in a locked area
  - Login access to backup server secured

Overall Top Issues - 2
- Require or strongly encourage employees to choose strong passwords
  - Let upper management know the reasons why this is important to protect the business's assets
  - Internet programs use brute-force dictionary attacks which contain tens of thousands of common passwords that hackers use to break into unsecured computer systems
  - Passwords should have a minimum of seven characters, be non-dictionary words, and combine uppercase, lowercase, and special characters
    - 10 trillion combinations

Overall Top Issues - 3
- Require new passwords
  - Every 90 days or at least twice a year
  - Why?
    - A stagnant network is a perfect test bed for exploitation
    - At the very least, if an intrusion was occurring, it raises the deterrent factor
    - If your company was profiled by a hacker and it was recorded that passwords frequently change, they may not waste time on you
- Set account lockout parameters
- Use a brute-force attack on your own passwords

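The password rules from Top Issues 2 (seven or more characters, not a dictionary word, mixed upper, lower and special characters) and the "test your own passwords" advice above, turned into a policy check and a keyspace estimate. This is an added example, not material from the deck: the small COMMON_WORDS set stands in for a real wordlist of tens of thousands of entries, and the 72-symbol alphabet (26 upper, 26 lower, 10 digits, 10 specials) is an assumption, chosen because 72^7 comes to roughly 10 trillion, consistent with the figure on the slide.

```python
"""Password policy check and keyspace estimate (added example, not from the deck)."""
import string

# Constructed stand-in for a common-passwords dictionary; a real check would
# load tens of thousands of entries from a wordlist file (assumption).
COMMON_WORDS = {
    "password", "letmein", "welcome", "admin", "qwerty", "monkey", "dragon",
    "football", "baseball", "sunshine", "princess", "master", "shadow",
}

MIN_LENGTH = 7
SPECIALS = set(string.punctuation)


def policy_violations(password, dictionary=COMMON_WORDS):
    """Return the list of rules the password breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Dictionary rule: compare the letters only, lower-cased, so that
    # decorations such as "Password!" or "password123" are still caught.
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    if letters_only in dictionary:
        problems.append("dictionary word")
    return problems


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time for a guessing tool to try every candidate."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    for pw in ("Tr0ub&dor", "Password!", "abc"):
        print(pw, "->", policy_violations(pw) or ["ok"])
    # 26 upper + 26 lower + 10 digits + 10 specials = 72 symbols (assumed alphabet)
    full = keyspace(72, 7)
    print(f"72^7 = {full:,} candidates")
    # A 50,000-entry dictionary is exhausted in under a minute at 1,000 guesses/s;
    # the full 7-character space takes centuries at the same rate.
    print(seconds_to_exhaust(50_000, 1_000), "s vs",
          seconds_to_exhaust(full, 1_000) / 86_400 / 365, "years")
```

The dictionary comparison strips digits and punctuation before looking the word up, which is why a seven-plus-character "Password!" still fails: the class requirements alone do not stop a dictionary attack, only the non-dictionary rule does.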
Overall Top Issues - 4
- Verify that your virus-protection subscription is current and working
  - Can you include spyware protection also?
  - Do engine updates to the antivirus programs occur automatically or manually?

Overall Top Issues - 5
- Email Issues
  - Internal Email Server
    - Install either a gateway or API filtering solution
    - Both is better, as some solutions will allow it
  - Client PCs should also have email scanning functionality for a second layer of defense
  - Train or educate employees about email attachments
    - Including the need to avoid opening attachments from unknown sources

Overall Top Issues - 6
- Beware of Social Engineering
  - On-site visits to gather data
  - Person posing on the phone as an employee
  - Spoofed email
- Train employees to be cautious
- Lock PC when away

Overall Top Issues - 7
- Install a total protection solution
  - If you host your own web sites locally, using just a firewall is not going to make it secure
  - Install an IDS system and policy management

Overall Top Issues - 8
- Test your security posture regularly
  - Hackers have all the time in the world to update their technology and skills
  - See where your 'holes' exist before someone else does

Overall Top Issues - 9
- Terminating employees
  - Remove their network access immediately
  - Escort them out

Overall Top Issues - 10
- Secure telecommuting and remote access
  - As VPN solutions are increasing to allow greater flexibility and more productivity, securing remote access is critical.
  - Use Quarantine services built into Windows Server 2003 RRAS

Overall Top Issues - 11
- Especially if you're hosting web sites, update your Web server software regularly
  - Stay up-to-date on current patch level and service packs for the underlying OS

Overall Top Issues - 12
- Kill network services that are not needed
  - May include: Web, Email, FTP, Network browsing

Overall Top Issues - 13
- Filter connections
  - Protect and scan HTTP and FTP traffic
- Is IM used?
  - Consider hosting your own
  - Filter the traffic

Overall Top Issues - 14
- Log everything you can
  - Firewall, Web Server, Email Server, File Server, etc.
  - Copy logs to another system
  - Consider a centralized approach

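Two of the slides above fit together: Top Issues 3 says to set account lockout parameters, and Top Issues 14 says to copy logs to a central system. Once the logs are central, the lockout policy can be checked against them. The code below is an added example, not part of the deck: it parses a constructed login log (the line format is an assumption, not any real product's format), counts failures per account inside a sliding window, resets the count on a successful login, and reports which accounts reached the threshold.

```python
"""Detect accounts that hit a lockout threshold in centralized auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login events as a central collector might receive them.
SAMPLE_LOG = """\
2015-05-24 08:00:01 LOGIN_FAILED user=bob src=10.0.0.5
2015-05-24 08:00:09 LOGIN_FAILED user=bob src=10.0.0.5
2015-05-24 08:00:15 LOGIN_FAILED user=alice src=10.0.0.7
2015-05-24 08:00:22 LOGIN_FAILED user=bob src=10.0.0.5
2015-05-24 08:00:30 LOGIN_OK user=alice src=10.0.0.7
2015-05-24 08:00:41 LOGIN_FAILED user=bob src=10.0.0.5
2015-05-24 08:00:55 LOGIN_FAILED user=bob src=10.0.0.5
2015-05-24 09:30:00 LOGIN_FAILED user=carol src=10.0.0.9
2015-05-24 09:31:00 LOGIN_FAILED user=carol src=10.0.0.9
2015-05-24 09:40:00 LOGIN_FAILED user=carol src=10.0.0.9
2015-05-24 09:41:00 LOGIN_FAILED user=carol src=10.0.0.9
2015-05-24 09:42:00 LOGIN_FAILED user=carol src=10.0.0.9
this line is corrupt and must be skipped rather than crash the parser
""".splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, event, user, src), or None for lines that do not match."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["event"], m["user"], m["src"]


def detect_lockouts(lines, threshold=5, window=timedelta(minutes=5)):
    """Map each account that reached `threshold` failures inside `window` to the
    time it happened. A successful login resets the account's failure count,
    mirroring how an account-lockout policy counts attempts."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    locked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip unparsable lines
        ts, event, user, _src = rec
        if user in locked:
            continue                # already flagged; later events do not matter
        if event == "LOGIN_OK":
            recent[user].clear()
            continue
        failures = recent[user]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()      # drop failures that fell out of the window
        if len(failures) >= threshold:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    for user, when in detect_lockouts(SAMPLE_LOG).items():
        print(f"{user}: lockout threshold reached at {when}")
```

With the defaults (5 failures in 5 minutes) only bob is flagged; carol's five failures are spread over twelve minutes, so the window keeps her below the threshold, which is exactly the tuning question the lockout parameters on Top Issues 3 ask you to answer.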
Questions?

PC Security
- Implement a firewall
  - BlackIce, ZoneAlarm, McAfee, Symantec
- Install patches and service packs
  - Turn on the Automatic Updates feature
  - Windows Update
  - Office Update
- Keep the antivirus software up to date
  - Check for updates every 2 hours minimum
  - Is the scanning engine updated automatically?
- Use spyware detection/removal software

Internal Network Security
- What makes up the network?
  - Routers, Switches, Firewalls
  - SERVERS
    - File, Email, Web, Database, Dedicated Application, Backup, Testing
  - PCs
  - And the BIG one, USERS!
  - Basically, anything connected

Securing Basic Network Devices
- Why secure a switch?
  - Man-in-the-middle attacks
  - Traffic sniffing
  - LAN port forwarding
- What about a router?
  - Table poisoning
  - Rerouting traffic

Server Security Best Practices
- Disable the Alerter service and the Messenger service
  - Alerter service notifies users of administrative alerts
  - This service usually is not required under normal circumstances

Server Security Best Practices
- Disable the Messenger service
  - This service provides the ability to send messages between clients and servers
  - Allows users to use "net send" messages hitting your computer from the internet
  - The Messenger service uses UDP ports 135, 137, and 138; TCP ports 135, 139, and 445

Server Security Best Practices
- Disable the Clipbook service
  - Used to store information (cut / paste) and share it with other computers
  - Service has nothing to do with moving data from Excel to Word

Server Security Best Practices
- Disable the Human Interface Device service, except for those users who need it
  - Service enables the use of specialized devices such as game controllers and virtual reality devices

Server Security Best Practices
- Disable the Indexing service
  - Makes searching the local hard drive faster by keeping a virtual index of the files
  - Uses about 500 K to 2 MB in an idle state
  - Sore spot for buffer overflow attacks

Server Security Best Practices
- Disable Machine Debug Manager
  - Provides support for program debugging
  - Typically used by developers
  - Disable it in Internet Explorer

Server Security Best Practices
- Don't run any unnecessary network services
  - World Wide Web Publishing Service
  - Simple Mail Transport Protocol (SMTP)
  - FTP Publishing Service
  - Network News Transfer Protocol

Email Server Security Best Practices
- Using a separate relay
- Virus/Spam protection
- Test to verify an open relay doesn't exist
  - Tools
    - www.samspade.org
    - www.abuse.net/relay.html

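What the open-relay test on this slide actually exercises is the server's decision at RCPT TO. The code below is an added example, not from the deck or from the tools it lists: it encodes a relay policy (accept mail for local domains from anyone; relay to other domains only for internal hosts or authenticated users) and replays the envelope exchange a relay tester sends. The domain, network and addresses are constructed sample values.

```python
"""SMTP relay policy and the open-relay probe it must reject (added example)."""
import ipaddress

# Constructed site parameters; a real server would read these from its configuration.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def rcpt_to_reply(client_ip, authenticated, recipient):
    """Decide the reply to RCPT TO:<recipient> from a given client.
    Inbound mail for a local domain is always accepted; relaying to any other
    domain is allowed only for internal hosts or authenticated users."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "250 2.1.5 OK"                 # inbound delivery, no relay involved
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in INTERNAL_NETWORKS):
        return "250 2.1.5 OK"                 # legitimate outbound relay
    return "554 5.7.1 Relay access denied"


def relay_probe(client_ip, authenticated, sender, recipient):
    """Simulate the envelope part of a relay test and return the transcript
    together with whether the server agreed to relay."""
    transcript = [
        f"C: MAIL FROM:<{sender}>",
        "S: 250 2.1.0 OK",
        f"C: RCPT TO:<{recipient}>",
    ]
    reply = rcpt_to_reply(client_ip, authenticated, recipient)
    transcript.append(f"S: {reply}")
    return transcript, reply.startswith("250")


def is_open_relay():
    """The classic check: an outside, unauthenticated client asks the server to
    carry mail from a foreign sender to a foreign recipient. True means open relay."""
    _transcript, relayed = relay_probe(
        "203.0.113.5", False, "probe@elsewhere.net", "someone@another.org")
    return relayed


if __name__ == "__main__":
    transcript, relayed = relay_probe(
        "203.0.113.5", False, "probe@elsewhere.net", "someone@another.org")
    print("\n".join(transcript))
    print("open relay:", relayed)
```

Run the same probe against each interface of a real relay, from outside the internal network, because a policy that keys on the client address only protects you if the external interface really sees external addresses.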
Web Server Security Best Practices
- Use IIS 6.0 if at all possible
  - Separate protected application pools
- URLScan
  - http://www.microsoft.com/technet/security/tools/urlscan.mspx
- Keep current on patch level

User Best Practices
- Hardening user passwords
  - Educate them as to why this is important
  - Show them how to create strong passwords
  - Password rules
    - Putting a password on a sticky note
    - Do not store miscellaneous passwords on hard drives
    - Administrators and sensitive account users should have stronger than normal passwords
  - Enforce the policy

Questions?

Wireless Security Best Practices
- Change the default SSID (wireless equivalent of a workgroup name) to something less common
  - Or better yet, disable SSID broadcasts
- Use a unique login name and password to gain access to the device
  - Default logins and passwords are publicly available on the Internet

Wireless Security Best Practices
- Enable the highest method of security the device will allow
  - WEP is not bulletproof, but it provides additional protection
  - 128-bit is preferred
- Make sure the device has up-to-date firmware

Wireless Security Best Practices
- Implement media access control (MAC) filtering
  - Allows only the wireless adapters specified to access the device
  - Not bulletproof or "spoofproof", but adds another layer of security
- SNMP community names
  - If not being used, turn it off
  - Change the string to something other than public

Wireless Security Best Practices
- Minimize the amount of signal leaked to the outside
  - If there is no need for wireless access outside the building, place the device at the center of the building
- Audit the wireless network
  - Walk around the outside of the building with a laptop
  - Use 'Network Stumbler' to assist with the security audit

Wireless Security Best Practices
- Small number of wireless clients?
  - Consider using static IP addresses instead of DHCP
  - Use subnets different from the default setting
- Consider using a VLAN or VPN to protect the traffic
  - L2TP with IPSec is a common method

Wireless Security Best Practices
- Public Wireless Access Points
  - All transmissions are unencrypted
  - At the very least, use a firewall
  - Turn off Windows File and Print Sharing
  - Use a VPN solution if connecting to something secure

Wireless Security Best Practices
- If a RADIUS server exists, use it
  - For sites without a Remote Authentication Dial-In User Service (RADIUS) infrastructure, WPA supports the use of a preshared key.
  - For sites with a RADIUS infrastructure, Extensible Authentication Protocol (EAP) and RADIUS are supported.

Wireless Security Best Practices
- Using WPA on your wireless network
  - Wi-Fi Protected Access is a stronger protocol that fixes the weaknesses in WEP
  - The encryption key changes with every frame
- Three critical components needed to upgrade wireless security from WEP to WPA
  - Access point (AP) or wireless router that supports WPA
  - Wireless network card that has WPA drivers available
  - Client that supports WPA and your operating system

Wireless Security Best Practices
- Updating the OS to include WPA functionality
  - Microsoft provides a free WPA upgrade, but it only works with Windows XP
    - Microsoft Knowledge Base Article 815485
  - If the OS is other than Win XP, you'll need third-party client software
    - MeetingHouse Data Communications
    - http://www.mtghouse.com/products/index.shtml

Questions?

File System Security
- NTFS vs FAT
  - FAT 16: DOS
  - FAT 32: Windows 98, ME, 2000, XP
  - NTFS: Windows NT, 2000, XP
  - NTFS5: Windows 2000, XP

File System Security
- NTFS Security
  - Object ownership
  - Permission inheritance
  - Auditing
  - Encrypting File System (EFS)
- Sharing and File Permissions
  - Full Control, Change, and Read
  - Is there a difference between Server 2000 and 2003?

Firewall Technology
- Basically three types of firewall technology
  - Packet filter: routes traffic based on IP/port
  - Stateful packet inspection: analyzes traffic on top of routing
  - Application proxy: works as a translator
- Most firewalls are a combination or hybrid
- The general role is to block unsolicited traffic

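The difference between the first two firewall types on this slide is easiest to see on the same packets. The code below is an added example, not from the deck: a stateless packet filter that judges each packet by direction and destination port, beside a stateful filter that remembers connections the LAN opened and admits only their return traffic. The addresses, ports and rule set are constructed; the stateless rule that opens the ephemeral port range stands in for the common workaround a stateless filter needs so that replies can get back in.

```python
"""Stateless packet filter vs. stateful inspection on the same traffic (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving the LAN
    src: str
    sport: int
    dst: str
    dport: int


def port_matches(spec, port):
    """Rule port spec: None = any port, int = exact port, (lo, hi) = inclusive range."""
    if spec is None:
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


class PacketFilter:
    """Stateless: each packet judged on its own header; first matching rule wins."""
    def __init__(self, rules):
        self.rules = rules   # list of (direction, dport_spec, "allow" | "deny")

    def allows(self, pkt):
        for direction, spec, action in self.rules:
            if direction == pkt.direction and port_matches(spec, pkt.dport):
                return action == "allow"
        return False         # default deny


class StatefulFilter:
    """Remembers outbound connections; an inbound packet is admitted only for a
    published service or as the reverse of a connection the LAN initiated."""
    def __init__(self, inbound_services):
        self.inbound_services = set(inbound_services)
        self.connections = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def allows(self, pkt):
        if pkt.direction == "out":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dport in self.inbound_services:
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def compare_filters():
    """Run constructed packets through both designs; returns {scenario: (stateless, stateful)}."""
    # The stateless filter must open the ephemeral range so replies to outbound
    # connections can return; that hole is what the scenarios below expose.
    stateless = PacketFilter([("out", None, "allow"),
                              ("in", 80, "allow"),
                              ("in", (1024, 65535), "allow")])
    stateful = StatefulFilter(inbound_services={80})

    unsolicited = Packet("in", "203.0.113.9", 443, "10.0.0.5", 51000)
    outbound = Packet("out", "10.0.0.5", 51000, "203.0.113.9", 443)
    reply = unsolicited   # same header, but now the reverse of a known connection
    rdp_probe = Packet("in", "203.0.113.9", 40000, "10.0.0.5", 3389)
    smb_probe = Packet("in", "203.0.113.9", 40000, "10.0.0.5", 445)
    web_visitor = Packet("in", "198.51.100.4", 40000, "10.0.0.8", 80)

    scenarios = [
        ("unsolicited packet before any connection", unsolicited),
        ("client opens outbound connection", outbound),
        ("reply to that connection", reply),
        ("unsolicited probe to tcp/3389", rdp_probe),
        ("unsolicited probe to tcp/445", smb_probe),
        ("visitor to the public web server", web_visitor),
    ]
    return {name: (stateless.allows(p), stateful.allows(p)) for name, p in scenarios}


if __name__ == "__main__":
    for name, (pf, sf) in compare_filters().items():
        print(f"{name:42} packet filter={str(pf):5} stateful={sf}")
```

The first and fourth scenarios are the point: the stateless filter cannot tell a reply from an unsolicited packet aimed at a high port, so its ephemeral-range rule also lets a probe to tcp/3389 through, while the stateful filter admits the reply only after the LAN host opened the connection and rejects both probes.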
Firewall or Perimeter Security
- Do we need publicly accessible servers?
- How to protect transports?
  - Remote access
  - VPN
  - Lock down where inbounds are coming from
  - Email
- An Intrusion Detection System (IDS) is a necessity today

Questions?

This presentation can be found online at:
http://www.kirbykomputing.com/Shared%20Documents/Forms/AllItems.aspx
Brian Kirby
SEDA – Council of Governments