Security On the Cheap: Practical Application of Back to Basics Methods. Joel Cardella, GrrCon 2014

GrrCon 2014: Security On the Cheap

This talk is a deeper dive into security basics, where we discuss techniques and tools to shore up your foundational enterprise security.

Page 1: GrrCon 2014: Security On the Cheap

Practical Application Of Back to Basics Methods

Joel Cardella GrrCon 2014

SECURITY ON THE CHEAP

Page 2: GrrCon 2014: Security On the Cheap

BIOGRAPHICAL INFO

• Joel Cardella

• 20 years in Information Technology .. Blah blah blah

• Currently Regional Security Officer for multinational industrial manufacturing organization

• Passionate evangelist of infosec

• But none of this matters because basics is a common sense method

Page 3: GrrCon 2014: Security On the Cheap

Page 4: GrrCon 2014: Security On the Cheap

[Figure: hierarchy-of-needs pyramid for information security. "Basic security starts with foundations" sits at the base; other controls are layered above it as Low, Medium, High and Critical.]

http://infospectives.me/2014/07/31/modifying-maslow-what-really-drives-your-infosec-needs-the-state-of-security/

Cindy Valladares

Page 5: GrrCon 2014: Security On the Cheap

[Figure: the same pyramid as it too often looks in practice: buy latest hyped product, panic, pray, hope, procrastinate.]

Unfortunately…

http://infospectives.me/2014/07/31/modifying-maslow-what-really-drives-your-infosec-needs-the-state-of-security/

Cindy Valladares

Page 6: GrrCon 2014: Security On the Cheap
Page 8: GrrCon 2014: Security On the Cheap

BASICS FOCUS

[Figure: the four focus areas of the basics, Prevention, Detection, Response and Recovery, arranged around Risk. The same graphic appears on later slides to mark which area each tool or control addresses.]

Basics does not address advanced threats!

Page 9: GrrCon 2014: Security On the Cheap

WHAT RISK CAN WE CONTROL?

THREATS X VULNERABILITIES X TIME = RISK

• Threats: no control

• Vulnerabilities: indirect control (vendor reliance) and direct control (issuing patches & updates)

• Time: direct control

None of these values is ever zero, but we should work toward zero.

Page 10: GrrCon 2014: Security On the Cheap

SECURITY BASICS

• Security requires resources; you must invest to get a return

• If you don’t invest the resources, you will increase the vulnerability and likelihood, and thus the risk

• If you can’t invest money, then you invest time

• NOW: How do we do this cheaply?

Page 11: GrrCon 2014: Security On the Cheap

INVESTMENT DIRECTION

Page 12: GrrCon 2014: Security On the Cheap

WHAT ARE YOUR STANDARDS?

• Critical Security Controls (SANS 20)

• Australian Defence Signals Directorate (DSD)

Page 13: GrrCon 2014: Security On the Cheap

CSC FIRST FIVE QUICK WINS

• For those wanting a highly focused and direct starting point, we have emphasized the “First Five Quick Wins”: sub-controls that have the most immediate impact on preventing attacks. These actions are specially noted in the Controls listings, and consist of:

• 1. Application whitelisting (found in CSC 2 / DSD 1);

• 2. Use of standard, secure system configurations (found in CSC 3);

• 3. Patch application software within 48 hours (found in CSC 4 / DSD 2);

• 4. Patch system software within 48 hours (found in CSC 4 / DSD 3); and

• 5. Reduced number of users with administrative privileges (found in CSC 3 and CSC 12 / DSD 4).

Page 14: GrrCon 2014: Security On the Cheap

THE FIRST FIVE

| Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Helps mitigate intrusion stage 2: network propagation | Helps mitigate intrusion stage 3: data exfiltration |
|---|---|---|---|---|---|---|---|---|
| Application whitelisting | Essential | Medium | High | Medium | Yes | Yes | Yes | Yes |
| Standard configurations | Essential | Low | Medium | Medium | Possible | Yes | Yes | Yes |
| Patch applications < 48 hrs | Essential | Low | High | High | No | Yes | Possible | No |
| Patch operating system vulnerabilities < 48 hrs | Essential | Low | Medium | Medium | No | Yes | Possible | No |
| Restrict administrative privileges | Essential | Medium | Medium | Low | No | Possible | Yes | No |

Focusing on these 5 will address 80% of your risk – Australian DSD

Pareto Principle – 20% of our focus can address 80% of our risk

Page 15: GrrCon 2014: Security On the Cheap

FIRST FIVE QUICK WINS

• For those wanting a highly focused and direct starting point, we have emphasized the “First Five Quick Wins”: sub-controls that have the most immediate impact on preventing attacks. These actions are specially noted in the Controls listings, and consist of:

• 1. Application whitelisting (found in CSC 2 / DSD 1);

• 2. Use of standard, secure system configurations (found in CSC 3);

• 3. Patch application software within 48 hours (found in CSC 4 / DSD 2);

• 4. Patch system software within 48 hours (found in CSC 4 / DSD 3); and

• 5. Reduced number of users with administrative privileges (found in CSC 3 and CSC 12 / DSD 4).

Page 16: GrrCon 2014: Security On the Cheap

THE END

Thank you for listening

Page 17: GrrCon 2014: Security On the Cheap

QUICK WINS DEEP DIVE

• Assess (PLAN)

• Focus (DO)

• Measure (CHECK)

• Remediate (ACT)

Page 18: GrrCon 2014: Security On the Cheap

73 QUICK WINS

[Figure: assessment grid of the 73 quick-win sub-controls, one column per control from CSC 1 through CSC 20, with the sub-controls numbered under each column.]

Assess to the level of your risk appetite … your green may not be someone else’s green

Page 19: GrrCon 2014: Security On the Cheap

TOOLS

Page 20: GrrCon 2014: Security On the Cheap

CAVEAT EMPTOR

• I will not discuss a tool in context of use unless:

• I have used it myself and found it to be effective

• It is being used effectively by a peer whom I trust

• I am going to focus on Windows systems as being higher risk than others, mostly due to proliferation and ubiquity

Page 21: GrrCon 2014: Security On the Cheap

CHEAP <> FREE

• Cheap is not permanent, it is a bridge

• Cheap is relative

• Included with other stuff (like an EA)

• Low cost for an enterprise

• Open source / FOSS

• Cheap is more expensive in terms of time when used to cut corners

Page 22: GrrCon 2014: Security On the Cheap

TOOLS FOR CONTROLS

• CSC 1 – NMAP

• CSC 2 – SCCM

• Whitelisting can be implemented using commercial whitelisting tools or application execution tools that come with anti-virus suites and with Windows (AppLocker).

• CSC 3 – SCCM (for distribution)

• Lansweeper: unlimited assets scanned at your interval, kept in a historical database, for $1995

Page 23: GrrCon 2014: Security On the Cheap

CSC 3 – SECURE CONFIGURATIONS

• Establish and ensure the use of standard secure configurations of your operating systems.

• Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system.

• Hardening typically includes: removal of unnecessary accounts (including service accounts), disabling or removal of unnecessary services, configuring non-executable stacks and heaps, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and use of host-based firewalls.

• These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.


Page 24: GrrCon 2014: Security On the Cheap

DO YOUR RESEARCH!

A simple Google search returns many articles on hardening Windows


Page 25: GrrCon 2014: Security On the Cheap

HARDENING EXAMPLES

• Uninstall Adobe Reader

• Remove Java, or set your browser settings to “Click To Play Plugins”

• Remove unnecessary services - http://www.blackviper.com/windows-services/

• EMET - http://support.microsoft.com/kb/2458544

http://www.insanitybit.com/2013/03/27/windows-hardening-guide/


Page 26: GrrCon 2014: Security On the Cheap

CSC 12 – CONTROLLED USE OF ADMIN

• In Active Directory, restrict the membership of:

• Enterprise Admins

• Schema Admins

• These are the two most powerful security groups in AD

• Do NOT allow your admins to have accounts idling in these groups – they can add & remove as needed


Page 27: GrrCon 2014: Security On the Cheap

CSC 12 – CONTROLLED USE OF ADMIN

• Look at the membership of Domain Admins and Domain Workstation Admins

• Create separate accounts for admins, a regular user and an admin account

• Don’t name the admin account admin<USERNAME>

• Make it distinct but not obvious

• Enforce 2nd factor on admin logins?

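As an added example (not from the talk or the PoshSec project), the following PowerShell audit checks the groups the two CSC 12 slides name: it lists standing members of Enterprise Admins and Schema Admins, and flags Domain Admins members with the predictable admin<USERNAME> naming or with no logon in 90 days. It assumes the RSAT ActiveDirectory module, read access to the domain, that "Domain Workstation Admins" is a group that exists in your domain, and the 90-day idle threshold.

```powershell
# Added example, not the talk's or PoshSec's code. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Groups the slides say should have no one idling in them between tasks...
$ShouldBeEmpty = @('Enterprise Admins', 'Schema Admins')
# ...and groups whose membership should simply be reviewed ('Domain Workstation Admins' is assumed to exist).
$ReviewGroups  = @('Domain Admins', 'Domain Workstation Admins')
$IdleDays      = 90   # assumed threshold for "this privileged account is just idling"

function Get-PrivilegedMembers {
    param([string]$Group)
    try {
        # -Recursive expands nested groups so indirect members are not missed
        Get-ADGroupMember -Identity $Group -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties LastLogonDate, Enabled
    } catch {
        Write-Warning "Could not enumerate '$Group': $_"
    }
}

$findings = @(
    foreach ($g in $ShouldBeEmpty + $ReviewGroups) {
        foreach ($m in Get-PrivilegedMembers -Group $g) {
            $flags = @()
            if ($ShouldBeEmpty -contains $g) {
                $flags += 'standing member of a group that should be empty between tasks'
            }
            if ($m.SamAccountName -match '^admin') {
                $flags += 'predictable admin<USERNAME> naming'
            }
            if (-not $m.LastLogonDate -or $m.LastLogonDate -lt (Get-Date).AddDays(-$IdleDays)) {
                $flags += "no logon in $IdleDays days (idle privileged account)"
            }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Group     = $g
                    Account   = $m.SamAccountName
                    Enabled   = $m.Enabled
                    LastLogon = $m.LastLogonDate
                    Finding   = ($flags -join '; ')
                }
            }
        }
    }
)

# One row per finding; an empty table means the groups match the slides' advice.
$findings | Sort-Object Group, Account | Format-Table -AutoSize
```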

Page 28: GrrCon 2014: Security On the Cheap

FURTHER SHRINK THE ATTACK SURFACE

Page 29: GrrCon 2014: Security On the Cheap

PREVENT BRUTE FORCING

• Winfail2ban (the Windows counterpart of Fail2ban for *NIX)

• Scans log files like FTP logs or Event Viewer and bans IPs that make too many password failures

• http://winfail2ban.sourceforge.net/

• For webapps, don’t fail password attempts in a predictable way

• For example, most Web sites return an "HTTP 401 error" code with a password failure, although some web sites instead return an "HTTP 200 SUCCESS" code but direct the user to a page explaining the failed password attempt.

• Vary the behaviors to fool automation

• https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks

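An added example, not part of the talk and not winfail2ban's code: a PowerShell script that does for the Windows Security log what the slide describes, counting failed logons (Event ID 4625) per source address over a look-back window and, with -Ban, blocking addresses over a threshold with a Windows Firewall rule. The threshold, window and rule naming are assumptions; it must run elevated with logon auditing enabled.

```powershell
# Added example, not winfail2ban's code. Run elevated; needs logon auditing enabled.
param(
    [int]$Threshold     = 10,   # assumed: failures before an address is reported
    [int]$WindowMinutes = 15,   # assumed: look-back window
    [switch]$Ban                # also add an inbound block rule for each offender
)

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
# 4625 = "An account failed to log on". No events in the window is not an error here.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# The source address is the 'IpAddress' element in the event's EventData section.
$failures = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $ip  = ($xml.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
    # Local and console failures carry '-' or a loopback address; skip those.
    if ($ip -and $ip -notin @('-', '::1', '127.0.0.1')) { $ip }
}

# Group identical addresses and keep the ones at or above the threshold.
$offenders = $failures | Group-Object | Where-Object Count -ge $Threshold |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count

$offenders | Sort-Object Count -Descending | Format-Table -AutoSize

if ($Ban) {
    foreach ($o in $offenders) {
        $name = "Brute-force block $($o.SourceIP)"   # assumed rule naming convention
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                                -RemoteAddress $o.SourceIP | Out-Null
        }
    }
}
```

Like winfail2ban, a rule added this way needs a matching expiry process, otherwise a shared NAT address or a typo-prone user stays blocked indefinitely.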

Page 30: GrrCon 2014: Security On the Cheap

EASY 2ND FACTOR

• Duo Security has an enterprise plan for $3/user/month

• Got a small team? Up to 10 users are free

• https://www.duosecurity.com/

• Google authenticator for web apps which use OAUTH tokenization

• Authy – http://www.authy.com

• Microsoft Phone Factor - http://azure.microsoft.com/en-us/services/multi-factor-authentication/


Page 31: GrrCon 2014: Security On the Cheap

THREAT MODELING FOR INCIDENT RESPONSE

• Not just for web apps! Threat modeling can be used for incident response & planning

• 3 parts

1. Establish attack path

2. Table top exercise to identify controls

3. Create a security exercise that tests the controls along the path

• http://www.irongeek.com/i.php?page=videos/circlecitycon2014/117-how-to-create-an-attack-path-threat-model-wolfgang-goerlich


Page 32: GrrCon 2014: Security On the Cheap

MORE USEFUL TOOLS

Page 33: GrrCon 2014: Security On the Cheap

POWERSHELL SCRIPTS

• PoshSec project

• 63 cmdlets/functions in the PoshSec module

• Account Monitoring & Control

• Authorized Devices

• Forensics

• Log Management

• Network Baseline

• Software Management

• Utility Functions

• http://www.powershellmagazine.com/2014/07/10/introduction-to-poshsec/


Page 34: GrrCon 2014: Security On the Cheap

NETWORK FORENSICS

• Wireshark

• Open source multi-platform network protocol analyzer

• Hard to learn, easy to use

• Then after a while, easy to use once your use cases are established

• Time sink but it’s time well spent

• https://www.wireshark.org/


Page 35: GrrCon 2014: Security On the Cheap

PASSWORD CRACKING

• Cain & Abel

• It can recover passwords by

• sniffing the network,

• cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks,

• recording VoIP conversations,

• decoding scrambled passwords,

• revealing password boxes,

• uncovering cached passwords and

• analyzing routing protocols.

• http://www.oxid.it/cain.html

• Wordlists: http://hashcrack.blogspot.com/p/wordlist-downloads_29.html

Page 36: GrrCon 2014: Security On the Cheap

POLICY & GOVERNANCE

Page 37: GrrCon 2014: Security On the Cheap

OFT OVERLOOKED

• Don’t underestimate the power of governance and policy

• They can not only help you manage your security workload, they can be used in legal defense

Page 38: GrrCon 2014: Security On the Cheap

CHANGE MANAGEMENT

• Who approves your security changes?

• Is this documented and reviewed periodically?

• Who reviews your security changes for accuracy?

• Who follows up to verify the changes are still accurate?

• Document reasons for changes, approvals and mitigations

• ARE YOU SURE?

Page 39: GrrCon 2014: Security On the Cheap

ESTABLISH A GOVERNANCE CALENDAR

• The calendar contains your regular cadence of review activity

• You can script reminders to the entities responsible for the review

• SharePoint

• Google scripts (Google calendar)

• Internal calendaring software X

• Work this activity into your existing processes so they get prioritized

• Time box those activities!

• Get SLAs/SLOs for teams on which you rely to perform these activities

Page 40: GrrCon 2014: Security On the Cheap

SAMPLE GOVERNANCE CALENDAR

[Figure: a one-year calendar (Q1 to Q4, Jan to Dec) with rows for Operations, Security and Data Center, showing the review cadence: DR testing once, recon twice, backup testing three times, AD review three times, a mid year audit and an audit.]

Page 41: GrrCon 2014: Security On the Cheap

WHAT IS THE WEAKEST LINK?

Page 42: GrrCon 2014: Security On the Cheap

SOCIAL VECTORS

• This is the cheapest thing you can address which has the best ROI

• TALK TO YOUR USERS!

• Don’t lecture

• Don’t debate

• Give them usable information

• Ex: with the busiest shopping day of the year coming up, create a newsletter or workshop that shows how to buy a PC – and subtly include how to secure it


Page 43: GrrCon 2014: Security On the Cheap

A WORD ON RECOVERY

• There is no “cheap” data recovery option or configuration

• Backups must be maintained, tested and verified

• Backups are a critical security strategy, but not focused on in the CSC or DSD

Page 44: GrrCon 2014: Security On the Cheap

YMMV

These are ideas; pick and choose and twist and tinker and make it work for you

Page 45: GrrCon 2014: Security On the Cheap

TOOLS & REFERENCES LIST

• http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site

• http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx - AD rights delegation

• http://sectools.org/ - List of pay and free network tools

• http://www.poshsec.com/ - PowerShell scripts that support the 20 CSC

• http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD Top 35

• http://www.counciloncybersecurity.com – Council on Cybersecurity

• http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective threat modeling

• http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry - Brian Krebs’ op-ed on the Target breach and some of the false pretense

Page 46: GrrCon 2014: Security On the Cheap

THANK YOU

• GrrCon staff, especially EggDropX and P1nkN1ghtmare for making it happen

• #misec for being an awesome community

• You, for listening and turning your attention to the basics

Page 47: GrrCon 2014: Security On the Cheap

CONTACT INFO

• Twitter: @JoelConverses

• Email: [email protected]

• IRC: FreeNODE #misec (joel_s_c)

• Info about misec: www.michsec.org