Security Essentials for Desktop System Administrators.

Post on 30-Dec-2015


Civilization Is Made Of People …

Civilization is Risk. -- Not Big Brother

December 8, 2011 | Security Essentials for Desktop System Administrators | slide 2

Dave Barry On Civilization …

New Technology Is Invented Largely To Overcome Previous "Advances"

Dave Barry On Civilization … (image slides)

Fields -> Trees -> Caves -> Houses
Houses -> Windows -> Glass
Glass -> Drapes -> Tents (in Fields!)
Fireplaces -> Microwaves -> Bean Burritos

Computer Security …

Essentially A People Problem

A Basic “People Problem”
(diagram labels: Internet, Privacy)

A Slightly More Precise View
(diagram labels: Internet, Privacy, Blog Rants (tl;dr))

Bruce Schneier

Once the technology is in place, there will always be the temptation to use it ...
(Secrets and Lies, 2000)

How Technology Works
(diagram label: Technology)

Surprising Technology Use
(diagram labels: Technology, Surprising Uses)

Surprising Technology Non-Use

Surprising Technology Use
(image caption: MUDFLAPS / SO I HERD U LIEK THEM)

Technology And Risk
(diagram labels: Technology, Surprising Uses)

Technology And Risk
(diagram labels: Technology, Surprising Uses, Malicious Activity*; * not to scale)

Bruce Schneier

And it is poor civic hygiene to install technologies that could someday facilitate a police state.

xkcd … (image slides)

Dealing With Risk

Recognize | Reduce | Recover

Recognizing Risks

- High Bandwidth
- Enormous Storage
- Posh .gov Location
- Nothing Marketable

Recognizing Risks

- High Bandwidth
- Enormous Storage
- Posh .gov Location
- Nothing Marketable*

Recognizing Risks

- Caching warez
- Sending SPAM
- Spreading malware
- Being/controlling bots
- Committing/suffering DDoS attacks

Recognizing Risks

- Destruction Of Data
- Waste Of Bandwidth
- Waste Of Time
- Frustration

Recognizing Risks

- Default admin privs
- Visiting malicious sites
- Promiscuous USB sharing
- Lack of gruntlement

Newer Threats

- CarrierIQ / mobile device surveillance
- QR Code attacks

Grace Hopper

Life was simple before World War II. After that we had systems.

TLAs for TCB: ISM? DID!

- Integrated Security Management (ISM)
- Defense In Depth (DID)

Reducing Risks: DID

- Perimeter Controls
- Auto-blocking
- Mail virus scanning
- Central Authentication (via LDAP/Kerberos)

Reducing Risks: DID

- Patch and configuration mgmt
- Critical Vulnerabilities
- Prompt response via FCIRT
- Intelligent and informed users
- General and special enclaves

Recognizing Risks: ISM

- Computer Security not an add-on
- Not “one size fits all”
- Largely common sense

Reducing Risks: ISM

- Primary passwords off the net
- Single turn-off point
- No visible services without Strong Authentication
- Lab systems scanned for compliance

Recovery: ISM

- General Computer Security Coordinators (listed at http://security.fnal.gov/ )
  - Work with Computer Security Team
  - Disseminate information
  - Deal with incidents

What About Us Users?

- Malicious Surprises abound
- Use reasonable caution

Users: We Get Mail

- You haven’t won $10M
- Don’t open (most) attachments
- Best not to click links in mail
- Disable scripting for mail

Users: We Get Mail

Can you trust the (so-called) sender?

  Received: from [123.28.41.241] (unknown [123.28.41.241])
    by hepa1.fnal.gov (Postfix) with ESMTP id 808F76F247
    for <baisley@fnal.gov>; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)
  From: Wayne E Baisley <baisley@fnal.gov>
  To: Wayne E Baisley <baisley@fnal.gov>

  route:    123.28.32.0/19
  descr:    VietNam Post and Telecom Corporation (VNPT)
  address:  Lo IIA Lang Quoc te Thang Long, Cau Giay, Ha Noi
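The check the slide walks through by hand (the From: says fnal.gov, but the hop that delivered the mail to the Lab's server came from an outside address) can be automated. The following is an added example, not code from the original slides or from Fermilab; the organization network 131.225.0.0/16 is an assumed placeholder, and both sample messages are constructed, the first one reproducing the headers shown above.

```python
"""Flag mail whose From: claims an in-house address but whose first hop into the
organization's mail server came from outside the organization's networks."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's mail domain and address space. 131.225.0.0/16 is
# an illustrative placeholder for the Lab's own network, not taken from the slides.
ORG_DOMAIN = "fnal.gov"
ORG_NETWORKS = [ipaddress.ip_network("131.225.0.0/16")]

# Route from the whois lookup quoted on the slide for the handing-off address.
SLIDE_ROUTE = ipaddress.ip_network("123.28.32.0/19")

# Constructed sample reproducing the headers shown on the slide (folded onto
# continuation lines the way an MTA writes them).
SPOOFED_MESSAGE = """\
Received: from [123.28.41.241] (unknown [123.28.41.241])
\tby hepa1.fnal.gov (Postfix) with ESMTP id 808F76F247
\tfor <baisley@fnal.gov>; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)
From: Wayne E Baisley <baisley@fnal.gov>
To: Wayne E Baisley <baisley@fnal.gov>

constructed body
"""

# Constructed counter-example: same From:, but handed off by an in-house desktop.
INTERNAL_MESSAGE = """\
Received: from desk42.fnal.gov (desk42.fnal.gov [131.225.10.20])
\tby hepa1.fnal.gov (Postfix) with ESMTP id 0000000000
\tfor <baisley@fnal.gov>; Thu, 01 Apr 2010 10:00:00 -0500 (CDT)
From: Wayne E Baisley <baisley@fnal.gov>
To: Wayne E Baisley <baisley@fnal.gov>

constructed body
"""

# "from <anything> [a.b.c.d] ... by <host>": the sending IP and the receiving MTA.
HOP_RE = re.compile(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([\w.-]+)", re.S)


def is_internal(ip):
    """True if ip lies inside one of the organization's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETWORKS)


def in_quoted_route(ip):
    """True if ip falls in the route the slide's whois lookup returned."""
    return ipaddress.ip_address(ip) in SLIDE_ROUTE


def entry_hop(msg):
    """Return (from_ip, by_host) for the hop that first delivered the message to an
    organization MTA. Received: headers are stacked newest-first, so walk them
    bottom-up and stop at the first receiving host in our domain."""
    for received in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(received)
        if m and m.group(2).lower().endswith(ORG_DOMAIN):
            return m.group(1), m.group(2)
    return None, None


def assess_sender(raw_message):
    """Compare the claimed From: domain with where the message really entered."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    claims_internal = from_addr.lower().endswith("@" + ORG_DOMAIN)
    hop_ip, by_host = entry_hop(msg)
    hop_internal = hop_ip is not None and is_internal(hop_ip)
    return {
        "from": from_addr,
        "entry_ip": hop_ip,
        "received_by": by_host,
        "claims_internal": claims_internal,
        "entry_is_internal": hop_internal,
        # In-house From: arriving straight from an outside network is the slide's
        # pattern: the (so-called) sender cannot be trusted.
        "suspicious": claims_internal and not hop_internal,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("internal", INTERNAL_MESSAGE)):
        print(label, assess_sender(raw))
```

Mail that legitimately leaves and re-enters the organization (webmail, mailing lists, forwarding) will also trip this check, so treat the result as a triage signal rather than a verdict.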

Users: Pass the Word

- Use strong passwords
  - Longer is better
- Use different passwords
  - Or variants, at least

Royko any social engineering attempts

Users: Data

- Decide what data requires protection
- How to be recovered, if needed
- Arrange backups with Sysadmins
  - Or do your own backups
- Occasionally test retrieval

The Incidental Computist

Some non-Lab-business Surprising Use is allowed:
http://security.fnal.gov/ProperUse.htm
(I prefer personal iPhone/iPad/Droid via an external network …)

Activities to Avoid

Services like Skype and BitTorrent: not forbidden but very easy to misuse!

Activities to Avoid

Anything that:
- Is illegal
- Is prohibited by Lab/DOE policy
- May embarrass the Lab
- Interferes with job performance
- Consumes excessive resources

Which Brings Us To Sysadmins

That wrench ain’t gonna swing itself.

Sysadmins Get Risk-Roled

- System manager for security
- Assist and instruct users to do it right
- Vigilant observer of your systems’ (and sometimes users’) behavior

NOISE, n.

…The chief product and authenticating sign of civilization.

Ambrose Bierce, The Devil’s Dictionary

Data Privacy

- Generally, Fermilab respects privacy
- You are required to do likewise
- Special cases for Sysadmins during Security Incidents
- Others must have Directorate approval

Privacy of Email and Files

May not use information in another person’s files seen incidental to any activity (legitimate or not) for any purpose w/o explicit permission of the owner or “reasonable belief the file was meant to be accessed by others.”

Offensive Materials

- Material on computer ≈ Material on desk
- A line management concern
- Not a computer security issue per se

Software Licensing

Fermilab is strongly committed to respecting intellectual property rights. Use of unlicensed commercial software is a direct violation of lab policy.

Patch/Configuration Management

- Baselines: Linux, Mac, Windows
- All systems must meet their baseline
- All systems must be regularly patched
- Non-essential services off
- Windows, especially, must run AV

Patch/Configuration Management

Exceptions/Exemptions:
- Documented case why OS is “stuck”
- Patch and manage as securely

Critical Vulnerabilities

- Active exploits declared critical
- Pose a clear and present danger
- Must patch by a given date or be blocked
- Handled via TIssue events

Computer Security Incidents

- Report suspicious events to x2345 or computer_security@fnal.gov
- Follow FCIRT instructions during incidents
- Keep infected machines off the network
- Preserve system for expert investigation
- Not to be discussed!

FCIRT

- Triage initial reports
- Coordinate investigation
- Work with local Sysadmins, experts
- May take control of affected systems
- Maintain confidentiality

Mandatory Sysadmin Registration

- All Sysadmins must be registered
- Primary Sysadmin is responsible for configuring and patching
- http://security.fnal.gov -> “Verify your node registration”

Do Not Want: Prohibited Activities

- Blatant disregard of computer security
- Unauthorized or malicious actions
- Unethical behavior
- Restricted central services
- Security & cracker tools
- http://security.fnal.gov/policies/cpolicy.html

We Want To Avoid This … (image slide)

Role of Sysadmins

- Manage your systems sensibly, securely
- Services comply with Strong Auth rules
- Report potential incidents to FCIRT
- Act on relevant bulletins
- Keep your eyes open

We Can Do It …

We Can Do It. Statistically.

Questions?

nightwatch@fnal.gov for questions about security policy
computer_security@fnal.gov for reporting security incidents
http://security.fnal.gov/