Security Best Practices

Transcript of Security Best Practices (49 slides)

Page 1: Security Best Practices

- What are we fighting?
- What are we trying to protect?
- How can we best combat these problems?

Page 2: Security Best Practices

- Overall Top Issues
- PC Security
- Internal Network Security
- Wireless Security
- File System Security
- Firewall or Perimeter Security

Page 3: What are we fighting?

- Viruses
  - Sophos polled 3,000 IT administrators and learned that most do not update antivirus signatures for remote offices and telecommuters as often as they do for office-based systems
  - Normally attaches to files
- Worms
  - Propagates over the network
  - Unpatched systems are at risk

Page 4: What are we fighting?

- Trojans
  - May look friendly
  - Client/server approach = Zombie
- Network Attacks
  - Scanning, sniffing, intrusion attempts, buffer overflows, DDoS attacks
- Internal Attacks
  - Unauthorized attempts

Page 5: What are we trying to protect?

- Perimeter
- Local Networks
- PCs

Page 6: Overall Top Issues - 1

- Implement Physical Controls
  - Servers and networking equipment in a locked area
  - Backup devices and media in a locked area
  - Login access to backup server secured

Page 7: Overall Top Issues - 2

- Require or strongly encourage employees to choose strong passwords
  - Let upper management know the reasons why this is important to protect the business's assets
  - Internet programs use brute-force dictionary attacks which contain tens of thousands of common passwords that hackers use to break in to unsecured computer systems
  - Passwords should have a minimum of seven characters, be non-dictionary words, and combine uppercase, lowercase, and special characters
    - 10 trillion combinations
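The password rules on this slide (seven characters minimum, non-dictionary, mixed upper/lower/special) as a small policy checker, plus the keyspace arithmetic behind the "combinations" claim. This is an added example, not code from the presentation; the six-word dictionary is a constructed stand-in for the "tens of thousands of common passwords" a real list would hold.

```python
import string

# Constructed mini-dictionary standing in for the "tens of thousands of
# common passwords" the slides mention; a real list would be far larger.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "football"}

MIN_LENGTH = 7  # the slides' minimum


def policy_failures(password, dictionary=COMMON_PASSWORDS):
    """Return the list of slide rules a password breaks (empty means compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    # "Non-dictionary": compare case-insensitively after stripping digits and
    # specials, so that Password1! is still caught as the word 'password'.
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in dictionary:
        failures.append("based on a dictionary word")
    return failures


def is_compliant(password, dictionary=COMMON_PASSWORDS):
    return not policy_failures(password, dictionary)


def keyspaces(length=MIN_LENGTH):
    """Number of possible passwords of the given length for each character mix."""
    lower = len(string.ascii_lowercase)                          # 26
    mixed = len(string.ascii_letters)                            # 52
    full = mixed + len(string.digits) + len(string.punctuation)  # 94
    return {
        "lowercase only": lower ** length,
        "upper + lower": mixed ** length,
        "upper + lower + digits + special": full ** length,
    }


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "Tr!ckyP4ss", "Ab!"]:
        print("%-12s -> %s" % (candidate, policy_failures(candidate) or "OK"))
    for mix, size in keyspaces().items():
        print("%-34s %20d (~%.1e)" % (mix, size, size))
```

Running it shows why the character-mix rule matters: seven lowercase letters give about 8 billion possibilities, while seven characters drawn from all 94 printable ASCII characters give roughly 65 trillion.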

Page 8: Overall Top Issues - 3

- Require new passwords
  - Every 90 days or at least twice a year
  - Why?
    - A stagnant network is a perfect test bed for exploitation
    - At the very least, if an intrusion was occurring, it raises the deterrent factor
    - If your company was profiled by a hacker and they recorded that passwords frequently change, they may not waste time on you
- Set account lockout parameters
- Use a brute-force attack on your own passwords

Page 9: Overall Top Issues - 4

- Verify that your virus-protection subscription is current and working
  - Can you include spyware protection also?
  - Do engine updates to the antivirus programs occur automatically or manually?

Page 10: Overall Top Issues - 5

- Email Issues
  - Internal Email Server
    - Install either a gateway or API filtering solution
    - Both is better, as some solutions will allow it
  - Client PCs should also have email scanning functionality for a second layer of defense
  - Train or educate employees about email attachments
    - Including the need to avoid opening attachments from unknown sources

Page 11: Overall Top Issues - 6

- Beware of Social Engineering
  - On-site visits to gather data
  - Person posing on the phone as an employee
  - Spoofed email
- Train employees to be cautious
  - Lock PC when away

Page 12: Overall Top Issues - 7

- Install a total protection solution
  - If you host your own web sites locally, using just a firewall is not going to make it secure
  - Install an IDS system and policy management

Page 13: Overall Top Issues - 8

- Test your security posture regularly
  - Hackers have all the time in the world to update their technology and skills
  - See where your 'holes' exist before someone else does

Page 14: Overall Top Issues - 9

- Terminating employees
  - Remove their network access immediately
  - Escort them out

Page 15: Overall Top Issues - 10

- Secure telecommuting and remote access
  - As VPN solutions are increasing to allow greater flexibility and more productivity, securing remote access is critical.
  - Use Quarantine services built into Windows Server 2003 RRAS

Page 16: Overall Top Issues - 11

- Especially if you're hosting web sites, update your Web server software regularly
  - Stay up-to-date on current patch level and service packs for underlying OS

Page 17: Overall Top Issues - 12

- Kill network services that are not needed
  - May include
    - Web
    - Email
    - FTP
    - Network browsing

Page 18: Overall Top Issues - 13

- Filter Connections
  - Protect and scan HTTP and FTP traffic
  - Is IM used?
    - Consider hosting your own
    - Filter the traffic

Page 19: Overall Top Issues - 14

- Log everything you can
  - Firewall, Web Server, Email Server, File Server, etc.
  - Copy logs to another system
  - Consider a centralized approach
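Pages 8 and 19 together suggest one check worth automating: replay the logon events collected on a central log server against the account lockout parameters and see whether the policy actually held. This is an added example, not code from the presentation; the log lines, host names, addresses and the 5-failures-in-30-minutes parameters are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of logon events as a central log server might receive
# them after the file and mail servers forward their logs.
SAMPLE_LOG = """\
2004-03-02 09:00:05 host=FILESRV01 event=LOGON_FAILURE user=jsmith src=10.0.0.77
2004-03-02 09:00:09 host=FILESRV01 event=LOGON_FAILURE user=jsmith src=10.0.0.77
2004-03-02 09:00:14 host=MAILSRV01 event=LOGON_FAILURE user=jsmith src=10.0.0.77
2004-03-02 09:00:20 host=FILESRV01 event=LOGON_FAILURE user=jsmith src=10.0.0.77
2004-03-02 09:00:26 host=MAILSRV01 event=LOGON_FAILURE user=jsmith src=10.0.0.77
2004-03-02 09:01:00 host=MAILSRV01 event=LOGON_SUCCESS user=jsmith src=10.0.0.77
2004-03-02 08:10:00 host=WEBSRV01 event=LOGON_FAILURE user=mbrown src=10.0.0.12
2004-03-02 09:30:00 host=WEBSRV01 event=LOGON_FAILURE user=mbrown src=10.0.0.12
2004-03-02 10:50:00 host=WEBSRV01 event=LOGON_FAILURE user=mbrown src=10.0.0.12
2004-03-02 11:10:00 host=WEBSRV01 event=LOGON_SUCCESS user=mbrown src=10.0.0.12
"""

# Lockout parameters in the style of the Windows account policy (assumed values).
THRESHOLD = 5                        # failures before lockout
OBSERVATION = timedelta(minutes=30)  # failures older than this no longer count
DURATION = timedelta(minutes=30)     # how long the account stays locked


def parse_line(line):
    """Turn 'YYYY-MM-DD HH:MM:SS k=v k=v ...' into a dict with a datetime 'ts'."""
    date, clock, *fields = line.split()
    record = {"ts": datetime.fromisoformat(date + " " + clock)}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def evaluate(log_text, threshold=THRESHOLD, observation=OBSERVATION, duration=DURATION):
    """Replay the events in time order; return lockouts and policy-violation alerts."""
    events = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda r: r["ts"])
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}               # user -> time the lockout expires
    lockouts, alerts = [], []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "LOGON_FAILURE":
            window = failures[user]
            while window and ts - window[0] > observation:
                window.popleft()    # expire failures outside the observation window
            window.append(ts)
            if len(window) >= threshold:
                lockouts.append((user, ts, ev["src"]))
                locked_until[user] = ts + duration
                window.clear()
        elif ev["event"] == "LOGON_SUCCESS":
            if user in locked_until and ts < locked_until[user]:
                # A success during a lockout means some host is not enforcing
                # the policy (or the account is local) and deserves a look.
                alerts.append("%s: logon on %s accepted while locked" % (user, ev["host"]))
            failures[user].clear()
    return {"lockouts": lockouts, "alerts": alerts}


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG)
    for user, ts, src in result["lockouts"]:
        print("LOCKOUT %s at %s from %s" % (user, ts, src))
    for alert in result["alerts"]:
        print("ALERT", alert)
```

On the sample, jsmith's five failures spread over two hosts only add up when the logs are viewed centrally, and the success one minute later is flagged because it should have been rejected during the lockout; mbrown's three failures are hours apart and never reach the threshold.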

Page 20: Questions?

Page 21: PC Security

- Implement a Firewall
  - BlackIce, ZoneAlarm, McAfee, Symantec
- Install Patches and Service Packs
  - Turn on the Automatic Updates feature
  - Windows Update
  - Office Update
- Keep the antivirus software up-to-date
  - Check for updates every 2 hours minimum
  - Is the scanning engine updated automatically?
- Use Spyware detection/removal software

Page 22: Internal Network Security

- What makes up the network?
  - Routers, Switches, Firewalls
  - SERVERS
    - File, Email, Web, Database, Dedicated Application, Backup, Testing
  - PCs
  - And the BIG one, USERS!
  - Basically, anything connected

Page 23: Securing Basic Network Devices

- Why secure a switch?
  - Man in the Middle Attacks
  - Traffic Sniffing
  - LAN port forwarding
- What about a router?
  - Table poison
  - Reroute traffic

Page 24: Server Security Best Practices

- Disable the Alerter service and the Messenger service
  - Alerter service notifies users of administrative alerts
  - This service usually is not required under normal circumstances

Page 25: Server Security Best Practices

- Disable the Messenger service
  - This service provides the ability to send messages between clients and servers
  - Allows users to use "net send" messages hitting your computer from the internet
  - The Messenger service uses UDP ports 135, 137, and 138; TCP ports 135, 139, and 445

Page 26: Server Security Best Practices

- Disable the Clipbook service
  - Used to store information (cut / paste) and share it with other computers
  - Service has nothing to do with moving data from Excel to Word

Page 27: Server Security Best Practices

- Disable the Human Interface Device service, except for those users who need it
  - Service enables the use of specialized devices such as game controllers and virtual reality devices

Page 28: Server Security Best Practices

- Disable the Indexing service
  - Makes searching the local hard drive faster by keeping a virtual index of the files
  - Uses about 500 K to 2 MB in an idle state
  - Sore spot for buffer overflow attacks

Page 29: Server Security Best Practices

- Disable Machine Debug Manager
  - Provides support for program debugging
  - Typically used by developers
  - Disable it in Internet Explorer

Page 30: Server Security Best Practices

- Don't run any unnecessary network services
  - World Wide Web Publishing Service
  - Simple Mail Transport Protocol (SMTP)
  - FTP Publishing Service
  - Network News Transfer Protocol

Page 31: Email Server Security Best Practices

- Using a separate relay
- Virus/Spam Protection
- Test to verify an open relay doesn't exist
  - Tools
    - www.samspade.org
    - www.abuse.net/relay.html

Page 32: Web Server Security Best Practices

- Use IIS 6.0 if at all possible
  - Separate protected application pools
- URLScan
  - http://www.microsoft.com/technet/security/tools/urlscan.mspx
- Keep current on patch level

Page 33: User Best Practices

- Hardening user passwords
  - Educate them as to why this is important
  - Show them how to create strong passwords
  - Password Rules
    - Putting a password on a sticky note
    - Do not store miscellaneous passwords on hard drives
  - Administrators and sensitive account users should have stronger than normal passwords
  - Enforce the policy

Page 34: Questions?

Page 35: Wireless Security Best Practices

- Change the default SSID (wireless equivalent of the workgroup name) to something less common
  - Or better yet, disable SSID broadcasts
- Use a unique login name and password to gain access to the device
  - Default logins and passwords are publicly available on the Internet

Page 36: Wireless Security Best Practices

- Enable the highest method of security the device will allow
  - WEP is not bulletproof, but it provides additional protection
  - 128-bit is preferred
- Make sure the device has up-to-date firmware

Page 37: Wireless Security Best Practices

- Implement media access control (MAC) filtering
  - Allows only the wireless adapters specified to access the device
  - Not bulletproof or "spoofproof", but adds another layer of security
- SNMP community names
  - If not being used, turn it off
  - Change the string to something other than public

Page 38: Wireless Security Best Practices

- Minimize the amount of signal leaked to the outside
  - If there is no need for wireless access outside the building, place the device in the center of the building
- Audit the wireless network
  - Walk around the outside of the building with a laptop
  - Use 'Network Stumbler' to assist with the security audit

Page 39: Wireless Security Best Practices

- Small number of wireless clients?
  - Consider using static IP addresses instead of DHCP
  - Use subnets different from the default setting
- Consider using a VLAN or VPN to protect the traffic
  - L2TP with IPSec is a common method

Page 40: Wireless Security Best Practices

- Public Wireless Access Points
  - All transmissions are unencrypted
  - At the very least, use a firewall
  - Turn off Windows File and Print Sharing
  - Use a VPN solution if connecting to something secure

Page 41: Wireless Security Best Practices

- If a RADIUS server exists, use it
  - For sites without a Remote Authentication Dial-In User Service (RADIUS) infrastructure, WPA supports the use of a preshared key.
  - For sites with a RADIUS infrastructure, Extensible Authentication Protocol (EAP) and RADIUS are supported.

Page 42: Wireless Security Best Practices

- Using WPA on Your Wireless Network
  - Wi-Fi Protected Access is a stronger protocol that fixes the weaknesses in WEP
  - The encryption key changes with every frame
- Three critical components needed to upgrade wireless security from WEP to WPA
  - Access point (AP) or wireless router that supports WPA
  - Wireless network card that has WPA drivers available
  - Client that supports WPA and your operating system

Page 43: Wireless Security Best Practices

- Updating the OS to include WPA functionality
  - Microsoft provides a free WPA upgrade, but it only works with Windows XP
    - Microsoft Knowledge Base Article 815485
  - If the OS is other than Win XP, you'll need third-party client software
    - MeetingHouse Data Communications
    - http://www.mtghouse.com/products/index.shtml

Page 44: Questions?

Page 45: File System Security

- NTFS vs FAT
  - FAT 16: DOS
  - FAT 32: Windows 98, ME, 2000, XP
  - NTFS: Windows NT, 2000, XP
  - NTFS5: Windows 2000, XP

Page 46: File System Security

- NTFS Security
  - Object ownership
  - Permission inheritance
  - Auditing
  - Encrypting File System (EFS)
- Sharing and File Permissions
  - Full Control, Change, and Read
  - Is there a difference between Server 2000 and 2003?

Page 47: Firewall Technology

- Basically three types of Firewall technology
  - Packet filter
    - Routes traffic based on IP/port
  - Stateful packet inspection
    - Analyzes traffic on top of routing
  - Application proxy
    - Works as a translator
- Most Firewalls are a combination or hybrid
- The general role is to block unsolicited traffic
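The difference between the first two firewall types on this slide, as an added simulation rather than anything from the presentation: a stateless packet filter judges each packet by IP and port alone, while stateful inspection remembers outbound sessions and admits inbound packets only as replies to them. Addresses, ports and the traffic scenario are constructed; the application proxy is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str   # "out" = LAN to Internet, "in" = Internet to LAN


class PacketFilter:
    """Stateless packet filter: judges every packet on its own IP/port fields.

    To let replies reach the client's ephemeral port it has to admit all
    inbound traffic to high ports, which is the classic weakness."""

    def allow(self, pkt):
        if pkt.direction == "out":
            return True
        return pkt.dport > 1023          # replies land on ports above 1023


class StatefulFilter:
    """Stateful inspection: remembers outbound sessions and admits inbound
    packets only when they mirror one, so unsolicited traffic is dropped."""

    def __init__(self):
        self.sessions = set()            # (lan_ip, lan_port, remote_ip, remote_port)

    def allow(self, pkt):
        if pkt.direction == "out":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def run_scenario(firewall):
    """Constructed traffic: one legitimate web session, then two unsolicited probes."""
    lan_pc, web_server, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    return {
        "client request to web server":
            firewall.allow(Packet(lan_pc, web_server, 1500, 80, "out")),
        "web server reply":
            firewall.allow(Packet(web_server, lan_pc, 80, 1500, "in")),
        "unsolicited inbound to high port":
            firewall.allow(Packet(stranger, lan_pc, 3000, 1500, "in")),
        "unsolicited inbound to low port":
            firewall.allow(Packet(stranger, lan_pc, 3000, 445, "in")),
    }


if __name__ == "__main__":
    for name, fw in [("packet filter", PacketFilter()), ("stateful", StatefulFilter())]:
        print(name)
        for case, verdict in run_scenario(fw).items():
            print("  %-34s %s" % (case, "allow" if verdict else "BLOCK"))
```

Both firewalls pass the legitimate session and block the probe to port 445, but only the stateful filter blocks the unsolicited packet aimed at the high port, which is the "block unsolicited traffic" role the slide describes.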

Page 48: Firewall or Perimeter Security

- Do we need publicly accessible servers?
- How to protect transports?
  - Remote access
  - VPN
  - Lock down where inbounds are coming from
  - Email
- An Intrusion Detection System (IDS) is a necessity today

Page 49: Questions?

This presentation can be found online at: http://www.kirbykomputing.com/Shared%20Documents/Forms/AllItems.aspx

Brian Kirby

SEDA – Council of Governments

[email protected]

[email protected]