Security Essentials for Desktop System Administrators.


Transcript of Security Essentials for Desktop System Administrators.

Page 1: Security Essentials for Desktop System Administrators.

Security Essentials for Desktop System Administrators

Page 2: Security Essentials for Desktop System Administrators.

Civilization Is Made Of People …

Civilization is Risk. -- Not Big Brother

December 8, 2011 Security Essentials for Desktop System Administrators 2

Page 3: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

New Technology Is Invented Largely To Overcome Previous "Advances"

Page 4: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Page 5: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Page 6: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Page 7: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Fields -> Trees -> Caves -> Houses

Page 8: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Page 9: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Page 10: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Houses -> Windows -> Glass

Page 11: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Page 12: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Page 13: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Glass -> Drapes -> Tents (in Fields!)

Page 14: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Page 15: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Page 16: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

Fireplaces -> Microwaves -> Bean Burritos

Page 17: Security Essentials for Desktop System Administrators.

Dave Barry On Civilization …

-> ->

Page 18: Security Essentials for Desktop System Administrators.

Computer Security …

Essentially A People Problem

Page 19: Security Essentials for Desktop System Administrators.

A Basic “People Problem”

[Diagram labels: Internet, Privacy]

Page 20: Security Essentials for Desktop System Administrators.

A Slightly More Precise View

[Diagram labels: Internet, Privacy, Blog Rants (tl;dr)]

Page 21: Security Essentials for Desktop System Administrators.

Bruce Schneier

Once the technology is in place, there will always be the temptation to use it ...

(Secrets and Lies, 2000)

Page 22: Security Essentials for Desktop System Administrators.

How Technology Works

[Diagram labels: Technology, Surprising Uses]

Page 23: Security Essentials for Desktop System Administrators.

Surprising Technology Use

Page 24: Security Essentials for Desktop System Administrators.

Surprising Technology Non-Use

Page 25: Security Essentials for Desktop System Administrators.

Surprising Technology Use

MUDFLAPS
SO I HERD U LIEK THEM

Page 26: Security Essentials for Desktop System Administrators.

Technology And Risk

[Diagram labels: Technology, Surprising Uses]

Page 27: Security Essentials for Desktop System Administrators.

Technology And Risk

[Diagram labels: Technology, Surprising Uses, Malicious Activity*]

* not to scale

Page 28: Security Essentials for Desktop System Administrators.

Bruce Schneier

And it is poor civic hygiene to install technologies that could someday facilitate a police state.

Page 29: Security Essentials for Desktop System Administrators.

xkcd …

Page 30: Security Essentials for Desktop System Administrators.

… xkcd

Page 31: Security Essentials for Desktop System Administrators.

Dealing With Risk

Recognize | Reduce | Recover

Page 32: Security Essentials for Desktop System Administrators.

Dealing With Risk

Page 33: Security Essentials for Desktop System Administrators.

Recognizing Risks

High Bandwidth
Enormous Storage
Posh .gov Location

Nothing Marketable

Page 34: Security Essentials for Desktop System Administrators.

Recognizing Risks

High Bandwidth
Enormous Storage
Posh .gov Location

Nothing Marketable*

Page 35: Security Essentials for Desktop System Administrators.

Recognizing Risks

Caching warez
Sending SPAM
Spreading malware
Being/controlling bots
Committing/suffering DDoS attacks

Page 36: Security Essentials for Desktop System Administrators.

Recognizing Risks

Destruction Of Data
Waste Of Bandwidth
Waste Of Time
Frustration

Page 37: Security Essentials for Desktop System Administrators.

Recognizing Risks

Default admin privs
Visiting malicious sites
Promiscuous USB sharing
Lack of gruntlement

Page 38: Security Essentials for Desktop System Administrators.

Newer Threats

CarrierIQ / mobile device surveillance
QR Code attacks

Page 39: Security Essentials for Desktop System Administrators.

Newer Threats

Page 40: Security Essentials for Desktop System Administrators.

Grace Hopper

Life was simple before World War II. After that we had systems.

Page 41: Security Essentials for Desktop System Administrators.

TLAs for TCB: ISM? DID!

Integrated Security Management (ISM)

Defense In Depth (DID)

Page 42: Security Essentials for Desktop System Administrators.

Reducing Risks: DID

Perimeter Controls
Auto-blocking
Mail virus scanning
Central Authentication (via LDAP/Kerberos)

Page 43: Security Essentials for Desktop System Administrators.

Reducing Risks: DID

Patch and configuration mgmt
Critical Vulnerabilities
Prompt response via FCIRT
Intelligent and informed users
General and special enclaves

Page 44: Security Essentials for Desktop System Administrators.

Recognizing Risks: ISM

Computer Security not an add-on
Not “one size fits all”
Largely common sense

Page 45: Security Essentials for Desktop System Administrators.

Reducing Risks: ISM

Primary passwords off the net
Single turn-off point
No visible services without Strong Authentication
Lab systems scanned for compliance

Page 46: Security Essentials for Desktop System Administrators.

Recovery: ISM

General Computer Security Coordinators (Listed at http://security.fnal.gov/ )
Work with Computer Security Team
Disseminate information
Deal with incidents

Page 47: Security Essentials for Desktop System Administrators.

What About Us Users?

Malicious Surprises abound
Use reasonable caution

Page 48: Security Essentials for Desktop System Administrators.

Users: We Get Mail

You haven’t won $10M
Don’t open (most) attachments
Best not to click links in mail
Disable scripting for mail

Page 49: Security Essentials for Desktop System Administrators.

Users: We Get Mail

Can you trust the (so-called) sender?

Received: from [123.28.41.241] (unknown [123.28.41.241]) by hepa1.fnal.gov (Postfix) with ESMTP id 808F76F247 for <[email protected]>; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)
From: Wayne E Baisley <[email protected]>
To: Wayne E Baisley <[email protected]>

route: 123.28.32.0/19
descr: VietNam Post and Telecom Corporation (VNPT)
address: Lo IIA Lang Quoc te Thang Long, Cau Giay, Ha Noi
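The check this slide illustrates, as an added example that is not part of the original presentation: the topmost Received header is written by the receiving server, so the peer address it records says more about a message's origin than the From line does. The Received line, IP address and route come from the slide; the site networks, site domain and mailbox names are placeholder assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: placeholder site networks and mail domain.
SITE_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
SITE_DOMAINS = {"example.org"}

# Constructed message modelled on the slide's headers. The mailbox names are
# placeholders because the slide's addresses are redacted.
SPOOFED = (
    "Received: from [123.28.41.241] (unknown [123.28.41.241])\n"
    "\tby hepa1.fnal.gov (Postfix) with ESMTP id 808F76F247\n"
    "\tfor <user@example.org>; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)\n"
    "From: A User <user@example.org>\n"
    "To: A User <user@example.org>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Constructed counter-example: same claim, but delivered from inside the site.
INTERNAL = SPOOFED.replace("123.28.41.241", "192.0.2.10")

# Postfix writes "from HELO (rdns [ip])". HELO is chosen by the client, so
# only the parenthesised address, recorded by the server, is used.
_PEER = re.compile(r"\(\S+\s+\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")


def connecting_ip(msg):
    """Return the peer address from the topmost Received header, or None."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    match = _PEER.search(hops[0])
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def assess(raw):
    """Compare what the message claims (From) with what the server saw."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    peer = connecting_ip(msg)
    claims_site = domain in SITE_DOMAINS
    from_site = peer is not None and any(peer in net for net in SITE_NETWORKS)
    return {
        "peer": str(peer) if peer else None,
        "self_addressed": bool(sender) and sender == recipient,
        "claims_site_sender": claims_site,
        "peer_in_site": from_site,
        # A site address delivered from outside the site deserves suspicion.
        "suspicious": claims_site and not from_site,
    }


def in_route(ip_text, route_text):
    """True when the address falls inside a whois route such as the slide's."""
    return ipaddress.ip_address(ip_text) in ipaddress.ip_network(route_text)


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(name, assess(raw))
    print(in_route("123.28.41.241", "123.28.32.0/19"))
```

Mail legitimately sent by off-site users through outside providers also trips this check, so treat a hit as a prompt to look closer rather than a verdict.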

Page 50: Security Essentials for Desktop System Administrators.

Users: Pass the Word

Use strong passwords
  Longer is better
Use different passwords
  Or variants, at least

Page 51: Security Essentials for Desktop System Administrators.

Royko any social engineering attempts

Page 52: Security Essentials for Desktop System Administrators.

Users: Data

Decide what data requires protection
How to be recovered, if needed
Arrange backups with Sysadmins
Or do your own backups
Occasionally test retrieval

Page 53: Security Essentials for Desktop System Administrators.

The Incidental Computist

Some non-Lab-business Surprising Use is allowed:

http://security.fnal.gov/ProperUse.htm

(I prefer personal iPhone/iPad/Droid via an external network …)

Page 54: Security Essentials for Desktop System Administrators.

Activities to Avoid

Services like Skype and BitTorrent not forbidden but very easy to misuse!

Page 55: Security Essentials for Desktop System Administrators.

Activities to Avoid

Anything that:
Is illegal
Is prohibited by Lab/DOE policy
May embarrass the Lab
Interferes with job performance
Consumes excessive resources

Page 56: Security Essentials for Desktop System Administrators.

Which Brings Us To Sysadmins

That wrench ain’t gonna swing itself.

Page 57: Security Essentials for Desktop System Administrators.

Sysadmins Get Risk-Roled

System manager for security
Assist and instruct users to do it right
Vigilant observer of your systems (and sometimes users’) behavior

Page 58: Security Essentials for Desktop System Administrators.

NOISE, n.

…The chief product and authenticating sign of civilization.

Ambrose Bierce, The Devil’s Dictionary

Page 59: Security Essentials for Desktop System Administrators.

Data Privacy

Generally, Fermilab respects privacy
You are required to do likewise
Special cases for Sysadmins during Security Incidents
Others must have Directorate approval

Page 60: Security Essentials for Desktop System Administrators.

Privacy of Email and Files

May not use information in another person’s files seen incidental to any activity (legitimate or not) for any purpose w/o explicit permission of the owner or “reasonable belief the file was meant to be accessed by others.”

Page 61: Security Essentials for Desktop System Administrators.

Offensive Materials

Material on computer ≈ Material on desk
A line management concern
Not a computer security issue per se

Page 62: Security Essentials for Desktop System Administrators.

Software Licensing

Fermilab is strongly committed to respecting intellectual property rights. Use of unlicensed commercial software is a direct violation of lab policy.

Page 63: Security Essentials for Desktop System Administrators.

Patch/Configuration Management

Baselines: Linux, Mac, Windows
All systems must meet their baseline
All systems must be regularly patched
Non-essential services off
Windows, especially, must run AV

Page 64: Security Essentials for Desktop System Administrators.

Patch/Configuration Management

Exceptions/Exemptions:
Documented case why OS is “stuck”
Patch and manage as securely

Page 65: Security Essentials for Desktop System Administrators.

Critical Vulnerabilities

Active exploits declared critical
Pose a clear and present danger
Must patch by a given date or be blocked
Handled via TIssue events

Page 66: Security Essentials for Desktop System Administrators.

Computer Security Incidents

Report suspicious events to x2345 or [email protected]
FCIRT instructions during incidents
Keep infected machines off the network
Preserve system for expert investigation
Not to be discussed!

Page 67: Security Essentials for Desktop System Administrators.

FCIRT

Triage initial reports
Coordinate investigation
Work with local Sysadmins, experts
May take control of affected systems
Maintain confidentiality

Page 68: Security Essentials for Desktop System Administrators.

Mandatory Sysadmin Registration

All Sysadmins must be registered
Primary Sysadmin is responsible for configuring and patching
http://security.fnal.gov -> “Verify your node registration”

Page 69: Security Essentials for Desktop System Administrators.

Do Not Want: Prohibited Activities

Blatant disregard of computer security
Unauthorized or malicious actions
Unethical behavior
Restricted central services
Security & cracker tools
http://security.fnal.gov/policies/cpolicy.html

Page 70: Security Essentials for Desktop System Administrators.

We Want To Avoid This …

Page 71: Security Essentials for Desktop System Administrators.

Role of Sysadmins

Manage your systems sensibly, securely
Services comply with Strong Auth rules
Report potential incidents to FCIRT
Act on relevant bulletins
Keep your eyes open

Page 72: Security Essentials for Desktop System Administrators.

We Can Do It …

Page 73: Security Essentials for Desktop System Administrators.

We Can Do It. Statistically.

Page 74: Security Essentials for Desktop System Administrators.

Questions?

[email protected] questions about security policy

[email protected] reporting security incidents

http://security.fnal.gov/

Page 75: Security Essentials for Desktop System Administrators.

Security Essentials for Desktop System Administrators

Page 76: Security Essentials for Desktop System Administrators.

Security Essentials for Desktop System Administrators