Presented by: CMS Consulting Inc.
Visit us online at http://www.cms.ca
Top 10 Security Mistakes
Your Presenter
Brian Bourne
CMS Consulting Inc., President
Toronto Area Security Klatch, Co-Founder
Black Arts Illuminated Inc., Director
Fancy Credentials: CISSP, MCT, MCSE:Security
Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange - SMS - ISA - MOM - Clustering - Office - Desktop Deployment - SQL - Terminal Services - Security Assessments - Lockdown - Wireless
Training by Experts for Experts
MS Infrastructure - Security - Vista and Office Deployment
Visit us online: www.cms.ca
Downloads - Resources - White Papers
For Security Solutions
For Advanced Infrastructure
For Network Solutions
For Information Worker
For Mobility Solutions
CMS Consulting Inc.
Agenda Today
Top 10 Security Mistakes
Based on the results of numerous health check and assessment service offerings
Top 10 Areas for Security Improvement
Based on feedback from the consulting team at CMS
1. Password Management
This is painfully obvious and still a problem at every customer. Problems include:
- Poor policy or poor policy enforcement
- Password re-use (e.g. FileMaker password = Domain password = Banking password)
- User training - hey, did you know a simple sentence is complex? "My first born is Grant."
- Password storage
2. Patches and Upgrade
Typical Issues:
- No inventory of software and hardware (no idea what to patch)
- No reporting of patch status or deployment
- Legacy software that's simply unpatchable
- Software that followed the "deploy and forget" methodology
Remember: All software and hardware needs patching, not just Microsoft! Especially security products!
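As an added example (not from the CMS deck), a PowerShell inventory that addresses the "no idea what to patch" and "no reporting of patch status" points: it collects installed hotfixes and installed software from a list of servers and reports which servers lack a given update, and which servers could not be inventoried at all. The server names and the KB number are hypothetical placeholders. Get-HotFix only sees updates recorded by Windows, so the installed-software list is collected as well to cover the non-Microsoft products the slide warns about.

```powershell
# Added example, not CMS code. Inventory hotfixes and installed software across
# servers and report which servers are missing a required update.
# Assumes admin rights plus WMI and WinRM access to the servers.

$servers    = @('SERVER01', 'SERVER02')   # hypothetical server names
$requiredKb = 'KB0000000'                 # placeholder: the update expected everywhere

function Get-PatchInventory {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $hotfixes = Get-HotFix -ComputerName $c -ErrorAction Stop
            # Installed software from the Uninstall keys (64-bit and 32-bit views).
            $software = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
                Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
                    Where-Object { $_.DisplayName } |
                    Select-Object DisplayName, DisplayVersion, Publisher
            }
            [pscustomobject]@{
                Computer  = $c
                Reachable = $true
                HotfixIds = @($hotfixes.HotFixID)
                Software  = @($software)
            }
        } catch {
            # An unreachable server is itself a finding: nothing is being reported on it.
            [pscustomobject]@{ Computer = $c; Reachable = $false; HotfixIds = @(); Software = @() }
        }
    }
}

function Find-MissingUpdate {
    param($Inventory, [string]$KbId)
    $Inventory | Where-Object { $_.Reachable -and ($_.HotfixIds -notcontains $KbId) } |
        Select-Object Computer, @{ n = 'Missing'; e = { $KbId } }
}

$inventory = Get-PatchInventory -ComputerName $servers
$inventory |
    Select-Object Computer, Reachable,
        @{ n = 'HotfixCount';   e = { $_.HotfixIds.Count } },
        @{ n = 'SoftwareCount'; e = { $_.Software.Count } } |
    Format-Table -AutoSize
Find-MissingUpdate -Inventory $inventory -KbId $requiredKb
$inventory | Where-Object { -not $_.Reachable } | ForEach-Object { "Not inventoried: $($_.Computer)" }
```

The per-server software list is kept on each inventory object so the same run can be filtered for any product you need to track, not only the single KB checked here.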
3. NTFS and Share Permissions
Everyone, Full Control, Everywhere
Anonymous is part of Everyone!
Simple Rules:
- Permissions are cumulative, except Deny wins.
- Never grant permissions to users. Grant to groups.
- Avoid upgrading W2K. Install W2K3 fresh.
- Use security templates and group policy to set/maintain security
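An added example, not code from the deck: a PowerShell check for the "Everyone, Full Control" problem on NTFS folders and SMB shares, followed by the group-based replacement the slide recommends. The folder root and the domain group name are hypothetical; the share part assumes the SmbShare module (Windows Server 2012 and later), while the Get-Acl part works on any supported Windows.

```powershell
# Added example, not CMS code. Report "Everyone: Full Control" on NTFS folders and
# SMB shares, and replace explicit Everyone entries with one domain group.
# Assumes PowerShell 3+ and, for shares, the SmbShare module (Server 2012+).

$root = 'D:\Data'   # hypothetical folder tree to scan

# Everyone is the widest well-known group; Anonymous Logon falls under it when
# "Let Everyone permissions apply to anonymous users" is enabled.
$broadIdentities = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON')
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-WeakNtfsAce {
    param([string]$Path)
    $dirs = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            $isBroad = $broadIdentities -contains $ace.IdentityReference.Value
            $isFull  = ($ace.FileSystemRights -band $fullControl) -eq $fullControl
            if ($isBroad -and $isFull -and $ace.AccessControlType -eq 'Allow') {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited   # inherited entries point at a parent to fix
                }
            }
        }
    }
}

function Find-WeakShareAce {
    # Administrative shares (C$, ADMIN$) are skipped; Windows fixes their ACLs.
    Get-SmbShare | Where-Object { $_.Name -notlike '*$' } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $broadIdentities -contains $_.AccountName -and
            $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full'
        } | Select-Object Name, AccountName, AccessRight
    }
}

function Set-GroupBasedNtfsAcl {
    # Grant to groups, not users: remove explicit Everyone entries and add one group ACE.
    param([string]$Path, [string]$Group)   # $Group is hypothetical, e.g. 'CONTOSO\Finance-Modify'
    $acl = Get-Acl -Path $Path
    $explicitEveryone = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited })
    foreach ($ace in $explicitEveryone) { $null = $acl.RemoveAccessRule($ace) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Find-WeakNtfsAce -Path $root | Format-Table -AutoSize
Find-WeakShareAce | Format-Table -AutoSize
# Remediate deliberately, one tree at a time, after reviewing the report:
# Set-GroupBasedNtfsAcl -Path $root -Group 'CONTOSO\Finance-Modify'
```

The Inherited column matters because an inherited Everyone entry cannot be removed on the child; the fix belongs on the folder where the entry is explicit.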
4. Too much privilege!
No one seems to follow the rule of least privilege. Enumerate the following groups:
- Enterprise, Domain and Schema Administrators
- Server, Print and Backup Operators
Service Accounts need special treatment:
- Separate OU with GPOs limiting rights
- Should be "Administrators", not DA or EA!
Use OUs and delegate required administrative functions
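The enumeration the slide asks for, as an added PowerShell example (not the deck's code): it expands the listed groups including nested membership, lists accounts that sit in more than one privileged group, and flags members that look like service accounts (an SPN or a never-expiring password), which per the slide belong in the local Administrators group on their servers rather than in Domain or Enterprise Admins. It assumes the ActiveDirectory module (RSAT) on a domain-joined host.

```powershell
# Added example, not CMS code. Enumerate the privileged groups from the slide,
# including nested membership, and flag probable service accounts.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

$privilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Server Operators', 'Print Operators', 'Backup Operators'
)

function Get-PrivilegedMembers {
    foreach ($name in $privilegedGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        $users = @(Get-ADGroupMember -Identity $group -Recursive |
                   Where-Object { $_.objectClass -eq 'user' })
        foreach ($m in $users) {
            $u = Get-ADUser -Identity $m.DistinguishedName `
                    -Properties ServicePrincipalName, PasswordNeverExpires, LastLogonDate
            [pscustomobject]@{
                Group            = $name
                User             = $u.SamAccountName
                Enabled          = $u.Enabled
                LastLogon        = $u.LastLogonDate
                # An SPN or a never-expiring password usually means a service account.
                LooksLikeService = (@($u.ServicePrincipalName).Count -gt 0) -or $u.PasswordNeverExpires
            }
        }
    }
}

$members = Get-PrivilegedMembers
$members | Sort-Object Group, User | Format-Table -AutoSize

"Accounts in more than one privileged group:"
$members | Group-Object User | Where-Object { $_.Count -gt 1 } | Select-Object Name, Count

"Probable service accounts in Domain/Enterprise Admins (move to Administrators on their servers):"
$members | Where-Object { $_.LooksLikeService -and ($_.Group -in 'Domain Admins', 'Enterprise Admins') } |
    Select-Object Group, User, LastLogon
```

Running this from the forest root domain is what makes the Enterprise Admins and Schema Admins rows appear; from a child domain those two groups are simply skipped.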
5. Administrative Practices
Please don't use a DA account for day to day activity.
Better yet, don't use a DA from anything but a designated high security, administrative workstation (think about bad things like keyloggers when logging in from untrusted machines).
Guard EA accounts!
Don't share the administrator password. At minimum, you want some level of non-repudiation.
6. Unused Services
The most common installed and unneeded service? Any guesses? (IIS)
Reduce the attack surface! Define role-based templates.
Test, test, test
Enforce by GPO!
Good guide to understanding services:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/prodspecs/win2ksvc.mspx
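As an added example (not from the deck), a PowerShell comparison of a server's running and automatic services against a role-based allow-list, reporting anything outside it; IIS's W3SVC is called out explicitly because it is the slide's "most common unneeded service". The FileServer baseline here is hypothetical and deliberately short; a real one is built per role from a freshly installed reference server, and the GPO "System Services" settings then enforce it.

```powershell
# Added example, not CMS code. Compare running/automatic services against a
# role-based allow-list and report anything outside it.
# The baseline is hypothetical; build yours from a clean reference server per role.

$roleBaseline = @{
    'FileServer' = @(
        'LanmanServer', 'LanmanWorkstation', 'Netlogon', 'Dnscache', 'W32Time',
        'EventLog', 'RpcSs', 'Dhcp', 'WinRM', 'Winmgmt', 'Schedule', 'wuauserv', 'VSS'
    )
}

function Compare-ServiceBaseline {
    param([string]$Role, [string]$ComputerName = $env:COMPUTERNAME)
    $allowed = $roleBaseline[$Role]
    if (-not $allowed) { throw "No baseline defined for role '$Role'" }
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { ($_.State -eq 'Running' -or $_.StartMode -eq 'Auto') -and
                       ($allowed -notcontains $_.Name) } |
        Select-Object @{ n = 'Computer'; e = { $ComputerName } },
                      Name, DisplayName, State, StartMode, StartName, PathName
}

function Disable-UnneededService {
    # Remediation for the local machine: stop and disable one service at a time,
    # only after the "test, test, test" phase on that role.
    param([string]$Name)
    Stop-Service -Name $Name -Force
    Set-Service -Name $Name -StartupType Disabled
}

$extra = Compare-ServiceBaseline -Role 'FileServer'
$extra | Format-Table -AutoSize
if ($extra.Name -contains 'W3SVC') {
    "IIS (W3SVC) is running on a file server; confirm nothing depends on it before disabling."
}
# Disable-UnneededService -Name 'W3SVC'
```

StartName and PathName are included in the report because a service running as a domain account, or from an unexpected path, is usually the next question once the unneeded ones are gone.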
7. Auditing and Logging
How will we ever know if something happens?
How will we ever be able to piece together "the crime scene" without any evidence?
Audit only what's important. Think beyond Windows events: applications, firewalls, switches, etc.
Consider log shipping also.
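An added PowerShell example, not part of the deck: it enables the two audit subcategories that produce account and group-management events, pulls those events (user created; member added to a global, local or universal group) from the Security log of several servers, and appends them to a central CSV so a copy of the evidence exists off the box, which is the log-shipping point of the slide. Server names and the central share are hypothetical; the event IDs and auditpol subcategories are those of Windows Server 2008 and later.

```powershell
# Added example, not CMS code. Collect account/group-management events from several
# servers' Security logs and ship them to a central CSV.
# Assumes Windows Server 2008+ event IDs and admin access to the Security logs.

$servers     = @('DC01', 'FS01')                          # hypothetical
$centralPath = '\\logsrv\collected\account-changes.csv'   # hypothetical central share
$eventIds    = 4720, 4728, 4732, 4756   # user created; member added to global/local/universal group

function Enable-AccountAuditing {
    # Nothing is collected unless auditing is on; run once per server (or set via GPO).
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
}

function Get-AccountChangeEvents {
    param([string[]]$ComputerName, [datetime]$Since = (Get-Date).AddDays(-1))
    foreach ($c in $ComputerName) {
        $events = Get-WinEvent -ComputerName $c -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = $eventIds; StartTime = $Since
        }
        foreach ($e in $events) {
            # Read EventData fields by name from the XML; positional Properties differ per ID.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Computer = $c
                Id       = $e.Id
                Actor    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Target   = $data['TargetUserName']   # new account for 4720, group name otherwise
                Member   = $data['MemberName']       # account added to the group; empty for 4720
            }
        }
    }
}

$changes = Get-AccountChangeEvents -ComputerName $servers
$changes | Sort-Object Time | Format-Table -AutoSize
$changes | Export-Csv -Path $centralPath -NoTypeInformation -Append
```

Scheduling the collection more often than the Security log's retention window is what keeps the central copy complete; once the local log wraps, the evidence only exists where it was shipped.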
8. Missing or Incomplete Backups
- System State on all FSMO role holders.
- Critical data everywhere else.
- Remember to test procedures with restores
- Consider encryption/password protection to prevent unauthorized restores
- Offsite storage, secured fireproof vault
- Part of a larger Disaster Recovery plan
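As an added example (not code from the deck), a PowerShell script that identifies the FSMO role holders the first bullet refers to, runs a System State backup on each with wbadmin, and then lists the catalogued versions on the target so the restore side can be rehearsed. It assumes the ActiveDirectory module, the Windows Server Backup feature on each domain controller, and a hypothetical local backup volume letter present on every DC (UNC targets for system state backups are version-dependent, so a local volume is used here).

```powershell
# Added example, not CMS code. Back up System State on every FSMO role holder.
# Assumes the ActiveDirectory module, Windows Server Backup installed on each DC,
# and a hypothetical backup volume 'E:' on each DC.
Import-Module ActiveDirectory

$backupTarget = 'E:'   # hypothetical; a local volume on every DC

function Get-FsmoRoleHolders {
    $forest  = Get-ADForest
    $holders = @($forest.SchemaMaster, $forest.DomainNamingMaster)   # forest-wide roles
    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName                       # domain-wide roles
        $holders += $d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster
    }
    # One DC often holds several roles; back it up once.
    $holders | Sort-Object -Unique
}

function Start-SystemStateBackup {
    param([string]$ComputerName, [string]$Target)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Target -ScriptBlock {
        param($t)
        & wbadmin start systemstatebackup -backupTarget:$t -quiet
        # List catalogued backups on the target; a restore drill starts from this list.
        & wbadmin get versions -backupTarget:$t
    }
}

$roleHolders = Get-FsmoRoleHolders
"FSMO role holders: $($roleHolders -join ', ')"
foreach ($dc in $roleHolders) {
    "Backing up System State on $dc"
    Start-SystemStateBackup -ComputerName $dc -Target $backupTarget
}
```

The role-holder list is recomputed on every run rather than hard-coded, so a role transfer after a DC replacement does not silently leave the new holder out of the backup set.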
9. Security Education and Awareness
For IT Staff:
- Security Architecture
- Secure Operating Procedures
- Understanding of attack methods
- Defence in Depth techniques
For All Staff:
- Awareness training
- Email and Internet Usage
- Social Engineering awareness
10. Incident Response
Have a plan and have training!
DO NOT:
- Touch the computer.
- Delete files.
- Or frankly react in any way without a carefully thought out and professionally approved plan!
Bonus Material
Things People Need to Think More About:
1. Funding for security
2. Application filtering and layer 7 firewalls
3. Intrusion detection and prevention
4. Incident Response Planning and Training
5. Security Policy, Usage Policy
6. Log collection, management and correlation
7. Physical controls
8. Network controls (who can plug in)
9. Firewalls should not look like swiss cheese (Hint: Use IPSec instead)
10. VPN controls and other remote access methods
Security Education Conference in Toronto
November 20 - 21, 2007, MTCC, Toronto, ON, Canada
http://www.sector.ca/
CMS Training Offerings
INSPIRE Infrastructure Workshop
4 days of classroom training - demo intensive
AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server
Business Desktop Deployment - Deploying Vista/Office
3 days of classroom training - hands on labs (computers provided)
Business Desktop Deployment Concepts, Tools, Processes, etc. Vista and Office
Securing Internet Information Services
Securing Active Directory
Securing Exchange 2003
1 day classroom training per topic
TRAINING BY EXPERTS FOR EXPERTS
Contacting Us
Brian Bourne, President - [email protected]
Buren, VP Business Development - [email protected]
CMS Consulting Inc. – http://www.cms.ca/
CMS Training – http://www.cms.ca/training/
Toronto Area Security Klatch – http://www.task.to/
Q & A
Thank You!
Visit: CMS Consulting at http://www.cms.ca
Join: Toronto Area Security Klatch at http://www.task.to
Register: Security Education in Toronto at http://www.sector.ca