TRANSCRIPT
6 Security Questions to Ask IT
Welcome
What do you hope to learn today?
Please take a moment to fill out the yellow cards.
Our presenters will review the cards to ensure that we cover the topics/areas of interest.
We will collect them before we get started.
Thanks!
Collect ‘Learn Today’ Cards
The 6 Questions:
- Dual Factor Authentication
- Host Intrusion
- Network Intrusion
- Proxying
- Password Managers
- Securing your Software Development Life Cycle
Question 1: Are you using Multi-Factor Authentication? (Easy, not free)
1. AKA Dual Factor Authentication, Two Factor Authentication, MFA, 2FA
2. Passwords are vulnerable to:
   1. Guessing
   2. Brute force
   3. Social engineering
   4. Keystroke loggers
   5. Re-use
   6. Observation
   7. Wireless
   8. Security questions / password resets
   9. Spear phishing
   10. DNS redirection
2FA means proving two of the following, from different categories:
1. Something you know
   1. Password
2. Something you have
   1. Token
   2. Cell phone with soft token
   3. SMS (weakest of these: codes can be intercepted or redirected by SIM swap)
3. Something you are
   1. Fingerprint reader
   2. Iris or retina scanner
DEMO
1. Duo Security (with Confluence, our wiki)
2. Auth Anvil (with Kaseya)
Issues
1. Not all 2FA systems work with all applications (websites, email, VPN, RDP, etc.)
2. The easiest/best systems cost a few dollars per month per user
3. Locally hosted? Better keep the 2FA system up! (Or know how to disable it)
4. Cloud hosted? They go down too. (Better know how to disable it!)
5. Lost/replacement cell phones
6. Very good reporting of who logged in!
Duo authentication log (Confluence integration):
Apr 11, 2017 4:03 PM  broswell  Confluence  Authentication: Access Granted  Trusted network  Hunt Valley, MD  209.251.37.8
Apr 11, 2017 3:51 PM  erainey   Confluence  Authentication: Access Granted  Trusted network  Hunt Valley, MD  209.251.37.8
Apr 11, 2017 3:48 PM  mstough   Confluence  Authentication: Access Granted  User approved    York, PA         174.55.67.131  Duo Push, Mike's Galaxy s6 (717-8
Question 2: Are you using Host Intrusion Detection? (Easy, Free)
• Alert on significant changes to your Windows, Linux, VMware or Mac computers
• I prefer OSSEC (Open Source Security)
  • Free!
  • Server runs on any tiny Linux box; could be a $10 Raspberry Pi
  • Clients for most operating systems
Sample OSSEC alerts from the demo host:

** Alert 1491837854.194: - web,appsec,attack
2017 Apr 10 15:24:14 production->/var/log/nginx/access.log
Rule: 31508 (level 6) -> 'Blacklisted user agent (known malicious user agent).'
Src IP: 88.198.66.230
88.198.66.230 - - [10/Apr/2017:15:24:14 +0000] "GET /contact/?color=black-white HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.7; http://mj12bot.com/)" "-"

** Alert 1491839124.1381: - syslog,sshd,authentication_success,
2017 Apr 10 15:45:24 production->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 98.233.144.193
User: broswell
Apr 10 15:45:22 production sshd[27920]: Accepted password for broswell from 98.233.144.193 port 52590 ssh2

** Alert 1491843243.4579: mail - syslog,yum,config_changed,
2017 Apr 10 16:54:03 production->/var/log/messages
Rule: 2933 (level 7) -> 'Yum package updated.'
Apr 10 16:54:01 production yum[29021]: Updated: 1:openssl-1.0.1k-15.99.amzn1.x86_64

** Alert 1491843243.4823: mail - syslog,yum,config_changed,
2017 Apr 10 16:54:03 production->/var/log/messages
Rule: 2933 (level 7) -> 'Yum package updated.'
Apr 10 16:54:02 production yum[29021]: Updated: 1:nginx-1.10.2-1.30.amzn1.x86_64
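Added worked example (not from the talk and not OSSEC's own code): a small triage pass over alerts in the alerts.log layout shown above. It parses each alert into its fields (alert id, whether it was mailed, groups, rule, level, source IP, user, raw log line) and then applies two checks a practitioner would want on top of OSSEC's own levels: escalate anything at level 7 or above, and escalate interactive SSH logins (rule 5715, which OSSEC only rates level 3) whose source address is outside the admin network. The sample alerts, the host and user names, the RFC 5737 test addresses and the TRUSTED_NETS range are all constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in OSSEC alerts.log layout (hosts, users and IPs are made up).
SAMPLE_ALERTS = """\
** Alert 1491837854.194: - web,appsec,attack
2017 Apr 10 15:24:14 production->/var/log/nginx/access.log
Rule: 31508 (level 6) -> 'Blacklisted user agent (known malicious user agent).'
Src IP: 203.0.113.45
203.0.113.45 - - [10/Apr/2017:15:24:14 +0000] "GET /contact/ HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)" "-"

** Alert 1491839124.1381: - syslog,sshd,authentication_success,
2017 Apr 10 15:45:24 production->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.20.0.8
User: alice
Apr 10 15:45:22 production sshd[27920]: Accepted password for alice from 10.20.0.8 port 52590 ssh2

** Alert 1491839200.1400: - syslog,sshd,authentication_success,
2017 Apr 10 15:46:40 production->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 198.51.100.77
User: alice
Apr 10 15:46:38 production sshd[27950]: Accepted password for alice from 198.51.100.77 port 40112 ssh2

** Alert 1491843243.4579: mail - syslog,yum,config_changed,
2017 Apr 10 16:54:03 production->/var/log/messages
Rule: 2933 (level 7) -> 'Yum package updated.'
Apr 10 16:54:01 production yum[29021]: Updated: 1:openssl-1.0.1k-15.99.amzn1.x86_64
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+): (?:(?P<mail>mail) )?- (?P<groups>.*)$")
SOURCE_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<agent>.+?)->(?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Assumed: the only network admins should be SSHing from.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_alerts(text):
    """Split alerts.log into one dict per alert (a blank line separates alerts)."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue
        alert = {"id": head["id"], "mailed": head["mail"] is not None,
                 "groups": [g for g in head["groups"].split(",") if g],
                 "rule": None, "level": None, "desc": None, "location": None,
                 "srcip": None, "user": None, "log": []}
        for line in lines[1:]:
            src, rule = SOURCE_RE.match(line), RULE_RE.match(line)
            if src:
                alert["location"] = src["location"]
            elif rule:
                alert["rule"], alert["level"], alert["desc"] = int(rule["rule"]), int(rule["level"]), rule["desc"]
            elif line.startswith("Src IP: "):
                alert["srcip"] = line[len("Src IP: "):].strip()
            elif line.startswith("User: "):
                alert["user"] = line[len("User: "):].strip()
            else:
                alert["log"].append(line)      # the original log line(s) that fired the rule
        alerts.append(alert)
    return alerts


def triage(alerts, min_level=7, trusted_nets=TRUSTED_NETS):
    """Alerts that need a human: level >= min_level, plus SSH logins (rule 5715)
    from outside the trusted admin networks regardless of OSSEC's own level."""
    findings = []
    for a in alerts:
        if a["level"] is not None and a["level"] >= min_level:
            findings.append(("high_level", a["id"], a["desc"]))
        if a["rule"] == 5715 and a["srcip"]:
            ip = ipaddress.ip_address(a["srcip"])
            if not any(ip in net for net in trusted_nets):
                findings.append(("ssh_login_untrusted_source", a["id"], f"{a['user']} from {a['srcip']}"))
    return findings


def rule_counts(alerts):
    """Volume per rule: the first thing to look at when tuning a noisy install."""
    return Counter((a["rule"], a["desc"]) for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for kind, alert_id, detail in triage(parsed):
        print(f"{kind:28} {alert_id:18} {detail}")
    for (rule, desc), n in rule_counts(parsed).most_common():
        print(f"{n:3} x rule {rule}: {desc}")
```

The point of the second check is that "level" is OSSEC's view of severity, not yours: a successful login is routine from the admin network and an incident from anywhere else, and that context has to be added locally.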
Question 3: Are you using proxies to protect your infrastructure? (Easy; free implementations probably only solve part of the problem)
1. Definition of proxies: a service that terminates inbound connections on your behalf and forwards only filtered traffic to your real systems, so they are never exposed directly
2. Probably already using one for email
   1. ProofPoint, Postini, ForeFront, etc.
3. Consider for websites
   1. Incapsula, CloudFlare, AWS CloudFront, Akamai, Edgecast
   2. More at https://en.wikipedia.org/wiki/Content_delivery_network
4. Same idea for VoIP and video with SIP and H.323 proxies
Question 4: Are you using a Network Intrusion Detection System? (Free to expensive; hard to very hard)
1. Cisco Firepower Services on ASA
2. SELKS (Suricata, ElasticSearch, Logstash, Kibana)
   1. Crazy amount of malicious traffic on our network in front of the firewalls (500-600 events per minute)
   2. Manageable, but much less interesting and fun, behind the firewall
Steve Simons
Business Strategy
• Determine the Right Vision
• Design the Right Process
• Build the Right Team
• Leverage the Right Technology
Restyn enables businesses to become the best version of themselves through insightful leadership and creation of visionary and grounded enterprise solutions.
Team Building
• Management Consulting
• Leadership Coaching
• Staffing and Team Development
• Culture Creation/Evolution
Restyn is your source for “In Country Outsourcing", enabling your business to reach higher and achieve more by involving highly-reputed, experienced, and knowledgeable advisers.
Technology Empowerment
• People Driven
• Process Aligned
• Strategically Selected
• Architecturally Sound
• Fully Engaged
• Broadly Adopted
Aligning, developing, and implementing best-in-class integrated enterprise solutions can give you the competitive advantage to fulfill your company’s vision.
Question 5: Are you using a Password Manager?
What to look for: AES-256 encryption of the vault, with the key derived from the master password by PBKDF2-SHA256; local-only encryption (the vault is encrypted and decrypted on your device, so the service never sees the master password or the vault key); and two-factor authentication on the account
Enterprise features: SSO, user management, compliance reporting, policy enforcement
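Added worked example (not from the talk and not any vendor's code) of what "PBKDF2-SHA256 with local-only encryption" means in practice. The client derives the AES-256 vault key from the master password with PBKDF2-HMAC-SHA256 and keeps it on the device; what it sends to the service is a separate login hash, one further one-way PBKDF2 step over the vault key, which the server salts and stretches again before storing. The server can therefore verify a login without ever being able to recover the master password or the vault key, and a stolen server database does not decrypt anyone's vault. The iteration counts, the account identifier used as salt, and the two-step derivation are assumptions for this illustration; the vault key's actual use in AES-256 is not shown.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed client-side PBKDF2 rounds; raise as client hardware allows
SERVER_ITERATIONS = 100_000   # assumed extra rounds the server applies before storing the login hash


def derive_vault_key(master_password: str, account_id: str, iterations: int = ITERATIONS) -> bytes:
    """Vault (AES-256) key: PBKDF2-HMAC-SHA256 of the master password, salted with the
    normalized account identifier so two users with the same password get different keys.
    Computed and used only on the client; it never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               account_id.strip().lower().encode("utf-8"), iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Login credential sent to the service: one more one-way PBKDF2 step over the vault key.
    The server learns neither the master password nor the vault key from it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, dklen=32)


def client_login_material(master_password: str, account_id: str) -> tuple:
    """What the client computes at unlock: (vault_key kept locally, login_hash sent to server)."""
    vault_key = derive_vault_key(master_password, account_id)
    return vault_key, derive_login_hash(vault_key, master_password)


def enroll(login_hash: bytes, iterations: int = SERVER_ITERATIONS) -> dict:
    """Server side at signup: salt and stretch the login hash again, so a stolen user table
    still cannot be turned back into login hashes cheaply."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def verify_login(record: dict, login_hash: bytes) -> bool:
    """Server side at login: constant-time comparison against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"],
                                    record["iterations"], dklen=32)
    return hmac.compare_digest(candidate, record["verifier"])


if __name__ == "__main__":
    vault_key, login_hash = client_login_material("correct horse battery staple", "alice@example.com")
    record = enroll(login_hash)               # stored by the service
    print("login ok:", verify_login(record, login_hash))
    print("vault key and login hash differ:", vault_key != login_hash)
```

The iteration count is the only knob that makes offline guessing expensive; an attacker who steals the encrypted vault still has to pay the client-side PBKDF2 cost per guess, which is why a long master password plus a high count matters more than the AES key length.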
Question 6: Securing Your SDLC
Ultimate Security – Write Only Memory (WOM)
4/13/2017 ©2017 Restyn, LLC - All Rights Reserved. CONFIDENTIAL and PROPRIETARY – Do Not Distribute.
Write-Only Memory (WOM)
“write-only memory: A form of computer memory into which information can be stored but never, ever retrieved, developed under government contract in 1975 by Professor Homberg T. Farnsfarfle. Farnsfarfle's original prototype, approximately one inch on each side, has so far been used to store more than 100 trillion words of surplus federal information. Farnsfarfle's critics have denounced his project as a six-million-dollar boondoggle, but his defenders point out that this excess information would have cost more than 250 billion dollars to store in conventional media.” - Apple IIe Reference Manual (part number A2L2005), page 250.
Obtaining Security
• Do Not Process
• Do Not Store
• Do Not Connect
• Do Not Transmit
• Do Not Receive
• Do Not Grant Access
• Do Not Communicate
• Do Not Code
• Do Not ….
Security is a pursuit, not a destination.
Open Web Application Security Project (OWASP) Top 10 (2013 edition)
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Known Vulnerable Components
• Unvalidated Redirects and Forwards
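Added worked example (not from the talk) for the first item on that list, Injection, since it is the one most easily shown as code. A login check built by pasting user input into the SQL text is shown beside the parameterized version; against an in-memory SQLite database constructed for the example, the payload `' OR 1=1 --` logs in as the first user without a password in the vulnerable version and is treated as a literal (and non-existent) username in the fixed one. A second, less obvious consequence is also shown: the string-built query breaks on a legitimate name containing an apostrophe, which the parameterized query handles. Account names, passwords and the SHA-256 placeholder for password storage are assumptions for this example only.

```python
import hashlib
import sqlite3


def h(password: str) -> str:
    # Demo only: a real system stores passwords with a salted, slow KDF (bcrypt/scrypt/PBKDF2).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def setup_db() -> sqlite3.Connection:
    """In-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", h("correct horse")), ("o'brien", h("battery staple"))])
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """VULNERABLE: user input is pasted into the SQL text, so it can change the query."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{h(password)}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username: str, password: str) -> bool:
    """FIXED: parameterized query. The driver sends values separately from the SQL text,
    so quotes and comment markers in the input are data, never syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, h(password))).fetchone() is not None


# Closes the string literal, makes the WHERE clause always true, comments out the password check.
INJECTION = "' OR 1=1 --"


def vulnerable_breaks_on_apostrophe(conn) -> bool:
    """Side effect of string-built SQL: a legitimate name with a quote is a syntax error."""
    try:
        vulnerable_login(conn, "o'brien", "battery staple")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, injected:", vulnerable_login(db, INJECTION, "anything"))  # True
    print("safe, injected:      ", safe_login(db, INJECTION, "anything"))        # False
    print("safe, o'brien:       ", safe_login(db, "o'brien", "battery staple"))  # True
    print("vulnerable, o'brien raises:", vulnerable_breaks_on_apostrophe(db))    # True
```

The same pattern (values bound separately from the statement) is the fix in every database driver and ORM; escaping quotes by hand is not, because the escaping rules differ by database and by context inside the statement.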
Basic Areas of Focus
• Governance/Compliance
• Education/Training
• Architecture/Design/Development
• Testing/Review
• Deployment/Change Control
• Configuration/Administration
• Vulnerability/Bug Incident Response
Example Software Development Life Cycle (flow diagram on the slide; boxes listed by stage)

DEVELOPMENT
  Business Requirements -> Functional/Technical Requirements -> Solution Design -> Development in DEV -> Test Development in DEV
QA STAGE
  Deploy Solution to QA -> Test Solution in QA -> Bugfixes and Redeploy to QA
UAT STAGE
  Deploy to UAT -> Test Solution in UAT -> Bugfixes and Redeploy to QA
PRODUCTION
  Deploy to PROD -> Release Notes -> PROD Test/Hotfix -> Training

Build Change Control Into Your Environment
Segregation of Duties
• Business Analysis
• Project Management
• Software Architecture
• Software Development
• Quality Assurance Testing
• User Acceptance Testing
• System Administration
• Change Control
• Security Testing
• Operations Management
• Security Management
• Internal Audit
• External Audit
Build Reviews Into Every Step of the Process
• Risk Analysis
• System Analysis
• Security Requirements
• Architecture/Solution Security Review
• Test Plan Security Review
• Project Plan Security Review
• Static Code Scanning
• Code Security Review
• Configuration Security Review
• Log Analysis / Review
• Bug/Vulnerability Analysis & Review
• Incident Response Review
• Internal and External Process/Controls/Compliance Review
• User Adoption/Training Review
Thank You! www.restyn.com
Learning Center Offer
Evaluations
Door Prizes
Thank You!