6 Security Questions to Ask IT

Welcome

What do you hope to learn today?

Please take a moment to fill out the yellow cards.

Our presenters will review the cards to ensure that we cover the topics/areas of interest.

We will collect them before we get started.

Thanks!


Collect ‘Learn Today’ Cards

What do you hope to learn today?

Please take a moment to fill out the yellow cards.

Our presenters will review the cards to ensure that we cover the topics/areas of interest.

We will collect them before we get started.

Thanks!


The 6 Questions:

- Dual Factor Authentication
- Host Intrusion
- Network Intrusion
- Proxying
- Password Managers
- Securing your Software Development Life Cycle


Question 1: Are you using Multi-Factor Authentication? (Easy, not free)

1. AKA Dual Factor Authentication, Two Factor Authentication, MFA, 2FA
2. Passwords are vulnerable.
   1. Guessing
   2. Brute Force
   3. Social Engineering
   4. Keystroke Logger
   5. Re-Use
   6. Observation
   7. Wireless
   8. Security Questions/Password resets
   9. Spear Phishing
   10. DNS Redirection


2FA

1. Something You Know
   1. Password
2. Something You Have
   1. Fingerprint Reader
   2. Iris or Retina Scanner
   3. Token
   4. Cell Phone with Soft Token
   5. SMS


DEMO

1. Duo Security (with Confluence, our wiki)
2. AuthAnvil (with Kaseya)


Issues

1. Not all 2FA systems work with all applications (websites, email, VPN, RDP, etc.)
2. The easiest/best systems cost a few dollars/month/user
3. Locally hosted? Better keep up the 2FA system! (Or know how to disable it)
4. Cloud hosted? They go down too. (Better know how to disable!)
5. Lost/replacement cell phones
6. Very good reporting of who logged in!


Duo authentication log as shown on the slide (one entry per line: timestamp, user, integration, event, result, reason, location, IP, second factor):

Apr 11, 2017 4:03 PM  broswell  Confluence  Authentication  Access Granted  Trusted network  Hunt Valley, MD  209.251.37.8
Apr 11, 2017 3:51 PM  erainey  Confluence  Authentication  Access Granted  Trusted network  Hunt Valley, MD  209.251.37.8
Apr 11, 2017 3:48 PM  mstough  Confluence  Authentication  Access Granted  User approved  York, PA  174.55.67.131  Duo Push  Mike's Galaxy s6 (717-8


Question 2: Are you using Host Intrusion? (Easy, Free)

• Alert on significant changes to your Windows, Linux, VMware or Mac computers

• I prefer OSSEC (Open Source Security)
  • Free!
  • Server runs on any tiny Linux box; could be a $10 Raspberry Pi
  • Clients for most operating systems


Sample OSSEC alerts (alerts.log) as shown on the slide:

** Alert 1491837854.194: - web,appsec,attack,
2017 Apr 10 15:24:14 production->/var/log/nginx/access.log
Rule: 31508 (level 6) -> 'Blacklisted user agent (known malicious user agent).'
Src IP: 88.198.66.230
88.198.66.230 - - [10/Apr/2017:15:24:14 +0000] "GET /contact/?color=black-white HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.7; http://mj12bot.com/)" "-"

** Alert 1491839124.1381: - syslog,sshd,authentication_success,
2017 Apr 10 15:45:24 production->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 98.233.144.193
User: broswell
Apr 10 15:45:22 production sshd[27920]: Accepted password for broswell from 98.233.144.193 port 52590 ssh2

** Alert 1491843243.4579: mail - syslog,yum,config_changed,
2017 Apr 10 16:54:03 production->/var/log/messages
Rule: 2933 (level 7) -> 'Yum package updated.'
Apr 10 16:54:01 production yum[29021]: Updated: 1:openssl-1.0.1k-15.99.amzn1.x86_64

** Alert 1491843243.4823: mail - syslog,yum,config_changed,
2017 Apr 10 16:54:03 production->/var/log/messages
Rule: 2933 (level 7) -> 'Yum package updated.'
Apr 10 16:54:02 production yum[29021]: Updated: 1:nginx-1.10.2-1.30.amzn1.x86_64
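As an added example (not code from the deck or from the OSSEC project), here is a Python parser for the alerts.log layout shown above plus a small triage rule over it. The sample alerts are constructed after the slide's alerts, and the level-6 threshold and the `known_admin_ips` allowlist are an assumed triage policy, not anything OSSEC ships with.

```python
import re

# Constructed sample in OSSEC alerts.log layout, modelled on the alerts quoted on the slide.
SAMPLE_ALERTS = """\
** Alert 1491837854.194: - web,appsec,attack,
2017 Apr 10 15:24:14 production->/var/log/nginx/access.log
Rule: 31508 (level 6) -> 'Blacklisted user agent (known malicious user agent).'
Src IP: 88.198.66.230
88.198.66.230 - - [10/Apr/2017:15:24:14 +0000] "GET /contact/?color=black-white HTTP/1.1" 301 185 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.7; http://mj12bot.com/)" "-"

** Alert 1491839124.1381: - syslog,sshd,authentication_success,
2017 Apr 10 15:45:24 production->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 98.233.144.193
User: broswell
Apr 10 15:45:22 production sshd[27920]: Accepted password for broswell from 98.233.144.193 port 52590 ssh2

** Alert 1491843243.4579: mail - syslog,yum,config_changed,
2017 Apr 10 16:54:03 production->/var/log/messages
Rule: 2933 (level 7) -> 'Yum package updated.'
"""
# Line 1: "** Alert <id>: [mail ]- <group,group,...>," ("mail" = OSSEC also emailed it); line 3: rule/level/description.
HEADER = re.compile(r"^\*\* Alert (?P<id>[\d.]+): (?P<mail>mail )?- (?P<groups>[\w,]+)")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def parse_alerts(text: str) -> list[dict]:
    """Split alerts.log text on blank lines and parse the fixed leading lines of each block."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        rule = RULE.match(lines[2]) if len(lines) > 2 else None
        if not head or not rule:
            continue  # not an alert block we understand: skip it rather than crash the feed
        alert = {"id": head["id"], "mailed": head["mail"] is not None,
                 "groups": head["groups"].strip(",").split(","),
                 "location": lines[1].split(" ", 4)[4],  # "<agent>-><logfile>" the event came from
                 "rule": int(rule["rule"]), "level": int(rule["level"]), "description": rule["desc"]}
        for extra in lines[3:]:  # decoded fields ("Src IP: ...", "User: ...") precede the raw log line
            key, sep, value = extra.partition(": ")
            if sep and key in ("Src IP", "User"):
                alert[key.lower().replace(" ", "_")] = value  # -> "src_ip", "user"
        alerts.append(alert)
    return alerts

def triage(alerts: list[dict], min_level: int = 6, known_admin_ips: tuple = ()) -> list[str]:
    """Ids worth a human look: level >= min_level, or an SSH login from outside the (assumed) admin allowlist."""
    return [a["id"] for a in alerts if a["level"] >= min_level
            or ("authentication_success" in a["groups"] and a.get("src_ip") not in known_admin_ips)]
```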


Question 3: Are you using Proxies to protect your Infrastructure? (Easy; free implementations probably only solve part of the problem)

1. Definition of Proxies
2. Probably already using for Email
   1. ProofPoint, Postini, ForeFront, etc.
3. Consider for Websites
   1. Incapsula, CloudFlare, AWS CloudFront, Akamai, EdgeCast
   2. More at https://en.wikipedia.org/wiki/Content_delivery_network
4. Same idea for VoIP and Video, with SIP and H.323 proxies


Question 4: Are you using a Network Intrusion System? (Free->Expensive, Hard->Very Hard)

1. Cisco Firepower Services on ASA
2. SELKS (Suricata, ElasticSearch, Logstash, Kibana)
   1. Crazy amount of malicious traffic on our network in front of firewalls (500-600 events per minute)
   2. Manageable but much less interesting and fun behind the firewall.


Steve Simons


Team Building

Technology Empowerment

Business Strategy


Business Strategy

• Determine the Right Vision

• Design the Right Process

• Build the Right Team

• Leverage the Right Technology

Restyn enables businesses to become the best version of themselves through insightful leadership and creation of visionary and grounded enterprise solutions.


Team Building

• Management Consulting

• Leadership Coaching

• Staffing and Team Development

• Culture Creation/Evolution

Restyn is your source for “In Country Outsourcing", enabling your business to reach higher and achieve more by involving highly-reputed, experienced, and knowledgeable advisers.


Technology Empowerment

• People Driven

• Process Aligned

• Strategically Selected

• Architecturally Sound

• Fully Engaged

• Broadly Adopted

Aligning, developing, and implementing best-in-class integrated enterprise solutions can give you the competitive advantage to fulfill your company’s vision.


Question 5: Password Management


AES-256 bit encryption with PBKDF2 SHA-256, Local Only Encryption, and Two Factor Authentication

Enterprise Features: SSO, User Management, Compliance Reporting, Policy Enforcement


Question 6: Securing Your SDLC


Ultimate Security – Write Only Memory (WOM)

4/13/2017 ©2017 Restyn, LLC - All Rights Reserved.

CONFIDENTIAL and PROPRIETARY – Do Not Distribute.


Write-Only Memory (WOM)

“write-only memory: A form of computer memory into which information can be stored but never, ever retrieved, developed under government contract in 1975 by Professor Homberg T. Farnsfarfle. Farnsfarfle's original prototype, approximately one inch on each side, has so far been used to store more than 100 trillion words of surplus federal information. Farnsfarfle's critics have denounced his project as a six-million-dollar boondoggle, but his defenders point out that this excess information would have cost more than 250 billion dollars to store in conventional media.” - Apple IIe Reference Manual (part number A2L2005), page 250.


Obtaining Security

• Do Not Process

• Do Not Store

• Do Not Connect

• Do Not Transmit

• Do Not Receive

• Do Not Grant Access

• Do Not Communicate

• Do Not Code

• Do Not ….

Security is a pursuit, not a destination.


Open Web Application Security Project (OWASP) Top 10

• Injection

• Broken Authentication and Session Management

• Cross-Site Scripting (XSS)

• Insecure Direct Object References

• Security Misconfiguration

• Sensitive Data Exposure

• Missing Function Level Access Control

• Cross-Site Request Forgery (CSRF)

• Using Known Vulnerable Components

• Unvalidated Redirects and Forwards


Basic Areas of Focus

• Governance/Compliance

• Education/Training

• Architecture/Design/Development

• Testing/Review

• Deployment/Change Control

• Configuration/Administration

• Vulnerability/Bug Incident Response


Example Software Development Life Cycle

Flowchart on the slide; its box labels, in pipeline order:

1. Business Requirements
2. Solution Design
3. Functional/Technical Requirements
4. Development in DEV
5. Test Development in DEV
6. Deploy Solution to QA
7. Test Solution in QA
8. Bugfixes and Redeploy to QA
9. Deploy to UAT
10. Test Solution in UAT
11. Bugfixes and Redeploy to QA
12. Release Notes
13. Deploy to PROD
14. PROD Test/Hotfix
15. Training

Build Change Control Into Your Environment

Diagram on the slide; the environment stages, in promotion order:

DEVELOPMENT → QA STAGE → UAT STAGE → PRODUCTION

Segregation of Duties

• Business Analysis

• Project Management

• Software Architecture

• Software Development

• Quality Assurance Testing

• User Acceptance Testing

• System Administration

• Change Control

• Security Testing

• Operations Management

• Security Management

• Internal Audit

• External Audit


Build Reviews Into Every Step of the Process

• Risk Analysis

• System Analysis

• Security Requirements

• Architecture/Solution Security Review

• Test Plan Security Review

• Project Plan Security Review

• Static Code Scanning

• Code Security Review

• Configuration Security Review

• Log Analysis / Review

• Bug/Vulnerability Analysis & Review

• Incident Response Review

• Internal and External Process/Controls/Compliance Review

• User Adoption/Training Review


Thank You!

www.restyn.com


Learning Center Offer

Evaluations

Door Prizes

Thank You!