  1. Andrew Pollack, NCT
  2. <ul><li>English is the only language I speak </li></ul><ul><ul><li>-- Unless you count programming languages </li></ul></ul><ul><li>I will try to speak clearly, but if I am moving too quickly, or too slowly, please make some kind of sign, so I can adjust! </li></ul>
  3. <ul><li>We will all point at you </li></ul><ul><li>Set all noise making toys to “Stun” please </li></ul><ul><li>If you need to type on a laptop or a Blackberry – move toward the back please </li></ul>
  4. <ul><li>Administrator & Developer since version 2.0 </li></ul><ul><li>Products </li></ul><ul><ul><li>NCT Search, NCT Compliance Search, NCT Simple Sign On, and now Second Signal </li></ul></ul><ul><li>Services </li></ul><ul><ul><li>Site Performance Reviews </li></ul></ul><ul><ul><li>Application Development </li></ul></ul><ul><ul><li>Administrative Overhaul </li></ul></ul><ul><ul><li>Security Review & Penetration Testing </li></ul></ul><ul><li>IBM Lotus Beacon Award Winner </li></ul><ul><li>Firefighter </li></ul><ul><ul><li>Lieutenant of Cumberland, Maine – Engine 1 </li></ul></ul><ul><li>In firefighting, just like server administration, it's all in the planning </li></ul>
  5. <ul><li>Security From A Big Picture Approach </li></ul><ul><li>Big New Locks on Rusty Old Chains </li></ul><ul><li>What do I look for in a Security Review </li></ul><ul><li>Story Time </li></ul><ul><li>Summary </li></ul>
  6. Are you the weakest link?
  7. <ul><li>How good are your backups? </li></ul><ul><ul><ul><li>A denial of service vector </li></ul></ul></ul><ul><li>Have you switched to IP Telephony? </li></ul><ul><ul><ul><li>Your telephones may now be programmable computers </li></ul></ul></ul><ul><li>Who can access your server room? </li></ul><ul><li>Can your LAN administrators access the file systems on your Domino servers? </li></ul>
  8. <ul><li>From a Security Officer Perspective </li></ul><ul><ul><ul><li>“There are only two levels of paranoia – absolute, and insufficient.” </li></ul></ul></ul><ul><li>From an End User Perspective </li></ul><ul><ul><ul><li>“These are my friends and coworkers, I trust them completely” </li></ul></ul></ul><ul><li>There is no perfect balance. You must learn to assess the risk and apply security in layers </li></ul>
  9. <ul><li>Categorize Applications, then apply standard security practices based on the category </li></ul><ul><ul><ul><li>This protects developers and administrators </li></ul></ul></ul><ul><li>Some schemas I’ve seen </li></ul><ul><ul><ul><li>Green, Yellow, Red </li></ul></ul></ul><ul><ul><ul><li>Open, Internal, Confidential, Executive </li></ul></ul></ul><ul><li>Considerations for categorizing risk </li></ul><ul><ul><ul><li>Employee contact data </li></ul></ul></ul><ul><ul><ul><li>Customer list information </li></ul></ul></ul><ul><ul><ul><li>Banking, tax, or medical information </li></ul></ul></ul><ul><ul><ul><li>Company Planning information </li></ul></ul></ul><ul><ul><ul><li>Company financial information </li></ul></ul></ul>
  10. <ul><li>Most security problems come from inside, not outside hackers </li></ul><ul><li>Most administrative failures are infrastructure related, but have security implications </li></ul><ul><li>Sometimes, you need a way to fix it now and explain it later – reporting is critical </li></ul>
  11. <ul><li>Internal Employee Mistakes </li></ul><ul><ul><ul><li>Taking customer data to work out of the office </li></ul></ul></ul><ul><ul><ul><li>Password Sharing </li></ul></ul></ul><ul><ul><ul><li>Unattended Workstations </li></ul></ul></ul><ul><li>Abuse of Administrative Authority </li></ul><ul><ul><ul><li>Reading people’s mail files </li></ul></ul></ul><ul><ul><ul><li>Sending communication on behalf of someone else </li></ul></ul></ul><ul><ul><ul><li>Intercepting Logs, Complaints, or Bad News </li></ul></ul></ul><ul><ul><ul><li>Altering ‘metrics’ in help desk and other applications </li></ul></ul></ul><ul><li>Insufficient Termination Procedures </li></ul><ul><ul><ul><li>Former Administrators or Employees Retaining Access </li></ul></ul></ul><ul><li>Unauthorized Copying of Data </li></ul><ul><ul><ul><li>Employees taking the customer list as they resign </li></ul></ul></ul>
  12. <ul><li>In Firefighting, we say “Try before you pry!” </li></ul><ul><li>You’re only as secure as your certifiers </li></ul><ul><li>Quit worrying about visible hash values unless everything else is locked down first </li></ul><ul><li>When in doubt, log and report </li></ul>
  13. Policies & Procedures Matter
  14. <ul><li>In a REVIEW </li></ul><ul><ul><li>I ask you questions and believe your answers </li></ul></ul><ul><ul><li>Typically 2 Days Talking + a Document </li></ul></ul><ul><ul><li>Cooperative Effort with the Administrative Team </li></ul></ul><ul><ul><li>Cannot be certified </li></ul></ul><ul><li>In an AUDIT </li></ul><ul><ul><li>I assume you may be wrong </li></ul></ul><ul><ul><li>Trust, but verify </li></ul></ul><ul><ul><li>Tends to be somewhat adversarial </li></ul></ul><ul><ul><li>Very Expensive, but certified accurate </li></ul></ul>
  15. <ul><li>From the Root Certifier on Down </li></ul><ul><ul><ul><li>If you’re not using the CA, every admin you’ve ever had probably has a copy </li></ul></ul></ul><ul><ul><ul><li>If your certifiers are ‘potentially compromised’, almost everything else we lock down is potentially still vulnerable </li></ul></ul></ul><ul><li>User Certificates (ID Files) </li></ul><ul><ul><ul><li>Who can assign them? </li></ul></ul></ul><ul><ul><ul><li>What is the process for recovery (lost password or ID)? </li></ul></ul></ul><ul><ul><ul><li>Do you REALLY still keep copies of them somewhere? </li></ul></ul></ul>
  16. <ul><li>Do you track every database? </li></ul><ul><ul><ul><li>“Owner” of the application </li></ul></ul></ul><ul><ul><ul><li>Responsible developer? </li></ul></ul></ul><ul><ul><ul><li>Expected size & activity </li></ul></ul></ul><ul><ul><ul><li>ACL Requirements </li></ul></ul></ul><ul><ul><ul><li>Scheduled Agent Requirements </li></ul></ul></ul><ul><ul><ul><li>Security Level Category </li></ul></ul></ul><ul><li>Update tracking information every “N” months </li></ul>
  17. <ul><li>People tend to accumulate group membership </li></ul><ul><ul><ul><li>This makes them ideal targets </li></ul></ul></ul><ul><li>Do you track every group? </li></ul><ul><ul><ul><li>“Owner” of the group </li></ul></ul></ul><ul><ul><ul><li>Security Level Category </li></ul></ul></ul><ul><li>Update tracking information every “N” months </li></ul><ul><ul><ul><li>Group owner should “sign off” on the accuracy periodically </li></ul></ul></ul>
  18. <ul><li>Avoid Designer & Manager Access in ANY database on Production servers </li></ul><ul><ul><ul><li>VERY easy to crash servers </li></ul></ul></ul><ul><ul><ul><li>VERY easy to destroy data </li></ul></ul></ul><ul><ul><ul><li>VERY easy to exploit users </li></ul></ul></ul>
  19. <ul><li>ECLs are the single most important protection you have against intentional exploitation </li></ul><ul><li>Use “Design Signature” ID files and allow ONLY those to perform higher risk activities </li></ul><ul><li>Do not give “Design Signature” ID files to developers. An ADMIN must sign a changed application to move it to production </li></ul>
  20. <ul><li>Never Allow End Users to Design or Manage their own databases </li></ul><ul><li>Local Databases must be encrypted </li></ul><ul><li>Local hard disks should be encrypted </li></ul><ul><li>Use password management policies </li></ul>
  21. <ul><li>I love being told </li></ul><ul><ul><li>“HTTP Isn’t Running on our Servers” </li></ul></ul><ul><ul><li>“SMTP Isn’t Running on our Servers” </li></ul></ul><ul><ul><li>“LDAP Isn’t Running on our Servers” </li></ul></ul><ul><li>Translated, this means “We’re not bothering to manage the HTTP password” </li></ul><ul><li>I can usually find one of these running on at least one of their servers </li></ul>
  22. <ul><li>Set up exactly as a new temporary employee </li></ul><ul><li>Repeat the test as a new full-time employee </li></ul><ul><li>Bring a copy of Designer on a USB drive </li></ul><ul><ul><ul><li>Never assume Designer is unavailable </li></ul></ul></ul><ul><li>ECL is the first thing I check </li></ul><ul><ul><ul><li>If mine is set too open, most employees’ will be as well </li></ul></ul></ul><ul><li>CATALOG.NSF makes a great shopping list </li></ul><ul><ul><ul><li>Shows me important databases </li></ul></ul></ul><ul><ul><ul><li>Shows me databases with groups in common </li></ul></ul></ul><ul><li>Browsing Groups tells me who’s got what access </li></ul>
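Slides 17, 18 and 22 describe one check from the defender's side: resolve who effectively gets what through groups and ACLs, then look for Designer/Manager access on production and for people who have accumulated group membership. This is an added example, not the speaker's code; the group and catalog dictionaries are constructed stand-ins for what you would export from the Domino Directory and CATALOG.NSF, and the precedence applied is the standard Domino ACL rule (explicit person entry wins, otherwise the highest group level, otherwise -Default-).

```python
# Added example (not from the talk): effective Domino ACL access over constructed
# group and catalog data; the dict layouts are assumptions, not the CATALOG.NSF format.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
# Constructed: group -> members; a member may itself be a group (nesting).
GROUPS = {
    "Developers": ["CN=Bob/O=Acme", "CN=Carol/O=Acme"],
    "HelpDesk": ["CN=Carol/O=Acme", "Developers"],
    "Finance": ["CN=Carol/O=Acme"],
}
# Constructed: database -> (server, is_production, ACL entries)
CATALOG = {
    "crm.nsf": ("Prod01", True, {"Developers": "Designer", "Finance": "Editor", "-Default-": "Reader"}),
    "helpdesk.nsf": ("Prod01", True, {"HelpDesk": "Manager", "-Default-": "Author"}),
    "crm-dev.nsf": ("Dev01", False, {"Developers": "Manager"}),
}

def expand_group(name, seen=None):
    """All user names reachable through a group, following nested groups once each."""
    seen = set() if seen is None else seen
    users = set()
    for member in GROUPS.get(name, []):
        if member not in GROUPS:
            users.add(member)
        elif member not in seen:
            seen.add(member)
            users |= expand_group(member, seen)
    return users

def groups_of(user):
    return {g for g in GROUPS if user in expand_group(g)}

def effective_level(user, acl):
    """Domino rule: explicit person entry wins; else highest group level; else -Default-."""
    if user in acl:
        return acl[user]
    group_levels = [acl[g] for g in groups_of(user) if g in acl]
    if group_levels:
        return max(group_levels, key=LEVELS.index)
    return acl.get("-Default-", "No Access")

def find_risky_access():
    """(user, database, server) holding Designer or Manager on a production server (slide 18)."""
    users = sorted({u for g in GROUPS for u in expand_group(g)})
    return [(u, db, server) for db, (server, prod, acl) in CATALOG.items() if prod
            for u in users if LEVELS.index(effective_level(u, acl)) >= LEVELS.index("Designer")]

def accumulated_membership(threshold=2):
    """Users in more than `threshold` groups: the accumulation slide 17 calls an ideal target."""
    users = {u for g in GROUPS for u in expand_group(g)}
    return {u: sorted(groups_of(u)) for u in users if len(groups_of(u)) > threshold}
```

Note that Bob reaches helpdesk.nsf as Manager only through the nested Developers group, which is exactly the path a flat group listing hides.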
  23. Also known as “There he goes again….”
  24. <ul><li>The simplest form of attack </li></ul><ul><li>“I’ve forgotten my password” </li></ul><ul><li>Similar “Human Engineering” Attacks </li></ul>
  25. <ul><li>Not Domino Specific </li></ul><ul><li>Very well secured network environment </li></ul><ul><li>Very good physical security </li></ul><ul><li>More than 75% success rate </li></ul>
  26. <ul><li>Send a message to someone with a link </li></ul><ul><li>The link is actually a hotspot </li></ul><ul><li>The hotspot actually opens the page indicated </li></ul><ul><li>The hotspot also does other things </li></ul><ul><li>User Impersonation Attack </li></ul><ul><li>Very Difficult To Spot </li></ul>
  29. <ul><li>220 mail.domain.ext ESMTP Sendmail (version); (date) </li></ul><ul><li>HELO </li></ul><ul><li>250 mail.domain.ext Hello [], pleased to meet you </li></ul><ul><li>MAIL FROM: mail@domain.ext </li></ul><ul><li>250 2.1.0 mail@domain.ext... Sender ok </li></ul><ul><li>RCPT TO: mail@otherdomain.ext </li></ul><ul><li>250 2.1.0 mail@otherdomain.ext... Recipient ok </li></ul><ul><li>Subject: whatever you want </li></ul><ul><li>250 2.1.0 mail@domain.ext... Subject ok </li></ul><ul><li>This is the message body... </li></ul><ul><li>. </li></ul><ul><li>250 2.0.0 ???????? Message accepted for delivery </li></ul><ul><li>Quit </li></ul><ul><li>221 2.0.0 mail.domain.ext closing connection </li></ul><ul><li>Connection closed by foreign host. </li></ul>
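The session on this slide, reviewed from the receiving server's side: an added example, not from the talk, that parses a constructed dialogue modelled on the one above and flags the empty HELO, a local-domain sender arriving from an untrusted client, and relaying to an outside domain. The set of hosted domains and whether the client is on the internal network are assumptions the caller supplies; a 235 reply is treated as a completed SMTP AUTH.

```python
# Added example (not from the talk): triage a captured SMTP dialogue. The transcript is
# constructed after the slide's session; local domains and client origin are assumptions.
import re
TRANSCRIPT = """\
220 mail.domain.ext ESMTP Sendmail (version); (date)
HELO
250 mail.domain.ext Hello [], pleased to meet you
MAIL FROM: mail@domain.ext
250 2.1.0 mail@domain.ext... Sender ok
RCPT TO: mail@otherdomain.ext
250 2.1.0 mail@otherdomain.ext... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
This is the message body...
.
250 2.0.0 xxxxxxxx Message accepted for delivery
"""

def _addr(cmd):  # envelope address from a MAIL FROM / RCPT TO line, with or without <>
    m = re.search(r"<?([^\s<>]+@[^\s<>]+)>?", cmd.split(":", 1)[1])
    return m.group(1).lower() if m else None

def parse_session(text):  # client's envelope commands plus the server's verdicts on them
    s = {"helo": None, "mail_from": None, "rcpt_to": [], "accepted": False, "authenticated": False}
    for line in text.splitlines():
        cmd, upper = line.strip(), line.strip().upper()
        if upper.startswith(("HELO", "EHLO")):
            s["helo"] = cmd[4:].strip() or None  # empty greeting -> None
        elif upper.startswith("MAIL FROM:"):
            s["mail_from"] = _addr(cmd)
        elif upper.startswith("RCPT TO:"):
            s["rcpt_to"].append(_addr(cmd))
        elif cmd.startswith("235"):  # 235 = SMTP AUTH succeeded
            s["authenticated"] = True
        elif cmd.startswith("250") and "accepted for delivery" in cmd.lower():
            s["accepted"] = True
    return s

def review(text, local_domains, client_is_internal):  # findings a defender should raise
    s, findings = parse_session(text), []
    trusted = client_is_internal or s["authenticated"]
    domain = lambda addr: addr.rsplit("@", 1)[1]
    if s["helo"] is None:
        findings.append("empty HELO accepted: greeting is not validated")
    if s["mail_from"] and domain(s["mail_from"]) in local_domains and not trusted:
        findings.append(f"untrusted client sent as local address {s['mail_from']} (sender spoofing)")
    foreign = [r for r in s["rcpt_to"] if domain(r) not in local_domains]
    if foreign and s["accepted"] and not trusted:
        findings.append(f"relayed to {', '.join(foreign)} for an untrusted client (open relay)")
    return findings
```

Run `review(TRANSCRIPT, {"domain.ext"}, client_is_internal=False)` to see all three findings; the same session from an internal or authenticated client reports only the empty HELO.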
  30. <ul><li>Stop using big new locks on rusty old chains </li></ul><ul><li>Get control over your certifiers </li></ul><ul><li>Get control over your developers </li></ul><ul><li>Get control over your users & their local data storage devices </li></ul><ul><li>Get control over the databases & groups you’ve got deployed on your servers </li></ul>