This document provides lessons learned from implementing Active Directory domains in control system environments. It covers topics like time synchronization, DNS, Active Directory replication, domain controller maintenance, backup and restore, user and group guidelines, and ICS group policy. The key lessons are: accurate time sync is critical; DNS configuration on domain controllers must include the loopback address; Active Directory replication links need to be properly configured; flexible single master operations roles should be transferred before domain controller maintenance; individual user accounts should be used instead of shared administrator accounts; and group policy can be used to apply security settings to control systems. The presentation provides guidance on best practices, common problems encountered, and their solutions.
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center
requirement
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center" is often used synonymously with SOC.
A network operations center (NOC) is not a SOC: a NOC focuses on network device management rather than on detecting and responding to cybersecurity incidents. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same, whether delivered from a SOC or not. The SOC itself is a meta-topic, involving many security domains and disciplines, depending on the services and functions it delivers.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC:
• Security defense center (SDC)
• Security intelligence center
• Cyber security center
• Threat defense center
• Security intelligence and operations center (SIOC)
• Infrastructure Protection Centre (IPC)
• Security Operations Center (Persian: مرکز عملیات امنیت)
SOC presentation - Building a Security Operations Center (Michael Nickle)
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
Security operations center: 5 security controls (AlienVault)
An effective Security Operation Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
Secure by Design - Security Design Principles for the Rest of Us (Eoin Woods)
Security is an ever more important topic for system designers. As our world becomes digital, today’s safely-hidden back office system is tomorrow’s public API, open to anyone on the Internet with a hacking tool and time on their hands. So the days of hoping that security is someone else’s problem are over.
The security community has developed a well understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers, assuming that it’s only relevant to security specialists.
In this talk, we will briefly discuss why security needs to be addressed as part of architecture work and then introduce a set of proven principles for the architecture of secure systems, explaining each in the context of mainstream system design, rather than in the specialised language of security engineering.
This version of the talk was presented at GOTO London in October 2016.
Security Onion includes best-of-breed free and open tools including Suricata, Zeek, Wazuh, the Elastic Stack and many others. We created and maintain Security
Enterprise Security Architecture for Cyber Security (The Open Group SA)
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
Building a Next-Generation Security Operations Center (SOC) (Sqrrl)
So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations.
Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc
SAST vs. DAST: What’s the Best Method For Application Security Testing? (Cigital)
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
Adopting A Zero-Trust Model. Google Did It, Can You? (Zscaler)
Based on 6 years of creating zero trust networks at Google, the BeyondCorp framework has led to the popularization of a new network security model within enterprises, called the software-defined perimeter.
Get advice from security gurus on how to get up & running with SIEM quickly and painlessly. You'll learn about log collection, log management, log correlation, integrated data sources and how-to leverage threat intelligence into your SIEM implementation.
The Zero Trust Model of information security simplifies how information security is conceptualized by assuming there are no longer “trusted” interfaces, applications, traffic, networks, or users. It takes the old model, “trust but verify”, and inverts it, because recent breaches have proven that when an organization trusts, it doesn’t verify.
Liam Randall of Critical Stack at S4x15 Operation Technology Day. Liam is a Bro guru and describes how it can be used to monitor communications, detect attacks and analyze data.
Internet Accessible ICS in Japan (English) (Digital Bond)
Dale Peterson of Digital Bond gathered reports and examples from Shodan researchers to quantify and describe ICS devices that are connected to the Internet in Japan. It is not a small number and some of the examples are compelling.
Dale Peterson and Corey Thuen pinch hit for Kyle Wilhoit to present his concept of malware incubation. It is creating a realistic environment for malware to be grown so that it can be studied and help with incident response.
Tatsuaki Takebe of Yokogawa Electric Corporation provides the closing keynote with a focus on international standards activity and how it affects the Japanese ICS community.
Vulnerability Inheritance in ICS (English) (Digital Bond)
Reid Wightman of Digital Bond Labs shows how software libraries integrated into ICS can bring vulnerabilities along with them.
In this case it is the CoDeSys library bringing vulnerabilities to more than 200 products, including PLCs from Hitachi and Sanyo-Denki. Reid goes into the vulnerabilities and shows the tools that can exploit them.
Equally important is the vendor misrepresenting that the vulnerabilities were fixed when they were not, and the vendors (Hitachi and Sanyo-Denki, to name two) that did not test the security of the libraries before including them in their products and selling them to customers.
Survey and Analysis of ICS Vulnerabilities (Japanese) (Digital Bond)
Masaki Kubo of JPCERT provides some statistical analysis of ICS vulnerabilities. He also looks at the coding errors that caused the vulnerabilities and takes an in-depth look at recent Yokogawa vulnerabilities.
ICS Security Training ... What Works and What Is Needed (Japanese) (Digital Bond)
Tomomi Aoyama of Nagoya Institute of Technology discusses Red/Blue and other types of ICS training. She identifies what is effective and offers suggestions for future training.
The answer is no for about 90% of the cyber assets due to the very minimal risk reduction achieved. Spend your effort elsewhere. Presentation goes over categories of security patching in ICS and recommends prioritized security patching.
Bryan Owen of OSIsoft at S4x15 OTDay.
Bryan shows how to harden a Windows service generically, and then specifically for a service used by OSIsoft's PI Server.
Ralph Langner of The Langner Group at S4x15 OTDay.
Ralph explains how the RIPE framework and associated tools and templates can be used to implement and measure an ICS security program. This session was followed by a nuclear plant owner/operator who was implementing RIPE.
Attacking and Defending Autos Via OBD-II from escar Asia (Digital Bond)
This presentation from escar Asia does go into detail on the Progressive Snapshot dongle security problems, but it also addresses common issues found in ICS security and the path forward. For example the insecure by design problem, no thought on embedded product security, importance of a security perimeter as the immediate best security solution, and the medium to long term solutions.
Dynamic Zoning Based On Situational Activity in ICS (Japanese) (Digital Bond)
Wataru Machii of the Nagoya Institute of Technology introduces this novel defensive measure, which alters the perimeter defenses or zoning based on certain operational modes or observed activity.
There are numerous possibilities for this idea.
Remote Control Automobiles at ESCAR US 2015 (Digital Bond)
Corey Thuen of Digital Bond Labs gave this presentation at the Embedded Systems in Cars (ESCAR) US event in May 2015.
He assessed the security, or lack thereof, in the Progressive Snapshot dongle. This is an important example of how an attacker could gain remote access to a car's CANBus.
The last part of the presentation goes over some CANBus tools that are available at Digital Bond's GitHub.
Using Assessment Tools on ICS (English) (Digital Bond)
Dale Peterson of Digital Bond describes the methodology of using security assessment tools on an operational ICS. He also discusses how to best use the features and functions of these tools.
This presentation explains the ANSI/ISA-99 and IEC 62443 standards for industrial control systems (ICS). It describes the Zone and Conduit security model and how it is used in a plant or factory. The issue of security configuration errors is also discussed. A case history of zone security deployment for a Safety Integrated System in a refinery is provided. For additional information see www.tofinosecurity.com.
Wise Men TIBCO ADF Webinar - 16 October 2014 (Wise Men)
TIBCO has a broad range of products which are used for developing various types of enterprise solutions such as, EAI, BPM, CEP and MDM. Most of the enterprises follow agile development methodology and need TIBCO applications to be deployed and promoted as quickly as possible while reducing the develop-test-debug-deploy cycle.
Wise Men has the most comprehensive services on the TIBCO platform. We have an “Automated Deployment Framework” that supports most of the frequently used TIBCO products, and we have an implementation service for ADF that guarantees the results.
Please join the experts from Wise Men to understand and discover how we can help you save 75% of lifecycle management cost of your TIBCO applications.
Runecast: Simplified Security with Unparalleled Transparency (March 2022) (Jason Mashak)
Your best future-proofing starts now. Discover, manage, audit and remediate across your hybrid cloud – all via one patented platform. Runecast customers report time savings of 75-90%, security compliance audit readiness, and greatly increased uptime. Enable your IT Security and Operations teams with a single platform for discovering and resolving IT problems you don't yet know about. Ask us about the Runecast Challenge!
Runecast enables organizations with immediate proactive results and ROI in the areas of Cloud Security Posture Management (CSPM), Kubernetes Security Posture Management (KSPM), Governance, Risk Management and Compliance (GRC), IT Operations Management (ITOM), Vulnerability Assessment/Management, Configuration Management and more.
David Cass discusses the role of security and how best practices can be used to accelerate cloud adoption and success.
Learn more by visiting our Bluemix Hybrid page: http://ibm.co/1PKN23h
Speaker: David Cass (Vice President, Cloud and SaaS CISO)
Discussed in this presentation is what’s driving SIP adoption, best practices for company preparedness, how to guide for SIP migration and integration, tips on minimizing security threats and what to look for from a service provider.
Partnership to Capture Indonesia ERP Cloud Trend Opportunities (Sutedjo Tjahjadi)
Datacomm, Acumatica & Partners Community gathered to discuss how to foster the adoption of Acumatica ERP Cloud applications in Indonesia Market. The market primary concern is security & datacenter location. Datacomm Cloud Business - (cloud.datacomm.co.id) Enterprise - Secure - Local philosophy was shared to address the issue.
Give ‘Em What They Want! Self-Service Middleware Monitoring in a Shared Servi... (SL Corporation)
Self-service monitoring dashboards enhance cross-department productivity and reduce information-reporting burden on middleware operations teams.
In this presentation, Intuit shares their professional best practices for providing real-time and historic health and performance information on their shared middleware platform to different groups across the enterprise using RTView® self-service dashboards.
For more information on SL and RTView® Enterprise Monitor™, End-to-End Monitoring and Middleware Monitoring, please visit us at http://www.sl.com.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
Assessing the Security of Cloud SaaS Solutions (Digital Bond)
Matthew Theobald of Schneider Electric presentation at S4x15 OTDay.
This session provided a tutorial on how to evaluate the security of a SaaS solution. These are being increasingly offered for storage, processing and analysis of ICS data.
Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers.
Havex is the second ICS malware ever seen in the wild.
Unsolicited Response - Getting BACnet Off of the Internet (Japanese) (Digital Bond)
Terada-san from Hitachi provides a quick, unsolicited response session on how they investigated systems Shodan identified as Hitachi. They in fact were Advantech systems, and they were tracked down.
Sharing Plant Data with Phones, Tablets and the Cloud (English) (Digital Bond)
Dale Peterson of Digital Bond describes how to share Plant data without putting the integrity and availability of ICS at risk. He also describes the dangers of allowing remote access to an ICS.
S4x14 Session: You Name It; We Analyze It (Digital Bond)
Jim Gilsinn and Bryan Singer of Kenexis Consulting Corporation had a quick 12-slide/15-minute session on analyzing ICS protocols. Good information on the what and why of pub/sub in these protocols, as well as some protocol plots showing some of the challenges of analyzing these protocols.
Sean McBride of Critical Intelligence goes into some real world examples of success and failure in ICS Vulnerability Analysis. Viewers should be aware there may be a bit of bias to point out shortcomings since this is what Critical Intelligence does for a living, but loyal blog readers and anyone with insight knows the ICS-CERT Alerts and Advisories rarely provide worthwhile analysis.
If you are looking for ICS vulnerability statistical data the first nine slides have very useful charts. The remainder of the presentation goes through some typical and important failures by ICS-CERT and vendor CERTs.
This excellent session by Alexander Bolshev (@dark_k3y) was a very pleasant surprise, and it's a bit frustrating that it is one of the three lost S4x14 videos.
We were concerned that it would be a bit S4x13 / insecure by design / low hanging fruit, but HART has received so little attention that we thought it was worth including in S4x14. HART is widely used in DCS to connect controllers and instruments. The HART Foundation says over 30 million HART devices are deployed.
Alexander covers the protocol in the early slides, but make sure you look at slides 16-21 where he shows how he can change the RTU's Polling Unit ID (who the RTU expects to poll it) to create a man-in-the-middle attack.
There are a number of other HART protocol attacks described, but I was most interested in his HRT Shield board, a high-power low-noise HART modem Arduino shield for sniffing, injecting, and jamming the current loop. He brought over some boards that we are building up to have in our Rack when we go out on an assessment.
I should note, mainly to avoid an email from Jeff, that WirelessHART has integrated security such as source/data authentication and encryption. As we walk through plants and factories we are seeing a number of these WirelessHART devices. They are easy to spot because they can be deployed in the most physically convenient place without worrying about wiring.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35 Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 Discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My and Rik Marselis' slides from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
The Metaverse and AI: how can decision-makers harness the Metaverse for their...Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
Active Directory in ICS: Lessons Learned From The Field
1. Lessons Learned from the Field
Active Directory in ICS
HPS Industrial Cyber Security Services
DigitalBond S4x15, January 2015
2. Abstract
• Many control systems don’t have domains or leverage them only for user authentication. They are intended to help centralize the maintenance and management of a large group of member computers, as well as huge productivity gains for administration, implementing change, and consistency. This session will cover lessons learned of Active Directory domains and their use with control systems, from someone who deals only with control system environments. What works, what to avoid, guidance on how to plan & implement certain features, and useful things you may not have known about. This is not an introduction to Active Directory; it is intended for those that have familiarity with Active Directory, its purpose, basic administration and group policy management.
• 45 minutes
Honeywell Proprietary 2015
3. Speaker
• Donovan Tindill, Senior Security Consultant – Honeywell Industrial Cyber Security (formerly Matrikon)
– For almost 15 years, specialized in defending cyber security for industrial automation & control systems (IACS) to most every industry and countless ICS.
– Responsible for large scale project planning, enterprise risk management, security program development, training, vulnerability assessments, industry compliance, NERC CIP, etc.
– ISA99/IEC62443 contributor, and co-chair of Working Group 6 on IACS patch management.
– Assessed and designed LOTS of ICS networks and domains, cyber security assessments (people-process-technology), developed ICS cyber security programs, etc.
– Email: http://tinyurl.com/DonovanAtHon; Please connect on LinkedIn and mention this conference.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
4. Honeywell Industrial Cyber Security
Honeywell Industrial Cyber Security is the leading provider of cyber security solutions that help protect the availability, safety, and reliability of industrial control systems (ICS) and plant operations.
Leveraging our industry leading process control and cyber security experience, our expertise, and technology, we deliver proven solutions designed for the specific needs of process control environments.
Cyber Security = Process Availability, Safety and Reliability
5. Honeywell Protects
From the Inside Out and Outside In
• Build security into our products
– Employ same risk-management mechanisms for cyber security we design for safe industrial operations
• Strengthen security with proven end-to-end solutions
– Security architecture, security controls and best industrial practices
– Services delivered by global team of experts
• Assure continued protection and resilience
– Situational awareness
– Monitoring, management and training services
6. Industrial Cyber Security Solutions Framework
Embedded Security Is Just the Start
[Figure: framework diagram with four quadrants – Security Awareness (Cyber Security Assessments, Monitoring and Situational Awareness); Security Technology (Used to Drive Secure Architectural Design, Leveraging Network, Host & Security Controls); Security Design (Architectural Design and Best Practices); Security Controls (Operational Security Controls)]
We Address Industrial Cyber Security End-to-End
7. Complete Industrial Cyber Security Solutions
• Assessments & Audits: Security Assessments; Network & Wireless Assessments; Security Audits; Current State Analysis
• Architecture & Design: Design & Optimization; Zones & Conduits
• Response & Recovery: Backup and Restore; Incident Response
• Network Security: Firewall; Intrusion Prevention; Access Control
• Situational Awareness: Continuous Monitoring; Compliance & Reporting; Security Analytics; Security Information & Event Management (SIEM)
• Endpoint Protection: Policy Development; Patching & Anti-Virus; Application Whitelisting; End Node Hardening; Security Awareness Training; Portable Media & Device Security
(TECHNOLOGY underpins all of the above.)
8. Managed Industrial Cyber Security Services
• Secure Connection – Secure tunnel for services
• Protection Management – Qualified anti-malware files & operating system patches
• Continuous Monitoring and Alerting – Monitoring of system, network & cyber security performance; 24/7 alerting against thresholds
• Intelligence Reporting – Weekly compliance and quarterly trend reports
• Perimeter and Intrusion Management – Firewall: configuration rules + log file review and reporting; IPS: signature update validation + log file review and reporting
9. Why Honeywell Industrial Cyber Security
Industry Leading People and Experience
– Global team of certified experts with deep experience across all industries
– 100’s of successful PCN / Industrial cyber security projects
– Leaders in security standards ISA99 / IEC62443
Industry Leading Processes and Expertise
– Proprietary methodologies specific for process control environment & operations
– Best practices developed through years of delivering solutions
– Comprehensive understanding of unique process control security requirements
Industry Leading Technology
– First to obtain ICS product security certification with ISASecure
– Largest R&D investment in cyber security solutions and technology
– Strategic partnerships with best in class security product vendors
Trusted, Proven Solution Provider
10. Topics
Technical Level 100: Time Synchronization; DNS; AD Replication; DC Maintenance; Backup and Restore
Technical Level 200: User and Group Guidelines; ICS Group Policy; Groups.xml Vulnerability
Technical Level 300: DC Through Firewall; Fine Grained Password Policies
Technical Level 400: AppLocker
If common sense were common, we wouldn’t have to fix these over and over…
11. Terminology
• NTDS – NT Directory Services
• AD – Active Directory (aka NTDS)
• DC – Domain Controller
• FSMO – Flexible Single Master Operation
• DNS – Domain Naming Service
• GPO – Group Policy Object
• SCW – Security Configuration Wizard
13. Time Synchronization
• Accurate time sync is a fundamental component of AD authentication. Time drift can result in domain decay and mysterious authentication issues if it exceeds 4 minutes between domain members.
• Actual Event:
– One group of computers cannot authenticate with other PCs in the same domain. Some logons work, some don’t, not consistent across the environment.
– Root Cause: Time drift greater than 5 minutes between DCs results in replication failure; domain members polarize with a DC and ‘islands’ of authentication result.
– Solution: It’s ugly! Force demotion of bad DC, fix time sync, promote to DC again.
14. Time Synchronization
• Identify the ‘PDC Emulator’ role. It is the time master for the entire domain.
• Get a GPS or other accurate (i.e., Stratum) time source; otherwise, the cheap clock on the motherboard is used.
• w32tm /config /manualpeerlist:"X.X.X.X Y.Y.Y.Y" /syncfromflags:manual /reliable:yes /update
• w32tm /query /status
• w32tm /query /peers
Sources:
- How to configure an authoritative time server in Windows Server, http://support.microsoft.com/kb/816042.
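An added PowerShell example (not from the original slides) that locates the PDC Emulator, configures it against external time sources with the w32tm syntax above, points every other DC at the domain hierarchy, and then measures each DC's offset from the PDC against the 4-minute drift limit from slide 13. The peer IP addresses and domain name are placeholders; it assumes the ActiveDirectory module and admin rights on the DCs.

```powershell
# Added example, not from the original slides. Requires the ActiveDirectory
# module (RSAT) and admin rights on the DCs. Peer IPs below are placeholders.
Import-Module ActiveDirectory

# The PDC Emulator is the time master for the domain (slide 14).
function Get-PdcEmulator {
    (Get-ADDomain).PDCEmulator          # FQDN, e.g. DC01.ics.example (constructed)
}

# Point the PDC Emulator at an accurate external source (GPS/NTP appliance)
# using the w32tm syntax from slide 14, then force a resync.
function Set-PdcTimeSource {
    param(
        [string]$Pdc = (Get-PdcEmulator),
        [string[]]$Peers = @('10.10.0.5', '10.10.0.6')   # placeholder peer IPs
    )
    $peerList = $Peers -join ' '
    Invoke-Command -ComputerName $Pdc -ArgumentList $peerList -ScriptBlock {
        param($p)
        w32tm /config /manualpeerlist:"$p" /syncfromflags:manual /reliable:yes /update
        Restart-Service w32time
        w32tm /resync /nowait
        w32tm /query /peers
    }
}

# Every other DC should follow the domain hierarchy, not a manual peer list,
# so that there is exactly one time master in the domain.
function Set-DomainHierarchyTime {
    param([string]$Pdc = (Get-PdcEmulator))
    Get-ADDomainController -Filter * |
        Where-Object { $_.HostName -ne $Pdc } |
        ForEach-Object {
            Invoke-Command -ComputerName $_.HostName -ScriptBlock {
                w32tm /config /syncfromflags:domhier /update
                w32tm /resync /nowait
            }
        }
}

# Parse the offset (seconds) from one w32tm /stripchart sample line such as
# "12:00:01, +00.0012345s". Returns $null for lines without a sample.
function ConvertFrom-StripchartLine {
    param([string]$Line)
    if ($Line -match '([+-]\d+\.\d+)s') { return [double]$Matches[1] }
    return $null
}

# Measure each DC's clock against the PDC and flag anything beyond the
# 4-minute drift the slides warn about (Kerberos itself tolerates 5 by default).
function Get-DcTimeDrift {
    param(
        [string]$Reference = (Get-PdcEmulator),
        [int]$MaxSkewSeconds = 240
    )
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $lines = Invoke-Command -ComputerName $dc.HostName -ArgumentList $Reference -ScriptBlock {
            param($ref)
            w32tm /stripchart /computer:$ref /samples:1 /dataonly
        }
        $offset = $lines | ForEach-Object { ConvertFrom-StripchartLine $_ } |
                  Where-Object { $_ -ne $null } | Select-Object -First 1
        if ($offset -eq $null) { $status = 'NoSample' }
        elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) { $status = 'DRIFT' }
        else { $status = 'OK' }
        [pscustomobject]@{
            DomainController = $dc.HostName
            OffsetSeconds    = $offset
            Status           = $status
        }
    }
}

# Typical run from a management host: configure, then verify.
# Set-PdcTimeSource -Peers '10.10.0.5','10.10.0.6'
# Set-DomainHierarchyTime
# Get-DcTimeDrift | Format-Table -AutoSize
```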
15. Domain Naming Service (DNS)
Ft McMurray Oilsands Conference 2009
What’s your address again?
16. Domain Naming Service (DNS)
• DNS allows humans to use hostnames to communicate with network devices. AD uses DNS to store DC roles, help DCs find each other, and domain members find DCs.
• Every DC has a copy of the same DNS database and is continuously synchronized.
• If a domain controller cannot communicate with DNS, you’re in trouble!
• If a domain member cannot communicate with DNS, only previously cached credentials will work.
17. DNS
• Actual Event:
– Domain controller network driver update/change fails; after reboot it cannot find peer DNS server, cannot logon!
– Root Cause: Its local IP address was not included in DNS server list.
– Solution: DNS1 should be neighbor DC, DNS2 should be another neighbor, DNS3 should be 127.0.0.1. Have at least 2 real DNS servers, last one loopback IP.
– When a DC first boots, it is member only. It must first find other DCs thru DNS and replicate DNS & NTDS databases, before it can authorize itself to authenticate users (including logons at console). Otherwise really slow or failed logon.
– Always stagger DC reboots!
Sources:
- DNS servers on NIC should include 127.0.0.1 but not as first entry, http://technet.microsoft.com/en-us/library/ff807362(v=ws.10).aspx.
- Microsoft Best Practice for DC DNS settings, http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx#dnsbest.
18. DNS
• Replicate to all DNS servers in forest.
• Dynamic Updates: Secure Only
– ipconfig /registerdns (used to refresh local DNS records on-demand)
• Turn on aging/scavenging for all forward and reverse lookup zones (i.e., check the box).
• Zone Transfers: Explicitly specify servers or turn off.
• In ICS, you can delete list of root hint servers. Stops DNS noise before firewall.
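An added PowerShell audit (not from the original slides) for the DNS guidance on slides 17 and 18: it checks every DC's DNS client list for the "two real servers, loopback last, never first" rule, and checks the zones on one DNS server for forest-wide replication, secure-only dynamic updates, aging/scavenging, restricted zone transfers and removed root hints. It changes nothing; it assumes the ActiveDirectory, DnsClient and DnsServer modules (Windows Server 2012 / Windows 8 or later), and the IP addresses shown are constructed.

```powershell
# Added example, not from the original slides. Audit only; nothing is changed.
Import-Module ActiveDirectory

# Pure check of a DC's DNS client list against slide 17: at least two real
# DNS servers, loopback present, loopback last and never first.
function Test-DcDnsClientOrder {
    param([string[]]$Servers)
    $loopback = @('127.0.0.1', '::1')
    $findings = @()
    $real = @($Servers | Where-Object { $loopback -notcontains $_ })
    if ($real.Count -lt 2) { $findings += 'fewer than two real DNS servers' }
    if ($Servers.Count -gt 0 -and $loopback -contains $Servers[0]) {
        $findings += 'loopback is the first DNS server'
    }
    if ($Servers.Count -eq 0 -or $loopback -notcontains $Servers[-1]) {
        $findings += 'loopback address missing or not last'
    }
    return $findings
}

# Collect the IPv4 DNS client list from every DC and run the check on each.
function Get-DcDnsClientFindings {
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $servers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                Select-Object -First 1 -ExpandProperty ServerAddresses
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            DnsServers       = ($servers -join ', ')
            Findings         = ((Test-DcDnsClientOrder -Servers $servers) -join '; ')
        }
    }
}

# Check the slide 18 zone settings on one DNS server (default: the PDC).
function Get-DnsServerFindings {
    param([string]$DnsServer = (Get-ADDomain).PDCEmulator)
    $findings = @()
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
    foreach ($z in $zones) {
        $name = $z.ZoneName
        if ($z.ReplicationScope -ne 'Forest') {
            $findings += "$name : replication scope is $($z.ReplicationScope), not Forest"
        }
        if ($z.DynamicUpdate -ne 'Secure') {
            $findings += "$name : dynamic updates are $($z.DynamicUpdate), not Secure"
        }
        $aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $name
        if (-not $aging.AgingEnabled) { $findings += "$name : aging/scavenging disabled" }
        if ($z.SecureSecondaries -eq 'TransferAnyServer') {
            $findings += "$name : zone transfers allowed to any server"
        }
    }
    $hints = @(Get-DnsServerRootHint -ComputerName $DnsServer)
    if ($hints.Count -gt 0) {
        $findings += "root hints present ($($hints.Count)); slide 18 suggests removing them in ICS"
    }
    return $findings
}

# Constructed inputs showing the pure check (no domain needed):
# Test-DcDnsClientOrder @('10.20.0.11','10.20.0.12','127.0.0.1')  -> no findings
# Test-DcDnsClientOrder @('127.0.0.1','10.20.0.11')               -> three findings
# Get-DcDnsClientFindings | Format-Table -AutoSize
# Get-DnsServerFindings
```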
20. Sites and Services (NTDS Replication)
• AD Sites and Services is used to specify the interval, protocol, and links for the AD database (which may contain DNS) to replicate between domain controllers.
• If subnets are specified and associated with sites (e.g., an area of the plant), members will prefer DCs in their subnet/site.
• Links are automatically created as full mesh and replicated every 3 hours.
21. Sites and Services (NTDS Replication)
• Actual Event:
– User accounts created on specific domain controller never work in other areas of the plant.
– Root Cause: NTDS replication links missing.
– Solution: Re-architect links, verify all DCs participate in bi-directional replication.
– Some scenarios require custom NTDS replication architecture.
• In ICS, 15 minute replication interval is fine (default 180).
• repadmin /syncall
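An added PowerShell example (not from the original slides) for slides 20 and 21: it sets every site link to the 15-minute interval, builds the inbound replication partner map for the domain partition, and checks that every DC both receives from and feeds at least one partner, alongside any replication failures AD reports. It assumes the ActiveDirectory module (Windows Server 2012 replication cmdlets); the DC names in the constructed map are placeholders.

```powershell
# Added example, not from the original slides. Requires ActiveDirectory module.
Import-Module ActiveDirectory

function Set-IcsReplicationInterval {
    param([int]$Minutes = 15)   # default site-link interval is 180 (slide 21)
    foreach ($link in (Get-ADReplicationSiteLink -Filter *)) {
        Set-ADReplicationSiteLink -Identity $link -ReplicationFrequencyInMinutes $Minutes
        "{0}: interval set to {1} min" -f $link.Name, $Minutes
    }
}

# Extract the short DC name from an NTDS Settings DN such as
# "CN=NTDS Settings,CN=DC02,CN=Servers,CN=Plant,CN=Sites,CN=Configuration,DC=..."
function Get-ServerNameFromNtdsDn {
    param([string]$Dn)
    if ($Dn -match '^CN=NTDS Settings,CN=([^,]+),') { return $Matches[1] }
    return $null
}

# Inbound-partner map: DC short name -> partners it pulls the domain partition from.
function Get-InboundPartnerMap {
    param([string[]]$DcHostNames)
    $domainNc = (Get-ADDomain).DistinguishedName
    $map = @{}
    foreach ($dc in $DcHostNames) {
        $short = ($dc -split '\.')[0]
        $partners = Get-ADReplicationPartnerMetadata -Target $dc -Partition $domainNc |
            ForEach-Object { Get-ServerNameFromNtdsDn $_.Partner }
        $map[$short] = @($partners | Where-Object { $_ })
    }
    return $map
}

# Pure check: every DC must have >= 1 inbound partner and must be an inbound
# partner of >= 1 other DC, i.e. it participates in both directions.
function Test-BidirectionalParticipation {
    param([hashtable]$InboundMap)
    $findings = @()
    foreach ($dc in $InboundMap.Keys) {
        if ($InboundMap[$dc].Count -eq 0) { $findings += "$dc has no inbound replication partner" }
        $feeds = @($InboundMap.Keys | Where-Object { $_ -ne $dc -and $InboundMap[$_] -contains $dc })
        if ($feeds.Count -eq 0) { $findings += "$dc is not a source for any other DC" }
    }
    return $findings
}

function Test-DomainReplication {
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $findings = @(Test-BidirectionalParticipation (Get-InboundPartnerMap $dcs))
    foreach ($f in (Get-ADReplicationFailure -Target $dcs)) {
        $findings += "{0}: {1} consecutive failures from {2} ({3})" -f `
            $f.Server, $f.FailureCount, (Get-ServerNameFromNtdsDn $f.Partner), $f.LastError
    }
    if ($findings.Count -eq 0) { 'OK: all DCs replicate bi-directionally with no failures' }
    else { $findings }
}

# Constructed map showing the pure check: DC03 is isolated (missing links).
# Test-BidirectionalParticipation @{ DC01=@('DC02'); DC02=@('DC01'); DC03=@() }
#   -> "DC03 has no inbound replication partner", "DC03 is not a source for any other DC"
# Set-IcsReplicationInterval; repadmin /syncall /AdeP; Test-DomainReplication
```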
23. DC Maintenance
• Actual Event:
– Patches are installed on DC holding FSMO roles; during reboot it suffers critical failure and will not boot.
– If FSMO roles are forcibly seized and transferred to another DC while it is offline, its hostname is now blacklisted. Must force removal of DC role and reinstall OS with new hostname.
– Root Cause: FSMO roles were not transferred before maintenance occurred on DC.
– Solution: Transfer roles before/after using PowerShell:
• Import-Module ActiveDirectory
• Move-ADDirectoryServerOperationMasterRole -Identity "ServerName" -OperationMasterRole 0,1,2,3,4
• netdom query fsmo
Sources:
- Transfer or Seize FSMO Roles, https://support.microsoft.com/kb/255504/en-us.
- How to remove data in Active Directory after an unsuccessful domain controller demotion, https://support.microsoft.com/kb/216498.
- Why not to reuse server names, http://www.jackcobben.nl/?page_id=403.
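An added PowerShell example (not from the original slides) that wraps the Move-ADDirectoryServerOperationMasterRole command above into a pre-maintenance step: it works out which FSMO roles the DC about to be patched holds, transfers exactly those to a healthy peer while both are online (a graceful transfer, never a seizure), and verifies the result with netdom query fsmo. DC names are placeholders; it assumes the ActiveDirectory module.

```powershell
# Added example, not from the original slides. Requires ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Pure helper: which roles does a given DC hold, according to a holder map?
# Holder values are FQDNs; the DC may be given as short name or FQDN.
function Get-RolesHeldBy {
    param([hashtable]$Holders, [string]$DcName)
    $short = ($DcName -split '\.')[0]
    @($Holders.Keys | Where-Object { (($Holders[$_] -split '\.')[0]) -ieq $short } | Sort-Object)
}

function Move-FsmoRolesBeforeMaintenance {
    param(
        [Parameter(Mandatory)][string]$DcToPatch,   # e.g. DC01 (placeholder)
        [Parameter(Mandatory)][string]$PeerDc       # e.g. DC02 (placeholder)
    )
    $held = Get-RolesHeldBy -Holders (Get-FsmoHolders) -DcName $DcToPatch
    if ($held.Count -eq 0) { "$DcToPatch holds no FSMO roles; safe to patch."; return }
    "$DcToPatch holds: $($held -join ', '). Transferring to $PeerDc ..."
    # Graceful transfer while both DCs are online. -Force (seizure) is only for
    # a DC that is gone for good; slide 23 explains why that path is painful.
    Move-ADDirectoryServerOperationMasterRole -Identity $PeerDc `
        -OperationMasterRole $held -Confirm:$false
    $after = Get-RolesHeldBy -Holders (Get-FsmoHolders) -DcName $DcToPatch
    if ($after.Count -ne 0) { throw "Transfer incomplete; $DcToPatch still holds $($after -join ', ')" }
    netdom query fsmo   # same verification as on slide 23
}

# Constructed holder map showing the pure helper (no domain needed):
# Get-RolesHeldBy @{ SchemaMaster='DC01.ics.example'; DomainNamingMaster='DC01.ics.example';
#                    PDCEmulator='DC02.ics.example'; RIDMaster='DC02.ics.example';
#                    InfrastructureMaster='DC01.ics.example' } 'DC01'
#   -> DomainNamingMaster, InfrastructureMaster, SchemaMaster
# Move-FsmoRolesBeforeMaintenance -DcToPatch DC01 -PeerDc DC02
```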
24. Backup and Restore
Prepared for Failure
25. Backup and Restore
• DCs are peers that share and continuously replicate the AD database. Constantly changing!
• Disk images (e.g., Acronis, Ghost, Clonedisk) of your DCs should not be used for restoration as they will include a stale copy of the AD database. Age of backup is key!
• Microsoft only supports Windows Server Backup Full System and ‘System State’ backups, which contain Active Directory contents.
• Schedule backup from 2+ DCs, store on different server, at least once per day. Also, use ntdsutil for ad-hoc snapshots. Used by Directory Service Repair Mode.
• Microsoft recommends ntdsutil to remove failed DCs, then clean OS install and dcpromo for new ones.
Sources:
- AD Backup and Restore, http://technet.microsoft.com/en-us/magazine/2008.05.adbackup.aspx. System State Recovery of a Domain Controller; Taking Active Directory Snapshots.
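An added PowerShell example (not from the original slides) for the "age of backup is key" point: it reads the forest tombstone lifetime, classifies the last successful Windows Server Backup system-state backup on a DC as current (under a day, the slide's target), stale, or older than the tombstone lifetime (no longer restorable), and wraps the supported wbadmin system-state backup and the ntdsutil snapshot. It assumes the ActiveDirectory module, the Windows Server Backup feature with its 2012+ module, and a placeholder local backup volume E:.

```powershell
# Added example, not from the original slides.
Import-Module ActiveDirectory

# Tombstone lifetime in days; an absent attribute means the old default of 60.
function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

# Pure check: classify a backup by age against the daily target (slide 25) and
# the tombstone lifetime. Returns Current / Stale / Unrestorable / None.
function Get-BackupAgeStatus {
    param([nullable[datetime]]$LastSuccess, [int]$TombstoneDays, [datetime]$Now = (Get-Date))
    if ($LastSuccess -eq $null) { return 'None' }
    $ageDays = ($Now - $LastSuccess).TotalDays
    if ($ageDays -gt $TombstoneDays) { return 'Unrestorable' }   # past tombstone lifetime
    if ($ageDays -gt 1)              { return 'Stale' }          # slides: at least daily
    return 'Current'
}

function Test-DcSystemStateBackup {
    Import-Module WindowsServerBackup
    $summary = Get-WBSummary
    $last = $summary.LastSuccessfulBackupTime
    if ($last -eq [datetime]::MinValue) { $last = $null }   # no successful backup yet
    $tombstone = Get-TombstoneLifetimeDays
    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        LastSuccess      = $last
        TombstoneDays    = $tombstone
        Status           = (Get-BackupAgeStatus -LastSuccess $last -TombstoneDays $tombstone)
    }
}

# Supported path: Windows Server Backup system state (slide 25). Target is a
# placeholder local volume; copy the result to another server afterwards.
function Start-DcSystemStateBackup {
    param([string]$Target = 'E:')
    wbadmin start systemstatebackup -backupTarget:$Target -quiet
}

# Ad-hoc AD snapshot with ntdsutil, mountable later for comparison/recovery.
function New-AdSnapshot {
    ntdsutil "activate instance ntds" snapshot create quit quit
}

# Constructed values showing the pure check (no DC needed):
# $now = Get-Date '2015-01-20'
# Get-BackupAgeStatus (Get-Date '2015-01-19T20:00') 180 $now   -> Current
# Get-BackupAgeStatus (Get-Date '2015-01-10') 180 $now         -> Stale
# Get-BackupAgeStatus (Get-Date '2014-06-01') 180 $now         -> Unrestorable
# Test-DcSystemStateBackup; Start-DcSystemStateBackup; New-AdSnapshot
```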
26. Users and Groups
“We use Administrator for everything”
27. User and Group Guidelines
• Don’t use domain or local Administrator account to run any applications!
– Not due to security risk, but to decouple dependency upon it for password changes.
• Rename local Administrator (e.g., LocalAdmin) and rename domain Administrator (e.g., Admini).
• Avoid use of local or domain administrator accounts; rely upon individually assigned user accounts with similar privilege.
28. User and Group Guidelines
• Create two (2) user accounts per person.
– User-level account (e.g., jdoe) with application privileges. Standard password.
– Admin-level account (e.g., admin_jdoe) with administrator privileges. Strong password.
– Logon regularly with user-level account, use admin-level only when needed. Works very well with Windows 2008/Vista/7 UAC.
29. User and Group Guidelines
• Create ‘Service’ user accounts for each major application (e.g., historian interfaces, databases, scheduled tasks, OPC services, backup software) so they can be used for running DCOM and Windows Services.
– Examples: dc_backup_task, acronis_backup_service, historian_opc_service
• Running programs and services as Administrator is the single biggest reason why password changes don’t happen!
– Changing Administrator password in many environments will require, or result in, process shutdown.
• Application specific service accounts clearly identify their purpose and localize their impact if/when their passwords are changed.
30. User and Group Guidelines
• Restricted Resource group: grants a specific access level to a specific device/system/application. Defined owner for each.
• Control System: Product Admins; Engineers; Supervisors; Operators
• Domain Members: Domain Administrators; Remote Desktop Users; Domain Users
• Domain Controllers: Enterprise Admins; Administrators; Group Policy Mgrs; Password Update
• Network Infrastructure: Read-Only; Read-Write
• Applications: Administrators; Engineers / Developers; Users
32. Group Policy Settings
• Group Policies allow single step roll out of computer settings to select or all domain members.
• GPO settings can be applied to users and computers, commonly based on group membership or organizational unit.
– Windows 2008 Active Directory and Group Policy Preferences allow almost limitless selection criteria. With patches, they are supported by Windows XP+.
• Examples:
– Password policy, security logging policy, disable unnecessary services, disable unnecessary Windows components and features, local group membership, Windows Firewall rules, Start Menu and Desktop appearance, startup scripts, etc.
Sources:
- Group Policy Preferences, Windows 2008, http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx.
- Group Policy Preferences, Windows 2012, http://technet.microsoft.com/en-us/library/dn581922.aspx.
- Group Policy Preferences Patch, for Windows XP, 2003, and Vista: http://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx.
33. Recommended Group Policy Settings
• Minimum password length, complexity, and age.
• Enable security auditing (account logon events, account mgmt, logon events, policy change, system events).
• Increase default event log file size.
• Disable LM authentication, potentially NTLM.
• Disable unnecessary services. In ICS, you can disable:
– WinHTTP Auto-Proxy, SSDP Discovery, Smart Card, HomeGroup Listener, HomeGroup Provider
– Security Configuration Wizard (SCW) is excellent at hardening Windows Server 2003 SP1 and newer (e.g., disables unnecessary services; Windows Firewall rules; prepares Group Policies).
• Disable unnecessary Windows components and features. In ICS, you can disable:
– AutoPlay, Games, Desktop Gadgets, NetMeeting, Outlook Express, HomeGroup, Windows Messenger, Windows Media Player, Windows Media Center
• Uninstall unnecessary software (e.g., Adobe, Java, Office).
Sources:
- Security Configuration Wizard, http://technet.microsoft.com/en-us/library/cc754997.aspx.
34. Advanced Group Policy Settings
• Modify allow/deny User Rights Assignment for:
– Logon locally (e.g., keyboard console)
– Remote Desktop
– Access Computer via network (e.g., Network Share, DCOM Service)
– Logon As Service
– Logon As Batch (i.e., Scheduled Task)
• Windows Firewall rules. In ICS, you might choose to control which IP address ranges (e.g., Local Subnet) can access:
– Network Discovery, Remote Desktop, File & Print Sharing
– Part of SCW
• AppLocker application execution rules. In ICS, you can use AppLocker as poor man’s whitelisting application.
– More on this in later slides…
• Do not perform above on production environment without prior testing!!!
35. Groups.xml Vulnerability
• If you use Group Policy Preferences to automate resetting of local user passwords – Don’t!
• The encryption used in the groups.xml file is weak and disabled in MS14-025.
• Implement via PowerShell script
– See MS14-025
Sources:
- How To Automate Changing The Local Administrator Password, http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx.
- MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege, http://support.microsoft.com/kb/2962486.
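An added PowerShell check (not from the original slides) for the slide above: the MS14-025 update stops new passwords being written into Group Policy Preferences, but preference XML already in SYSVOL keeps its cpassword attribute until someone deletes it. This scans every GPO's preference XML for that attribute and reports the GPO, file and affected element, without decrypting anything. It assumes the ActiveDirectory and GroupPolicy modules; the sample XML is constructed with a placeholder value.

```powershell
# Added example, not from the original slides. Detection only.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Pure check: does this preference XML carry a cpassword attribute anywhere?
# Returns one object per affected element (Local Users and Groups, Services,
# Scheduled Tasks, Data Sources and Drives preferences can all carry it).
function Test-GppXmlForCpassword {
    param([string]$Xml)
    $doc = [xml]$Xml
    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        [pscustomobject]@{
            Element     = $node.LocalName
            AccountName = $node.GetAttribute('userName')   # empty for non-user items
            HasPassword = ($node.GetAttribute('cpassword') -ne '')
        }
    }
}

# Walk \\<domain>\SYSVOL\<domain>\Policies and map each hit to its GPO name.
function Find-GppCpassword {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    $files = Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $hits = Test-GppXmlForCpassword -Xml ([IO.File]::ReadAllText($file.FullName))
        foreach ($h in $hits) {
            $guid = [regex]::Match($file.FullName, '\{[0-9A-Fa-f-]{36}\}').Value
            $gpoName = 'unknown'
            try { $gpoName = (Get-GPO -Guid $guid.Trim('{}') -ErrorAction Stop).DisplayName } catch { }
            [pscustomobject]@{
                Gpo         = $gpoName
                GpoGuid     = $guid
                File        = $file.FullName
                Element     = $h.Element
                AccountName = $h.AccountName
                HasPassword = $h.HasPassword
            }
        }
    }
}

# Constructed Groups.xml fragment (placeholder values; the cpassword is not a
# real ciphertext) showing what a hit looks like:
$SampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="PLACEHOLDER_NOT_A_REAL_VALUE" changeLogon="0" noChange="1"
      neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@
# Test-GppXmlForCpassword $SampleGroupsXml  -> Element=Properties, AccountName=LocalAdmin, HasPassword=True
# Find-GppCpassword | Format-Table -AutoSize
```

Any hit should be removed from the GPO and the affected local accounts given a new password through the PowerShell approach the slide points to.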
37. DC Through Firewall
• DCs will often be in different zones and across firewalls. Really they should be in enclaves due to their importance.
• Domain Controller Default Ports: KB179442
– DNS TCP/UDP 53
– NTP TCP/UDP 123
– Kerberos TCP/UDP 88
– RPC TCP 135
– NetBIOS UDP 137-138, TCP 139
– File Sharing TCP 445
– kpasswd TCP/UDP 464
– http-rpc-epmap TCP 594
– Global Catalog TCP 3268
– RPC (Windows 2003/XP and older): TCP 1025-5000
– RPC (Windows 2008/Vista and newer): TCP 49152-65535
– Not Used in Field: UDP 500, TCP 636, TCP 3269, UDP 4500, UDP 5355, TCP 9389 (based on actual results, 2008 R2 at ICS site)
Sources:
- Service overview and network port requirements for Windows, http://support.microsoft.com/kb/832017.
- How to configure a firewall for domains and trusts, http://support.microsoft.com/kb/179442.
38. DC Through Firewall
• Registry changes can be applied to change dynamic ports to fixed, or specify smaller range.
• Set NTDS to 32901
• Set NTFRS to 32902
• Set NetLogon to 32903
• Set DFSR to 32904 (if used)
• Set WMI to 32905 (if used)
Sources:
- Restricting Active Directory RPC traffic to a specific port, http://support.microsoft.com/kb/224196.
- How to restrict FRS replication traffic to a specific static port, http://support.microsoft.com/kb/319553.
- Configuring DFSR to a Static Port, http://blogs.technet.com/b/askds/archive/2009/07/16/configuring-dfsr-to-a-static-port-the-rest-of-the-story.aspx.
- Setting Up a Fixed Port for WMI, http://msdn.microsoft.com/en-us/library/bb219447(v=vs.85).aspx.
- IANA ports 32897-33122 Unassigned, http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt.
39. DC Through Firewall
• KB154596: Configure RPC/DCOM range by Registry or dcomcnfg.exe
– TCP 45000-45999
– 1000 ports is sufficient for most applications.
• Used by all listening RPC services.
• Best effect on Win2003 and earlier OS as it moves away from 1025-5000.
Sources:
- How to configure RPC dynamic port allocation to work with firewalls, http://support.microsoft.com/kb/154596.
- IANA ports, http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt.
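An added PowerShell example (not from the original slides) that applies the static-port plan from slides 38 and 39 on a DC through the registry values documented in the cited KB articles (NTDS 32901, FRS 32902, Netlogon 32903, DFSR 32904 via dfsrdiag, RPC dynamic range 45000-45999), reads the values back for verification, and after the reboot lists any TCP listener still in the 2008+ dynamic range. The WMI fixed port from slide 38 is left to the cited MSDN article and not covered here.

```powershell
# Added example, not from the original slides. Run on each DC as administrator;
# a reboot is required before the services bind to the new ports.

$StaticPorts = @{
    NTDS     = 32901   # KB224196: ...\Services\NTDS\Parameters "TCP/IP Port"
    NTFRS    = 32902   # KB319553: ...\Services\NTFRS\Parameters "RPC TCP/IP Port Assignment"
    NetLogon = 32903   # ...\Services\Netlogon\Parameters "DCTcpipPort"
    DFSR     = 32904   # pinned with dfsrdiag StaticRPC, not through the registry
}
$RpcDynamicRange = '45000-45999'   # KB154596; slide 39: 1000 ports is sufficient

$RegistryPlan = @(
    @{ Label = 'NTDS';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters';     Name = 'TCP/IP Port';                Value = $StaticPorts.NTDS;     Type = 'DWord' }
    @{ Label = 'NTFRS';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters';    Name = 'RPC TCP/IP Port Assignment'; Value = $StaticPorts.NTFRS;    Type = 'DWord' }
    @{ Label = 'Netlogon'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name = 'DCTcpipPort';                Value = $StaticPorts.NetLogon; Type = 'DWord' }
    @{ Label = 'RPC';      Path = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'; Name = 'Ports';                  Value = @($RpcDynamicRange); Type = 'MultiString' }
    @{ Label = 'RPC';      Path = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'; Name = 'PortsInternetAvailable'; Value = 'Y';                 Type = 'String' }
    @{ Label = 'RPC';      Path = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'; Name = 'UseInternetPorts';       Value = 'Y';                 Type = 'String' }
)

function Set-DcStaticPorts {
    foreach ($e in $RegistryPlan) {
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value -Type $e.Type
    }
    # DFSR (only when SYSVOL uses DFSR) pins its RPC port through dfsrdiag.
    if (Get-Service -Name DFSR -ErrorAction SilentlyContinue) {
        dfsrdiag StaticRPC /port:$($StaticPorts.DFSR) /Member:$env:COMPUTERNAME
    }
    'Registry updated; reboot the DC for NTDS/FRS/Netlogon/RPC to rebind.'
}

# Read back what is configured so the firewall rules and the "after" picture on
# slide 41 can be checked against reality.
function Get-DcStaticPorts {
    foreach ($e in $RegistryPlan) {
        $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Setting  = "$($e.Label)\$($e.Name)"
            Expected = ($e.Value -join ',')
            Current  = ($current -join ',')
            Match    = (($current -join ',') -eq ($e.Value -join ','))
        }
    }
}

# After the reboot, confirm the listeners actually moved. Any listener left in
# the old dynamic range (49152-65535 on 2008+) still needs a firewall rule.
function Get-UnexpectedDynamicListeners {
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') {
            $port = [int]$Matches[1]
            if ($port -ge 49152 -and $port -le 65535) { $port }
        }
    } | Sort-Object -Unique
}

# Set-DcStaticPorts; Restart-Computer
# Get-DcStaticPorts | Format-Table -AutoSize; Get-UnexpectedDynamicListeners
```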
40. DC Through Firewall
• Before: RPC Range 49152-65535
41. DC Through Firewall
• After: Registry Hacks 32901-32905; RPC Range 45000-45999
42. Fine Grained Password Policies
Something for Everyone
43. Fine Grained Password Policies
• By default, there is only one domain password policy.
• Starting Windows 2008 domain functional level, different password policies can apply to different AD users.
– Set your Default: 12-char, 60-day expiry, never lockout.
• Defined by Default Domain Policy
– Admin Level: 20-char, 180-day expiry.
• Create and Assign to Group ‘Pass 20c 180d NoLock DL Group’
– Service Accts: 32-char, never auto-expire, never lockout.
• Create and Assign to Global Group ‘Pass 32c NoExpire NoLock DL Group’
• Implemented manually with ADSIedit in Windows 2008; Wizard-driven in 2012. Rely on SIEM to detect multiple logons.
Sources:
- Fine Grained Password Policies, Windows 2008, http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx.
44. Fine Grained Password Policies
Parameter | Admin Level Policy | Service Accounts
Common-Name | Passwd-20char-MaxAge180d-NoLockout | Passwd-32char-NoMaxAge-NoLockout
msDS-PasswordSettingsPrecedence (low number is higher precedence) | 8 | 5
msDS-PasswordReversibleEncryptionEnabled | False | False
msDS-PasswordHistoryLength | 20 | 32
msDS-PasswordComplexityEnabled | True | True
msDS-MinimumPasswordAge | “-864000000000” (9 zeros, 1 day) | “-864000000000” (9 zeros, 1 day)
msDS-MaximumPasswordAge | “-155520000000000” (10 zeros, 180 days) | “-9223372036854775808” (never expire)
msDS-LockoutThreshold | 0 | 0
msDS-LockoutObservationWindow | 0 | 0
msDS-LockoutDuration | 0 | 0
msDS-PSOAppliesTo | Windows Account: Pass 20c 180d NoLock DL Group | Windows Account: Pass 32c NoExpire NoLock DL Group
45. Fine Grained Password Policies
• ‘Pass 20c 180d NoLock DL Group’ members:
  – Administrators, Domain Admins, Backup Operators, Schema Admins, Enterprise Admins, Account Operators, Server Operators,
  – DCS Administrators, Network Admins,
  – Any other application-specific groups or user accounts with privilege to change the system.
• ‘Pass 32c NoExpire NoLock DL Group’ members:
  – Service Accounts
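Added example (not from the presentation): the script below computes the ADSIedit-ready msDS-* values of the table on slide 44 from the human-readable parameters, and resolves which PSO wins when an account sits in more than one of the groups listed on slide 45. The 100-ns encoding and the -2^63 "never expire" sentinel are standard AD; msDS-MinimumPasswordLength (the attribute behind "20-char"/"32-char") is not in the table, and the slide's group names stand in for the group DNs that msDS-PSOAppliesTo really holds.

```python
# Added example, not from the original presentation: PSO attribute values and precedence.
HUNDRED_NS_PER_DAY = 24 * 60 * 60 * 10_000_000  # 864_000_000_000: 9 zeros, as in the table
AD_NEVER = -(2 ** 63)                            # -9223372036854775808: never expire

def encode_age(days):
    """AD stores password ages as negative counts of 100-ns intervals;
    None means 'never expire' and maps to the -2^63 sentinel."""
    if days is None:
        return AD_NEVER
    return -days * HUNDRED_NS_PER_DAY

def decode_age(value):
    """Inverse of encode_age: whole days, or None for the sentinel."""
    if value == AD_NEVER:
        return None
    return -value // HUNDRED_NS_PER_DAY

def build_pso(name, precedence, min_length, max_age_days, history, applies_to):
    """Attribute set for one Password Settings Object. Lockout is disabled
    (threshold 0) for every policy on the slide, so the SIEM must catch logon abuse."""
    return {
        "cn": name,
        "msDS-PasswordSettingsPrecedence": precedence,
        "msDS-MinimumPasswordLength": min_length,  # attribute behind "20-char"/"32-char"
        "msDS-PasswordReversibleEncryptionEnabled": False,
        "msDS-PasswordHistoryLength": history,
        "msDS-PasswordComplexityEnabled": True,
        "msDS-MinimumPasswordAge": encode_age(1),
        "msDS-MaximumPasswordAge": encode_age(max_age_days),
        "msDS-LockoutThreshold": 0,
        "msDS-LockoutObservationWindow": 0,
        "msDS-LockoutDuration": 0,
        "msDS-PSOAppliesTo": list(applies_to),  # group names stand in for DNs here
    }

ADMIN_PSO = build_pso("Passwd-20char-MaxAge180d-NoLockout", 8, 20, 180, 20,
                      ["Pass 20c 180d NoLock DL Group"])
SERVICE_PSO = build_pso("Passwd-32char-NoMaxAge-NoLockout", 5, 32, None, 32,
                        ["Pass 32c NoExpire NoLock DL Group"])

def resultant_pso(member_of, psos=(ADMIN_PSO, SERVICE_PSO)):
    """Winning PSO for an account: lowest precedence number among PSOs whose
    msDS-PSOAppliesTo groups it is in; None means the Default Domain Policy applies."""
    hits = [p for p in psos if set(p["msDS-PSOAppliesTo"]) & set(member_of)]
    return min(hits, key=lambda p: p["msDS-PasswordSettingsPrecedence"], default=None)
```

A service account that is also placed in the admin group therefore gets the 32-char never-expire policy (precedence 5 beats 8), which is worth checking before adding accounts to both groups.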
47. AppLocker
• Poor man’s application white listing to ensure only specified executables, scripts, and installers run.
• It’s free, but:
  – No “learning mode” or management tools.
  – Weaker protections than commercial white listing solutions (e.g., against code injection, overflows)
• Use-cases: Windows 7 Ent, 2008 R2, and higher
  – Application inventory, unwanted software, standardization, change control, etc.
  – DMZ Hosts, Engineering Stations, Operator Stations
Sources:
-AppLocker Step-by-Step Guide, http://technet.microsoft.com/en-us/library/dd723686(v=ws.10).aspx.
48. AppLocker Base Policy
• Create group policy, link it to the specific OU where the test Computer will be located.
• Computer Policy > Windows > Security > Application Control Policies:
  – Executable Rules:
    • Allow BUILTIN\Administrators All Files
    • Allow Everyone All files in the Windows folder
      – Requires testing per site to determine what executables are used commonly.
  – Windows Installer Rules:
    • Allow BUILTIN\Administrators All Windows Installer files
  – Script Rules:
    • Allow BUILTIN\Administrators All Scripts
• Application Identity service Startup Mode: Auto
• Group Policy loopback processing mode: Replace
49. AppLocker Per-App Policy
1) Identify the application you want to run (e.g., Remote Desktop Connection)
2) Create Global Group (e.g., RDP Client Run) and add users.
3) Create GPO (e.g., RDP Client Run GPO), link to same OU as base AppLocker policy.
4) Modify GPO with Executable Rule allowing global group to access specified executables (e.g., mstsc.exe).
   a. Some applications may require multiple executables to function (will be confirmed during testing).
5) Logon as Test User > Execute > Check Logs > Tune GPO.
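Added example (not from the presentation) for step 5, "Check Logs > Tune GPO": it reads AppLocker "EXE and DLL" log events exported as JSON lines (a constructed sample stands in for a real Get-WinEvent export) and lists, per blocked executable, the users who hit it, which is exactly the input for the per-app Executable Rule and its global group. The event IDs are AppLocker's (8002 allowed, 8003 would have been blocked in audit mode, 8004 blocked); treating blocks from user-writable paths as "investigate, do not whitelist" is my assumption, matching the unwanted-software use case on slide 47.

```python
# Added example, not from the original presentation: triage of AppLocker block events
# into per-app rule candidates (constructed sample input; field names follow the
# AppLocker event data, here exported as JSON lines).
import json
from collections import defaultdict

ALLOWED, AUDIT_BLOCK, ENFORCED_BLOCK = 8002, 8003, 8004  # AppLocker event IDs

# Constructed sample: an engineering tool needing two executables (step 4a),
# one audit-mode hit by a second user, and an installer run from a user profile.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Id": 8002, "TargetUser": "ICS\\opr01", "FilePath": "%WINDIR%\\SYSTEM32\\NOTEPAD.EXE"},
    {"Id": 8004, "TargetUser": "ICS\\eng02", "FilePath": "%PROGRAMFILES%\\ENGTOOL\\ENGTOOL.EXE"},
    {"Id": 8004, "TargetUser": "ICS\\eng02", "FilePath": "%PROGRAMFILES%\\ENGTOOL\\HELPER.EXE"},
    {"Id": 8003, "TargetUser": "ICS\\eng03", "FilePath": "%PROGRAMFILES%\\ENGTOOL\\ENGTOOL.EXE"},
    {"Id": 8004, "TargetUser": "ICS\\opr01", "FilePath": "%OSDRIVE%\\USERS\\OPR01\\DOWNLOADS\\SETUP.EXE"},
])

# Assumption: blocks from user-writable locations are never turned into allow
# rules; they are the "unwanted software" case and stay blocked.
USER_WRITABLE_PREFIXES = ("%OSDRIVE%\\USERS\\", "%TEMP%\\")

def parse_events(text):
    """Yield (event_id, user, path) per JSON line, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            yield ev["Id"], ev["TargetUser"], ev["FilePath"].upper()

def triage(text):
    """Return (candidates, investigate). candidates maps each blocked executable
    outside user-writable paths to the sorted users who hit it: one Executable
    Rule per path in the per-app GPO, and those users in its global group.
    investigate lists blocks from user-writable paths. 8003 (audit) and 8004
    (enforced) are treated alike so an audit-mode rollout is tuned the same way."""
    candidates, investigate = defaultdict(set), []
    for event_id, user, path in parse_events(text):
        if event_id not in (AUDIT_BLOCK, ENFORCED_BLOCK):
            continue
        if path.startswith(USER_WRITABLE_PREFIXES):
            investigate.append((user, path))
        else:
            candidates[path].add(user)
    return {p: sorted(u) for p, u in candidates.items()}, investigate
```

Running `triage(SAMPLE_EVENTS)` shows ENGTOOL.EXE and HELPER.EXE both need rules in the one ENGTOOL GPO (the multiple-executable case of step 4a), while SETUP.EXE from the Downloads folder is left blocked.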
50. AppLocker
• With Loopback processing, only affects specified computers in the OU, and only users when they logon to that computer.
• One GPO and group per application. Once setup, just add users to the AD group as well as link GPO to OUs.
  – Will need AppLocker GPOs for antivirus, backup tools, etc.
• Ensures change control procedures are followed!
• When implemented by qualified personnel with testing discipline, will increase system performance, reliability, and security posture.
51. Questions
• Time Synchronization
• DNS
• AD Replication
• DC Maintenance
• Backup and Restore
• User and Group Guidelines
• ICS Group Policy
• Groups.xml Vulnerability
• DC Through Firewall
• Fine Grained Password Policies
• AppLocker
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
52. Thank You
• Donovan Tindill, Senior Security Consultant
• Email: http://tinyurl.com/DonovanAtHon; Please connect on LinkedIn and mention this conference.
• Credits: Connor, Liam, Roger J.