SECURITY ON THE CHEAP 
Practical Application Of Back to Basics Methods 
Joel Cardella GrrCon 2014
BIOGRAPHICAL INFO 
• Joel Cardella 
• 20 years in Information Technology .. Blah blah blah 
• Currently Regional Security Officer for multinational 
industrial manufacturing organization 
• Passionate evangelist of infosec 
• But none of this matters because basics is a common 
sense method
[Figure: hierarchy of security needs, after Maslow (Cindy Valladares, http://infospectives.me/2014/07/31/modifying-maslow-what-really-drives-your-infosec-needs-the-state-of-security/): levels labelled Other controls, Low, Medium, High, Critical. Caption: Basic security starts with foundations.]
[Figure: the same pyramid as it tends to be built in practice (Cindy Valladares, same source): Buy latest hyped product, Panic, Pray, Hope, Procrastinate. Caption: Unfortunately…]
• “…if your roof has leaks, you fix the leaks in the roof before you remodel the house, right?” 
• John Pescatore, SANS 
• http://www.techrepublic.com/blog/tech-decision-maker/it-security-fix-the-leaky-roof-before-remodeling-the-house/ 
WE ARE ALL SAYING THE SAME THING
BASICS FOCUS 
[Figure: the basics quadrant used as a marker on the slides that follow: Prevention, Detection, Response and Recovery arranged around Risk]
Basics does not address advanced threats!
WHAT RISK CAN WE CONTROL? 
None of these values is ever zero, but we should work toward zero 
THREATS X VULNERABILITIES X TIME = RISK 
• Threats: no control 
• Vulnerabilities: indirect control (vendor reliance) 
• Time: direct control (issuing patches & updates)
SECURITY BASICS 
• Security requires resources; you must invest to get a return 
• If you don’t invest the resources, you will increase the vulnerability 
and likelihood, and thus the risk 
• If you can’t invest money, then you invest time 
• NOW: How do we do this cheaply?
INVESTMENT DIRECTION
WHAT ARE YOUR STANDARDS? 
• Critical Security Controls (SANS 20) 
• Australian Defence Signals Directorate (DSD)
CSC FIRST FIVE QUICK WINS 
• For those wanting a highly focused and direct starting point, we have emphasized the “First Five Quick Wins”: sub-controls that have the most immediate impact on preventing attacks. These actions are specially noted in the Controls listings, and consist of: 
• 1. Application whitelisting (found in CSC 2 / DSD 1); 
• 2. Use of standard, secure system configurations (found in CSC 3); 
• 3. Patch application software within 48 hours (found in CSC 4 / DSD 2); 
• 4. Patch system software within 48 hours (found in CSC 4 / DSD 3); and 
• 5. Reduced number of users with administrative privileges (found in CSC 3 and CSC 12 / DSD 4).
THE FIRST FIVE 
Columns: Mitigation strategy | Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Helps mitigate intrusion stage 2: network propagation | Helps mitigate intrusion stage 3: data exfiltration 

Mitigation strategy                              | Effectiveness | User resistance | Upfront cost | Maintenance cost | Detects intrusions | Stage 1: code execution | Stage 2: network propagation | Stage 3: data exfiltration 
Application whitelisting                         | Essential     | Medium          | High         | Medium           | Yes                | Yes                     | Yes                          | Yes 
Standard configurations                          | Essential     | Low             | Medium       | Medium           | Possible           | Yes                     | Yes                          | Yes 
Patch applications < 48 hrs                      | Essential     | Low             | High         | High             | No                 | Yes                     | Possible                     | No 
Patch operating system vulnerabilities < 48 hrs  | Essential     | Low             | Medium       | Medium           | No                 | Yes                     | Possible                     | No 
Restrict administrative privileges               | Essential     | Medium          | Medium       | Low              | No                 | Possible                | Yes                          | No 
Pareto Principle – 20% of our focus can address 80% of our risk 
Focusing on these 5 will address 80% of your risk – Australian DSD
QUICK WINS DEEP DIVE 
• Assess = PLAN 
• Focus = DO 
• Measure = CHECK 
• Remediate = ACT
73 QUICK WINS 
[Chart: the 73 quick wins plotted per control, CSC 1 through CSC 20 (which count belongs to which control was lost in extraction). Every one of the 20 controls has at least one quick win; 17 have two or more, 12 three or more, 9 four or more, 6 five or more, 4 six or more, 3 seven or more, and a single control has eight and nine.]
Assess to the level of your risk appetite … your green may not be someone else’s green
TOOLS
CAVEAT EMPTOR 
• I will not discuss a tool in context of use unless: 
• I have used it myself and found it to be effective 
• It is being used effectively by a peer whom I trust 
• I am going to focus on Windows systems as being higher risk than others, mostly due to 
proliferation and ubiquity
CHEAP <> FREE 
• Cheap is not permanent, it is a bridge 
• Cheap is relative 
• Included with other stuff (like an EA) 
• Low cost for an enterprise 
• Open source / FOSS 
• Cheap is more expensive in terms of time when used to cut corners
TOOLS FOR CONTROLS 
• CSC 1 - NMAP 
• CSC 2 – SCCM 
• Whitelisting can be implemented using commercial whitelisting tools or application 
execution tools that come with anti-virus suites and with Windows (Applocker). 
• CSC 3 – SCCM (for distribution) 
• Lansweeper: unlimited assets scanned at your interval, kept in a historical database, for $1995
CSC 3 – SECURE CONFIGURATIONS 
• Establish and ensure the use of standard secure configurations of your operating 
systems. 
• Standardized images should represent hardened versions of the underlying operating 
system and the applications installed on the system. 
• Hardening typically includes: removal of unnecessary accounts (including service 
accounts), disabling or removal of unnecessary services, configuring non-executable 
stacks and heaps, applying patches, closing open and unused network ports, 
implementing intrusion detection systems and/or intrusion prevention systems, and use of 
host-based firewalls. 
• These images should be validated and refreshed on a regular basis to update their 
security configuration in light of recent vulnerabilities and attack vectors. 
DO YOUR RESEARCH! 
A simple Google search returns many articles on hardening Windows
HARDENING EXAMPLES 
• Uninstall Adobe Reader 
• Remove Java, or set your browser settings to “Click To Play Plugins” 
• Remove unnecessary services - http://www.blackviper.com/windows-services/ 
• EMET - http://support.microsoft.com/kb/2458544 
http://www.insanitybit.com/2013/03/27/windows-hardening-guide/ 
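The Measure/CHECK step for the items above can be scripted. The following PowerShell is an added example, not code from the talk or from any tool it names: it reads the Uninstall registry keys for Adobe Reader, Java and EMET and checks a list of services against Win32_Service. The service names in $UnwantedServices and the assumption that EMET registers with a DisplayName starting with "EMET" are mine; take the real service list from your own baseline.

```powershell
# Added example (not from the talk): spot-check a Windows host against the
# hardening items above. Assumes Windows PowerShell 3+ and read access to HKLM.
function Get-HardeningFindings {
    param(
        # Products the hardening list says to remove; substring-matched against
        # DisplayName, so expect the odd false positive (e.g. a "Java" SDK)
        [string[]]$UnwantedSoftware = @('Adobe Reader', 'Java'),
        # Services considered unnecessary on this build (assumption: supply
        # your own list, e.g. from the blackviper reference above)
        [string[]]$UnwantedServices = @('RemoteRegistry', 'Fax')
    )

    # Both native and WOW6432Node uninstall hives, so 32-bit apps on x64 are seen
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName })

    foreach ($name in $UnwantedSoftware) {
        foreach ($app in @($installed | Where-Object { $_.DisplayName -like "*$name*" })) {
            [pscustomobject]@{
                Check = 'Unwanted software installed'
                Item  = $app.DisplayName
                State = $app.DisplayVersion
            }
        }
    }

    foreach ($svc in $UnwantedServices) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) on every
        # supported Windows version, unlike Get-Service on older PowerShell
        $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
        if ($s -and $s.StartMode -ne 'Disabled') {
            [pscustomobject]@{
                Check = 'Unnecessary service not disabled'
                Item  = $s.Name
                State = "$($s.State) / $($s.StartMode)"
            }
        }
    }

    # EMET registers as an installed product (assumed DisplayName prefix "EMET");
    # its absence is reported as a finding because the list above asks for it
    if (-not ($installed | Where-Object { $_.DisplayName -like 'EMET*' })) {
        [pscustomobject]@{ Check = 'EMET not installed'; Item = 'EMET'; State = 'missing' }
    }
}

# Usage: an empty result means none of the checked items was found on this host
Get-HardeningFindings | Format-Table -AutoSize
```

Run it per host from SCCM or a scheduled task and collect the objects centrally; the point is a repeatable check of the standard image, not a one-off look.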
CSC 12 – CONTROLLED USE OF ADMIN 
• In Active Directory, restrict the membership of 
• Enterprise Admins 
• Schema Admins 
• These are the two most powerful security groups in AD 
• Do NOT allow your admins to have accounts idling in these groups – they can add & 
remove as needed 
CSC 12 – CONTROLLED USE OF ADMIN 
• Look at the membership of Domain Admins and Domain Workstation Admins 
• Create separate accounts for admins, a regular user and an admin account 
• Don’t name the admin account admin<USERNAME> 
• Make it distinct but not obvious 
• Enforce 2nd factor on admin logins? 
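One way to "look at the membership" of the groups named on the two CSC 12 slides above, as an added PowerShell example (mine, not the talk's or PoshSec's). It assumes the RSAT ActiveDirectory module, read access to the domain and a single-domain forest, so that Enterprise Admins and Schema Admins are reachable from the current domain; the 30-day idle threshold and the "^admin" naming check are assumptions taken from the advice on the slides.

```powershell
# Added example (not from the talk): report on the privileged AD groups named
# above. Assumes the RSAT ActiveDirectory module, read access to the domain and
# a single-domain forest (Enterprise/Schema Admins live in the forest root).
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        # Groups the talk says should not hold standing members
        [string[]]$ShouldBeEmpty = @('Enterprise Admins', 'Schema Admins'),
        # Groups whose membership should be small and actively used
        [string[]]$ReviewGroups = @('Domain Admins'),
        # Days without a logon after which a privileged account counts as idle.
        # LastLogonDate derives from lastLogonTimestamp, which replicates lazily
        # (up to about 14 days), so keep this window longer than that.
        [int]$StaleDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    foreach ($group in ($ShouldBeEmpty + $ReviewGroups)) {
        # -Recursive expands nested groups so indirectly privileged users are seen
        $members = @(Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' })

        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate

            # Any member of a should-be-empty group is a finding; elsewhere an
            # account with no recent logon is "idling" in the group, and a
            # predictable name (admin<USERNAME>) is flagged per the slide above
            $finding = ''
            if ($ShouldBeEmpty -contains $group) {
                $finding = 'Standing member of a group that should be empty'
            }
            elseif ((-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)) {
                $finding = "No logon in $StaleDays days"
            }
            elseif ($u.SamAccountName -match '^admin') {
                $finding = 'Predictable admin account name'
            }

            [pscustomobject]@{
                Group          = $group
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                LastLogonDate  = $u.LastLogonDate
                Finding        = $finding
            }
        }
    }
}

# Usage: findings sort to the top; an empty Finding column is the goal
Get-PrivilegedGroupReport | Sort-Object Finding -Descending | Format-Table -AutoSize
```

Scheduling this as part of the AD review on the governance calendar turns the slide's advice into a recurring check with a paper trail, which is what the change-management questions later in the deck ask for.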
FURTHER SHRINK THE ATTACK SURFACE
PREVENT BRUTE FORCING 
• Winfail2ban (Fail2ban for *NIX) 
• Scans log files like FTP Logs or Event Viewer and bans IP that make too many password 
failures 
• http://winfail2ban.sourceforge.net/ 
• For webapps, don’t fail password attempts in a predictable way 
• For example, most Web sites return an "HTTP 401 error" code with a password failure, 
although some web sites instead return an "HTTP 200 SUCCESS" code but direct the 
user to a page explaining the failed password attempt. 
• Vary the behaviors to fool automation 
• https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks 
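The logic Winfail2ban applies to a log file, as an added PowerShell example (mine, not Winfail2ban's code): count password failures per source address and report any address with five failures inside a ten-minute sliding window. The log lines are constructed for the example in a simplified FTP-log shape (timestamp, client IP, command, reply code, with 530 as the "not logged in" reply); the regex is the part to adapt to a real source such as IIS FTP logs or Event ID 4625 records from Get-WinEvent.

```powershell
# Added example (not Winfail2ban's code): fail2ban-style detection of password
# brute forcing over log lines. The sample log is constructed for this example.
$sampleLog = @'
2014-10-16 09:00:01 198.51.100.7 PASS 530
2014-10-16 09:00:03 198.51.100.7 PASS 530
2014-10-16 09:00:04 203.0.113.9 PASS 230
2014-10-16 09:00:06 198.51.100.7 PASS 530
2014-10-16 09:00:09 198.51.100.7 PASS 530
2014-10-16 09:00:11 198.51.100.7 PASS 530
2014-10-16 09:15:00 203.0.113.9 PASS 530
2014-10-16 09:40:00 203.0.113.9 PASS 530
2014-10-16 10:05:00 203.0.113.9 PASS 530
2014-10-16 10:30:00 203.0.113.9 PASS 530
2014-10-16 10:55:00 203.0.113.9 PASS 530
'@

function Find-BruteForceSources {
    param(
        [string[]]$Lines,
        [int]$MaxFailures = 5,      # failures tolerated ...
        [int]$WindowSeconds = 600   # ... within this many seconds before reporting
    )
    # Only lines with the 530 reply count as a failure; adapt this to your log format
    $pattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?<ip>\d{1,3}(?:\.\d{1,3}){3}) PASS 530$'
    $failures = @{}

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $ts = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss',
                                         [System.Globalization.CultureInfo]::InvariantCulture)
            if (-not $failures.ContainsKey($Matches['ip'])) { $failures[$Matches['ip']] = @() }
            $failures[$Matches['ip']] += $ts
        }
    }

    foreach ($ip in $failures.Keys) {
        $times = @($failures[$ip] | Sort-Object)
        # Sliding window: report once if any $MaxFailures consecutive failures
        # fall within $WindowSeconds; slow, spread-out failures are not reported
        for ($i = 0; ($i + $MaxFailures - 1) -lt $times.Count; $i++) {
            $last = $i + $MaxFailures - 1
            if (($times[$last] - $times[$i]).TotalSeconds -le $WindowSeconds) {
                [pscustomobject]@{
                    IP          = $ip
                    Failures    = $times.Count
                    WindowStart = $times[$i]
                    WindowEnd   = $times[$last]
                }
                break
            }
        }
    }
}

# Usage: a banning step would take each reported IP and add an inbound block,
# e.g. New-NetFirewallRule -DisplayName "ban $ip" -Direction Inbound -RemoteAddress $ip -Action Block
$sources = Find-BruteForceSources -Lines ($sampleLog -split "`r?`n")
$sources | Format-Table -AutoSize
```

The sample input is built so that 198.51.100.7 fails five times in ten seconds while 203.0.113.9 spreads its five failures over a hundred minutes; the window parameter is what separates the two, and a window set too wide starts banning legitimate users who mistype a few times a day.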
EASY 2ND FACTOR 
• Duo Security has an enterprise plan for $3/user/month 
• Got a small team? Up to 10 users are free 
• https://www.duosecurity.com/ 
• Google authenticator for web apps which use OAUTH tokenization 
• Authy – http://www.authy.com 
• Microsoft Phone Factor - http://azure.microsoft.com/en-us/services/multi-factor-authentication/ 
THREAT MODELING FOR INCIDENT RESPONSE 
• Not just for web apps! Threat modeling can be used for incident response & planning 
• 3 parts 
1. Establish attack path 
2. Table top exercise to identify controls 
3. Create a security exercise that tests the controls along the path 
• http://www.irongeek.com/i.php?page=videos/circlecitycon2014/117-how-to-create-an-attack-path-threat-model-wolfgang-goerlich 
MORE USEFUL TOOLS
POWERSHELL SCRIPTS 
• Poshsec project 
• 63 cmdlets/functions in the PoshSec module 
• Account Monitoring & Control 
• Authorized Devices 
• Forensics 
• Log Management 
• Network Baseline 
• Software Management 
• Utility Functions 
• http://www.powershellmagazine.com/2014/07/10/introduction-to-poshsec/ 
NETWORK FORENSICS 
• Wireshark 
• Open source multi-platform network protocol analyzer 
• Hard to learn, easy to use 
• Then after a while, easy to use once your use cases are established 
• Time sink but it’s time well spent 
• https://www.wireshark.org/ 
PASSWORD CRACKING 
• Cain & Abel 
• It can recover passwords by 
• sniffing the network, 
• cracking encrypted passwords using dictionary, brute-force and cryptanalysis 
attacks, 
• recording VoIP conversations, 
• decoding scrambled passwords, 
• revealing password boxes, 
• uncovering cached passwords and 
• analyzing routing protocols. 
• http://www.oxid.it/cain.html 
• Wordlists: http://hashcrack.blogspot.com/p/wordlist-downloads_29.html 
POLICY & GOVERNANCE
OFT OVERLOOKED 
• Don’t underestimate the power of governance and policy 
• They can not only help you manage your security workload, they can be used in legal 
defense
CHANGE MANAGEMENT 
• Who approves your security changes? 
• Is this documented and reviewed periodically? 
• Who reviews your security changes for accuracy? 
• Who follows up to verify the changes are still accurate? 
• Document reasons for changes, approvals and mitigations 
• ARE YOU SURE? 
ESTABLISH A GOVERNANCE CALENDAR 
• The calendar contains your regular cadence of review activity 
• You can script reminders to the entities responsible for the 
review 
• SharePoint 
• Google scripts (Google calendar) 
• Internal calendaring software X 
• Work this activity into your existing processes so they get 
prioritized 
• Time box those activities! 
• Get SLAs/SLOs for teams on which you rely to perform 
these activities
SAMPLE GOVERNANCE CALENDAR 
[Figure: sample governance calendar laid out by quarter (Q1 to Q4) and month (Jan to Dec); which month each activity falls in was lost in extraction. Activities shown: DR Testing (once), Recon (twice), Backup testing (three times), AD review (three times), Mid year audit (once), Operations Security Data Center Audit (once).]
WHAT IS THE WEAKEST LINK?
SOCIAL VECTORS 
• This is the cheapest thing you can address which has the best ROI 
• TALK TO YOUR USERS! 
• Don’t lecture 
• Don’t debate 
• Give them usable information 
• Ex: with the busiest shopping day of the year coming up, create a newsletter or 
workshop that shows how to buy a PC – and subtly include how to secure it 
A WORD ON RECOVERY 
• There is no “cheap” data recovery option or configuration 
• Backups must be maintained, tested and verified 
• Backups are a critical security strategy, but not focused on in the CSC or DSD
These are ideas, pick and choose and twist and tinker and make it work for you
TOOLS & REFERENCES LIST 
• http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site 
• http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx - AD rights delegation 
• http://sectools.org/ - List of pay and free network tools 
• http://www.poshsec.com/ - Powershell scripts that support the 20 CSC 
• http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD Top 35 
• http://www.counciloncybersecurity.com - Council on Cybersecurity 
• http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective threat modeling 
• http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry - Brian Krebs’s op-ed on the Target breach and some of the false pretense
THANK YOU 
• GrrCon staff, especially EggDropX and 
P1nkN1ghtmare for making it happen 
• #misec for being an awesome community 
• You, for listening and turning your attention to 
the basics
CONTACT INFO 
• Twitter: @JoelConverses 
• Email: jscardella@pobox.com 
• IRC: FreeNODE #misec (joel_s_c) 
• Info about misec: www.michsec.org
BSIDES DETROIT 2015: Data breaches cost of doing business
 
TACOM 2014: Back To Basics
TACOM 2014: Back To BasicsTACOM 2014: Back To Basics
TACOM 2014: Back To Basics
 
WCC 2014: Globalization and cloud services for the enterprise
WCC 2014: Globalization and cloud services for the enterpriseWCC 2014: Globalization and cloud services for the enterprise
WCC 2014: Globalization and cloud services for the enterprise
 
GRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of usersGRRCON 2013: Imparting security awareness to all levels of users
GRRCON 2013: Imparting security awareness to all levels of users
 
WCC 2013: The internet of everything
WCC 2013: The internet of everythingWCC 2013: The internet of everything
WCC 2013: The internet of everything
 
WCC 2012: General security introduction for non-security students
WCC 2012: General security introduction for non-security studentsWCC 2012: General security introduction for non-security students
WCC 2012: General security introduction for non-security students
 
2nd FACTOR: The Story of Mat Honan
2nd FACTOR: The Story of Mat Honan2nd FACTOR: The Story of Mat Honan
2nd FACTOR: The Story of Mat Honan
 
INFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics securityINFRAGARD 2014: Back to basics security
INFRAGARD 2014: Back to basics security
 

Recently uploaded

Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
VivekSinghShekhawat2
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 

Recently uploaded (20)

Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 

GrrCon 2014: Security On the Cheap

  • 1. SECURITY ON THE CHEAP Practical Application Of Back to Basics Methods Joel Cardella GrrCon 2014
  • 2. BIOGRAPHICAL INFO • Joel Cardella • 20 years in Information Technology .. Blah blah blah • Currently Regional Security Officer for multinational industrial manufacturing organization • Passionate evangelist of infosec • But none of this matters because basics is a common sense method
  • 3.
  • 6.
  • 7. • “…if your roof has leaks, you fix the leaks in the roof before you remodel the house, right ?” • John Pescatore, SANS • http://www.techrepublic.com/blog/tech-decision-maker/it-security-fix-the-leaky-roof-before-remodeling-the-house/ WE ARE ALL SAYING THE SAME THING
  • 8. BASICS FOCUS Prevention Detection Risk Response Recovery Basics does not address advanced threats!
  • 9. WHAT RISK CAN WE CONTROL? THREATS X VULNERABILITIES X TIME = RISK • None of these values is ever zero, but we should work toward zero • Degree of control shown under the factors: No control; Indirect Control (vendor reliance); Direct Control; Direct Control (issuing patches & updates)
  • 10. SECURITY BASICS • Security requires resources; you must invest to get a return • If you don’t invest the resources, you will increase the vulnerability and likelihood, and thus the risk • If you can’t invest money, then you invest time • NOW: How do we do this cheaply?
  • 12. WHAT ARE YOUR STANDARDS? • Critical Security Controls (SANS 20) • Australian Defence Signals Directorate (DSD)
  • 13. CSC FIRST FIVE QUICK WINS • For those wanting a highly focused and direct starting point, we have emphasized the “First Five Quick Wins”: sub-controls that have the most immediate impact on preventing attacks. These actions are specially noted in the Controls listings, and consist of: • 1. Application whitelisting (found in CSC 2 / DSD 1); • 2. Use of standard, secure system configurations (found in CSC 3); • 3. Patch application software within 48 hours (found in CSC 4 / DSD 2); • 4. Patch system software within 48 hours (found in CSC 4 / DSD 3); and • 5. Reduced number of users with administrative privileges (found in CSC 3 and CSC 12 / DSD 4).
  • 14. THE FIRST FIVE
    Columns: Overall security effectiveness | User resistance | Upfront cost (staff, equipment, technical complexity) | Maintenance cost (mainly staff) | Helps detect intrusions | Helps mitigate intrusion stage 1: code execution | Stage 2: network propagation | Stage 3: data exfiltration

    Mitigation strategy                             | Effectiveness | User resistance | Upfront cost | Maintenance cost | Detects intrusions | Stage 1 | Stage 2  | Stage 3
    Application whitelisting                        | Essential     | Medium          | High         | Medium           | Yes                | Yes     | Yes      | Yes
    Standard configurations                         | Essential     | Low             | Medium       | Medium           | Possible           | Yes     | Yes      | Yes
    Patch applications < 48 hrs                     | Essential     | Low             | High         | High             | No                 | Yes     | Possible | No
    Patch operating system vulnerabilities < 48 hrs | Essential     | Low             | Medium       | Medium           | No                 | Yes     | Possible | No
    Restrict administrative privileges              | Essential     | Medium          | Medium       | Low              | No                 | Possible| Yes      | No

    Pareto Principle – 20% of our focus can address 80% of our risk. Focusing on these 5 will address 80% of your risk – Australian DSD
  • 15. FIRST FIVE QUICK WINS • For those wanting a highly focused and direct starting point, we have emphasized the “First Five Quick Wins”: sub-controls that have the most immediate impact on preventing attacks. These actions are specially noted in the Controls listings, and consist of: • 1. Application whitelisting (found in CSC 2 / DSD 1); • 2. Use of standard, secure system configurations (found in CSC 3); • 3. Patch application software within 48 hours (found in CSC 4 / DSD 2); • 4. Patch system software within 48 hours (found in CSC 4 / DSD 3); and • 5. Reduced number of users with administrative privileges (found in CSC 3 and CSC 12 / DSD 4).
  • 16.
  • 17. QUICK WINS DEEP DIVE • Assess PLAN • Focus DO • Measure CHECK • Remediate ACT
  • 18. 73 QUICK WINS [chart: count of quick wins per control, CSC 1 through CSC 20, 73 in total] Assess to the level of your risk appetite … your green may not be someone else’s green
  • 19. TOOLS
  • 20. CAVEAT EMPTOR • I will not discuss a tool in context of use unless: • I have used it myself and found it to be effective • It is being used effectively by a peer whom I trust • I am going to focus on Windows systems as being higher risk than others, mostly due to proliferation and ubiquity
  • 21. CHEAP <> FREE • Cheap is not permanent, it is a bridge • Cheap is relative • Included with other stuff (like an EA) • Low cost for an enterprise • Open source / FOSS • Cheap is more expensive in terms of time when used to cut corners
  • 22. TOOLS FOR CONTROLS • CSC 1 - NMAP • CSC 2 – SCCM • Whitelisting can be implemented using commercial whitelisting tools or application execution tools that come with anti-virus suites and with Windows (Applocker). • CSC 3 – SCCM (for distribution) Lansweeper Unlimited assets scanned at your interval, kept in a historical database for $1995 Prevention Detection Risk Response Recovery
  • 23. CSC 3 – SECURE CONFIGURATIONS • Establish and ensure the use of standard secure configurations of your operating systems. • Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. • Hardening typically includes: removal of unnecessary accounts (including service accounts), disabling or removal of unnecessary services, configuring non-executable stacks and heaps, applying patches, closing open and unused network ports, implementing intrusion detection systems and/or intrusion prevention systems, and use of host-based firewalls. • These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors. Prevention Detection Risk Response Recovery
  • 24. DO YOUR RESEARCH! A simple Google search returns many articles on hardening Windows Prevention Detection Risk Response Recovery
  • 25. HARDENING EXAMPLES • Uninstall Adobe Reader • Remove Java, or set your browser settings to “Click To Play Plugins” • Remove unnecessary services - http://www.blackviper.com/windows-services/ • EMET - http://support.microsoft.com/kb/2458544 http://www.insanitybit.com/2013/03/27/windows-hardening-guide/ Prevention Detection Risk Response Recovery
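The hardening slides say standard images must be validated and refreshed regularly, which in practice means checking hosts for drift from the baseline. The PowerShell below is an added example written for this page (not from the deck and not from any tool it names): it compares a host's service start types with a small hardening baseline and reports every deviation. The baseline entries (RemoteRegistry, SSDPSRV, WinRM, EventLog, MpsSvc) and the offline sample snapshot are constructed assumptions chosen to illustrate the check, not a recommended list; reading `StartType` from `Get-Service` output needs Windows PowerShell 5.0 or later.

```powershell
# Added example for this page (not from the deck): report drift between a host's
# service start types and a hardening baseline. Baseline entries are constructed
# assumptions for illustration, not a recommended list.
$Baseline = @{
    'RemoteRegistry' = 'Disabled'    # remote registry access rarely needed on workstations
    'SSDPSRV'        = 'Disabled'    # SSDP discovery: unnecessary on most managed images
    'WinRM'          = 'Manual'      # keep available for management, not always-on
    'EventLog'       = 'Automatic'   # logging must stay on for detection
    'MpsSvc'         = 'Automatic'   # Windows Firewall service (host-based firewall)
}

function Get-ServiceSnapshot {
    # Live collector: service name -> start type. Needs Windows PowerShell 5.0+ for StartType.
    $snap = @{}
    foreach ($svc in Get-Service -ErrorAction SilentlyContinue) {
        $snap[$svc.Name] = [string]$svc.StartType
    }
    return $snap
}

function Compare-ServiceBaseline {
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][hashtable]$Snapshot
    )
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$name]
        $actual   = if ($Snapshot.ContainsKey($name)) { $Snapshot[$name] } else { 'NotInstalled' }
        # A service we want disabled that is not installed at all is acceptable;
        # any other difference is drift from the image.
        $compliant = ($actual -eq $expected) -or
                     ($expected -eq 'Disabled' -and $actual -eq 'NotInstalled')
        [pscustomobject]@{
            Service   = $name
            Expected  = $expected
            Actual    = $actual
            Compliant = $compliant
        }
    }
}

# Constructed snapshot so the check runs without touching a live host;
# replace it with (Get-ServiceSnapshot) to audit the machine you are on.
$sampleSnapshot = @{
    'RemoteRegistry' = 'Automatic'   # drift: someone re-enabled it
    'WinRM'          = 'Manual'
    'EventLog'       = 'Automatic'
    'MpsSvc'         = 'Disabled'    # drift: firewall service turned off
    # SSDPSRV absent: acceptable, because the baseline wants it disabled anyway
}

$report = Compare-ServiceBaseline -Baseline $Baseline -Snapshot $sampleSnapshot
$report | Format-Table -AutoSize
# Drift rows are what you either fix on the host or, if the change was approved
# (see the change-management slides), fold back into the standard image.
$report | Where-Object { -not $_.Compliant } | Select-Object Service, Expected, Actual
```

Run against the sample, RemoteRegistry and MpsSvc come back non-compliant and SSDPSRV passes because an absent service satisfies a "Disabled" entry. Scheduling the live collector and diffing the report over time is the cheap way to catch configuration creep between image refreshes.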
  • 26. CSC 12 – CONTROLLED USE OF ADMIN • In Active Directory, restrict the membership of • Enterprise Admins • Schema Admins • These are the two most powerful security groups in AD • Do NOT allow your admins to have accounts idling in these groups – they can add & remove as needed Prevention Detection Risk Response Recovery
  • 27. CSC 12 – CONTROLLED USE OF ADMIN • Look at the membership of Domain Admins and Domain Workstation Admins • Create separate accounts for admins, a regular user and an admin account • Don’t name the admin account admin<USERNAME> • Make it distinct but not obvious • Enforce 2nd factor on admin logins? Prevention Detection Risk Response Recovery
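Checking group membership by hand in the AD console does not scale past the first review, so here is an added PowerShell example for the CSC 12 slides above (written for this page, not part of the deck or of the PoshSec project): it compares the members of Enterprise Admins, Schema Admins and Domain Admins with an approved list and also flags admin accounts whose names follow the predictable `admin<USERNAME>` pattern the deck warns against. The group names are the real built-in groups; the approved names, the sample membership and the regular expression are constructed assumptions. The live collector needs the RSAT ActiveDirectory module on a domain-joined host; the offline run below does not.

```powershell
# Added example for this page (not from the deck): audit the top-tier AD groups
# against an approved-member list and flag predictable admin account names.
# Group names are the real built-in groups; approved names are constructed placeholders.
$Approved = @{
    'Enterprise Admins' = @()                              # steady state: empty
    'Schema Admins'     = @()                              # steady state: empty
    'Domain Admins'     = @('da-example1', 'da-example2')  # placeholders for your approved admins
}

function Get-PrivilegedGroupMembers {
    # Live collector: needs the RSAT ActiveDirectory module on a domain-joined host.
    param([Parameter(Mandatory)][string[]]$Groups)
    Import-Module ActiveDirectory -ErrorAction Stop
    $members = @{}
    foreach ($group in $Groups) {
        $members[$group] = @(Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName)
    }
    return $members
}

function Get-PrivilegedGroupFindings {
    param(
        [Parameter(Mandatory)][hashtable]$Approved,   # group -> approved SamAccountNames
        [Parameter(Mandatory)][hashtable]$Members     # group -> current SamAccountNames
    )
    foreach ($group in ($Approved.Keys | Sort-Object)) {
        if (-not $Members.ContainsKey($group)) { continue }
        foreach ($sam in @($Members[$group])) {
            $onList = $Approved[$group] -contains $sam
            # The deck advises against admin<USERNAME>-style names; flag the obvious pattern
            # (assumed regex), but not the built-in Administrator account itself.
            $obvious = ($sam -match '^admin') -and ($sam -ne 'Administrator')
            if (-not $onList -or $obvious) {
                [pscustomobject]@{
                    Group           = $group
                    Account         = $sam
                    OnApprovedList  = $onList
                    PredictableName = $obvious
                }
            }
        }
    }
}

# Constructed membership so the audit runs offline; use
# (Get-PrivilegedGroupMembers -Groups $Approved.Keys) against a real domain.
$sampleMembers = @{
    'Enterprise Admins' = @('jsmith')                     # account left idling in a top-tier group
    'Schema Admins'     = @()
    'Domain Admins'     = @('da-example1', 'admin-jdoe')  # second one: obvious name and not approved
}

Get-PrivilegedGroupFindings -Approved $Approved -Members $sampleMembers | Format-Table -AutoSize
# Findings on the sample: jsmith (Enterprise Admins, not on the list) and admin-jdoe
# (Domain Admins, not on the list and a predictable name). Put this on the governance
# calendar and diff each run against the previous one.
```

Because the top-tier groups are expected to be empty between uses, any member at all in Enterprise Admins or Schema Admins is a finding, which matches the deck's "add & remove as needed" rule. The approved list for Domain Admins is the thing to review periodically, not the script.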
  • 28. FURTHER SHRINK THE ATTACK SURFACE
  • 29. PREVENT BRUTE FORCING • Winfail2ban (Fail2ban for *NIX) • Scans log files like FTP Logs or Event Viewer and bans IPs that make too many password failures • http://winfail2ban.sourceforge.net/ • For webapps, don’t fail password attempts in a predictable way • For example, most Web sites return an "HTTP 401 error" code with a password failure, although some web sites instead return an "HTTP 200 SUCCESS" code but direct the user to a page explaining the failed password attempt. • Vary the behaviors to fool automation • https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks Prevention Detection Risk Response Recovery
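The Fail2ban idea the slide describes (count password failures per source, ban the noisy ones) is small enough to show end to end. The PowerShell below is an added example for this page, not the deck's material and not Winfail2ban's code: it groups failed logons by source address, reports any address that produces `MaxFailures` failures inside a sliding `WindowSeconds` window, skips an allow list of management hosts so you cannot lock yourself out, and offers a ban step that adds an inbound Windows Firewall block rule. The failed-logon records in the sample are constructed (addresses from the documentation ranges); the live collector reads Security event 4625 with `Get-WinEvent`, and the threshold, window and allow list are assumptions to tune for your environment.

```powershell
# Added example for this page (not from the deck and not Winfail2ban's code): the
# Fail2ban idea in PowerShell. Failed logons are grouped by source address and a
# source is reported when it produces MaxFailures failures inside WindowSeconds.
function Find-BruteForceSources {
    param(
        [Parameter(Mandatory)][object[]]$Failures,   # objects with Time (datetime) and Ip (string)
        [int]$MaxFailures   = 5,
        [int]$WindowSeconds = 600,
        [string[]]$AllowList = @()                   # management hosts you must never lock out
    )
    $Failures |
        Where-Object { $_.Ip -and $_.Ip -ne '-' -and ($AllowList -notcontains $_.Ip) } |
        Group-Object -Property Ip |
        ForEach-Object {
            $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
            $tripped = $false
            # Sliding window: any MaxFailures consecutive failures inside the window trips it.
            for ($i = 0; ($i + $MaxFailures - 1) -lt $times.Count; $i++) {
                $span = $times[$i + $MaxFailures - 1] - $times[$i]
                if ($span.TotalSeconds -le $WindowSeconds) { $tripped = $true; break }
            }
            if ($tripped) {
                [pscustomobject]@{ Ip = $_.Name; Failures = $times.Count; First = $times[0]; Last = $times[-1] }
            }
        }
}

function Get-FailedLogonEvents {
    # Live collector: Security event 4625 (failed logon) from the last N minutes.
    param([int]$Minutes = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $ip  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            [pscustomobject]@{ Time = $_.TimeCreated; Ip = $ip }
        }
}

function Block-SourceAddress {
    # Ban step: one inbound block rule per offending address. Supports -WhatIf; pair it
    # with a scheduled Remove-NetFirewallRule so bans expire, as Fail2ban's bantime does.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Ip)
    if ($PSCmdlet.ShouldProcess($Ip, 'Add inbound firewall block rule')) {
        New-NetFirewallRule -DisplayName "BruteForceBlock $Ip" -Direction Inbound -RemoteAddress $Ip -Action Block | Out-Null
    }
}

# Constructed failed-logon records (documentation address ranges) so the detection
# runs offline; replace with (Get-FailedLogonEvents) on a real host.
$t0 = [datetime]'2014-10-17T09:00:00'
$sample = @(
    foreach ($n in 0..7) { [pscustomobject]@{ Time = $t0.AddSeconds(15 * $n); Ip = '203.0.113.45' } }  # 8 failures in 2 minutes
    foreach ($n in 0..3) { [pscustomobject]@{ Time = $t0.AddMinutes(30 * $n); Ip = '198.51.100.7' } }  # 4 slow failures: under threshold
    foreach ($n in 0..9) { [pscustomobject]@{ Time = $t0.AddSeconds(2 * $n);  Ip = '10.0.0.5' } }      # noisy but allow-listed
    [pscustomobject]@{ Time = $t0; Ip = '-' }                                                          # local logon, no source address
)

$offenders = Find-BruteForceSources -Failures $sample -AllowList @('10.0.0.5')
$offenders | Format-Table -AutoSize
# Only 203.0.113.45 is reported. To enforce, dry-run first:
# $offenders | ForEach-Object { Block-SourceAddress -Ip $_.Ip -WhatIf }
```

The allow list and the `-WhatIf` dry run are the two parts worth keeping even if you replace the rest with the real tool: an automated ban that fires on your own jump host or on an event with no source address (`-`) is a self-inflicted outage, and it is the same mistake a misconfigured Fail2ban jail makes on *NIX.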
  • 30. EASY 2ND FACTOR • Duo Security has an enterprise plan for $3/user/month • Got a small team? Up to 10 users are free • https://www.duosecurity.com/ • Google authenticator for web apps which use OAUTH tokenization • Authy – http://www.authy.com • Microsoft Phone Factor - http://azure.microsoft.com/en-us/services/multi-factor-authentication/ Prevention Detection Risk Response Recovery
  • 31. THREAT MODELING FOR INCIDENT RESPONSE • Not just for web apps! Threat modeling can be used for incident response & planning • 3 parts 1. Establish attack path 2. Table top exercise to identify controls 3. Create a security exercise that tests the controls along the path • http://www.irongeek.com/i.php?page=videos/circlecitycon2014/117-how-to-create-an-attack-path-threat-model-wolfgang-goerlich Prevention Detection Risk Response Recovery
  • 33. POWERSHELL SCRIPTS • Poshsec project • 63 cmdlets/functions in the PoshSec module • Account Monitoring & Control • Authorized Devices • Forensics • Log Management • Network Baseline • Software Management • Utility Functions • http://www.powershellmagazine.com/2014/07/10/introduction-to-poshsec/ Prevention Detection Risk Response Recovery
  • 34. NETWORK FORENSICS • Wireshark • Open source multi-platform network protocol analyzer • Hard to learn, easy to use • Then after a while, easy to use once your use cases are established • Time sink but it’s time well spent • https://www.wireshark.org/ Prevention Detection Risk Response Recovery
  • 35. PASSWORD CRACKING • Cain & Abel • It can recover passwords by • sniffing the network, • cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, • recording VoIP conversations, • decoding scrambled passwords, • revealing password boxes, • uncovering cached passwords and • analyzing routing protocols. • http://www.oxid.it/cain.html • Wordlists: http://hashcrack.blogspot.com/p/wordlist-downloads_29.html Prevention Detection Risk Response Recovery
  • 37. OFT OVERLOOKED • Don’t underestimate the power of governance and policy • They can not only help you manage your security workload, they can be used in legal defense
  • 38. CHANGE MANAGEMENT • Who approves your security changes? • Is this documented and reviewed periodically? • Who reviews your security changes for accuracy? • Who follows up to verify the changes are still accurate? • Document reasons for changes, approvals and mitigations • ARE YOU SURE? Prevention Detection Risk Response Recovery
  • 39. ESTABLISH A GOVERNANCE CALENDAR • The calendar contains your regular cadence of review activity • You can script reminders to the entities responsible for the review • SharePoint • Google scripts (Google calendar) • Internal calendaring software X • Work this activity into your existing processes so they get prioritized • Time box those activities! • Get SLAs/SLOs for teams on which you rely to perform these activities
  • 40. SAMPLE GOVERNANCE CALENDAR [chart: Q1–Q4, Jan–Dec grid of scheduled review activities: DR Testing, Recon (twice), Backup testing (three times), AD review (three times), Mid year audit, Operations Security Data Center Audit]
  • 41. WHAT IS THE WEAKEST LINK?
  • 42. SOCIAL VECTORS • This is the cheapest thing you can address which has the best ROI • TALK TO YOUR USERS! • Don’t lecture • Don’t debate • Give them usable information • Ex: with the busiest shopping day of the year coming up, create a newsletter or workshop that shows how to buy a PC – and subtly include how to secure it Prevention Detection Risk Response Recovery
  • 43. A WORD ON RECOVERY • There is no “cheap” data recovery option or configuration • Backups must be maintained, tested and verified • Backups are a critical security strategy, but not focused on in the CSC or DSD
  • 44. These are ideas, pick and choose and twist and tinker and make it work for you
  • 45. TOOLS & REFERENCES LIST • http://csc-hub.com/ - Ken Evan’s awesome 20 CSC site • http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx - AD rights delegation • http://sectools.org/ - List of pay and free network tools • http://www.poshsec.com/ - Powershell scripts that support the 20 CSC • http://www.asd.gov.au/infosec/top35mitigationstrategies.htm - Australian DSD Top 35 • http://www.counciloncybersecurity.com – Council on Cybersecurity • http://www.jwgoerlich.us/blogengine/post/2014/04/29/Update-on-Story-Driven-Security.aspx - J. Wolfgang Goerlich and Nick Jacob’s work on effective threat modeling • http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry - Brian Krebs’ op-ed on the Target breach and some of the false pretense
  • 46. THANK YOU • GrrCon staff, especially EggDropX and P1nkN1ghtmare for making it happen • #misec for being an awesome community • You, for listening and turning your attention to the basics
  • 47. CONTACT INFO • Twitter: @JoelConverses • Email: jscardella@pobox.com • IRC: FreeNODE #misec (joel_s_c) • Info about misec: www.michsec.org