3. ENVIRONMENT
12 Buildings in a metro area, fiber back to data center and fiber to the net.
7000 users, 6300 students and 700 staff.
Primarily a Microsoft/Cisco house.
35 servers physical/virtual, 3500 XP/Win7-8 desktops and 1000 iPads/Nexus tablets
BYOD
4. IT DEPARTMENT
7 VS 7000
• Department Manager who is very technically sound.
• Secretary, who is also technically sound. She is our helpdesk and administers our Cisco
phone system.
• Three desktop technicians. Extremely good, self-directed and need very little hand
holding.
• 1 Network Administrator
• 1 System Engineer
• Money is tight, no really it’s tight.
5. DEPARTMENTS
• The usual departments: HR, Finance, PR….along with Academic/Curriculum
Departments, Pupil Services, Student Information, Food Services and Building
Management.
• Departments get their new budgets Aug. 1st.
• Most of their projects hit at once, delivered on August 1 with late August for install.
• There is very little thought given to security as these projects are defined, however they
are extremely supportive and trusting of our advice on security issues.
• August 1st – October 30th is pure chaos.
6. TEACHERS
• They are all very intelligent and have their own style of teaching, just as children have
their own style of learning.
• Spend summers in classes, seminars and gathering new software.
• The above creates a situation where we support 1492 different applications.
• They have little tolerance for security issues such as our web filter or lack of
administrative rights on machines to install software when it interferes with instruction.
7. STUDENTS
• First and foremost, they are why we exist. We serve their needs above all others.
• We answer to their parents and the tax payers of our community. It is their school, not
ours.
• They are children, they are not only learning academics, they are still learning the
boundaries of acceptable computer usage.
• They will try and hack. They will try and beat the web filter. They will try and get advanced
copies of tests. Not because they are evil, they are not, but because they are children.
• They will break stuff for the LOL’s
8. THE THIN RED LINE
• We want to nurture what they are doing.
• I need to know they are trying, to teach them the limits. But if they pull off a
successful breach, if they pull off putting porn all over the screen then they
face suspension or expulsion. If I let them get that far, I have failed them.
• When they succeed at hacking, I have failed them.
11. THREATS
• Outside. Not high value other than phishing our bank accounts.
• Inside. The targets are very tempting to a student.
Tests, grades, attendance, their ‘permanent’ record and PI on staff.
• Surfing. A threat in its own right. They are children with hormones; porn is high on
the list. Plus interests in music and free games that lead them to a ton of
virus/malware laden websites. Beating the filter is extremely high value. That
leads them to proxies and trying to get staff accounts that have a more
lenient filter.
• BYOD
12. SAVED BY BORIS
(WHO WOULD HAVE THOUGHT THAT)
• Boris’s talk was a watershed moment for me.
• Stop buying sh*t.
• Stick with what you know or you will mess it up.
13. WHAT TO DO?
• Define the attack vectors.
• Watch the Red Team. What are they doing, what are they
bragging about. How does that apply to my systems.
• Listservs NTSysAdmin, PatchManagement.org, Blogs.
14. MANAGEMENT BUY IN
• Embrace the audit and get one.
• For us, that becomes a public record. That makes it a very
powerful document. There is no debate, just: Fix it.
15. WHAT HAVE I GOT?
• Document and define every system and every system
interaction.
• Document the software. Powershell queries, SCCM
• Document the traffic.
• Document access. Who needs what, build a list with an eye
towards segmentation.
16. WHAT IS IT DOING?
• Read the logs.
• Logs, logs and more logs. You must audit access success
and failure.
• Web Filter logs. Blocks are a key metric.
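An added example (PowerShell, not code from the deck) of what "read the logs" looks like once auditing of logon success and failure is on: it pulls the fields out of Security event 4625 (failed logon) and rolls them up per source address, so a student guessing one teacher's password or walking a list of staff accounts shows up as a number. It assumes the caller can read the Security log (local admin or Event Log Readers); the thresholds, host names, addresses and the sample records are constructed for the demonstration and are not real log data.

```powershell
# Added example, not from the original deck. Turn failed logons (Security event
# 4625) into a per-source summary. Assumes Audit Logon success/failure is enabled
# and that the caller can read the Security log (local admin or Event Log Readers).

function ConvertFrom-LogonFailure {
    # Extract the fields that matter from one 4625 event's XML payload.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $Event.TimeCreated
        User        = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']   # 0xC000006A bad password, 0xC0000064 no such user
    }
}

function Get-LogonFailureSummary {
    param(
        [Parameter(Mandatory)][object[]]$Failures,
        [int]$MaxAttempts = 10,   # one account hammered from one source: password guessing
        [int]$MaxUsers    = 3     # many accounts from one source: someone walking a user list
    )
    $Failures | Group-Object SourceIp | ForEach-Object {
        $users = @($_.Group | Select-Object -ExpandProperty User -Unique)
        [pscustomobject]@{
            SourceIp      = $_.Name
            Attempts      = $_.Count
            DistinctUsers = $users.Count
            TopUsers      = ($users | Select-Object -First 5) -join ', '
            Suspicious    = ($_.Count -ge $MaxAttempts) -or ($users.Count -ge $MaxUsers)
        }
    } | Sort-Object Attempts -Descending
}

# Live use against the last 24 hours of the Security log:
#   $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } |
#              ForEach-Object { ConvertFrom-LogonFailure -Event $_ }

# Constructed sample records (no real log data) so the summary runs offline:
# 12 bad passwords for one teacher from a library PC, and three different
# staff accounts tried once each from a lab PC.
$sample = @(
    foreach ($i in 1..12) {
        [pscustomobject]@{ Time = Get-Date; User = 'jsmith'; Domain = 'SCHOOL'; Workstation = 'LIB-07'
                           SourceIp = '10.20.3.57'; Status = '0xC000006D'; SubStatus = '0xC000006A' }
    }
    foreach ($u in 'teacher1', 'teacher2', 'teacher3') {
        [pscustomobject]@{ Time = Get-Date; User = $u; Domain = 'SCHOOL'; Workstation = 'LAB-12'
                           SourceIp = '10.20.9.14'; Status = '0xC000006D'; SubStatus = '0xC0000064' }
    }
)

Get-LogonFailureSummary -Failures $sample | Format-Table -AutoSize
```

Both constructed sources come out flagged: the library PC trips the attempt threshold, the lab PC trips the distinct-user threshold with only three attempts, which is the case a plain "more than N failures" rule misses. The SubStatus column is what tells you whether the kid knows the account exists (bad password) or is guessing names (no such user).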
17. SECURITY ONION
• Doug Burks is the man.
• Full open source Linux distro so easy even an MCSE can do it.
• Full packet capture
• Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA and Xplico.
• Pivot from one to the other.
SecurityOnion.Blogspot.Com
18. PATCH IT ALL
• MS08-067
• 90 day patch window on average.
• Remember our documentation? That drives your third party
patching. Build a spreadsheet that lists them, with version and a
clickable link to check for the newest.
• NINITE (couple hundred bucks a month)
• Verify your patches. PowerShell: Get-ADComputer -Filter * | ForEach-Object { Get-HotFix -ComputerName $_.DNSHostName }
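An added example (PowerShell, not code from the deck) that does the documentation and verification steps together: it walks every enabled computer in an OU, reads each machine's Uninstall registry keys to build the product/version list the third-party patching spreadsheet comes from, and then checks one hotfix per host. It assumes the RSAT ActiveDirectory module, the Remote Registry service running on the targets and admin rights on them; the OU path, the output path and the choice of KB958644 (the hotfix that carries the MS08-067 fix) are assumptions of mine, not the deck's.

```powershell
# Added example, not from the original deck. Inventory installed software and
# verify one hotfix across AD computers. Assumptions: RSAT ActiveDirectory
# module, Remote Registry service running on targets, admin rights on them.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=school,DC=local'                          # hypothetical OU
$ReportPath = Join-Path $env:USERPROFILE 'Desktop\software-inventory.csv'  # assumed output path
$Kb         = 'KB958644'                                                    # hotfix carrying the MS08-067 fix

# Where installed programs register themselves; the Wow6432Node path covers
# 32-bit software on 64-bit Windows.
$UninstallKeys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-RemoteSoftware {
    param([Parameter(Mandatory)][string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        foreach ($path in $UninstallKeys) {
            $key = $hklm.OpenSubKey($path)
            if (-not $key) { continue }
            foreach ($subName in $key.GetSubKeyNames()) {
                $sub  = $key.OpenSubKey($subName)
                $name = $sub.GetValue('DisplayName')
                if (-not $name) { continue }      # entries with no display name are patches/components
                [pscustomobject]@{
                    ComputerName = $ComputerName
                    Product      = $name
                    Version      = $sub.GetValue('DisplayVersion')
                    Publisher    = $sub.GetValue('Publisher')
                }
            }
        }
    }
    finally { $hklm.Close() }
}

function Test-RemoteHotFix {
    param([Parameter(Mandatory)][string]$ComputerName, [Parameter(Mandatory)][string]$Id)
    try {
        $found = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
                 Where-Object { $_.HotFixID -eq $Id }
        if ($found) { 'Installed' } else { 'MISSING' }
    }
    catch { "Unreachable: $($_.Exception.Message)" }
}

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
             Select-Object -ExpandProperty DNSHostName

$inventory = foreach ($c in $computers) {
    if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
        Write-Warning "$c is offline, skipped"
        continue
    }
    try   { Get-RemoteSoftware -ComputerName $c }
    catch { Write-Warning "$c inventory failed: $($_.Exception.Message)" }
}

# The spreadsheet: one row per computer/product/version.
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation

# What to chase first: each product/version pair and how many machines carry it.
$inventory | Group-Object Product, Version | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Patch verification, per host, so one unreachable machine does not kill the run.
foreach ($c in $computers) {
    [pscustomobject]@{ ComputerName = $c; HotFix = $Kb; Status = (Test-RemoteHotFix -ComputerName $c -Id $Kb) }
}
```

The hotfix check deliberately lists all hotfixes and filters, rather than passing -Id, so the only exception that reaches the catch block is a host you could not reach; a missing patch is a result, not an error, and a machine that is offline tonight is still in the report tomorrow.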
19. WEB FILTER
• Yea, people hate them. Sorry about that, talk to Congress.
• Five strikes and you are out.
• A very simple and powerful tool; this dropdown:
21. SERVER HARDENING
• EMET 4.0
• ASA between users and servers.
• Build your servers with segmentation of resources in mind so you can
segment your users. Control that with your ASA and your VLANS.
• Firewall on. Seriously, 2008+ the firewall is automatic.
• Consider taking servers out of the domain. HVAC servers on the management VLAN.
22. SERVERS CONT.
• Encrypt your databases.
• Patch them, all of it especially third party software. Veritas <sigh>.
• FSRM on all shares. Block .exe, .bat, .dll, shortcuts…
• Restricted groups for local admins, disable local admin account.
• Disable cached credentials
• F8 is your friend.
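An added example (PowerShell, not code from the deck) of the FSRM bullet: it creates a file group for the blocked types, puts an active screen on the student share that logs every blocked write to the Application log, and then proves the screen works by trying to drop a .bat file. It assumes Server 2012 or later (the FileServerResourceManager module with FSRM installed); the share path, group name and the extra extensions beyond the deck's four are mine.

```powershell
# Added example, not from the original deck. Put an FSRM file screen on the
# student share so executables, scripts, DLLs and shortcuts cannot be written
# there. Assumes Server 2012+ and FSRM installed:
#   Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares\Students'              # assumed share root
$GroupName = 'Student share blocked types'     # my name for the file group

# The deck's list (exe, bat, dll, shortcuts) plus the other script hosts a
# student reaches for once .bat is blocked.
$Blocked = '*.exe', '*.bat', '*.cmd', '*.dll', '*.lnk', '*.vbs', '*.js', '*.ps1', '*.scr', '*.com', '*.pif'

if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Blocked | Out-Null
}

# Log every blocked write to the Application log so it lands in your SIEM.
# [Source Io Owner] and [Source File Path] are FSRM's own substitution variables.
$logAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'FSRM blocked [Source Io Owner] writing [Source File Path]'

if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    # -Active makes it a real block; without it FSRM only logs (passive screening).
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active -Notification $logAction | Out-Null
}

# Verify: the screen exists, is active, and a write of a blocked type really fails.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup

$probe = Join-Path $SharePath 'probe.bat'
try {
    Set-Content -Path $probe -Value '@echo off' -ErrorAction Stop
    Write-Warning "$probe was written: the screen is NOT blocking"
    Remove-Item $probe -Force
}
catch {
    "Write of $probe was blocked as expected: $($_.Exception.Message)"
}
```

FSRM screens on extension, not content, so a renamed .exe still lands on the share; the screen is there to stop the casual drop-and-double-click, and Software Restriction Policies (next slides) are what stop the renamed copy from running.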
23. DESKTOP HARDENING
• No local admin. Period. Control it with Restricted Groups (replace not add)
• Common images and standardization.
• EMET 4.0
• RDS for Finance.
• Local firewall via gpo. Logging on.
• Event logging with auditing on success and failure.
• Hide last user login
• UAC
• Autorun off
• Software Restrictions
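An added example (PowerShell, not code from the deck) that checks the "no local admin, period" and "disable local admin account" bullets actually took: for every workstation in an OU it enumerates the local Administrators group through the WinNT ADSI provider (which still works against Windows 7 machines without WinRM), flags any member outside the set Restricted Groups should have left behind, and confirms the RID-500 account is disabled by SID rather than by name. The OU and the allowed-member names are assumptions of mine.

```powershell
# Added example, not from the original deck. Audit who is actually in the local
# Administrators group on each workstation and whether the built-in Administrator
# (RID 500) is disabled. Uses the WinNT ADSI provider and WMI (DCOM) so it also
# works against Windows 7 era machines. Assumptions: the OU and the allowed list.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=school,DC=local'                        # hypothetical OU
# What Restricted Groups (replace, not add) should leave behind. The built-in
# account cannot be removed from the group, so it is handled separately below.
$AllowedAdmins = 'SCHOOL\Domain Admins', 'SCHOOL\Desktop Technicians'    # hypothetical names

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        # ADsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://HOST/Name (or WinNT://DOMAIN/HOST/Name) for local accounts.
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Get-BuiltinAdminState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Match on the SID suffix, not the name: a rename does not change RID 500.
    Get-WmiObject Win32_UserAccount -ComputerName $ComputerName -Filter 'LocalAccount=True' |
        Where-Object { $_.SID -like '*-500' } |
        Select-Object Name, Disabled
}

function Test-LocalAdmins {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $members = Get-LocalAdminMembers -ComputerName $ComputerName
        $builtin = Get-BuiltinAdminState -ComputerName $ComputerName
        $extra   = @($members | Where-Object {
            ($AllowedAdmins -notcontains $_) -and ($_ -notlike "*$ComputerName\$($builtin.Name)")
        })
        [pscustomobject]@{
            ComputerName     = $ComputerName
            UnexpectedAdmins = ($extra -join '; ')
            BuiltinAdmin     = $builtin.Name
            BuiltinDisabled  = $builtin.Disabled
            Compliant        = ($extra.Count -eq 0) -and ($builtin.Disabled -eq $true)
        }
    }
    catch {
        [pscustomobject]@{
            ComputerName = $ComputerName; UnexpectedAdmins = "ERROR: $($_.Exception.Message)"
            BuiltinAdmin = $null; BuiltinDisabled = $null; Compliant = $false
        }
    }
}

Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name |
    ForEach-Object { Test-LocalAdmins -ComputerName $_ } |
    Sort-Object Compliant |
    Format-Table -AutoSize
```

Anything in UnexpectedAdmins means either the GPO is not applying to that machine or someone used "add" instead of "replace" in Restricted Groups; a teacher's account showing up there is exactly the "lack of administrative rights" fight from the Teachers slide, resolved on the wrong side.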
24. MOAR
• Software Restrictions
• Nuke Control Panel items.
• Nuke Explorer search and menu search
• Nuke task manager
• Disable Run and cmd, and restrict drives (the Explorer drive restrictions also apply inside Internet Explorer, which kills typing \\servername into IE)
• No bat files, no VBS in user context
• Hide the system drive.
• IE Maintenance via GPO. Zones, History……
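An added example (PowerShell, not code from the deck) that turns the two desktop hardening lists into a check: each GPO setting named above leaves a documented registry value behind, and this script reads those values on a workstation and reports OK, WRONG or NOT SET. Run it on the target as the non-admin user whose HKCU policies you want to verify (the HKLM entries need no elevation to read). The value names and paths are the documented policy locations; which settings to include, and the cached-credentials check from the servers slide, are my choices.

```powershell
# Added example, not from the original deck. Verify the registry values the
# desktop hardening GPOs leave behind. Run on the workstation as the user whose
# HKCU policies you want to check.

function New-Check {
    param($What, $Path, $Name, $Expected, [scriptblock]$Test)
    if (-not $Test) { $Test = { param($v) $v -eq $Expected }.GetNewClosure() }
    [pscustomobject]@{ What = $What; Path = $Path; Name = $Name; Expected = $Expected; Test = $Test }
}

$PolSystem    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolExplorer  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UserExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UserSystem   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$FwDomain     = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$DriveC       = { param($v) ($v -band 4) -ne 0 }   # NoDrives/NoViewOnDrive bitmask: bit 4 is C:

$Checks = @(
    New-Check 'UAC enabled'                        $PolSystem 'EnableLUA'               1
    New-Check 'Hide last user login'               $PolSystem 'DontDisplayLastUserName' 1
    New-Check 'Autorun off for all drive types'    $PolExplorer 'NoDriveTypeAutoRun'    255
    New-Check 'No cached domain credentials'       'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount' 0
    New-Check 'Domain-profile firewall on'         $FwDomain 'EnableFirewall'           1
    New-Check 'Firewall logs dropped packets'      "$FwDomain\Logging" 'LogDroppedPackets' 1
    New-Check 'SRP default level = Disallowed'     'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel' 0
    New-Check 'Run dialog disabled'                $UserExplorer 'NoRun'                1
    New-Check 'Control Panel blocked'              $UserExplorer 'NoControlPanel'       1
    New-Check 'Explorer/Start menu search removed' $UserExplorer 'NoFind'               1
    New-Check 'Task Manager disabled'              $UserSystem 'DisableTaskMgr'         1
    # DisableCMD = 1 blocks cmd.exe AND .bat/.cmd script processing; 2 leaves scripts runnable.
    New-Check 'cmd.exe and batch scripts blocked'  'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD' 1
    New-Check 'System drive hidden'                $UserExplorer 'NoDrives'      'bit 4 (C:) set' $DriveC
    New-Check 'System drive not browsable'         $UserExplorer 'NoViewOnDrive' 'bit 4 (C:) set' $DriveC
)

function Test-DesktopHardening {
    param([Parameter(Mandatory)][object[]]$Checks)
    foreach ($c in $Checks) {
        $value = $null
        try { $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name) } catch {}
        $state = if ($null -eq $value) { 'NOT SET' } elseif (& $c.Test $value) { 'OK' } else { 'WRONG' }
        [pscustomobject]@{ Setting = $c.What; Value = $value; Expected = $c.Expected; State = $state }
    }
}

Test-DesktopHardening -Checks $Checks | Format-Table -AutoSize
```

NOT SET on a Policies key means the GPO never reached this machine or this user (wrong OU, security filtering, or a student logging on with a staff account that has a looser policy), which is a different fix from WRONG, where someone set the value by hand.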
25. JAVA
• EMET kills much of it. It looks for behavior not signatures.
• In other cases egress filtering and/or the web filter. With only 80 and 443 allowed out, the web
filter sees the exploit phoning home. Caveat: a payload that calls home over 443 to an
uncategorized host still rides through unless the filter blocks uncategorized or newly seen sites.
26. BYOD/TABLETS
• Get out in front of it, don’t wait for them to dictate how it’s going to happen.
• Today I want to announce our awesome new BYOD program. This is going to rock!!
• Guest Network, straight out to the internet.
• GAFE
• Good luck, enjoy.
• District owned tablets
• Meraki (free)
• Find them and wipe them.
• Tab Pilot.
• Publish apps to the home screen, kill the rest of it.
27. LEVERAGE YOUR SWITCHES-ROUTERS-FW
• SSH only from management network.
• Sticky Macs.
• Kill unused ports.
• Yea, it’s annoying for desktop techs. Talk to the memo.
• Egress filtering.
28. IT NEVER ENDS
• Have management read the memo they gave you dictating ‘fix it’ from the
audit.
• Point out that this takes time. I negotiated 20 percent of my time for this:
one day a week, Wednesday. If my boss pulls me off, I ask him to talk to
the memo about it.