Steve Riley
Senior Program Manager
Security Business and Technology Unit
[email protected]

Common security screw-ups we have known and seen

Security Myths
© 2005 Microsoft Corporation, All Rights Reserved

Our network is secure, right?
Oh sure, don't worry. We have several firewalls.

The Truth
Your network is not secure!
At best it is protected.
Protected networks are well designed networks with savvy users.

Fundamental Tradeoff
Secure, Usable, Cheap: you get to pick any two!

Agenda
10 (more or less) things people do that do not improve security

Use Some Hardening Guide

Rolling Back The Guide

Roles Your System Can Fill Now

Hiding
Rename Administrator account: "Keeps bad guys away from admin account"
Turn off SSID broadcast: "Ensure nobody finds your AP"
Do not display last logged on user: "Never volunteer the username"
Change your web/ftp banner
They'll find you! Security by obscurity is weak defense.

Make Tons Of Security Changes Without A Policy
Policies, Procedures, & Awareness
Physical Security
Perimeter
Internal Network
Host
Application
Data
The "new math" syndrome: 1+1 = [0,-1)

Get Evaluated Based On Number Of Tweaks?
No problem, make harmless ones:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\DisableHackers=1 (REG_DWORD)
HKLM\Wetware\Users\SocialEngineering\Enabled=no (REG_SZ)
HKCU\Wetware\Users\CurrentUser\PickGoodPassword=1 (REG_BINARY)
HKLM\Hardware\CurrentSystem\FullyPatched=yes (REG_SZ)
HKLM\Software\AllowBufferOverflows=no (REG_SZ)

Better Yet: Get Promoted
Chart: 3rd Quarter ROI Contribution By Area (Sales, Engineering, IT, Tweaks)

We Need High Security
Is that what you want?

Consider your needs first

Detection Gone Bad
Detection Does Not Always Work
Account Lockout
Account Lockout Is Attack Detection
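The slide files account lockout under "detection gone bad". The added example below (not from the presentation; the log format, the usernames and the source addresses are all constructed for illustration) shows the mismatch in code: a lockout policy counts failures per account, so one source that fails once against many accounts never trips it, while a legitimate user who mistypes a password five times locks only themselves out. Counting distinct accounts per source is what a detection rule would look at instead.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the presentation): one failed
# logon per line, in a deliberately simple one-line format.
SAMPLE_EVENTS = """\
2005-03-01T09:00:01 FAILED_LOGON user=alice src=10.0.0.5
2005-03-01T09:00:03 FAILED_LOGON user=bob src=10.0.0.5
2005-03-01T09:00:05 FAILED_LOGON user=carol src=10.0.0.5
2005-03-01T09:00:07 FAILED_LOGON user=dave src=10.0.0.5
2005-03-01T09:00:09 FAILED_LOGON user=erin src=10.0.0.5
2005-03-01T09:00:11 FAILED_LOGON user=frank src=10.0.0.5
2005-03-01T09:00:13 FAILED_LOGON user=grace src=10.0.0.5
2005-03-01T09:00:15 FAILED_LOGON user=heidi src=10.0.0.5
2005-03-01T09:10:00 FAILED_LOGON user=bob src=10.0.0.77
2005-03-01T09:10:04 FAILED_LOGON user=bob src=10.0.0.77
2005-03-01T09:10:09 FAILED_LOGON user=bob src=10.0.0.77
2005-03-01T09:10:15 FAILED_LOGON user=bob src=10.0.0.77
2005-03-01T09:10:22 FAILED_LOGON user=bob src=10.0.0.77
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) FAILED_LOGON user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into a list of dicts; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def lockout_view(events, threshold=5):
    """What an account-lockout policy sees: failures counted per account only.
    Returns the set of accounts that would be locked out."""
    per_account = defaultdict(int)
    for e in events:
        per_account[e["user"]] += 1
    return {user for user, n in per_account.items() if n >= threshold}


def source_view(events, min_accounts=5):
    """What a detection rule can see: for each source address, the distinct
    accounts it failed against. Returns only sources touching many accounts."""
    accounts_by_src = defaultdict(set)
    for e in events:
        accounts_by_src[e["src"]].add(e["user"])
    return {
        src: sorted(accounts)
        for src, accounts in accounts_by_src.items()
        if len(accounts) >= min_accounts
    }


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    # Lockout punishes bob (who fumbled five times from his own machine)
    # and says nothing about 10.0.0.5, which touched eight accounts.
    print("locked out by policy:", lockout_view(ev))
    print("sources failing against many accounts:", source_view(ev))
```

In the constructed data the lockout policy locks only bob, the legitimate user who fumbled his password, and stays silent about 10.0.0.5, which failed against eight different accounts once each. The per-source view flags 10.0.0.5 and ignores bob's machine, which is the behaviour a detection rule should have.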

Permanent Account Lockout
Termination Notice
Employee Name:               Employee ID:
Employee Address:            Employee SSN:
Manager Name:                Manager ID:
Department:
Termination Effective Date:
Benefits Continuation:  Yes / No
Severance Package:      Yes / No
Termination Reason:
  Opening unsolicited e-mail
  Sending spam
  Emanating viruses
  Port scanning
  Attempted unauthorized access
  Surfing porn
  Installing shareware
  Possession of hacking tools
  Refusal to abide by security policy
  Sending unsolicited e-mail
  Allowing kids to use company computer to do homework
  Disabling virus scanner
  Running P2P file sharing
  Unauthorized file/web serving
  Annoying the Sysadmin

Physical Security
Software Cannot Replace Physical Security
Prevent shutdown without logging on
USB thumb drives
Recovery console restrictions
Restrict undock without logon

Put Things In The Right Place

Follow The Leader
"Security Expert": (n) Someone who is quoted in the press
Certified... or just certifiable?

Audit Everything
"We need to know exactly what's going on"
Will you be able to tell? That's the tasty one...

Password Cracking

The Real Password Problem
Client: Hey, I want to authenticate
Server: OK, here is a nonce, tell me who you are
Client: Response = E(Hash, nonce)
If the bad guys have your hashes you have already lost!
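The exchange on the slide is why stored hashes need the same protection as the passwords themselves: the client's response is a function of the hash and the nonce, never of the password. The added simulation below is not from the presentation and models no real protocol; it assumes SHA-256 as the stored "Hash" and HMAC-SHA256 as the slide's E(Hash, nonce), both stand-ins chosen for illustration. It runs three exchanges against one stored hash and reports which the server accepts.

```python
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    # Stand-in for the stored password hash; the slide says only "Hash",
    # so this is an assumption, not any real system's hash function.
    return hashlib.sha256(password.encode("utf-8")).digest()


def server_challenge() -> bytes:
    # "OK, here is a nonce": a fresh random challenge per authentication.
    return os.urandom(16)


def client_response(pw_hash: bytes, nonce: bytes) -> bytes:
    # The slide's E(Hash, nonce): a keyed function of the hash over the nonce.
    # HMAC-SHA256 is an assumed stand-in for E. Note the input is the hash,
    # so anyone holding the hash can compute this.
    return hmac.new(pw_hash, nonce, hashlib.sha256).digest()


def server_verify(stored_hash: bytes, nonce: bytes, response: bytes) -> bool:
    # The server recomputes E(Hash, nonce) from its stored hash and compares
    # in constant time; it never needs the password either.
    expected = client_response(stored_hash, nonce)
    return hmac.compare_digest(expected, response)


def demo(password="correct horse", wrong_password="wrong horse", nonce=None):
    """Run three exchanges against one stored hash.
    Returns (legit_accepted, hash_only_accepted, wrong_password_accepted)."""
    nonce = nonce or server_challenge()
    stored = password_hash(password)

    # 1. Legitimate client: knows the password, derives the hash, answers.
    legit = server_verify(
        stored, nonce, client_response(password_hash(password), nonce)
    )
    # 2. A party holding only the stored hash: never learns the password,
    #    yet produces the identical response, so the server accepts it.
    #    This is the "you have already lost" case from the slide.
    hash_only = server_verify(stored, nonce, client_response(stored, nonce))
    # 3. Wrong password: different hash, different response, rejected.
    wrong = server_verify(
        stored, nonce, client_response(password_hash(wrong_password), nonce)
    )
    return legit, hash_only, wrong


if __name__ == "__main__":
    legit, hash_only, wrong = demo()
    print("legitimate client accepted:", legit)
    print("hash-only party accepted:", hash_only)
    print("wrong password accepted:", wrong)
```

The second result is the point of the slide: the server cannot distinguish a client that knows the password from one that merely holds the hash, because the protocol only ever consumes the hash. The nonce defeats replay of an old response, not possession of the hash, so the defensive conclusion is to treat the hash store as the secret it is.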

The Real Password Problem
Admin password: Admin.R386W

Evolution of the Problem

What We Tell Users

What Users See

Vendors Can Fix User Security Problems
The real problem is uneducated users.
Properly configured users are your strongest defense!

Configuring Users

SSH/HTTP/HTTPS Is Great. We Only Have To Open One Port In The Firewall
Diagram: the firewall works at the network and transport layers, so all it sees is 80/tcp (UFBP) and 443/tcp (SUFBP). Passing through it on those ports: UFBP, SUFBP, SSH, VPN, remote control.

Network Security Claims
Our network/software/hardware is: Secure, Impenetrable, Unbreakable

Network Security Claims

Newsflash
Security is hard!
There is no easy fix.

The Myths
1. Security guides make your system secure
2. If we hide the bad guys won't find us
3. The more tweaks the better
4. All environments should follow the advice in <insert guide here>
5. High security is an end goal for all environments
6. Security tweaks can fix physical security problems
7. The lemming security model - always follow expert recommendations
8. We need to audit everything
9. Password cracking is our biggest problem
10. Security tweaks will stop worms and viruses
11. Encrypted attack traffic is much better than clear-text attack traffic

For More Information
Jesper and Steve finally wrote a book!
Order online: http://www.awprofessional.com/title/0321336437
Use promo code JJSR6437
Steve Riley, [email protected]

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.