Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security
Motto: "Thou shalt never assume."
  The Rogue Warrior's Eighth Commandment of SpecWar, Richard Marcinko, US Navy SEAL
Current Threats
Attackers
  External
    know nothing about your environment
    can try brute-forcing passwords, at most vulnerability scanning
  Internal
    the most severe threat
    know their environment
    already have at least some level of access
    can steal data they are authorized to read
Protection: External Attackers
  Firewalls
  Antispam/antimalware
  Software updates
  Account lockout
Current Threats (agenda)
  Assuming
  Physical security: computers, data
  Passwords: cracking, keyloggers
  Eavesdropping: wired/wireless networks
  Spam/malware: directed attacks
  Remote access: from unsecure computers
  Data theft by authorized readers: currently one of the most underestimated problems
Current Threats
Vulnerabilities
  Examples:
    My wife crossing a road
    PKI misconfiguration in a bank
    Hidden accounts after a virus attack
    Malicious mail from home vs. from work
Protection: Assumptions
  Never assume anything
  Be careful
  Know your enemy
  Don't do anything you don't understand
Current Threats
Machines
  Servers: rack security
  Data storage
  Client computers: desktops, notebooks (usually caching data)
  Peripherals
  Remote offices
Network
  Wireless: AirPcap
  Wired: USB Ethernet switch + netbook
Vulnerabilities
  Computers easily accessed by a lot of people: employees, maintenance staff, theft from branch offices
  Attacks: stealing the whole machine, stealing the data only
  Physical access = local administrator
Protection: Physical access
  Limit physical access
  Place computers/storage into secure locations, plus hardware locks and cables
  Define security boundaries: data stolen, passwords compromised
  Encryption: BitLocker, TrueCrypt
Protection: BitLocker
  Provide a password on startup: prevents others from becoming an administrator
  Use TPM (Trusted Platform Module): stores the password on the motherboard; checks signatures of BIOS, CMOS, MBR, boot sector, loader etc.
  Windows 7 Enterprise/Ultimate
Current Threats
Vulnerabilities
  Keyloggers: software, hardware
  Cache
  Cracking
Local Password Storage
  Cleartext passwords: IE autocomplete, password "lockers", fingerprint readers, service/scheduled-task accounts
  Password hashes: local user accounts, all domain accounts on Domain Controllers, password caches
Password Cracking
  Windows MD4 hashes: local storage, LAN network capture, PPTP VPN
  Offline rainbow tables: severe up to 7 characters (minutes)
Protection: Passwords
  Use smart cards (vs. fingerprints): convenient (3-5 character PIN), still more secure than passwords
  Require strong passwords
  Procedures, policies and audit
  Never type sensitive passwords on insecure computers
  Training
Protection: Comparable Algorithm Strengths (SP 800-57)
  Strength | Symmetric | RSA       | ECDSA     | SHA
  80 bit   | 2TDEA     | RSA 1024  | ECDSA 160 | SHA-1
  112 bit  | 3TDEA     | RSA 2048  | ECDSA 224 | SHA-224
  128 bit  | AES-128   | RSA 3072  | ECDSA 256 | SHA-256
  192 bit  | AES-192   | RSA 7680  | ECDSA 384 | SHA-384
  256 bit  | AES-256   | RSA 15360 | ECDSA 512 | SHA-512
Protection: Smart Cards
  Algorithm                      | Comparison
  10-character US-ASCII password | 70 bit
  SHA-1                          | 80 bit
  RSA                            |     bit
  SHA-256                        | 128 bit

  Algorithm                      | Difficulty    | Time
  10-character US-ASCII password |               |     years
  SHA-1                          | 1024x better  |     years
  RSA                            |     x better  |     trillion years
  SHA-256                        | 2^58x better  | -
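An added worked example (not from the original presentation) that reproduces the two comparisons above: the 70-bit figure is 10 characters times log2(128), the "x better" factors are 2 raised to the difference in strength bits, and the PIN of a smart card is protected by the card's RSA-2048 private key (112 bit), not by the PIN length. The guess rate used for the time estimate is a constructed assumption, not a value from the slide.

```python
import math

# Security-strength equivalences as listed on the slide (NIST SP 800-57 Table 2).
STRENGTH_BITS = {
    "2TDEA": 80, "RSA-1024": 80, "ECDSA-160": 80, "SHA-1": 80,
    "3TDEA": 112, "RSA-2048": 112, "ECDSA-224": 112, "SHA-224": 112,
    "AES-128": 128, "RSA-3072": 128, "ECDSA-256": 128, "SHA-256": 128,
    "AES-192": 192, "RSA-7680": 192, "ECDSA-384": 192, "SHA-384": 192,
    "AES-256": 256, "RSA-15360": 256, "ECDSA-512": 256, "SHA-512": 256,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_bits(length, alphabet_size):
    """Search space of a uniformly random password in bits: length * log2(alphabet).
    The slide's figure: 10 US-ASCII characters (128 symbols) -> 10 * 7 = 70 bits."""
    return length * math.log2(alphabet_size)


def times_better(stronger_bits, weaker_bits):
    """Work-factor ratio between two key spaces: 2 ** (difference in bits)."""
    return 2.0 ** (stronger_bits - weaker_bits)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate a whole key space at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare_password(length, alphabet_size, algorithms):
    """For each named algorithm, how many times more work it costs than the password."""
    pw = password_bits(length, alphabet_size)
    return {name: times_better(STRENGTH_BITS[name], pw) for name in algorithms}


if __name__ == "__main__":
    # Constructed assumption: 10^12 guesses per second; the slide gives no rate.
    rate = 1e12
    pw = password_bits(10, 128)
    print("10-char US-ASCII password: %.0f bit, %.3g years to exhaust at %.0e/s"
          % (pw, years_to_exhaust(pw, rate), rate))
    for name, factor in compare_password(10, 128, ["SHA-1", "RSA-2048", "SHA-256"]).items():
        print("%-9s %3d bit, 2^%d (%.3g)x better, %.3g years"
              % (name, STRENGTH_BITS[name], round(math.log2(factor)), factor,
                 years_to_exhaust(STRENGTH_BITS[name], rate)))
```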
Protection: Password Policies
  For the whole domain only: Windows 2003 Domain Functional Level and older
  For individual groups/users: Granular Password Policies, Windows 2008 Domain Functional Level and newer
  Non-complex password example: login: Ondrej, password:
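An added example, not from the presentation, of why "require strong passwords" needs more than the built-in complexity switch: it implements the documented default Windows "Password must meet complexity requirements" rule (assumption: a domain may replace it with a custom password filter) and shows that a predictable password for the login above is still accepted. The display name used is a constructed sample.

```python
import re

# Delimiters Windows uses to split displayName into tokens for the "must not contain
# the user's name" rule (assumption: the documented default filter behaviour).
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def complexity_failures(password, sam_account_name, display_name=""):
    """Reasons a password fails the default Windows complexity check (empty list means
    accepted): at least 6 characters, does not contain the account name (if it is 3+
    characters) or any display-name token of 3+ characters, and uses 3 of 5 categories."""
    failures = []
    lowered = password.lower()
    if len(password) < 6:
        failures.append("shorter than 6 characters")
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        failures.append("contains account name %r" % sam_account_name)
    for token in NAME_DELIMITERS.split(display_name):
        if len(token) >= 3 and token.lower() in lowered:
            failures.append("contains display-name part %r" % token)
    categories = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "non-alphanumeric": any(not c.isalnum() for c in password),
        "other alphabetic": any(c.isalpha() and not c.isupper() and not c.islower()
                                for c in password),
    }
    used = [name for name, present in categories.items() if present]
    if len(used) < 3:
        failures.append("only %d of 5 character categories: %s" % (len(used), ", ".join(used)))
    return failures


def meets_windows_complexity(password, sam_account_name, display_name=""):
    return not complexity_failures(password, sam_account_name, display_name)


if __name__ == "__main__":
    # Constructed candidates for the login on the slide; the display name is assumed.
    for candidate in ["Password1", "Welcome1", "Ondrej2010!", "Sevecek99", "abc"]:
        problems = complexity_failures(candidate, "Ondrej", "Ondrej Sevecek")
        verdict = "accepted by the filter" if not problems else "rejected: " + "; ".join(problems)
        print("%-12s %s" % (candidate, verdict))
```

"Password1" and "Welcome1" satisfy the filter, which is the point of the slide: the complexity setting alone does not make a password strong.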
Current Threats
Vulnerabilities
  Free network access
  No network traffic encryption
  People ignore warnings
  ARP poisoning
Protection: Eavesdropping
  Implement IPSec/SSL encryption
  Always encrypt WiFi, do not only require authentication
  Implement 802.1x for network access
  Implement ARP protection
  Train people
Protection: 802.1x (diagram: switch connected to PC, printer, PC)
Current Threats
Secure Socket Layer / IPSec (diagram: web server and client; certificate, public key, private key)
Secure Socket Layer (diagram: web server and client; certificate, public key, private key, random data)
Attacking SSL (diagram: web server, client, and an attacker with a false certificate, public key, private key)
SSL Certificate prices
  Verisign (1999): 300 $/year
  Thawte (2003): 150 $/year
  Go Daddy (2005): 30 $/year
  GlobalSign (2006): 250 $/year
  StartCom (2009): free
SSL Assurance
  Loopback confirmation: requires just a valid address
  No assurance about the target identity
EV browsers
  Browser           | Version
  Internet Explorer | 7.0
  Opera             | 9.5
  Firefox           | 3
  Google Chrome     | -
  Apple Safari      | 3.2
  Apple iPhone      | 3.0
EV Certificate prices
  Verisign (1999): 1500 $/year
  Thawte (2003): 600 $/year
  Go Daddy (2005): 100 $/year
  GlobalSign (2006): 900 $/year
  StartCom (2009): 50 $/year
TMG Forward SSL Inspection (diagrams)
  No SSL inspection
  TMG CA not trusted
  Web server certificate
  TMG CA trusted on the client
Current Threats
Vulnerabilities
  No real prevention against spam
  Spam created anonymously: no traces/auditing
  Directed attacks cannot be automatically recognized
  Users tend to use the same passwords for more services
  Stability and performance
Spam Threats
  Phishing
  Hoax: think something, do something online, do something physically!
  Personal reputation after forwarding
Malware Threats
  Virus: must first be detected, after infection!
  Backdoors: just download the real infection; does the antimalware know what exactly it was?
  Reinstallation of the whole environment!
Protection: Spam and malware
  Train people
  Implement antispam/antimalware: word lists, open relay lists etc., SenderID
Current Threats
Vulnerabilities
  Prone to keylogger attacks when used with passwords
  Can be connected from quite anywhere: insecure home computers, internet cafés
  Some protocols are not secure: PPTP (password hashes, offline cracking)
Client VPN Comparison
  VPN            | Connection requirements                                                  | Logon                                                       | Client availability | Authentication
  RDP            | TCP 3389; server certificate (not required)                              | random keys (D-H); certificate private key (2048 bit)       | Windows XP          | password, smart card
  RDS/TS Gateway | TCP 443; server certificate                                              | random keys (D-H); certificate private key (2048 bit)       | Windows XP          | password, smart card
  PPTP           | GRE + TCP 1723                                                           | depends on password quality; vulnerable to offline cracking | MS-DOS              | password, smart card
  L2TP           | IPSec ESP + UDP 500/4500; server certificate; client computer certificate | random keys (D-H); certificate private key (2048 bit)       | Windows 98          | password, smart card
  SSTP           | TCP 443; server certificate                                              | random keys (D-H); certificate private key (2048 bit)       | Windows Vista       | password, smart card
Protection: Remote Access
  Use RDP when possible: sends only keystrokes and mouse, receives only pictures
  Use L2TP or SSTP: IPSec or SSL encrypts the channel with strong random private keys (2048 bit etc.)
  IPSec requires a client computer certificate and limits connections to those who have one
  Implement VPN Quarantine
DirectAccess (diagram: LAN, DirectAccess client, DA server)
Current Threats
Vulnerabilities
  Authorized users can read, print, copy, send e-mails, upload (FTP/SSL/VPN)
Protection: Authorized users
  Procedures
  Limit public online access and services
  Limit use of removable hardware
  Use some Rights Management software
  Data Leakage Protection
Current Threats
Takeaway
  Anything you don't have under your direct control is insecure
  Don't use insecure computers
  Use strong passwords, or rather smart cards
  Encrypt data and transmissions
  Never trust