
Don't trust your vendors - $ecurity can't be bought


Formal Metadata

Title
Don't trust your vendors - $ecurity can't be bought
Number of Parts
254
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
The comprehensive, seamless, real-time, IoT-capable, AI Intelligence Next-Gen Sandbox Platform Cyber Security Solution with Blockchain, Big Data and Deep Learning. Nowadays, tons of security buzzwords like these are used to sell products into corporate environments. All these technologies have something in common: they probably cost a fortune and unfortunately often end up as "shelfware", or nobody understands them anymore, resulting in high expenses but no improvement in security because of misconfiguration or lack of interest. This is not a talk against security solution vendors; it is a talk about keeping an eye on the fundamentals. The ideas and hints provided here are not only the base layer of defense, but also low-cost, low-technology and heck effective against the majority of threats. The talk is not about security management, but will include suggestions on how to organize a security team. This is a foundation talk for the many ordinary companies running Active Directory/Windows and mostly on-prem infrastructure, the ones whose security requirements are not military or high-technology. And it is exactly these companies which are often victims of shotgun-approach attacks. It is a talk for SMEs and for companies who simply want to improve their security defense, do their fundamentals and not break the bank for it. Cut the bullshit bingo; let's start improving security defense in an ordinary company. Low-cost, low-technology and heck effective against the majority of threats. This is a security defense & security foundation talk.
Transcript: English(auto-generated)
Okay, I'm very happy to announce to you the talk "Security cannot be bought. How do you buy it?" She's a regular at cars events since 2007 and she's a security engineer who's managing corporate IT. So the stage is yours.
Three years ago I was lucky enough to start a new job in a company which, when it came to modern IT infrastructure, was a late bloomer: a family-run company in the business for over 70 years, so security didn't have a high value. Even IT only got higher importance in about 2010. Imagine that. Luckily for me, there was full management commitment on security when I started in that company.
Just to give you some numbers about the company right now: we have around 150 Windows servers and about 2000 Active Directory users, so it's not a small company anymore. Active Directory is a good keyword today in this talk. We will solely focus on Windows Active Directory environments, but some parts could be interesting for non-Active-Directory environments as well.
When it comes to security requirements, we have to imagine a scale. On the one end of the scale there are banks, high-tech industry, electricity suppliers, but on the other end of that scale there are small and medium enterprises, traditional enterprises, low-tech companies or family-run companies. Today we will focus on the first third of the scale, the low-tech industry companies, because their requirements are way different from those high-tech industry companies.
As I have worked in such a company for three years, I want to share the knowledge I gained in these three years with you today. First we need to define what the threat is that we protect ourselves from, and in this type of company it's not targeted industrial sabotage, because, to be honest, we would have no chance at all. No chance. What we protect these companies from is shotgun attacks, mainly in the form of automated malware.
Can't we just install a super fancy security solution, or two or three, and then we are safe? No. Unfortunately, we have limited resources, and these super fancy solutions need both people and money, and in these types of companies there isn't even one full-time employee responsible for security, and also money sometimes is an issue.
I am a passionate climber, and when I'm in front of a wall like this, sometimes I cannot see a way through; it seems impossible for me to climb. And the same goes for tech measures to improve security. There is so much information nowadays that it's a curse and a blessing: there's Reddit, blogs, conferences. So you stand in front of your IT environment, that's that wall, and you've got enough ideas in your head, but you just don't know where or how to start. Today in this talk I want to share the knowledge, or want to show you a path through that wall. So here are three sections we want to climb together today: it's people, organization and of course tech, tech measures.
Let's start with people first. Why people? Because behind those Windows Active Directory user accounts are people. The colleagues you work with are people. Your customers are people. I know it's very, very, very tempting: something happened again, a company got hacked, millions of credit data records leaked. That's what you want to do, right? Facepalm. The thing is, security people tend to believe everyone else is stupid, incompetent, sleazy, lazy, whatever. But it doesn't matter if it's because of missing knowledge, missing technology or even laziness, because in the end you are responsible for the security in your company. You're responsible for your company not getting hacked. And how do you think a sysadmin will feel if you facepalm him, if you blame him? Will he enjoy working with you? Will he even come up with his own ideas, or will he rather play hide-and-seek with you?
So honestly: stop complaining. Complaining is not acting, and not acting is not taking responsibility, and not taking responsibility is failing. That's all there is to say there.
To add a little practical example of what I mean with that: imagine you wanted to introduce LAPS in your company (or probably some of you already have it), the Local Administrator Password Solution, where there's a different password for each client and it resets automatically. So imagine you would have one password for all your clients. It's maybe not that good. So you could either go to your sysadmins and really come out with "LAPS needs to be installed", or maybe you could talk to them, listen to them, and they probably understand the necessity behind it if you explain it to them, because it's just sometimes missing knowledge.
But what they should have is: you cannot copy the password from the LAPS tool to a password request in Windows. So when secure desktop is enabled, you can see it's black; you can't do this. But once you disable secure desktop, that's possible. Unfortunately, that's not the password dialogue, but just imagine one. And the question here is now: would we disable secure desktop? We lose a security feature. Or would we keep it? If we disable secure desktop, we then could introduce LAPS and have the full support of all the tech guys. What would you choose?
When it comes to people and working together with people, we need to visualize what we want with them. Do you want to work in the 1950s Henry Ford assembly line, where you just do one task the whole time? Or would you prefer to work in a modern Japanese assembly line, where you work together with your colleagues, where you can bring up your own ideas? In the next part we're going to talk about how to introduce this Japanese assembly line in our security organization.
When we think about our security organization, there are two requirements we need to fulfill: number one, see the overall process, like in the assembly line, and number two, have goals and have an end in mind. And that's the thing: security never has an end, right? It's a continuous process; it goes on forever. But that's not a concept you can sell. People work like this: we want a task, we want to complete the task, we want to go home and be happy if we achieved something today.
So our job here now is to create these achievement moments. How do we do that? Here are three suggestions. Number one: make the current status visible. This means create statistics, meaningful statistics. Here's an example: total vulnerabilities in the Windows Server environment. You can see how this goes down. Make a common goal, like it always must be below 500, whatever. Number two: create brick programs, make the goals visible. For example, we wanted to improve Windows environment security, so we drew these fancy little bricks. There were goals behind them, things we wanted to discuss, and once it's done it was coloured. Print that out, you can put it somewhere in the office; it's made visible. Number three: at one point you probably already have a lot of ideas, at best not only yours but also from your colleagues or your boss, and you need to prioritize them, because you can never do all of them. But before you prioritize them, you need to collect them and group them. What we use there is called Redmine. It's actually from software development. So we have an idea collector, and we would also rate them. You can see it on the right side, like feasibility and effectiveness. Unfortunately, this is not a talk about risk management, so I just added the link on how we do that at the end of the slides.
So for this part, prioritization is the key. And that all comes up in three steps that are building up on each other: it's past, present and future. In the past you see what you did: the current status. The brick programs define what you do now, your goals, and the idea repository is your future, what you want to do.
Let's climb our last section together, where I talk about tech. In Windows Active Directory environments, an attack that's used very often is either pass-the-hash or pass-the-ticket. It's meaning you don't try to steal a password; you try to steal a password hash or a Kerberos ticket from the Kerberos authentication process. So the first core principle to defend against this is the tiering model. That's also published and very well documented by Microsoft. So what you do is you split your assets in three different levels, sometimes more, and typically these levels would be tier 0, your domain controllers, tier 1, your servers, and tier 2, your admin clients or clients. And on each level you have a user, so you don't only have one user, you have two, three, four, five users, and the next step is you restrict access. So this is the technical implementation of the need-to-know principle that's so often in security management. So a tier 0 admin cannot log in on a tier 1 or tier 2 device.
Because this core principle is of course not the only thing we can do, I prepared some quick wins I believe are easy to implement and do not cost anything. These are my three favourite ones when it comes to free tools. Use delegation. There are Account Operators. It's a group in Active Directory where you can add and remove group membership, and because permissions are often given by Active Directory groups, that's a sensitive group, and you could use delegation, best done with PowerShell. There's a GUI, but with PowerShell it's better. So let's say that an admin from a specific country or branch can just work on specific OUs to add or remove membership. PowerShell Constrained Language Mode: PowerShell is often used in attacks. What you can do is, with a GPO, make it so that PowerShell cannot execute all commands. But of course, this is only a small security improvement, because that can be reversed, but against malware that's a very good start. And the third one, it has the biggest bar: reduce membership in high-value groups. That's a task that has no end and no goal: Administrators, Enterprise Admins, Schema Admins, STM administrators. Check these groups all the time.
There are four more I just want to quickly note; I'm not talking about them because 20 minutes is not enough. Maybe passwords in Group Policy Preferences is something, just quickly: in Group Policy Preferences there are sometimes clear-text passwords. With a script you can just check that regularly. Of course a password manager and a password policy is nothing new, but it's easy and it's free.
There are also so-called trackable quick wins, because many companies don't have a security SIEM, because it's expensive, but you can build up your own security monitoring, and there are five trackable quick wins that I believe are nice. What we do is we have scheduled tasks and these execute a PowerShell script. For example, we check if the SSL certificates are running out. We check if users are added to these previously mentioned high-privilege groups. If a domain admin logs in, because I believe nobody needs to be domain admin, so I want to know when somebody uses his domain admin. I also gave up my domain admin membership for Christmas. There are sometimes passwords in Active Directory description fields, because that's convenient, right? And of course if a new admin is added to a local client or server, because we don't want that.
If you have a little bit more time, four of them: reduce Java and Flash. Of course, no client and no server needs Flash anymore; it's actually going to die at the end of 2020. Java should just be installed on request, of course. The SMB versions and the encryption, as well as the database connections, you just have to check them all the time: what's going on and where are the passwords, password hashes. That's one close to my heart, I'm sure. For accounts there are five or six different GPOs where I can limit what can be done or how that account can be used. So for users, I believe only "log on locally" should be allowed; RDP or running a scheduled task or service is unnecessary. For admins, I could imagine, I think RDP should be allowed as well, and for service accounts, these are used as service accounts, so these should just be allowed to run services or batch jobs, which is a scheduled task. Of course every service account is different, so you need to define it for each account.
The three last ones, the most important ones: we already talked about LAPS. The gMSA is a group managed service account. We want to get rid of these normal service accounts. There's one password for the account, never changed, it's set to never expire and everybody knows it. Sometimes these service accounts are even domain admins. So what you can do is use this group managed service account, where the password is managed by the Active Directory and nobody knows it anymore, and it also gets changed regularly. Or if you can't do that, reduce permissions, do these logon restrictions, logon times. So we have about 10% group managed service accounts, and we are kind of stuck and can't really find more to switch.
What's the most important measure after that core principle? It should actually look like this, because if you use smart cards, so many attacks don't work anymore, especially for admins. And the thing is, that's the only measure on my slides which is not for free, but a modern smart card costs about $40, so even if you have 20, 30, 50 people in IT, that's very, very affordable. And with Windows it's a charm to roll out. You just install it and it's just usable.
At the end of the day, and the end of the talk, we always need to ask ourselves: did we do the right thing? And how do we know if we did the right thing? Let's go full circle again and listen to the people.
For me, I know if we did the right thing when somebody puts himself on that security train, like one of my colleagues who wrote that email where he said: "I just removed the last Windows XP machine", and I didn't tell him to do that. He was just really, really proud and he sent out this email, and I have 10, 15 printed emails like this on my desk in the office. A second one which I really, really enjoyed, by another colleague: I told you we have this monitoring where you get alarmed when there's a new local admin. So that guy found it out and contacted the guy who's responsible in that country and said: "Why is there a local admin? Please explain it to me. We don't accept local admins." And I just love what language he used for this, and you know, we just created this monitoring and it's so nice to see how people actually use it in day-to-day use.
So, the talk is over. Just to sum it up, what are the three ideas we have? When we talk about people: we should stop complaining and start listening. When we talk about organization: we say make it visible. And when we talk about tech: Keys the prairie session. Thank you.
Thank you, Marilis, for your talk. So unfortunately we don't have time for questions for this talk, so as always
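The "trackable quick wins" the speaker describes (scheduled tasks running a PowerShell script that alerts on new members in high-privilege groups, passwords in Active Directory description fields, expiring certificates, clear-text passwords in Group Policy Preferences and unexpected local admins) as one added example. This is not code from the talk or from the speaker's company. It assumes the RSAT ActiveDirectory module, a domain-joined host with read access to SYSVOL, and PowerShell 5.1 or later; the baseline file path, the list of monitored groups and the allowed local admins are assumptions to adjust.

```powershell
# Added example, not from the talk. Assumes the RSAT ActiveDirectory module,
# a domain-joined host with read access to SYSVOL, and PowerShell 5.1+.
# Baseline path, group list and allowed local admins are assumptions.
#Requires -Modules ActiveDirectory
param(
    [string]$BaselinePath = "$env:ProgramData\SecChecks\privileged-groups.json",
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                    'Schema Admins', 'Administrators', 'Account Operators'),
    [string[]]$AllowedLocalAdmins = @("$env:COMPUTERNAME\Administrator",
                                      "$env:USERDOMAIN\Domain Admins")
)

function Get-PrivilegedMembership {
    # -Recursive resolves nested groups, so someone added via a sub-group shows up too.
    $snapshot = @{}
    foreach ($g in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty SamAccountName | Sort-Object
        $snapshot[$g] = @($members | Where-Object { $_ })   # empty group -> empty array
    }
    return $snapshot
}

function Compare-PrivilegedMembership {
    param([hashtable]$Baseline, [hashtable]$Current)
    # Report both directions: an unexpected removal is worth a look as well.
    foreach ($g in $Current.Keys) {
        $old = @($Baseline[$g] | Where-Object { $_ })
        $new = @($Current[$g]  | Where-Object { $_ })
        foreach ($m in ($new | Where-Object { $old -notcontains $_ })) { "ADDED to '$g': $m" }
        foreach ($m in ($old | Where-Object { $new -notcontains $_ })) { "REMOVED from '$g': $m" }
    }
}

function Find-PasswordsInDescription {
    # Description and Info are readable by every authenticated domain user,
    # so a password stored there is effectively public. Simple keyword heuristic.
    Get-ADUser -Filter * -Properties Description, Info |
        Where-Object { "$($_.Description) $($_.Info)" -match '(?i)\b(pass|pwd|passwort|kennwort)' } |
        ForEach-Object { "DESCRIPTION LEAK: $($_.SamAccountName): $($_.Description)" }
}

function Find-GppPasswords {
    # Group Policy Preference XML files with a cpassword attribute carry a
    # reversibly encrypted password that any domain member can read from SYSVOL.
    $domain = $env:USERDNSDOMAIN
    Get-ChildItem -Path "\\$domain\SYSVOL\$domain\Policies" -Recurse -Include *.xml -ErrorAction SilentlyContinue |
        Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword=' -Quiet } |
        ForEach-Object { "GPP PASSWORD: $($_.FullName)" }
}

function Find-ExpiringCertificates {
    param([int]$Days = 30)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt (Get-Date).AddDays($Days) } |
        ForEach-Object { "CERT EXPIRING: $($_.Subject) on $($_.NotAfter.ToString('yyyy-MM-dd'))" }
}

function Find-UnexpectedLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $AllowedLocalAdmins -notcontains $_.Name } |
        ForEach-Object { "UNEXPECTED LOCAL ADMIN: $($_.Name) ($($_.ObjectClass))" }
}

# --- run all checks (this is what the scheduled task executes) ---
$findings = @()
$current  = Get-PrivilegedMembership
if (Test-Path $BaselinePath) {
    $baseline = @{}
    foreach ($p in (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$p.Name] = @($p.Value)
    }
    $findings += Compare-PrivilegedMembership -Baseline $baseline -Current $current
} else {
    $findings += "No baseline yet, recording one at $BaselinePath"
}
$findings += Find-PasswordsInDescription
$findings += Find-GppPasswords
$findings += Find-ExpiringCertificates
$findings += Find-UnexpectedLocalAdmins

# Persist the current membership so the next run compares against it.
New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
$current | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath

if ($findings.Count -gt 0) {
    # Hook in Send-MailMessage or a ticket system here; writing to the console
    # keeps the example self-contained.
    $findings | ForEach-Object { Write-Output $_ }
}
```

Register it with a scheduled task running as a low-privilege account that only has read access to Active Directory and SYSVOL; the membership snapshot only needs to be writable by that account. The group-membership diff is the piece that turns a one-off check into monitoring: the first run records a baseline, every later run reports what changed, which is the alert the speaker describes when a new member appears in a high-value group.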