Don't trust your vendors - $ecurity can't be bought
Formal Metadata
Number of Parts: 254
License: CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/53046 (DOI)
Transcript: English (auto-generated)
00:20
Okay, I'm very happy to announce to you the talk "Security cannot be bought". How do you buy it? She's a regular at CCC events since 2007 and she's a security engineer who's managing corporate IT. So, the stage is yours.
00:45
Three years ago I was lucky enough to start a new job in a company which, when it came to modern IT infrastructure, was a late bloomer: a family-run company in the business for over 70 years. So security didn't have a high value.
01:03
Even IT only got higher importance in about 2010, imagine that. Luckily, luckily for me again, there was full management commitment on security when I started in that company.
01:22
Just to give you some numbers about the company right now: we have around 150 Windows servers and about 2000 Active Directory users, so it's not a small company anymore. Active Directory is a good keyword today; in this talk we will solely focus on Windows Active Directory
01:42
environments, but some parts could be interesting for non-Active Directory environments as well. When it comes to security requirements, we have to imagine a scale. On the one end of the scale there are, like, banks, high-tech industry, electricity suppliers.
02:02
But on the other end of that scale there are small and medium enterprises, traditional enterprises, low-tech companies or family-run companies, and today we will focus on the first third of the scale, the low-tech industry companies, because their requirements are way different from the high-tech industry companies, and
02:25
as I have worked in such a company for three years, I want to share the knowledge I gained in these three years with you today. First we need to define what is the threat we protect ourselves from, and
02:41
in this type of companies it's not targeted industrial sabotage, because, to be honest, we would have no chance at all. No chance. What we protect these companies from is shotgun attacks, mainly in the form of automated malware.
03:01
Can't we just install a super fancy security solution, or two or three, right, and then we are safe? No. Unfortunately we have limited resources, and these super fancy solutions need both people and money, and in these types of companies
03:21
there isn't even one full-time employee responsible for security, and also money sometimes is an issue. I am a passionate climber, and when I'm in front of a wall like this, sometimes I cannot see a way through; it seems impossible for me to climb. And the same goes for tech measures to improve security.
03:49
There is so much information nowadays, it's a curse and a blessing: there's Reddit, blogs, conferences. So you stand in front of your IT environment, that's that wall, and you've got enough ideas in your head,
04:04
but you just don't know where or how to start. And today in this talk I want to share the knowledge, or want to show you a path through that wall. So here are three sections we want to climb together today. It's people,
04:23
organization and of course tech, tech measures. Let's start with people first. Why people? Because behind those Windows Active Directory user accounts are people, the colleagues you work with are people, your customers are
04:40
people. I know it's very, very, very tempting: something happened again, company got hacked, millions of credit data records leaked. That's what you want to do, right? Facepalm. The thing is,
05:01
security people tend to believe everyone else is stupid, incompetent, sleazy, lazy, whatever. But it doesn't matter if it's because of missing knowledge, missing technology or even laziness, because in the end
05:20
you are responsible for the security in your company. You're responsible for your company not getting hacked. And how do you think a sysadmin will feel if you facepalm him, if you blame him? Will he enjoy working with you? Will he even come up with his own ideas? Or
05:41
will he rather play hide-and-seek with you? So, honestly: stop complaining. Complaining is not acting, and not acting is not taking responsibility, and not taking responsibility
06:01
is failing. That's all there is to say there. To add a little practical example of what I mean with that: imagine you wanted to introduce LAPS in your company, or probably some of you already have. The Local Administrator Password Solution, where there's
06:21
a different password for each client and it resets automatically. So imagine you would have one password for all your clients and you can look it up in there; it's maybe not that good. So you try, you could either go to your sysadmins and really, like, command that LAPS needs to be installed, or
06:47
maybe you could talk to them, listen to them, and they probably understand the necessity behind it if you explain it to them, because it's sometimes just missing knowledge.
07:00
But what they brought up is: you cannot copy the password from the LAPS UI to a password request in Windows. So when secure desktop is enabled, you can see it's black, you can't do this; but once you disable secure desktop, that's possible. Unfortunately that's not the password dialogue, but just imagine one, and
07:22
the question here now is: would we disable secure desktop? We lose a security feature. Or would we keep it? If we disable secure desktop, we then could roll out LAPS with the full support of all the tech guys. What would you choose?
07:46
When it comes to people and working together with people, we need to visualize what we want with them. Do you want to work in the 1950s Henry Ford assembly line, where you just do one task the whole time?
08:02
Or would you prefer to work in a modern Japanese assembly line, where you work together with your colleagues, where you can bring up your own ideas? In the next part we're going to talk about how to introduce this Japanese assembly line in our security organization.
08:26
When we think about our security organization, there are two requirements we need to fulfill: number one, see the overall process, like in the assembly line, and number two, have goals and have an end in mind.
08:40
See, and that's the thing: security never has an end, right? It's a continuous process, it goes on forever. But that's not a concept you can sell. People work like this: we want a task, we want to complete the task, we want to go home and be happy if we achieved something today.
09:02
So our job here now is to create these achievement moments. How do we do that? Here are three suggestions. Make the current status visible. This means create statistics, meaningful statistics. Here's an example: total vulnerabilities in the Windows server
09:23
environment; you can see how this goes down. Make a common goal, like it always must be below 500, whatever. Number two: create brick programs, make the goals visible. For example, we wanted to improve Windows environment security,
09:41
so we drew these fancy little bricks. There were goals behind that, things we wanted to discuss, and once it's done it was coloured. Print that out, you can put it somewhere in the office; it's made visible. Number three: at one point you probably already have a lot of ideas, at best not only yours
10:01
but also from your colleagues or your boss, and you need to prioritize them, because you can never do all of them. But before you prioritize them, you need to collect them and group them. What we use there is called Redmine; it's actually from software development. So we have several ideas collected, and we would also rate them.
10:25
You can see it on the right side, like a feasibility and effectiveness. Unfortunately this is not a talk about risk management, so I just added the link on how we do that at the end of the slides. So for this part,
10:41
prioritization is the key. And that all comes up in three steps, like these are building up on each other: it's past, present and future. In the past you see what you did, the current status; the brick programs define what you do now, your goals; and the idea repository is your future, what you want to do.
11:07
Let's climb our last section together, when I talk about tech and Windows Active Directory environments. An attack that's used very often is either pass-the-hash or pass-the-ticket.
11:24
It's meaning you don't try to steal a password, you try to steal a password hash or a Kerberos ticket from the Kerberos authentication process. So the first core principle to defend against this is the tier model.
11:40
That's also published and very well documented by Microsoft. So what do you do? You split your assets in three different levels, sometimes more, and typically these levels would be tier 0, your domain controllers; tier 1, your servers; and tier 2, your admin clients or clients. And on each level you have a user, so you don't only have one user, you have two, three, four, five users, and
12:08
the next step is you restrict access. So this is the technical implementation of the need-to-know principle that's so often in security management. So a tier 0 admin cannot log in on a tier 1 or tier 2 device.
12:28
But this core principle is of course not the only thing we can do. I prepared some quick wins I believe are easy to implement and do not cost anything. These are my three favourite ones. When it comes to free tools: use delegation.
12:44
There is Account Operators, it's a group in Active Directory where you can add and remove group membership, and because permissions are often steered, given by Active Directory groups, that's a sensitive group, and you could use delegation, best done with PowerShell.
13:03
There's a GUI, but with PowerShell it's better. So let's say that an admin from a specific country or branch can just work on specific OUs to add or remove membership. PowerShell constrained language mode: PowerShell is often used in attacks. What you can do is,
13:21
with a GPO, make sure that PowerShell cannot execute all commands. But of course this is only a small security improvement, because that can be reversed, but against malware that's a very good start. And the third one, it has the biggest impact:
13:40
reduce membership in high-value groups. That's a task that has no end and no goal: Administrators, Enterprise Admins, Schema Admins, Domain Admins; check these groups all the time. There are four more I just want to quickly note; I'm not talking about them because 20 minutes is not enough.
14:03
Maybe passwords in group policy preferences is something, just quickly: in group policy preferences there are sometimes clear-text passwords. With a script you can just check that regularly. Of course a password manager and a password policy is nothing new, but it's easy and it's free.
14:21
There are also so-called trackable quick wins, because many companies don't have a SIEM, because it's expensive, but you can build up your own security monitoring, and there are five trackable quick wins that I believe are nice. And what we do is, like, we have scheduled tasks, and these execute a PowerShell script.
14:45
For example, we check if the SSL certificates are running out; we check if to these previously mentioned high privilege groups users are added; if a domain admin logs in, because I believe nobody needs to be domain admin,
15:01
so I want to know when somebody uses his domain admin. I also gave up my domain admin membership for Christmas. There are sometimes passwords in Active Directory description fields, because that's convenient, right? And of course if a new admin is added to a local client or server, because we don't want that.
15:23
If you have a little bit more time, four of them: reduce Java and Flash. Of course, no client and no server needs Flash anymore; it's actually going to die at the end of 2020. Java should just be installed on request, of course.
15:40
The SMB versions and the encryption, as well as the database connection; you just have to check them all the time, what's going on. And where are the passwords, password hashes? That's one close to my heart, that one. For accounts there are five or six different GPOs where I can limit what can be done
16:02
or how that account can be used. So for users, I believe only "log on locally" should be allowed; like RDP or running a scheduled task or service is unnecessary. For admins, I could imagine, I think, RDP should be allowed as well, and for service accounts,
16:23
these are used as service accounts, so these should just be allowed to run services or batch jobs, which is a scheduled task. Of course every service account is different, so you need to define it for each account. The three last ones, the most important ones: we already talked about LAPS; the gMSA is a group managed service account.
16:46
We want to get rid of these normal service accounts: there's one password for the account, never changed, it's set to never expire and everybody knows it. Sometimes these are service accounts or even domain admins. So what you can do is use this group managed service account, where the password is
17:02
managed by the Active Directory and nobody knows it anymore, and it also gets changed regularly. Or, if you can't do that, reduce permissions, do these logon restrictions, logon times. So we have about 10% of group managed service accounts, and we are kind of stuck there
17:22
and can't really find more to switch. What's the most important measure after that core principle? It should actually look like this, because if you use smart cards, so many attacks don't work anymore,
17:42
especially for admins. And the thing is, that's the only measure on my slides which is not for free, but a modern smart card costs about $40, so even if you have 20, 30, 50 people in IT, that's very, very affordable. And with Windows it's a charm to roll out.
18:01
You just install it and it's just usable. At the end of the day, and at the end of the talk, we always need to ask ourselves: did we do the right thing? And how do we know if we did the right thing? Let's go full circle again and listen to the people.
18:23
For me, I know we did the right thing when somebody puts himself on that security train, as one of my colleagues who wrote that email where he said: I just removed the last Windows XP machine. And I didn't tell him to do that.
18:41
He was just really, really proud and he sent out this email, and I have 10 to 15 printed emails like this on my desk in the office. A second one which I really, really enjoyed, by another colleague: I told you we have this monitoring where you get alarmed when there's a new admin, local admin.
19:00
So that guy found it out and contacted the guy who's responsible in that country and said: Why, why is there a local admin? Please explain it to me, we don't accept local admins. And I just love what language he used for this, and you know, we just created this monitoring and it's so nice to see how people
19:22
actually use it in their day-to-day work. So, the talk is over. Just to sum it up, what are the three ideas we have? When we talk about people, we should stop complaining and start listening. When we talk about organization,
19:42
we say make it visible. And when we talk about tech: the key is the tier model. Thank you. Thank you, Marilis, for your talk. So unfortunately we don't have time for questions for this talk,
20:05
so as always