Top 10 Security Mistakes

Posted on 24-Feb-2016


TRANSCRIPT

Presented by: CMS Consulting Inc.
Visit us online at http://www.cms.ca

Top 10 Security Mistakes

Your Presenter

Brian Bourne
CMS Consulting Inc, President
Toronto Area Security Klatch, Co-Founder
Black Arts Illuminated Inc., Director

Fancy Credentials: CISSP, MCT, MCSE:Security

Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange - SMS - ISA - MOM - Clustering - Office - Desktop Deployment - SQL - Terminal Services - Security Assessments - Lockdown - Wireless

Training by Experts for Experts
MS Infrastructure - Security - Vista and Office Deployment

Visit us online: www.cms.ca
Downloads - Resources - White Papers

For Security Solutions
For Advanced Infrastructure
For Network Solutions
For Information Worker
For Mobility Solutions

CMS Consulting Inc.


Agenda Today

Top 10 Security Mistakes
Based on the results of numerous health check and assessment service offerings

Top 10 Areas for Security Improvement
Based on feedback from the consulting team at CMS

1. Password Management

This is painfully obvious and still a problem at every customer. Problems include:

Poor policy or poor policy enforcement
Password re-use (e.g. FileMaker password = Domain password = Banking password)
User training: hey, did you know a simple sentence is complex? “My first born is Grant.”
Password storage

2. Patches and Upgrade

Typical issues:
No inventory of software and hardware (no idea what to patch)
No reporting of patch status or deployment
Legacy software that’s simply unpatchable
Software that followed the “deploy and forget” methodology

Remember: all software and hardware needs patching, not just Microsoft! Especially security products!

3. NTFS and Share Permissions

Everyone, Full Control, Everywhere
Anonymous is part of Everyone!

Simple rules:
Permissions are cumulative, except Deny wins.
Never grant permissions to users. Grant to groups.
Avoid upgrading W2K. Install W2K3 fresh.
Use security templates and Group Policy to set/maintain security
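As an added example (not part of the deck), the following models the slide's two rules, cumulative Allow with Deny winning, and Everyone reaching anonymous callers, and lints an ACL for the mistakes named above. The rights bitmask, the share name and the principals are constructed; the explicit-versus-inherited ordering of real NTFS ACEs is deliberately left out.

```python
from dataclasses import dataclass

READ, WRITE, DELETE = 1, 2, 4  # constructed, simplified NTFS-style rights
FULL = READ | WRITE | DELETE

@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name, e.g. "Everyone" or "Finance"
    rights: int         # bitmask of the rights above
    allow: bool = True  # False makes this an explicit Deny entry

def identities(user, groups, authenticated):
    """Principals an access check matches. Everyone always applies (on Windows
    2000 that included Anonymous); Authenticated Users needs a logged-on account."""
    ids = {user, "Everyone"} | set(groups)
    if authenticated:
        ids.add("Authenticated Users")
    return ids

def effective_rights(user, groups, acl, authenticated=True):
    """Slide rule: Allow entries accumulate across every matching principal;
    a Deny on any matching principal removes that right regardless."""
    ids = identities(user, groups, authenticated)
    allowed = denied = 0
    for ace in acl:
        if ace.principal in ids:
            if ace.allow:
                allowed |= ace.rights
            else:
                denied |= ace.rights
    return allowed & ~denied

def lint_acl(acl, known_users):
    """Flag the two mistakes the slide names: Everyone/Full Control, and Allow
    entries granted to individual users instead of groups."""
    findings = []
    for ace in acl:
        if ace.allow and ace.principal == "Everyone" and ace.rights == FULL:
            findings.append("Everyone has Full Control (reaches anonymous callers)")
        if ace.allow and ace.principal in known_users:
            findings.append(f"Allow granted directly to user {ace.principal}; use a group")
    return findings

# Constructed sample ACL on a payroll share.
PAYROLL_ACL = [
    Ace("Everyone", FULL),                            # the classic mistake
    Ace("Finance", READ | WRITE),
    Ace("Contractors", WRITE | DELETE, allow=False),  # explicit Deny
    Ace("bob", DELETE),                               # direct user grant
]
```

With the Everyone entry present an unauthenticated caller gets Full Control, while a contractor keeps Read because the Deny strips only Write and Delete; removing that one entry drops the anonymous caller to nothing.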

4. Too much privilege!

No one seems to follow the rule of least privilege. Enumerate the following groups:

Enterprise, Domain and Schema Administrators
Server, Print and Backup Operators

Service accounts need special treatment:
Separate OU with GPOs limiting rights
Should be “Administrators”, not DA or EA!

Use OUs and delegate required administrative functions

5. Administrative Practices

Please don’t use a DA account for day to day activity.
Better yet, don’t use a DA from anything but a designated high security, administrative workstation (think about bad things like keyloggers when logging in from untrusted machines).
Guard EA accounts!
Don’t share the administrator password. At minimum, you want some level of non-repudiation.

6. Unused Services

The most common installed and unneeded service? Any guesses? (IIS)
Reduce the attack surface! Define role-based templates

Test, test, test
Enforce by GPO!

Good guide to understanding services:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/prodspecs/win2ksvc.mspx

7. Auditing and Logging

How will we ever know if something happens?
How will we ever be able to piece together “the crime scene” without any evidence?
Audit only what’s important. Think beyond Windows events: applications, firewalls, switches, etc.
Consider log shipping also.

8. Missing or Incomplete Backups

System State on all FSMO role holders.
Critical data everywhere else.
Remember to test procedures with restores
Consider encryption/password protection to prevent unauthorized restores
Offsite storage, secured fireproof vault
Part of a larger Disaster Recovery plan

9. Security Education and Awareness

For IT staff:
Security architecture
Secure operating procedures
Understanding of attack methods
Defence in depth techniques

For all staff:
Awareness training
Email and Internet usage
Social engineering awareness

10. Incident Response

Have a plan and have training!
DO NOT:

Touch the computer.
Delete files.
Or frankly react in any way without a carefully thought out and professionally approved plan!


Bonus Material

Things People Need to Think More About:
1. Funding for security
2. Application filtering and layer 7 firewalls
3. Intrusion detection and prevention
4. Incident response planning and training
5. Security policy, usage policy
6. Log collection, management and correlation
7. Physical controls
8. Network controls (who can plug in)
9. Firewalls should not look like Swiss cheese (Hint: use IPSec instead)
10. VPN controls and other remote access methods

Security Education Conference in Toronto

November 20 – 21, 2007, MTCC, Toronto, ON, Canada
http://www.sector.ca/

CMS Training Offerings

INSPIRE Infrastructure Workshop
4 days of classroom training - demo intensive
AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server

Business Desktop Deployment - Deploying Vista/Office
3 days of classroom training - hands-on labs (computers provided)
Business Desktop Deployment concepts, tools, processes, etc. for Vista and Office

Securing Internet Information Services
Securing Active Directory
Securing Exchange 2003

1 day of classroom training per topic

TRAINING BY EXPERTS FOR EXPERTS

Contacting Us

Brian Bourne, President - brian@cms.ca
Robert Buren, VP Business Development - robert@cms.ca

CMS Consulting Inc. – http://www.cms.ca/

CMS Training – http://www.cms.ca/training/

Toronto Area Security Klatch – http://www.task.to/

Q & A
Thank You!

Visit: CMS Consulting at http://www.cms.ca

Join: Toronto Area Security Klatch at http://www.task.to

Register: Security Education in Toronto at http://www.sector.ca

CMS Consulting Inc.
