Dark Alleys of the Internet
Updated 2015
For System and Network Administrators
Do the Right Thing!
Attack Statistics
» AU Border Firewall
» Over 34,000 blocked connections per minute (taken 7/28/2015 at 2pm)
» WordFence for WordPress
  • 100+ blocked login attempts (10 per incident) per day to a personal, unpublicized WP site over 3 days
Passwords on a Sticky Note?
How to stop the sharing madness
Passwords
» No reason to share passwords because you can use:
  • Shared files/folders
  • Permissions settings
  • Remote Desktop
  • E-mail Proxy
  • Web 2.0 products
Managing Passwords
» Trade-offs
  • Different passwords for different systems
  • Require passwords to change
» Password Managers
  • KeePass
  • LastPass
  • LifeHacker Choices
  • http://lifehacker.com/lifehacker-faceoff-the-best-password-managers-compare-1682443320
» Creating memorable passphrases
  • “1wb0rniDaleCH.” (I was born in Dale County Hospital.)
Network Protocols
Help protect users
Secure All Protocols
» Telnet -> SSH
» FTP -> SFTP
» SSL Certificates
  • LDAP -> LDAPS
  • HTTP -> HTTPS
» Require Secure Protocols for authenticated Applications
Plain-text Protocols
Secure Protocol
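An added example, not part of the original slides: a small Python audit that reads listening-socket output in the `ss -tlnH` column layout and flags the plain-text services paired above with their secure replacements. The sample lines, the function names and the reliance on default port numbers are assumptions.

```python
import ipaddress

# Plain-text protocol -> secure replacement, as paired on the slide.
# Assumption: services run on their default ports.
PLAINTEXT = {
    23: ("Telnet", "SSH"),
    21: ("FTP", "SFTP"),
    389: ("LDAP", "LDAPS"),
    80: ("HTTP", "HTTPS"),
}

# Constructed sample in the column layout of `ss -tlnH`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 10.1.2.3:389 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 32 [::]:21 [::]:*
"""

def split_hostport(local):
    """Split '10.1.2.3:389' or '[::]:21' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def exposure(host):
    """Describe how widely a listening address is reachable."""
    if host in ("*", "0.0.0.0", "::"):
        return "all interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback only"
    return "internal address" if ip.is_private else "public address"

def audit(ss_output):
    """Return (protocol, port, exposure, replacement) per plain-text listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_hostport(fields[3])
        if port in PLAINTEXT:
            name, secure = PLAINTEXT[port]
            findings.append((name, port, exposure(host), secure))
    return findings

if __name__ == "__main__":
    for name, port, where, secure in audit(SAMPLE):
        print(f"{name} on port {port} ({where}): replace with {secure}")
```

Listeners reported as "all interfaces" are the ones to migrate first; a plain-text service bound to loopback only is not exposed on the network.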
SSL Certificates
» Recognized Certificate Authority - $$
» Pre-installed
  • Verisign
  • CyberTrust
  • Thawte
» Self-signed Certificates – free
» Manual Install
  • eXtension
  • AU
VS
Root Certificates
» Internet Explorer
  • Internet Options
  • Content
  • Certificates
Self-Signed Certificates
» Products
  • Microsoft Certificate Authority
  • Mac OS - Keychain
  • Linux - OpenSSL
» Trouble is that people do BYOD and then get certificate errors. Training people to accept errors is bad.
Secure Network Access
For the Road Warriors
Virtual Private Network
» VPN provides unlimited access to campus network
» Prevent eavesdropping
» Treat off-campus just like WiFi
An insecure transmission medium
Public/Private WiFi
» Restrict open WiFi ports/protocols
» Encourage VPN
  • Better encryption
  • Unrestricted access
  • Restrict OS announcements
  • Gain benefit of University border firewall
  • Restrict services to internal IPs
» Enable Security
  • Prevent stealing bandwidth
  • Add some security to insecure sites
Remote Access
» Remote Desktop
» Bomgar, LogMeIn, etc.
» Shared space access
» Printer access
» Internal websites
Other References
» Bruce Schneier’s http://www.schneier.com
» SANS’ “@RISK: The Consensus Security Alert”
Thank You
Until it goes missing, security is a boring obstacle to productivity in the minds of most people. Don’t be most people.