System Admin Security Training

Posted on 26-Feb-2016


DESCRIPTION

System Admin Security Training, by the Orange Team (PowerPoint presentation). Overview: System Admin Duties; Employee Documents and Security Controls; Security Threats; Threat Mitigation; Incident Response. System admin duties include performing backup and restore of data, adding and removing users, and adding and removing hardware and software.

TRANSCRIPT

System Admin Security Training

Orange Team

Overview
- System Admin Duties
- Employee Documents and Security Controls
- Security Threats
- Threat Mitigation
- Incident Response

System Admin Duties
- Perform backup and restore data
- Add and remove users
- Add and remove hardware and software
- Configure and maintain hardware and software
- General user support
- Maintain documentation and licenses
- Negotiate with vendors
- System planning
- Security management

System Admin Duties (continued)
- Monitor system resource usage and performance
- Detect and correct problems
- Optimize performance
- Manage resources
- Automate tasks
- Determine and enforce usage policy
- Educate users
- Corporate priority liaison

A Lot Of Things To Do…
… and it’s better to do them securely!
- “Bake in” security
- Can’t anticipate all problems
- Can limit the problems you have

Perform Backup and Restore Data
- Encrypt backups
- Secure storage
  o Physical access control
  o Environmental protections
- Controlled restorations
  o No network connections
  o Clean destination (no malware)
  o Verified assistance
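One concrete control behind "controlled restorations" is to refuse a restore when the backup set in storage no longer matches what was written. The following is an added example, not from the slides: it signs a manifest of the backup set with an HMAC at backup time and checks every file against it before restoring. The file contents and the key are constructed for the demonstration.

```python
"""Integrity-checked restore: sign a manifest when the backup is written, refuse media that no longer match."""
import hashlib
import hmac

# Constructed backup set (path -> bytes) standing in for files on the media.
BACKUP_SET = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/hosts": b"127.0.0.1 localhost\n",
}
# Constructed key; in practice it lives in a secrets store, never on the media.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def build_manifest(files, key):
    """Return (manifest, tag): one 'sha256 path' line per file plus an
    HMAC-SHA256 over the whole manifest so lines cannot be edited unnoticed."""
    lines = [f"{hashlib.sha256(data).hexdigest()} {path}"
             for path, data in sorted(files.items())]
    manifest = "\n".join(lines) + "\n"
    tag = hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()
    return manifest, tag


def verify_backup(files, manifest, tag, key):
    """Return a list of problems; an empty list means the set may be restored."""
    expected = hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["manifest signature mismatch"]  # do not trust any of its lines
    listed = {}
    for line in manifest.splitlines():
        digest, path = line.split(" ", 1)
        listed[path] = digest
    problems = []
    for path, digest in listed.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            problems.append(f"altered: {path}")
    for path in files:
        if path not in listed:
            problems.append(f"unexpected file: {path}")  # not in the signed set
    return problems


def demo_tampered_restore():
    """Sign the set, tamper with one file in storage, and compare the verdicts."""
    manifest, tag = build_manifest(BACKUP_SET, MANIFEST_KEY)
    tampered = dict(BACKUP_SET)
    tampered["etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"
    return (verify_backup(BACKUP_SET, manifest, tag, MANIFEST_KEY),
            verify_backup(tampered, manifest, tag, MANIFEST_KEY))
```

The manifest detects altered, missing and planted files; encryption of the backup contents (the slide's first point) is a separate layer on top of this integrity check.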

Add and Remove Users
- Old accounts can be used as a backdoor
- Completely remove old access rights
- Add users while adhering to…
  o Need-to-know
  o Minimum privilege
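Finding the old accounts this slide warns about is a routine check. The following is an added example, not from the slides: it audits constructed /etc/passwd-style records and last-login dates for interactive accounts that are idle or never used, and for extra UID 0 accounts. The 90-day idle threshold and the approved-root list are assumed policy values.

```python
"""Stale and orphaned account audit over constructed passwd and last-login data."""
from datetime import date

# Constructed /etc/passwd-style records (name:x:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (left 2015):/home/bob:/bin/bash
svc_backup:x:1003:1003:backup service:/var/backups:/bin/sh
toor:x:0:0:old admin:/root:/bin/bash
"""

# Constructed last-login dates; an account absent here has never logged in.
LAST_LOGIN = {"root": date(2016, 2, 20), "alice": date(2016, 2, 25),
              "bob": date(2015, 6, 1)}
AUDIT_DATE = date(2016, 2, 26)

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
APPROVED_UID0 = {"root"}   # assumed policy: only root may hold UID 0
STALE_DAYS = 90            # assumed policy: review after 90 idle days


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            yield fields[0], int(fields[2]), fields[6]


def audit_accounts(passwd_text, last_login, today):
    """Return (name, reason) findings: unapproved UID 0 accounts, and
    interactive accounts that never logged in or are past STALE_DAYS."""
    findings = []
    for name, uid, shell in parse_passwd(passwd_text):
        if uid == 0 and name not in APPROVED_UID0:
            findings.append((name, "unapproved UID 0 account"))
        if shell in NOLOGIN_SHELLS:
            continue   # cannot be used for interactive login
        last = last_login.get(name)
        if last is None:
            findings.append((name, "interactive shell, never logged in"))
        elif (today - last).days > STALE_DAYS:
            findings.append((name, f"no login for {(today - last).days} days"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_accounts(PASSWD, LAST_LOGIN, AUDIT_DATE):
        print(f"{name}: {reason}")
```

Each finding is a candidate for disabling or removal, to be confirmed against the joiner/leaver records before acting.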

Add and Remove Hardware and Software
- Inform users of potential outages
- Secure install
  o Configure first
  o Attach to network as late as possible
- Secure removal
  o Install replacements first
  o Avoid loss of functionality
  o Dispose securely (data retrieval)

Configure and Maintain Hardware and Software
- Keep copies of configurations
- Configure new elements before attaching to network
- Use standard maintenance routines
  o Document
  o Update
- Verified assistance

General User Support
- Beware of social engineering
- Callers provide credentials
  o Educate users to safeguard credentials
  o Do not prompt
- Safeguard credentials
  o Do not reveal unnecessarily
  o Protect methods for credential creation

Maintain Documentation and Licenses
- Document procedures
  o New SA education
  o Consistency
  o Audit assurance
- Do not use illegitimate software
  o Cheaper
  o Unethical
  o Illegal
  o Insecure

Negotiate With Vendors
- Licensed products can get expensive
- Minimize the cost of secure behavior
- Vendor relationships are important
  o Inform them of security concerns
  o Request new products/solutions
  o Receive updated hardware/firmware/software
  o Continued business is valued and will be rewarded

System Planning
- Scaling
  o Security problems and solutions scale differently
  o New node = new possible failure
  o New AV != more secure
- Assessing new technology
  o Anticipate problems
  o “Shinier” does not mean “safer”
- Anticipating and avoiding problems
  o Malware/attack trends
  o Follow day-to-day guidelines strictly

Security Management
- “An ounce of prevention is worth a pound of cure.”
- Prioritize security
- Ideal management solution
  o Simple
  o Reproducible
  o Covers security needs
- Your job, not the users’

Monitor System Resource Usage and Performance
- Do not invade privacy
- Use data to…
  o Identify future purchases
  o Notice potential threats
    • Excessive or unusual usage
    • Antivirus logs
  o Ensure expectations are met (SLA)
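"Excessive or unusual usage" is easier to notice against each account's own baseline than against a single fixed limit. The following is an added example, not from the slides: it keeps only per-user daily transfer volumes (no content, in line with the privacy point above) and flags today's figure when it sits well outside that user's history. The volumes are constructed, and the 3-sigma rule and 100 MB floor are assumed thresholds.

```python
"""Flag excessive or unusual per-user usage against each user's own baseline."""
from statistics import mean, pstdev

# Constructed daily outbound transfer volumes (MB): 14 days of history per
# user, then today's figure. Only volumes are kept, never content.
HISTORY = {
    "alice": [210, 195, 230, 205, 220, 198, 215, 225, 200, 210, 205, 218, 207, 212],
    "bob": [40, 55, 38, 60, 45, 50, 42, 58, 47, 44, 52, 49, 41, 46],
    "svc_backup": [5000, 5100, 4900, 5050, 4980, 5020, 5010,
                   4990, 5060, 4970, 5030, 5000, 5040, 5010],
}
TODAY = {"alice": 230, "bob": 1900, "svc_backup": 5020}

SIGMA = 3.0         # assumed: flag values beyond mean + 3 standard deviations
MIN_DELTA_MB = 100  # assumed: ignore small absolute changes on quiet accounts


def is_unusual(history, today):
    """True if today's volume exceeds the user's baseline by both the
    statistical margin and the absolute floor (keeps tiny accounts quiet)."""
    base, spread = mean(history), pstdev(history)
    return today > base + SIGMA * spread and today - base > MIN_DELTA_MB


def find_unusual_usage(history, today):
    """Return [(user, today_mb, baseline_mb)] for accounts worth a closer look."""
    flagged = []
    for user, values in history.items():
        if is_unusual(values, today[user]):
            flagged.append((user, today[user], round(mean(values), 1)))
    return flagged


if __name__ == "__main__":
    for user, mb, base in find_unusual_usage(HISTORY, TODAY):
        print(f"{user}: {mb} MB today vs. {base} MB baseline")
```

Note that the high-volume backup account is not flagged: large is normal for it, which is exactly why a per-user baseline beats one global limit.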

Detect and Correct Problems
- Use system monitoring devices
- Preemptive corrections
  o Patching
  o Updating
  o Upgrading
- Reactive corrections
  o See incident response

Optimize Performance
- Users get frustrated with poor system performance
- Users will optimize for themselves
  o Non-compliance
  o Installing adware/freeware
  o Working around slow or ineffective processes
- Don’t optimize by removing/compromising security

Manage Resources
- Know what you have and use
- Bad situations
  o Unaccounted-for router on network
  o Unconfigured workstation
  o Ordering unneeded license keys
- Wasting resources leads to budget cuts and layoffs
- Misplacing resources leads to vulnerabilities

Automate Tasks
- Script day-to-day tasks
- Focus extra time on harder tasks
- Don’t introduce security holes
  o Unauthorized use of privileged scripts/programs
  o Scripts disabling security features
  o Testing/debugging/configuration programs used on the ‘live’ network

Determine and Enforce Usage Policy
- Correct usage is essential
- Meaningless without enforcement

Educate Users
- A smart user is a safe user
- Eliminate “low hanging fruit”
  o Social engineering
  o Bad links
  o Phishing emails
  o Removable media

Corporate Priority Liaison
- Competing goals
  o Management’s budget
  o Your security
  o Customer’s service needs
  o Employee convenience
- Security needs to win
  o Sell to management
  o Educate users

Employee Documents
- Acceptable Use Policy (AUP)
- Service Level Agreement (SLA)
- Non-Disclosure Agreement (NDA)
- Employee Contract
It is your responsibility to enact them if there are no such documents.

Security Controls
- Need-to-know
- Security awareness training
- Separation of duties
- Job rotation
- Vacations
- Auditing/reviews

Security Threats
- External
  o Hacking
  o E-mail attacks
- Internal
  o Malware
  o Ignorance
  o Insider

Security Threats: Hacking
- Exploitation of web services
- Poorly configured gateways
- Use of backdoors
  o Social engineering
  o Previous intrusion
  o Internal collaborator

Security Threats: E-mail
- Phishing
- Spam
- Trojans
- Viruses

Security Threats: Malware
- Many sources
  o Hacking
  o Insider
  o Ignorance
- Spreads quickly
- Uses up resources

Security Threats: Ignorance
- Clicking bad links
- Poor e-mail discretion
- Downloading malware
- USB attacks

Security Threats: Insider
- Usually hardest to detect
  o They know the system
  o Sometimes a privileged user
- Disgruntled employee
- Abuse of trust

Threat Mitigation
- Preparation
  o Security practices
  o Education
- Incident Response Plan
  o If none, create one
- Form a Computer Security Incident Response Team (CSIRT)
  o Individuals capable of correct response
  o Include members of management

Incident Response
- Identify
- Initial Response
  o Record basic details
  o Assemble CSIRT
  o Notify important individuals
- Formulate strategy
- Investigate
  o Thorough data collection
  o Determine what/who/how
- Report
- Resolve

Rules To Work By
- A smart user is a safe user
- Policy enforcement is the first step to a secure system
- Put security first in everything you do

Bibliography
Mandia, Kevin, Chris Prosise, and Matt Pepe. Incident Response & Computer Forensics. 2nd ed. N.p.: Brandon A. Nordin, n.d. 11-32. Print.
