Top 10 Security Mistakes

Presented by: CMS Consulting Inc. Visit us online at http://www.cms.ca

Uploaded by marli, posted 24-Feb-2016

TRANSCRIPT

Page 1: Top 10 Security Mistakes

Presented by: CMS Consulting Inc. Visit us online at http://www.cms.ca

Top 10 Security Mistakes

Page 2: Top 10 Security Mistakes

Your Presenter

Brian Bourne
CMS Consulting Inc, President
Toronto Area Security Klatch, Co-Founder
Black Arts Illuminated Inc., Director

Fancy Credentials: CISSP, MCT, MCSE:Security

Page 3: Top 10 Security Mistakes

Microsoft Infrastructure and Security Experts
Active Directory - Windows Server - Exchange - SMS - ISA - MOM - Clustering - Office - Desktop Deployment - SQL - Terminal Services - Security Assessments - Lockdown - Wireless

Training by Experts for Experts
MS Infrastructure - Security - Vista and Office Deployment

Visit us online: www.cms.ca
Downloads - Resources - White Papers

For Security Solutions
For Advanced Infrastructure
For Network Solutions
For Information Worker
For Mobility Solutions

CMS Consulting Inc.

Page 4: Top 10 Security Mistakes


Agenda Today

Top 10 Security Mistakes: based on the results of numerous health check and assessment service offerings

Top 10 Areas for Security Improvement: based on feedback from the consulting team at CMS

Page 5: Top 10 Security Mistakes

1. Password Management

This is painfully obvious and still a problem at every customer. Problems include:

- Poor policy or poor policy enforcement
- Password re-use (e.g. FileMaker password = Domain password = Banking password)
- User training - hey, did you know a simple sentence is complex? "My first born is Grant."
- Password storage

Page 6: Top 10 Security Mistakes

2. Patches and Upgrade

Typical issues:

- No inventory of software and hardware (no idea what to patch)
- No reporting of patch status or deployment
- Legacy software that's simply unpatchable
- Software that followed the "deploy and forget" methodology

Remember: all software and hardware needs patching, not just Microsoft! Especially security products!

Page 7: Top 10 Security Mistakes

3. NTFS and Share Permissions

Everyone, Full Control, Everywhere. Anonymous is part of Everyone!

Simple rules:

- Permissions are cumulative, except Deny wins.
- Never grant permissions to users. Grant to groups.
- Avoid upgrading W2K. Install W2K3 fresh.
- Use security templates and group policy to set/maintain security.
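An added example, not from the CMS deck, that puts the two rules above into PowerShell: an audit that walks a folder tree and reports Allow entries granting Full Control to Everyone or similarly broad principals, and a small evaluator that combines ACEs the way the slide describes (allows accumulate, any Deny strips those bits). The evaluator is the slide's simplification, not Windows' full algorithm, which also orders explicit ACEs before inherited ones; the share path, the CORP\Interns group and the sample ACEs are constructed for the example.

```powershell
# Added example, not from the CMS slides. Windows PowerShell 3.0 or later,
# built-in cmdlets only. Paths and principals are placeholders.
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

# Rule 1 audit: find Allow ACEs that hand Full Control to broad principals.
# "Everyone" includes anonymous on older Windows, which is the slide's point.
function Find-BroadFullControl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $BroadPrincipals = @('Everyone', 'NT AUTHORITY\ANONYMOUS LOGON',
                                         'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    )
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skip it, keep auditing the rest
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $FullControl) -eq $FullControl) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Rule 2 evaluator: allows accumulate across every ACE naming the user or one of
# their groups; a Deny removes those bits no matter how many allows granted them.
function Get-EffectiveRights {
    param(
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemAccessRule[]] $Access,
        [Parameter(Mandatory)] [string[]] $Principals   # user plus every group they belong to
    )
    $allow = 0; $deny = 0
    foreach ($ace in $Access) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits }
        else                                     { $deny  = $deny  -bor $bits }
    }
    [System.Security.AccessControl.FileSystemRights]($allow -band (-bnot $deny))
}

# Constructed ACL: the classic "Everyone, Full Control" plus a Deny on an interns group.
$sampleAcl = @(
    (New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Allow')),
    (New-Object System.Security.AccessControl.FileSystemAccessRule('CORP\Interns', 'Write', 'Deny'))
)
# The intern keeps everything except the Write bits; any other user gets Full Control.
Get-EffectiveRights -Access $sampleAcl -Principals 'CORP\jdoe', 'Everyone', 'CORP\Interns'
Get-EffectiveRights -Access $sampleAcl -Principals 'CORP\asmith', 'Everyone'

# Run the audit against a share root (placeholder path).
Find-BroadFullControl -Path 'D:\Shares\Public' | Format-Table -AutoSize
```

The audit reports rather than fixes: once the findings are agreed, apply the replacement ACLs through a security template or GPO as the slide's last rule says, so the next assessment does not find the same Everyone entries recreated by hand.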

Page 8: Top 10 Security Mistakes

4. Too much privilege!

No one seems to follow the rule of least privilege. Enumerate the following groups:

- Enterprise, Domain and Schema Administrators
- Server, Print and Backup Operators

Service accounts need special treatment:

- Separate OU with GPOs limiting rights
- Should be "Administrators", not DA or EA!

Use OUs and delegate required administrative functions.
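An added example, not from the CMS deck, of the enumeration the slide asks for: it expands each privileged group recursively (so nested membership is not missed) and flags accounts that carry a service principal name, which on a Domain Admins or Enterprise Admins member usually means the service account the slide says belongs in Administrators instead. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the output file name is a placeholder.

```powershell
# Added example, not from the CMS slides. Needs the ActiveDirectory module (RSAT)
# and ordinary read access to the domain; it does not need to run as an admin.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        # The groups the slide says to enumerate, plus built-in Administrators,
        # since the slide says service accounts belong there rather than in DA/EA.
        [string[]] $Groups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins',
                               'Administrators', 'Server Operators', 'Print Operators', 'Backup Operators')
    )
    foreach ($group in $Groups) {
        try {
            # -Recursive expands nested groups so indirect membership shows up too.
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Cannot enumerate '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($member in $members) {
            $user = $null
            if ($member.objectClass -eq 'user') {
                $user = Get-ADUser -Identity $member.distinguishedName `
                    -Properties Enabled, PasswordNeverExpires, ServicePrincipalName, LastLogonDate
            }
            [pscustomobject]@{
                Group                = $group
                Member               = $member.SamAccountName
                ObjectClass          = $member.objectClass
                Enabled              = $user.Enabled
                PasswordNeverExpires = $user.PasswordNeverExpires
                # An SPN on a privileged account usually means a service account.
                HasSPN               = ($user -and $user.ServicePrincipalName.Count -gt 0)
                LastLogonDate        = $user.LastLogonDate
            }
        }
    }
}

# Keep the full list for the review meeting, then show the worst case first:
# service accounts sitting in DA or EA.
$report = Get-PrivilegedGroupReport
$report | Sort-Object Group, Member | Export-Csv -Path .\privileged-accounts.csv -NoTypeInformation
$report | Where-Object { $_.HasSPN -and $_.Group -in 'Domain Admins', 'Enterprise Admins' } |
    Format-Table Group, Member, Enabled, PasswordNeverExpires, LastLogonDate -AutoSize
```

Disabled members, accounts with passwords that never expire and accounts with no recent logon are the usual candidates for removal; re-run the report after each cleanup so the privileged set is known rather than assumed.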

Page 9: Top 10 Security Mistakes

5. Administrative Practices

- Please don't use a DA account for day-to-day activity.
- Better yet, don't use a DA from anything but a designated high-security administrative workstation (think about bad things like keyloggers when logging in from untrusted machines).
- Guard EA accounts!
- Don't share the administrator password. At minimum, you want some level of non-repudiation.

Page 10: Top 10 Security Mistakes

6. Unused Services

The most common installed and unneeded service? Any guesses? (IIS)

- Reduce the attack surface! Define role-based templates.
- Test, test, test.
- Enforce by GPO!

Good guide to understanding services: http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/prodspecs/win2ksvc.mspx
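An added example, not from the CMS deck, of checking a server against a role-based template: it lists running services that the template for the role does not expect, flags the slide's example (IIS, service name W3SVC) explicitly when it is running on a box that is not a web server, and notes template services that are not running. The file-server template is a constructed allowlist for illustration, not a Microsoft baseline; build your own per role from the services guide linked above.

```powershell
# Added example, not from the CMS slides. Built-in cmdlets only. The template
# below is a constructed allowlist for a plain file server, not a vendor baseline.
$FileServerTemplate = @(
    'EventLog', 'RpcSs', 'Dnscache', 'Dhcp', 'LanmanWorkstation', 'LanmanServer',
    'Netlogon', 'W32Time', 'wuauserv', 'Schedule', 'PlugPlay'
)

function Compare-ServiceBaseline {
    param(
        [Parameter(Mandatory)] [string[]] $Template,   # services expected to run for this role
        [string[]] $NeverOnThisRole = @('W3SVC')        # IIS, the slide's example, on a non-web role
    )
    $running = Get-Service | Where-Object { $_.Status -eq 'Running' }
    foreach ($svc in $running) {
        if ($NeverOnThisRole -contains $svc.Name) {
            [pscustomobject]@{ Service = $svc.Name; DisplayName = $svc.DisplayName
                               Finding = 'Forbidden for this role: disable' }
        } elseif ($Template -notcontains $svc.Name) {
            [pscustomobject]@{ Service = $svc.Name; DisplayName = $svc.DisplayName
                               Finding = 'Not in role template: review' }
        }
    }
    foreach ($name in $Template) {
        if ($running.Name -notcontains $name) {
            $display = (Get-Service -Name $name -ErrorAction SilentlyContinue).DisplayName
            [pscustomobject]@{ Service = $name; DisplayName = $display
                               Finding = 'Expected by template but not running' }
        }
    }
}

# Report only. Once the template is agreed and tested, enforce it with a GPO
# (Computer Configuration > Windows Settings > Security Settings > System Services)
# rather than hand-editing each server.
Compare-ServiceBaseline -Template $FileServerTemplate | Sort-Object Finding, Service | Format-Table -AutoSize
```

Expect a long "review" list the first time on a modern server; the point of the exercise is to turn that list into an agreed template per role, test it, and then let group policy keep every server of that role on it.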

Page 11: Top 10 Security Mistakes

7. Auditing and Logging

- How will we ever know if something happens?
- How will we ever be able to piece together "the crime scene" without any evidence?
- Audit only what's important.
- Think beyond Windows events: applications, firewalls, switches, etc.
- Consider log shipping also.
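An added example, not from the CMS deck, of the kind of evidence the slide is asking for: a summary of failed logons from the Security log, grouped by account and source address, which is usually the first thing pieced together at "the crime scene". It uses event ID 4625 (Windows Vista/Server 2008 and later) and only returns anything if logon failure auditing is enabled, which is exactly the slide's point about deciding what to audit; the computer name and time window are parameters you choose.

```powershell
# Added example, not from the CMS slides. Built-in cmdlets only. Event 4625 exists
# only when "Audit Logon" failure auditing is switched on for the host being queried.
function Get-FailedLogonSummary {
    param(
        [int] $Hours = 24,
        [string] $ComputerName = $env:COMPUTERNAME   # point at each DC or member server in turn
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Source    = $data.IpAddress
            LogonType = $data.LogonType
            # 0xC000006A bad password, 0xC0000064 unknown user name, 0xC0000234 account locked out
            SubStatus = $data.SubStatus
        }
    }
}

# Who is failing most, and from where? Many accounts from one source looks like a
# sweep; one account from many sources looks like a shared or admin account under guessing.
Get-FailedLogonSummary -Hours 24 |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```

Run this against the log copy on the collector rather than the live server once log shipping is in place; an attacker who reaches the host can clear the local Security log, but not the copy that already left.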

Page 12: Top 10 Security Mistakes

8. Missing or Incomplete Backups

- System State on all FSMO role holders.
- Critical data everywhere else.
- Remember to test procedures with restores.
- Consider encryption/password protection to prevent unauthorized restores.
- Offsite storage, secured fireproof vault.
- Part of a larger Disaster Recovery plan.

Page 13: Top 10 Security Mistakes

9. Security Education and Awareness

For IT staff:

- Security architecture
- Secure operating procedures
- Understanding of attack methods
- Defence in Depth techniques

For all staff:

- Awareness training
- Email and Internet usage
- Social engineering awareness

Page 14: Top 10 Security Mistakes

10. Incident Response

Have a plan and have training! DO NOT:

- Touch the computer.
- Delete files.
- Or frankly react in any way without a carefully thought out and professionally approved plan!

Page 15: Top 10 Security Mistakes


Bonus Material

Things people need to think more about:

1. Funding for security
2. Application filtering and layer 7 firewalls
3. Intrusion detection and prevention
4. Incident Response planning and training
5. Security policy, usage policy
6. Log collection, management and correlation
7. Physical controls
8. Network controls (who can plug in)
9. Firewalls should not look like Swiss cheese (hint: use IPSec instead)
10. VPN controls and other remote access methods

Page 16: Top 10 Security Mistakes

Security Education Conference in Toronto

November 20 - 21, 2007, MTCC, Toronto, ON, Canada
http://www.sector.ca/

Page 17: Top 10 Security Mistakes

CMS Training Offerings

INSPIRE Infrastructure Workshop
4 days of classroom training - demo intensive
AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server

Business Desktop Deployment - Deploying Vista/Office
3 days of classroom training - hands-on labs (computers provided)
Business Desktop Deployment concepts, tools, processes, etc. Vista and Office

Securing Internet Information Services
Securing Active Directory
Securing Exchange 2003
1 day classroom training per topic

TRAINING BY EXPERTS FOR EXPERTS

Page 18: Top 10 Security Mistakes

Contacting Us

Brian Bourne, President - [email protected]
Buren, VP Business Development - [email protected]

CMS Consulting Inc. – http://www.cms.ca/

CMS Training – http://www.cms.ca/training/

Toronto Area Security Klatch – http://www.task.to/

Page 19: Top 10 Security Mistakes

Q & A

Thank You!

Visit: CMS Consulting at http://www.cms.ca

Join: Toronto Area Security Klatch at http://www.task.to

Register: Security Education in Toronto at http://www.sector.ca

CMS Consulting Inc.