Secure Office

65 slides

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |

Posted on 26-Feb-2016


TRANSCRIPT

Page 1: Secure Office

SECURE OFFICE

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |

Page 2

Motto

Thou shalt never assume

The Rogue Warrior's Eighth Commandment of SpecWar

Richard Marcinko, US Navy SEAL

Page 3

THREATS
Current Threats to a Secure Office

Page 4

Attackers

External
- don't know anything about your environment
- can try to brute-force passwords
- at most vulnerability scanning

Internal
- the most severe threats
- know their environment
- already have at least some level of access
- can steal data they are authorized to read

Page 5

Protection: External Attackers

- Firewalls
- Antispam/antimalware
- Software updates
- Account lockout

Page 6

Current Internal Threats

Assuming physical security of computers and data:
- Password cracking, keyloggers
- Eavesdropping on wired/wireless networks
- Spam/malware, directed attacks
- Remote access from insecure computers
- Data theft by authorized readers: currently one of the most underestimated problems

Page 7

ASSUMPTIONS
Current Threats

Page 8

Vulnerabilities

Examples:
- My wife crossing a road
- PKI misconfiguration in a bank
- Hidden accounts after a virus attack
- Malicious mail from home vs. from work

Page 9

Protection: Assumptions

- Never assume anything
- Be careful
- Know your enemy
- Don't do anything you don't understand

Page 10

CASE STUDY
Current Threats to a Secure Office

Page 11

Page 12

Environment

- Windows Server 2008 R2 Datacenter
- Windows 7 Enterprise
- Exchange 2010
- SharePoint 2010
- Hyper-V
- Office 2010
- Mobile devices with ActiveSync

Page 13

PHYSICAL SECURITY
Current Threats to a Secure Office

Page 14

Vulnerabilities

Computers easily accessed by a lot of people
- employees
- maintenance staff
- theft from branch offices

Attacks
- stealing the whole machine
- stealing the data only

Physical access = local administrator

Page 15

Machines and Network

- Servers: rack security
- Data storage
- Client computers: desktops, notebooks (usually caching data)
- Peripherals
- Remote offices
- Wireless and wired networks: AirPcap, USB Ethernet, switch/netbook

Page 16

Protection: Physical Access

- Limit physical access
- Place computers/storage into secure locations, plus hardware locks and cables
- Use notebooks instead of desktops
- Use Remote Desktop/Terminal Services
- Encryption

Page 17

Protection: BitLocker

- Disk partition encryption (AES)
- Require a PIN or startup key at boot: prevents others from becoming an administrator
- Use a TPM: prevents the owner from becoming an administrator
  - the Trusted Platform Module on the motherboard protects the volume key
  - it releases the key only if the measurements (hashes) of the BIOS, CMOS settings, MBR, boot sector, boot loader etc. match the state recorded when BitLocker was enabled; it does not verify signatures on these components

Page 18

Protection: BitLocker

- Recovery keys backed up in Active Directory
- Windows 7 Enterprise
- Gemalto .NET smart cards
  - workstations/notebooks require the smart card to boot
  - manually enrolled
  - combined with user logon certificates
  - caveat: Windows 7 BitLocker accepts certificate/smart-card protectors only on fixed data and removable drives; the OS volume itself is unlocked by TPM, PIN and/or a USB startup key

Page 19

Protection: 802.1X

- Network access control for Ethernet and Wi-Fi
- EAP-TLS: certificate authentication
  - computer and/or user (computer + user)
  - automatic enrollment for the AD computer account

Page 20

Protection: 802.1X

[Diagram: two managed switches, each connecting several PCs and a printer.]

Page 21

NETWORK COMMUNICATIONS AND EAVESDROPPING
Current Threats to a Secure Office

Page 22

Vulnerabilities

- Free network access
- No network traffic encryption
- People ignore warnings
- ARP poisoning
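ARP poisoning is listed above as the way an internal attacker gets into the path of LAN traffic that is not encrypted. The two observable symptoms are an IP address (typically the gateway's) that suddenly resolves to a different MAC, and one MAC that starts answering for several IPs. The following detector is an added example, not code from the slides or their author; the ARP replies it processes are constructed sample data, and the function and alert names are this example's own.

```python
"""Detecting ARP cache poisoning from observed ARP replies.

Added example, not part of the original slides.  The first MAC seen for each IP
is taken as the baseline, so the capture must start before the attack.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP address the sender claims to own
    sender_mac: str    # hardware address in the ARP payload


# Constructed sample: 10.0.0.1 is the gateway.  At t=30 a host with MAC ...:99
# starts claiming both the gateway's IP and a victim's IP.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "10.0.0.10", "aa:aa:aa:aa:aa:10"),
    ArpReply(2.0, "10.0.0.11", "aa:aa:aa:aa:aa:11"),
    ArpReply(30.0, "10.0.0.1", "aa:aa:aa:aa:aa:99"),   # gateway IP taken over
    ArpReply(31.0, "10.0.0.10", "aa:aa:aa:aa:aa:99"),  # victim IP taken over
    ArpReply(32.0, "10.0.0.1", "aa:aa:aa:aa:aa:99"),   # attacker keeps re-announcing
    ArpReply(40.0, "10.0.0.12", "aa:aa:aa:aa:aa:12"),  # unrelated new host
]


def detect_arp_poisoning(
    replies: Iterable[ArpReply],
    gateway_ip: str,
    allowed_multi_ip_macs: Set[str] = frozenset(),
) -> List[Tuple[str, str, str]]:
    """Return alerts as (kind, subject, detail) tuples.

    gateway_spoofed      the gateway IP is announced with a MAC other than the baseline
    ip_mac_change        any other IP changes MAC
    mac_claims_multiple  one MAC announces more than one IP (routers doing proxy ARP are
                         legitimate; pass their MACs in allowed_multi_ip_macs)
    Repeated identical announcements are reported once.
    """
    baseline: Dict[str, str] = {}
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    reported: Set[Tuple[str, str]] = set()
    alerts: List[Tuple[str, str, str]] = []

    for r in sorted(replies, key=lambda x: x.ts):
        known = baseline.setdefault(r.sender_ip, r.sender_mac)
        if r.sender_mac != known and (r.sender_ip, r.sender_mac) not in reported:
            reported.add((r.sender_ip, r.sender_mac))
            kind = "gateway_spoofed" if r.sender_ip == gateway_ip else "ip_mac_change"
            alerts.append((kind, r.sender_ip, f"{known} -> {r.sender_mac} at t={r.ts:g}"))

        claimed = ips_per_mac[r.sender_mac]
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) > 1 and r.sender_mac not in allowed_multi_ip_macs:
                alerts.append(("mac_claims_multiple", r.sender_mac, ", ".join(sorted(claimed))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, gateway_ip="10.0.0.1"):
        print(*alert, sep=" | ")
```

Feed it the sender fields of ARP replies from a capture on a mirror port; it reports the gateway takeover at t=30, the victim takeover at t=31, and the attacker MAC claiming two addresses, while ignoring the repeated announcement at t=32. It is a detection, not a protection: 802.1X and IPsec (below) are what stop the attacker from profiting from a poisoned cache.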

Page 23

Protection: Firewall

Windows Firewall
- IP/TCP/UDP/ICMP/AH/ESP inspection
- FTP/PPTP/IPsec pass-through
- IP/process filters
- Network Location Awareness
- Blocking client-to-client traffic

Page 24

Protection: Eavesdropping

IPsec encryption
- IP filters
- Network Location Awareness: internal traffic only
- Computer certificate authentication, certificate automatically enrolled for the AD machine account
- AES, SHA-2

Page 25

Protection: SSL Inspection

Threat Management Gateway
- secure remote access
- monitor users when "uploading"
- Reverse inspection: Exchange, SharePoint, Terminal access
- Forward inspection: antimalware, URL filtering, classification

Page 26

SSL Publishing

[Diagram: an Internet client connects over TCP 443 to TMG, which presents its own certificate; TMG connects over TCP 443 to the web server on the LAN, which presents its certificate.]

Page 27

SSL Certificate prices

- Verisign – 1999: $300/year
- Thawte – 2003: $150/year
- Go Daddy – 2005: $30/year
- GlobalSign – 2006: $250/year
- StartCom – 2009: free

Page 28

SSL Assurance

- Email loopback confirmation
- Requires just a valid email address
- No assurance about the target identity

Page 29

EV browsers

Browser            Version
Internet Explorer  7.0
Opera              9.5
Firefox            3
Google Chrome      -
Apple Safari       3.2
Apple iPhone       3.0

Page 30

EV Certificate prices

- Verisign – 1999: $1500/year
- Thawte – 2003: $600/year
- Go Daddy – 2005: $100/year
- GlobalSign – 2006: $900/year
- StartCom – 2009: $50/year

Page 31

Forward SSL Inspection

[Diagram: a LAN client connects over TCP 443 to TMG, which presents a certificate it issued itself; TMG connects over TCP 443 to the Internet web server, which presents its own certificate.]

Page 32

SSL Inspection (MITM)

[Diagram: client, TMG in the attacker position, web server. The web server holds its real certificate with its public/private key pair; TMG presents a false certificate with a public/private key pair of its own, so the client's session terminates at TMG, which opens a second session to the web server.]

Page 33

TMG Forward SSL Inspection

Page 34

No SSL Inspection

Page 35

TMG CA Not Trusted

Page 36

TMG CA Not Trusted

Page 37

Web Server Certificate

Page 38

TMG CA Trusted on the Client

Page 39

Protection: Intrusion Prevention

Threat Management Gateway Intrusion Prevention System: External/Internal/DMZ only

Page 40

PASSWORDS
Current Threats to a Secure Office

Page 41

Vulnerabilities

- Keyloggers: software, hardware
- Cache / local storage
- Cracking

Page 42

Local Password Storage

Plaintext passwords
- IE autocomplete
- password "lockers"
- fingerprint readers
- service/scheduled-task accounts

Password hashes
- local user accounts
- all domain accounts on Domain Controllers
- password caches

Page 43

Password Cracking

Windows MD4 (NT) hashes
- local storage
- LAN network capture
- PPTP VPN

Offline rainbow tables
- severe up to 7 characters (minutes)

Page 44

Protection: Passwords

- Use smart cards: convenient (3-5 character PIN); Gemalto .NET works without installation
- Require strong passwords for admin accounts
- Procedures, policies and audit
- Never type sensitive passwords on insecure computers
- Training

Page 45

Protection: Comparable Algorithm Strengths (SP 800-57)

Strength   Symmetric   RSA         ECDSA       SHA
80 bit     2TDEA       RSA 1024    ECDSA 160   SHA-1
112 bit    3TDEA       RSA 2048    ECDSA 224   SHA-224
128 bit    AES-128     RSA 3072    ECDSA 256   SHA-256
192 bit    AES-192     RSA 7680    ECDSA 384   SHA-384
256 bit    AES-256     RSA 15360   ECDSA 512   SHA-512

Page 46

Protection: Smart Cards

Algorithm                         Comparison
10-character US-ASCII password    70 bit
SHA-1                             80 bit
RSA 2048                          112 bit
SHA-256                           128 bit

Algorithm                         Effort                          Time
10-character US-ASCII password    1                               2,500 years
SHA-1                             1,024x better                   2,600,000 years
RSA 2048                          4,398,046,511,104x better       11,000 trillion years
SHA-256                           2^58x better                    -

Page 47

Protection: Password Policies

- For individual groups/users: Fine-Grained Password Policies (Windows Server 2008 domain functional level and newer)
- Non-complex password example: login: Ondrej, password: #.LonDo-NN.sea-s0n58
- Complex password example: September2011
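The "complex password" example above satisfies the Windows complexity rule (at least six characters, three of the character categories, and neither the samAccountName nor any display-name token of three or more characters contained in the password) while being a dictionary word plus a year. The block below is an added example, not part of the slides: it implements that documented check and contrasts it with a crude guessability estimate. The month list and the assumption that a year suffix comes from roughly 100 plausible values are constructed for the estimate and are not a Windows rule; the samAccountName "ondrej" and display name "Ondrej Sevecek" used in the demo are assumptions taken from the slide's login example.

```python
"""Windows password complexity versus actual guessability (added example)."""
import math
import re
import string
from typing import Dict, List

# Constructed tiny dictionary; a real guesser uses far larger word lists.
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
PLAUSIBLE_YEARS = 100  # assumption: an attacker tries about a century of 4-digit years


def _name_tokens(display_name: str) -> List[str]:
    """Split the display name on the delimiters Windows uses; tokens under 3 chars are ignored."""
    return [t for t in re.split(r"[,.\-_ #\t]+", display_name) if len(t) >= 3]


def meets_windows_complexity(password: str, sam_account_name: str, display_name: str = "") -> bool:
    """The 'password must meet complexity requirements' policy as documented by Microsoft."""
    lowered = password.lower()
    if len(password) < 6:
        return False
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    if any(tok.lower() in lowered for tok in _name_tokens(display_name)):
        return False
    categories = [
        any(ch.isupper() for ch in password),
        any(ch.islower() for ch in password),
        any(ch.isdigit() for ch in password),
        any(ch in string.punctuation for ch in password),
        any(ch.isalpha() and not ch.isupper() and not ch.islower() for ch in password),  # caseless scripts
    ]
    return sum(categories) >= 3


def brute_force_bits(password: str) -> float:
    """Bits an attacker must search when guessing uniformly over the character classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def guessability_bits(password: str) -> float:
    """Crude pattern-aware estimate: dictionary word + year is a handful of bits, not dozens."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{4})", password)
    if m and m.group(1).lower() in MONTHS:
        # choice of month, choice of year, and whether the first letter is capitalised
        return math.log2(len(MONTHS)) + math.log2(PLAUSIBLE_YEARS) + 1
    return brute_force_bits(password)


def demo() -> Dict[str, object]:
    """Evaluate the slide's 'complex' example under both measures."""
    pw = "September2011"
    return {
        "meets_complexity": meets_windows_complexity(pw, "ondrej", "Ondrej Sevecek"),
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "guessability_bits": round(guessability_bits(pw), 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The policy check passes "September2011" with about 77 bits of nominal keyspace, while a pattern-aware attacker needs roughly 11 bits of effort. Complexity filters enforce character classes, not unpredictability, which is why the deck pairs them with fine-grained policies for privileged accounts and with smart cards.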

Page 48

SPAM/MALWARE
Current Threats to a Secure Office

Page 49

Spam threats

- No real prevention against spam
- Spam is created anonymously: no traces/auditing
- Directed attacks cannot be automatically recognized

Page 50

Malware Threats

- A virus must first be detected, i.e. only after an infection!
- Backdoors just download the real infection: does the antimalware know what exactly it was?
- Reinstallation of the whole domain and reset of all passwords! Users tend to use the same passwords for more services
- Stability and performance

Page 51

Protection: Spam and Malware

- Train people
- Implement antispam/antimalware
  - word lists / open relay lists etc.
  - SenderID
  - Forefront Protection for Exchange
  - Forefront Protection for SharePoint
  - Forefront Threat Management Gateway
  - Forefront Endpoint Protection
  - plus network traffic scanning

Page 52

Antimalware

Page 53

Antispam

Page 54

REMOTE ACCESS
Current Threats to a Secure Office

Page 55

Vulnerabilities

- Prone to keylogger attacks when used with passwords
- Can be connected from almost anywhere: insecure home computers, internet cafes
- Some protocols are not secure: PPTP exposes password hashes to offline cracking

Page 56

Client VPN Comparison

RDP
- Connection requirements: TCP 3389; server certificate (not required)
- Security: random keys (D-H); certificate private key (2048 bit)
- Client availability: Windows XP
- Authentication: password, smart card

RDS/TS Gateway
- Connection requirements: TCP 443; server certificate
- Security: random keys (D-H); certificate private key (2048 bit)
- Client availability: Windows XP
- Authentication: password, smart card

PPTP
- Connection requirements: GRE + TCP 1723
- Security: depends on password quality; vulnerable to offline cracking
- Client availability: MS-DOS
- Authentication: password, smart card

L2TP
- Connection requirements: IPsec ESP + UDP 500/4500; server certificate; client computer certificate
- Security: random keys (D-H); certificate private key (2048 bit)
- Client availability: Windows 98
- Authentication: password, smart card

SSTP
- Connection requirements: TCP 443; server certificate
- Security: random keys (D-H); certificate private key (2048 bit)
- Client availability: Windows Vista
- Authentication: password, smart card

DirectAccess
- Connection requirements: IPv6 IPsec tunnel; IPv6 over IPv4 tunneling
- Security: random keys (D-H); certificate private key (2048 bit)
- Client availability: Windows 7
- Authentication: machine certificate + Kerberos

Page 57

Protection: Remote Access

- Use RDP when possible: sends only keystrokes and mouse, receives only pictures
- Use L2TP or SSTP: IPsec or SSL encrypts the channel with strong random keys (2048-bit certificate keys etc.)
- IPsec requires a client computer certificate and so limits connections to those who have one
- Implement Network Access Protection (NAP)

Page 58

Protection: DirectAccess

- IPv6 client / IPv6 gateway
- Tunneling over IPv4: 6to4, Teredo, ISATAP, IP-HTTPS
- NAT64 + DNS64
- Unified Access Gateway
- Always on
- Authentication: machine certificates, user Kerberos authentication

Page 59

[Diagram: DirectAccess clients on the Internet reach the LAN through the DirectAccess server.]

Page 60

AUTHORIZED USERS
Current Threats to a Secure Office

Page 61

Vulnerabilities

Authorized users can
- read
- print
- copy
- send emails
- upload (FTP/SSL/VPN)

Page 62

Protection: Authorized Users

- Procedures
- Limit public online access and services
- Limit use of removable hardware
- Limit use of unapproved software: AppLocker, Software Restriction Policies
- Monitor and audit: email journaling, TMG URL logs
- Use some Rights Management software
- Data Leakage Protection

Page 63

WHAT'S MISSING
Current Threats to a Secure Office

Page 64

What's missing

- User monitoring: RDP, keystrokes, etc.
- File/folder encryption: EFS is very limited in features
- RMS for more applications: currently only Office
- Better smart-card experience
- Better certificate restrictions
- Alternative logon methods (e.g. SMS)

Page 65

THANK YOU!

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |