SECURE OFFICE
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |
Motto
"Thou shalt never assume"
The Rogue Warrior's Eighth Commandment of SpecWar
Richard Marcinko, US Navy SEAL
THREATS: Current Threats to a Secure Office
Attackers
- External: know nothing about your environment; can at most try to brute-force passwords or run vulnerability scans
- Internal: the most severe threats; know their environment; already have at least some level of access; can steal data they are authorized to read
Protection: External Attackers
- Firewalls
- Antispam/antimalware
- Software updates
- Account lockout
Current Internal Threats (assuming physical security of computers and data)
- Password cracking, keyloggers
- Eavesdropping on wired and wireless networks
- Spam/malware, directed attacks
- Remote access from insecure computers
- Data theft by authorized readers: currently one of the most underestimated problems
ASSUMPTIONS: Current Threats
Vulnerabilities
- Examples: my wife crossing a road; PKI misconfiguration in a bank; hidden accounts left behind after a virus attack; malicious mail from home vs. from work
Protection: Assumptions
- Never assume anything
- Be careful
- Know your enemy
- Don't do anything you don't understand
CASE STUDY: Current Threats to a Secure Office
Environment
- Windows Server 2008 R2 Datacenter
- Windows 7 Enterprise
- Exchange 2010
- SharePoint 2010
- Hyper-V
- Office 2010
- Mobile devices with ActiveSync
PHYSICAL SECURITY: Current Threats to a Secure Office
Vulnerabilities
- Computers easily accessed by a lot of people: employees, maintenance staff; theft from branch offices
- Attacks: stealing the whole machine, or stealing only the data
- Physical access = local administrator
Machines and Network
- Servers: rack security, data storage
- Client computers: desktops, notebooks; usually caching data locally
- Peripherals, remote offices, wireless and wired networks
- Eavesdropping hardware: AirPcap, USB Ethernet adapter, an inline switch or netbook
Protection: Physical access
- Limit physical access
- Place computers and storage into secure locations, plus hardware locks and cables
- Use notebooks instead of desktops
- Use Remote Desktop / terminal services
- Encryption
Protection: BitLocker
- Disk volume encryption (AES)
- Password (PIN) at startup: prevents others from becoming administrator on the machine
- TPM: prevents the owner from becoming administrator by tampering with the boot path. The Trusted Platform Module holds the key on the motherboard and releases it only when the measurements (hashes) of BIOS, CMOS settings, MBR, boot sector, boot loader etc. match those recorded when protection was enabled
Protection: BitLocker
- Recovery keys stored in Active Directory
- Windows 7 Enterprise
- Gemalto .NET smart cards: workstations/notebooks require the smart card to boot; manually enrolled, combined with user logon certificates
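The BitLocker deployment described on the two slides above, as an added example that is not part of the original deck: TPM+PIN on the operating-system volume, a numerical recovery password escrowed to the computer object in Active Directory, AES-256, and a WMI check of the resulting protector set. It assumes Windows 7 Enterprise or Server 2008 R2 with an initialised TPM and a Group Policy that permits PIN protectors and AD backup of recovery information; the drive letter and CA/GPO names are assumptions.

```powershell
# Added example, not the deck's own code. Run elevated on Windows 7 / 2008 R2.
# Assumes: TPM initialised, GPO "Require additional authentication at startup" allows a PIN,
# GPO "Store BitLocker recovery information in AD DS" enabled.

$Volume = 'C:'
$Ns     = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# 1. TPM+PIN protector: manage-bde asks for the PIN interactively.
manage-bde -protectors -add $Volume -TPMAndPIN

# 2. 48-digit numerical recovery password; manage-bde prints it once.
manage-bde -protectors -add $Volume -RecoveryPassword

# 3. Escrow every numerical-password protector into the computer object in AD.
$vol = Get-WmiObject -Namespace $Ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$Volume'"
foreach ($id in $vol.GetKeyProtectors(3).VolumeKeyProtectorID) {   # 3 = numerical password
    $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
    if ($r.ReturnValue -ne 0) {
        throw ('AD backup of protector {0} failed: 0x{1:X}' -f $id, $r.ReturnValue)
    }
}

# 4. Start encryption with AES-256 (Windows 7 method names: aes128, aes256, *_diffuser).
manage-bde -on $Volume -EncryptionMethod aes256 -SkipHardwareTest

# 5. Verify: which protectors exist and whether protection is on.
function Get-BitLockerProtectorReport {
    param([string]$Drive = 'C:')
    $v = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                       -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    # KeyProtectorType values from the Win32_EncryptableVolume documentation
    $names = @{ 0='Unknown'; 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TPMAndPIN';
                5='TPMAndStartupKey'; 6='TPMAndPINAndStartupKey'; 7='PublicKey'; 8='Passphrase' }
    foreach ($id in $v.GetKeyProtectors(0).VolumeKeyProtectorID) {       # 0 = all types
        $t = $v.GetKeyProtectorType($id).KeyProtectorType
        New-Object PSObject -Property @{ Drive = $Drive; ProtectorID = $id; Type = $names[[int]$t] }
    }
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
    "Protection status for $Drive : $($v.ProtectionStatus)"
}
Get-BitLockerProtectorReport -Drive $Volume
```

A report that lists a bare TPM protector (type 1) next to the TPM+PIN one means the unattended-boot path is still available and the PIN adds nothing; remove it with manage-bde -protectors -delete before trusting the configuration.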
Protection: 802.1x
- Network access control for Ethernet and Wi-Fi
- EAP-TLS certificate authentication: computer, user, or computer + user
- Certificates auto-enrolled to the AD computer account
[Figure: 802.1x topology: PCs and a printer connected to a managed switch]
NETWORK COMMUNICATIONS AND EAVESDROPPING: Current Threats to a Secure Office
Vulnerabilities
- Free network access
- No network traffic encryption
- People ignore warnings
- ARP poisoning
Protection: Firewall
- Windows Firewall: IP/TCP/UDP/ICMP/AH/ESP inspection; FTP/PPTP/IPsec pass-through
- IP and process (program/service) filters
- Network Location Awareness: domain/private/public profiles
- Blocking client-to-client traffic
Protection: Eavesdropping
- IPsec encryption, IP filters
- Network Location Awareness: internal traffic only
- Computer certificate authentication, certificate auto-enrolled for the AD machine account
- AES, SHA-2
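The firewall and IPsec controls from the two slides above, as an added example that is not the deck's own configuration: Windows Firewall with Advanced Security on Windows 7 / 2008 R2 driven through netsh, blocking workstation-to-workstation traffic except management RDP (a program plus service filter), and an IPsec domain-isolation rule that requires computer-certificate authentication from the corporate CA with ESP SHA-256/AES-256. The subnet, management host and CA subject are assumptions; in production the same rules would be deployed by Group Policy.

```powershell
# Added example, not from the original deck. Run elevated on Windows 7 / 2008 R2.
$WorkstationNet = '10.10.0.0/16'      # assumed client subnet
$AdminHost      = '10.0.1.5'          # assumed management host; must lie OUTSIDE $WorkstationNet,
                                      # because in WFAS a block rule always wins over an allow rule
$CorpCA         = 'CN=Corp Root CA'   # assumed issuer of the auto-enrolled computer certificates

# Firewall on in every profile; the domain profile (chosen by NLA) blocks inbound by default.
netsh advfirewall set allprofiles state on
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound

# Client-to-client: drop anything arriving from the workstation subnet ...
netsh advfirewall firewall add rule name="Block workstation-to-workstation" dir=in action=block remoteip=$WorkstationNet profile=domain

# ... except RDP from the management host, and only for the Terminal Services service inside svchost.
netsh advfirewall firewall add rule name="Allow RDP from admin host" dir=in action=allow protocol=TCP localport=3389 remoteip=$AdminHost program="%SystemRoot%\system32\svchost.exe" service=TermService profile=domain

# IPsec domain isolation: peers in the corporate range must authenticate with a computer
# certificate chained to $CorpCA; ESP with SHA-256 integrity and AES-256 encryption.
netsh advfirewall consec add rule name="Domain isolation (ESP)" endpoint1=10.0.0.0/8 endpoint2=10.0.0.0/8 action=requireinrequireout auth1=computercert auth1ca="$CorpCA" qmsecmethods=ESP:SHA256-AES256 profile=domain

# Verify what landed, then confirm peers really negotiated ESP (quick-mode SAs).
netsh advfirewall firewall show rule name="Block workstation-to-workstation"
netsh advfirewall consec show rule name="Domain isolation (ESP)"
netsh advfirewall monitor show qmsa
```

Roll the connection-security rule out as requestinrequestout first and watch the quick-mode SA list; switch to requireinrequireout only once every machine in the range has a certificate, otherwise hosts without one (printers, appliances) silently disappear from the network.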
Protection: SSL Inspection (Threat Management Gateway)
- Secure remote access; monitor users when "uploading"
- Reverse (publishing) inspection: Exchange, SharePoint, Terminal Services access
- Forward inspection: antimalware, URL filtering, classification
[Figure: SSL publishing: Internet client -> TMG (own certificate, port 443) -> LAN web server (own certificate, port 443); two separate SSL sessions]
SSL certificate prices
CA (year)           Price per year
Verisign (1999)     $300
Thawte (2003)       $150
Go Daddy (2005)     $30
GlobalSign (2006)   $250
StartCom (2009)     free
SSL assurance
- Domain validation uses an e-mail loopback confirmation: requires just a valid e-mail address
- No assurance about the identity of the target
EV-capable browsers (minimum version)
Internet Explorer 7.0 | Opera 9.5 | Firefox 3 | Google Chrome: - | Apple Safari 3.2 | Apple iPhone 3.0
EV certificate prices
CA (year)           Price per year
Verisign (1999)     $1,500
Thawte (2003)       $600
Go Daddy (2005)     $100
GlobalSign (2006)   $900
StartCom (2009)     $50
[Figure: Forward SSL inspection: LAN client -> TMG -> Internet web server; two separate SSL sessions on port 443, each with its own certificate]
[Figure: SSL inspection as a man-in-the-middle: the web server holds its certificate and private key; the attacker/TMG in between presents a false certificate with its own public/private key pair to the client]
[Figure: TMG forward SSL inspection cases: no SSL inspection (client sees the web server certificate); inspection with the TMG CA not trusted (client sees an untrusted TMG-issued certificate); inspection with the TMG CA trusted on the client (the TMG-issued certificate validates)]
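A check for the situation in the figures above, as an added example that is not part of the original deck: open a TLS session to a host, read the certificate the peer presents and report its issuer chain. Behind a forward-inspecting TMG the leaf certificate is signed by the TMG CA instead of the public CA, and comparing the thumbprint with one recorded on an uninspected link turns this into a simple man-in-the-middle test. The host name, the pinned thumbprint and the CA name pattern are assumptions; the function needs network access to the target.

```powershell
# Added example, not from the original deck. Works with .NET 3.5 / PowerShell 2.0 and later.
function Get-TlsPeerCertificate {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the point is to SEE the chain, not to be stopped by it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($leaf)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $leaf.Subject
            Issuer     = $leaf.Issuer
            Root       = $root
            Thumbprint = $leaf.Thumbprint
            Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit, $($ssl.HashAlgorithm)"
        }
    } finally { $client.Close() }
}

function Test-TlsInterception {
    # $ExpectedThumbprint: SHA-1 thumbprint recorded on a link known to be uninspected.
    # $InspectionCAName: substring expected in the inspecting CA's name (assumption: 'TMG').
    param([Parameter(Mandatory=$true)][string]$HostName,
          [string]$ExpectedThumbprint = '',
          [string]$InspectionCAName = 'TMG')
    $c = Get-TlsPeerCertificate -HostName $HostName
    $pinned = $ExpectedThumbprint.ToUpper().Replace(' ', '')
    if ($pinned -and $c.Thumbprint -ne $pinned) {
        Write-Warning "$HostName : presented thumbprint $($c.Thumbprint) differs from the pinned $pinned"
    }
    # Name match is only a hint; the thumbprint comparison is the real test.
    if ($c.Issuer -like "*$InspectionCAName*" -or $c.Root -like "*$InspectionCAName*") {
        Write-Warning "$HostName : chain ends at '$($c.Root)': an inspection CA is in the path"
    }
    $c
}

# Usage (hypothetical values): record the thumbprint once from outside the office,
# then run the same call on the LAN.
# Test-TlsInterception -HostName 'www.example.com' -ExpectedThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

When the TMG CA is trusted on the client, the browser shows no warning at all, which is exactly why the thumbprint comparison rather than the validation result has to be the signal.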
Protection: Intrusion Prevention
- Threat Management Gateway Intrusion Prevention System: inspects only traffic passing between the External, Internal and DMZ networks
PASSWORDS: Current Threats to a Secure Office
Vulnerabilities
- Keyloggers: software, hardware
- Cache / local storage cracking
Local Password Storage
- Plain-text passwords: IE autocomplete, password "lockers", fingerprint readers, service and scheduled-task accounts
- Password hashes: local user accounts; all domain accounts on Domain Controllers; password caches
Password Cracking
- Windows MD4 (NT) hashes, unsalted: obtained from local storage, LAN network capture, PPTP VPN
- Offline rainbow tables: severe up to 7 characters (minutes)
Protection: Passwords
- Use smart cards: convenient (3-5 character PIN); Gemalto .NET cards work without installing additional software
- Require strong passwords for admin accounts
- Procedures, policies and audit
- Never type sensitive passwords on insecure computers
- Training
Protection: Comparable Algorithm Strengths (NIST SP 800-57)
Strength | Symmetric | RSA       | ECDSA     | Hash
80 bit   | 2TDEA     | RSA 1024  | ECDSA 160 | SHA-1
112 bit  | 3TDEA     | RSA 2048  | ECDSA 224 | SHA-224
128 bit  | AES-128   | RSA 3072  | ECDSA 256 | SHA-256
192 bit  | AES-192   | RSA 7680  | ECDSA 384 | SHA-384
256 bit  | AES-256   | RSA 15360 | ECDSA 512 | SHA-512
Protection: Smart Cards
Algorithm                      | Strength
10-character US-ASCII password | 70 bit
SHA-1                          | 80 bit
RSA 2048                       | 112 bit
SHA-256                        | 128 bit

Algorithm                      | Relative effort to break              | Time to break
10-character US-ASCII password | 1                                     | 2,500 years
SHA-1                          | 1,024x harder                         | 2,600,000 years
RSA 2048                       | 4,398,046,511,104x (2^42) harder      | 11,000 trillion years
SHA-256                        | 2^58x harder                          | -
Protection: Password Policies
- Granular (fine-grained) password policies for individual groups/users: Windows Server 2008 domain functional level or newer
- Example for a policy without the complexity requirement (long passphrase): login Ondrej, password #.LonDo-NN.sea-s0n58
- Example that satisfies the complexity requirement: September2011
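The policy mechanics behind the slide above, as an added example that is not the deck's own code: first the Windows "password must meet complexity requirements" rule reimplemented as a function, so the two slide passwords can be checked against it offline, then two fine-grained password policies created with the ActiveDirectory module (RSAT, Windows Server 2008 R2 or newer). The group names, policy names and numeric limits are assumptions; the AD cmdlets need a domain controller and are not runnable offline.

```powershell
# Added example, not from the original deck.
function Test-WindowsPasswordComplexity {
    # The built-in rule: at least 6 characters; at least 3 of 5 categories
    # (A-Z, a-z, 0-9, non-alphanumeric, other Unicode letters); and the password may not
    # contain the sAMAccountName or any display-name token of 3+ characters, case-insensitively
    # (tokens are split on comma, period, dash, underscore, space, hash and tab).
    param([Parameter(Mandatory=$true)][string]$Password,
          [string]$SamAccountName = '',
          [string]$DisplayName = '')
    if ($Password.Length -lt 6) { return $false }
    $lower = $Password.ToLowerInvariant()
    if ($SamAccountName -and $lower.Contains($SamAccountName.ToLowerInvariant())) { return $false }
    foreach ($token in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($token.Length -ge 3 -and $lower.Contains($token.ToLowerInvariant())) { return $false }
    }
    $categories = 0
    if ($Password -cmatch '[A-Z]')            { $categories++ }
    if ($Password -cmatch '[a-z]')            { $categories++ }
    if ($Password -match  '[0-9]')            { $categories++ }
    if ($Password -match  '[^\p{L}\p{Nd}]')   { $categories++ }   # punctuation, symbols, space
    if ($Password -cmatch '[\p{L}-[A-Za-z]]') { $categories++ }   # letters outside A-Z/a-z
    return ($categories -ge 3)
}

# The two slide passwords, checked for the account on the slide (display name assumed):
Test-WindowsPasswordComplexity -Password 'September2011'        -SamAccountName 'Ondrej' -DisplayName 'Ondrej Sevecek'
Test-WindowsPasswordComplexity -Password '#.LonDo-NN.sea-s0n58' -SamAccountName 'Ondrej' -DisplayName 'Ondrej Sevecek'
Test-WindowsPasswordComplexity -Password 'Ondrej2011!'          -SamAccountName 'Ondrej' -DisplayName 'Ondrej Sevecek'

# Fine-grained password policies (requires the ActiveDirectory module and a 2008+ functional level).
Import-Module ActiveDirectory

# Policy for passphrase users: complexity off, length does the work. Lower precedence number wins.
New-ADFineGrainedPasswordPolicy -Name 'Passphrase-Users' -Precedence 100 `
    -ComplexityEnabled $false -MinPasswordLength 20 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
    -PasswordHistoryCount 24 -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'Passphrase-Users' -Subjects 'Passphrase Users'   # assumed group

# Policy for administrators: complexity on AND 15+ characters, which keeps the NT hash
# out of reach of the 7-character rainbow tables mentioned on the cracking slide.
New-ADFineGrainedPasswordPolicy -Name 'Admins-Strict' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -PasswordHistoryCount 24 -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-Strict' -Subjects 'Domain Admins'

# Which policy actually applies to a user after precedence is resolved:
Get-ADUserResultantPasswordPolicy -Identity 'Ondrej'
```

Under this rule both slide passwords are accepted and only the third one (which contains the login name) is rejected: the complexity check counts character classes, not length or guessability, which is why the deck pairs it with a long minimum length or drops it in favour of passphrases.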
SPAM/MALWARE: Current Threats to a Secure Office
Spam threats
- No real prevention against spam: spam is created anonymously, no traces/auditing
- Directed attacks cannot be recognized automatically
Malware threats
- A virus must first be detected, which happens after infection!
- Backdoors just download the real infection: does the antimalware know what exactly it was?
- Reinstallation of the whole domain and all passwords! Users tend to use the same passwords for more services
- Stability and performance
Protection: Spam and malware
- Train people
- Implement antispam/antimalware: word lists, open relay lists etc., SenderID
- Forefront Protection for Exchange, Forefront Protection for SharePoint, Forefront Threat Management Gateway, Forefront Endpoint Protection, plus network traffic scanning
REMOTE ACCESS: Current Threats to a Secure Office
Vulnerabilities
- Prone to keylogger attacks when used with passwords
- Can be connected from almost anywhere: insecure home computers, internet cafes
- Some protocols are not secure: PPTP exposes password hashes to offline cracking
Client VPN comparison
Method         | Connection requirements                                                    | Security                                                    | Client availability | Authentication
RDP            | TCP 3389; server certificate (not required)                                | random keys (D-H); certificate private key (2048 bit)       | Windows XP          | password, smart card
RDS/TS Gateway | TCP 443; server certificate                                                | random keys (D-H); certificate private key (2048 bit)       | Windows XP          | password, smart card
PPTP           | GRE + TCP 1723                                                             | depends on password quality; vulnerable to offline cracking | MS-DOS              | password, smart card
L2TP           | IPsec ESP + UDP 500/4500; server certificate; client computer certificate | random keys (D-H); certificate private key (2048 bit)       | Windows 98          | password, smart card
SSTP           | TCP 443; server certificate                                                | random keys (D-H); certificate private key (2048 bit)       | Windows Vista       | password, smart card
DirectAccess   | IPv6 IPsec tunnel; IPv6 over IPv4 tunneling                                | random keys (D-H); certificate private key (2048 bit)       | Windows 7           | machine certificate + Kerberos
Protection: Remote Access
- Use RDP when possible: sends only keystrokes and mouse, receives only pictures
- Use L2TP or SSTP: IPsec or SSL encrypts the channel with strong random keys and a 2048-bit certificate private key
- IPsec additionally requires a client computer certificate, which limits the connection to managed machines
- Implement Network Access Protection (NAP)
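The two remote-access choices above, enforced on the hosts, as an added example that is not part of the original deck: the RDP listener on a Windows 7 / Server 2008 R2 machine set to TLS-only with Network Level Authentication and high encryption and bound to a CA-issued certificate, followed by a scan of the user's VPN phonebook for entries that can still fall back to PPTP. The certificate subject and the phonebook path are assumptions; the VpnStrategy numbering follows the RASENTRY dwVpnStrategy constants.

```powershell
# Added example, not from the original deck. Run elevated.
$RdpCertSubject = 'CN=ts01.corp.example.com'   # assumed subject of the auto-enrolled computer certificate

# RDP-Tcp listener settings live in the TerminalServices WMI namespace.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
[void]$listener.SetSecurityLayer(2)                # 0 = RDP security, 1 = negotiate, 2 = TLS required
[void]$listener.SetUserAuthenticationRequired(1)   # NLA: credentials before any session is created
[void]$listener.SetEncryptionLevel(3)              # 1 = low, 2 = client compatible, 3 = high, 4 = FIPS

# Replace the self-signed listener certificate with one issued by the corporate CA,
# so clients can actually verify the server before typing a password into it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $RdpCertSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $RdpCertSubject in the machine store" }
$listener.SSLCertificateSHA1Hash = $cert.Thumbprint
[void]$listener.Put()

function Get-VpnPhonebookStrategy {
    # Reads rasphone.pbk and reports the VpnStrategy of every connection entry.
    # RASENTRY.dwVpnStrategy: 0 default, 1 PPTP only, 2 PPTP first, 3 L2TP only, 4 L2TP first,
    # 5 SSTP only, 6 SSTP first, 7 IKEv2 only, 8 IKEv2 first. Any "first" or default value
    # may still negotiate PPTP when the preferred protocol fails.
    param([string]$Path = "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk")
    $names = @{ 0='Default'; 1='PPTP only'; 2='PPTP first'; 3='L2TP only'; 4='L2TP first';
                5='SSTP only'; 6='SSTP first'; 7='IKEv2 only'; 8='IKEv2 first' }
    $fallsBackToPptp = @(0, 1, 2, 4, 6, 8)
    if (-not (Test-Path $Path)) { return @() }
    $entry = $null
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\[(.+)\]$') { $entry = $matches[1]; continue }
        if ($entry -and $line -match '^VpnStrategy=(\d+)') {
            $v = [int]$matches[1]
            New-Object PSObject -Property @{
                Entry       = $entry
                VpnStrategy = $names[$v]
                AllowsPPTP  = ($fallsBackToPptp -contains $v)
            }
        }
    }
}

# Entries that still permit PPTP, i.e. MS-CHAPv2 hashes on the wire for offline cracking:
Get-VpnPhonebookStrategy | Where-Object { $_.AllowsPPTP }
```

On the server side the same policy is enforced by removing the PPTP ports from RRAS altogether; the phonebook scan catches the laptops that were configured by hand before that happened.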
Protection: DirectAccess
- IPv6 client / IPv6 gateway; tunneling over IPv4: 6to4, Teredo, ISATAP, IP-HTTPS; NAT64 + DNS64
- Unified Access Gateway
- Always on
- Authentication: machine certificates, user Kerberos authentication
[Figure: DirectAccess client on the Internet -> DirectAccess server -> LAN]
AUTHORIZED USERS: Current Threats to a Secure Office
Vulnerabilities
- Authorized users can read, print, copy, send e-mails, upload via FTP/SSL/VPN
Protection: Authorized users
- Procedures
- Limit public online access and services
- Limit use of removable hardware
- Limit use of unapproved software: AppLocker, Software Restriction Policies
- Monitor and audit: e-mail journaling, TMG URL logs
- Use some Rights Management software, Data Leakage Protection
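The "unapproved software" and "removable hardware" controls from the slide above, as an added example that is not the deck's own code: an AppLocker policy built from the executables already installed on a Windows 7 Enterprise machine, switched to audit mode and tested against a download before it is applied, then the registry keys that the Removable Storage Access policy writes to make removable disks read-only, and the event log where AppLocker decisions land. Directory paths, the test file and the policy output path are assumptions; run elevated.

```powershell
# Added example, not from the original deck. Windows 7 Enterprise / Server 2008 R2, elevated.
Import-Module AppLocker

# 1. Inventory executables in the trusted locations; publisher rules for signed files,
#    hash rules as fallback for unsigned ones, applied to Everyone.
$info = @(Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe) +
        @(Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse -FileType Exe)
$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone -Optimize

# 2. Start in audit mode: the XML carries EnforcementMode per rule collection.
$outDir = 'C:\Policies'                                   # assumed location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$xml = [xml]$policy.ToXml()
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$policyFile = Join-Path $outDir 'applocker-audit.xml'
$xml.Save($policyFile)

# 3. Dry run: what would happen to a file dropped into a user profile?
Test-AppLockerPolicy -XMLPolicy $policyFile -Path 'C:\Users\ondrej\Downloads\setup.exe' -User Everyone

# 4. Apply locally, merged with whatever rules already exist; AppLocker only works
#    while the Application Identity service is running.
Set-AppLockerPolicy -XMLPolicy $policyFile -Merge
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc

# 5. Removable disks read-only: the keys written by the GPO
#    "Removable Disks: Deny write access" (System > Removable Storage Access).
#    The GUID is the Removable Disks device class that policy uses.
$rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
New-Item -Path $rsd -Force | Out-Null
New-ItemProperty -Path $rsd -Name Deny_Write -Value 1 -PropertyType DWord -Force | Out-Null

# 6. Audit trail: every allow/deny/audit decision for EXE and DLL files.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Keep the policy in AuditOnly until the event log shows no legitimate binaries being flagged for a full cycle of daily work, then change EnforcementMode to Enabled in the same XML; switching straight to enforcement on a policy generated from one machine locks out every application that machine happened not to have.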
WHAT'S MISSING: Current Threats to a Secure Office
What's missing
- User monitoring: RDP, keystrokes, etc.
- File/folder encryption: EFS is very limited in features
- RMS for more applications: currently only Office
- Better smart card experience
- Better certificate restrictions
- Alternative logon methods (e.g. SMS)
THANK YOU!