Security Essentials for Desktop System Administrators
Civilization Is Made Of People …
Civilization is Risk. -- Not Big Brother
November 9, 2010 | Security Essentials for Desktop System Administrators | slide 3

Dave Barry On Civilization …
New Technology Is Invented Largely To Overcome Previous "Advances"

Dave Barry On Civilization …
Fields -> Trees -> Caves -> Houses

Dave Barry On Civilization …
Houses -> Windows -> Glass

Dave Barry On Civilization …
Glass -> Drapes -> Tents

Dave Barry On Civilization …
Fireplaces -> Microwaves -> Bean Burritos

Dave Barry On Civilization …
(image-only slide)

Computer Security …
Essentially A People Problem

A Basic “People Problem”
(diagram labels: Internet, Privacy)

A Slightly More Precise View
(diagram labels: Internet, Privacy, Blog Posts (tl;dr))

Bruce Schneier
Once the technology is in place, there will always be the temptation to use it ...
(Secrets and Lies, 2000)

How Technology Works
(diagram labels: Technology, Surprising Uses)

(Unsurprising Useless Utopias)

Surprising Technology Use
(image: "MUDFLAPS / SO I HERD U LIEK THEM")

Surprising Technology Use
(image-only slide)

Bruce Schneier
And it is poor civic hygiene to install technologies that could someday facilitate a police state.

Technology And Risk
(diagram labels: Technology, Surprising Uses, Malicious Activity)

Grace Hopper
Life was simple before World War II. After that we had systems.

xkcd …
(image-only slide)

… xkcd
(image-only slide)

Dealing With Risk
Recognition | Reduction | Recovery

Recognizing Risks
High Bandwidth
Enormous Storage
Posh .gov Location
Nothing Marketable

Recognizing Risks
Caching warez
Sending SPAM
Spreading malware
Controlling bots

Recognizing Risks
Destruction Of Data
Waste Of Bandwidth
Waste Of Time
Frustration

Recognizing Risks
Default admin privs
Visiting malicious sites
Promiscuous USBing
Lack of gruntlement

Strategic TLA Reserves
TLAs not specifically delegated … are reserved to the States, or to the people.
“BOR” (10th Amendment)

TCB? DID!
Integrated Security Management (ISM)
Defense In Depth (DID)

Reducing Risks: DID
Perimeter Controls
Auto-blocking
Mail virus scanning
Central Authentication (via LDAP/Kerberos)

Reducing Risks: DID
Patch and configuration mgmt
Critical Vulnerabilities
Prompt response via FCIRT
Intelligent and informed users
General and special enclaves

Reducing Risks: DID
Computer Security not an add-on
Not “one-size-fits-all”
Largely common sense

Reducing Risks: ISM Perimeter
Exploitable protocols blocked
Registered web servers allowed
Dynamic blocks on exploits
Some carefully configured services allowed (like Skype)

Reducing Risks: ISM Auth
Primary passwords off the net
Single turn-off point
No visible services without Strong Auth
Lab systems scanned for compliance

Recovery: ISM
General Computer Security Coordinators
Work with Computer Security Team
Disseminate information
Deal with incidents
See http://security.fnal.gov/ for list

What About Us Users?
Malicious Surprises abound
Use reasonable caution
Use up-to-date virus scanning

Users: We Get Mail
Can you trust the so-called sender?

Received: from [123.28.41.241] (unknown [123.28.41.241]) by hepa1.fnal.gov (Postfix) with ESMTP id 808F76F247 for <[email protected]>; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)
From: Wayne E Baisley <[email protected]>
To: Wayne E Baisley <[email protected]>

Route record for the connecting address:
route:   123.28.32.0/19
descr:   VietNam Post and Telecom Corporation (VNPT)
address: Lo IIA Lang Quoc te Thang Long, Cau Giay, Ha Noi

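The slide does this check by eye: the From: line says the mail is from a lab user, but the only Received: header written by a host the lab controls (hepa1.fnal.gov) shows the connection came from an address with no reverse DNS, routed to a Vietnamese ISP. The script below automates that reasoning. It is an added example, not code from the slides or from Fermilab: the first header block is a constructed copy of the slide's sample (the local parts of the addresses are placeholders, since the page elides them), the second is a constructed internal message for contrast, and the "trusted" address range and the offline route table are assumptions standing in for the lab's real network range and a live whois lookup.

```python
"""Added example (not from the slides): find the hop where a message entered
from outside the trusted network and compare it with what From: claims.
The header samples are constructed; TRUSTED_NETS and ROUTE_TABLE are
assumptions for the demo, not Fermilab data."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the headers shown on the slide (local parts are stand-ins).
SPAM_SAMPLE = """\
Received: from [123.28.41.241] (unknown [123.28.41.241]) by hepa1.fnal.gov
 (Postfix) with ESMTP id 808F76F247 for <user@fnal.gov>; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)
From: Wayne E Baisley <user@fnal.gov>
To: Wayne E Baisley <user@fnal.gov>
Subject: (constructed)

"""

# Constructed contrast case: mail that never left the assumed lab range.
INTERNAL_SAMPLE = """\
Received: from mailhost.fnal.gov (mailhost.fnal.gov [198.51.100.7]) by hepa1.fnal.gov
 (Postfix) with ESMTP id 0000000000 for <user@fnal.gov>; Thu, 01 Apr 2010 10:00:00 -0500 (CDT)
From: Someone Else <other@fnal.gov>
To: Wayne E Baisley <user@fnal.gov>
Subject: (constructed)

"""

# Assumption: the address space the lab's own mail is expected to come from
# (TEST-NET-2 is a stand-in; substitute the real range).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Offline stand-in for a whois lookup, holding the one route shown on the slide.
ROUTE_TABLE = {
    ipaddress.ip_network("123.28.32.0/19"): "VietNam Post and Telecom Corporation (VNPT)",
}

# Postfix writes "from <HELO name> (<reverse DNS> [<ip>]) by <host>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9A-Fa-f.:]+)\]\)\s+by\s+(?P<by>\S+)"
)


def entry_point(msg, trusted_nets):
    """Walk Received: headers newest-first (each relay prepends its own) and
    return the first hop whose connecting IP is outside the trusted nets.
    Every header below that one was written by hosts we do not control."""
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hop.replace("\n", " "))
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in trusted_nets):
            return {"ip": str(ip), "rdns": m["rdns"], "helo": m["helo"], "by": m["by"]}
    return None


def lookup_route(ip):
    """Return (route, description) from the offline table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, descr in ROUTE_TABLE.items():
        if addr in net:
            return str(net), descr
    return None


def check_sender(raw, trusted_nets=TRUSTED_NETS):
    """Return the external entry hop plus the reasons to distrust From:."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    to_addr = parseaddr(msg.get("To", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    hop = entry_point(msg, trusted_nets)
    findings = []
    if hop is None:  # every relay was inside the trusted range
        return {"from_domain": from_domain, "hop": None, "findings": findings, "suspicious": False}
    if hop["rdns"] == "unknown":
        findings.append("connecting host has no reverse DNS")
    if hop["helo"].startswith("["):
        findings.append("HELO was a bare IP literal, not a hostname")
    if not hop["rdns"].lower().endswith("." + from_domain):
        findings.append("connecting host is not in the From: domain %s" % from_domain)
    route = lookup_route(hop["ip"])
    if route:
        findings.append("origin %s is routed as %s (%s)" % (hop["ip"], route[0], route[1]))
    if from_addr and from_addr.lower() == to_addr.lower():
        findings.append("From: and To: are identical (self-addressed)")
    return {"from_domain": from_domain, "hop": hop, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("slide sample", SPAM_SAMPLE), ("internal", INTERNAL_SAMPLE)):
        r = check_sender(raw)
        print(label, "suspicious" if r["suspicious"] else "ok", r["hop"])
        for f in r["findings"]:
            print("  -", f)
```

The one rule worth taking away from the code is the direction of the walk: only Received: headers written by relays you control are trustworthy, so the first hop from outside your own address space is the message's real origin, and any From:, To: or earlier Received: line can be whatever the sender typed.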
Users: We Get Mail
You haven’t won $10M
Rampant account hijacking
Don’t open (most) attachments
Best not to click links in mail
Disable scripting for mail

Royko any social engineering attempts
Protect your Kerberos password and it will protect you
Don’t run unkerberized network services (like telnet or read/write ftp)

Users: Security Incidents
Report suspicious stuff to x2345 or [email protected]
Follow FCIRT instructions during incidents
Keep infected machines off the network
Preserve system for expert investigation

Users: Data
Decide what data requires protection
How to be recovered, if needed
Arrange backups with Sysadmins
Or do your own backups
Occasionally test retrieval

The Incidental Computist
Some non-Lab-business Surprising Use allowed in the guidelines:
http://security.fnal.gov/ProperUse.htm

Activities to Avoid
Anything that is illegal
Prohibited by Lab/DOE policy
Embarrassing to the Lab
Interferes with job performance
Consumes excessive resources

Activities to Avoid
Services like Skype and BitTorrent not forbidden but very easy to misuse!
(Better off with iPhone/Droid/etc.)

Data Privacy
Generally, Fermilab respects privacy
You are required to do likewise
Exemptions for Sysadmins and Security
Others must have Directorate approval

Privacy of Email and Files
May not use information in another person’s files seen incidental to any activity (legitimate or not) for any purpose, w/o either explicit permission of the owner or a “reasonable belief the file was meant to be accessed by others.”

Offensive Materials
Material on a computer ≈ Material in a desk
This is a line management concern
Not computer security issues per se

Software Licensing
Fermilab is strongly committed to respecting intellectual property rights
Use of unlicensed commercial software is a direct violation of lab policy

Summary: User Responsibilities
Appropriate use of computing resources
Ensuring your data is backed up
Respecting others’ privacy
Protecting Personal Information (course)
Reporting incidents promptly

Which Brings Us To Sysadmins
That wrench ain’t gonna swing itself.

Sysadmins Get Risk-Roled
System manager for security
Assist and instruct users to do it right
Vigilant observer of your systems’ (and sometimes users’) behavior

Patch/Configuration Management
Baselines: Linux, Mac, Windows
All systems must meet their baseline
All systems must be regularly patched
Non-essential services off
Windows, especially, must run AV

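Two of the slides above reduce to the same check on a desktop: the user slide says not to run unkerberized network services such as telnet or read/write ftp, and the baseline slide says non-essential services must be off. A sysadmin can verify both from the socket table. The script below is an added example, not code from the slides or from Fermilab: it parses the output of `ss -tlnp`, but the output embedded here is constructed for a hypothetical desktop, the list of cleartext-authentication ports goes beyond the two the slide names, and the sanctioned-port allow-list is an assumption standing in for a site's own list.

```python
"""Added example (not from the slides): audit listening TCP sockets against
the "no unkerberized services" and "non-essential services off" rules.
SAMPLE_SS is constructed `ss -tlnp` output; SANCTIONED is an assumed
site allow-list, not Fermilab policy."""
import ipaddress
import re

# Constructed `ss -tlnp` output for a hypothetical desktop.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=900,fd=7))
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*          users:(("xinetd",pid=1204,fd=5))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1190,fd=3))
LISTEN  0       128     *:8080               *:*                users:(("java",pid=2001,fd=12))
"""

# Services whose passwords cross the wire in the clear.  The slide names
# telnet and read/write ftp; the others are the usual companions.
CLEARTEXT_AUTH = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap",
                  512: "rexec", 513: "rlogin", 514: "rsh"}

# Assumption: ports the site has sanctioned as strongly authenticated.
SANCTIONED = {22: "ssh"}

PROC_RE = re.compile(r'\("([^"]+)"')


def parse_ss(text):
    """Yield (address, port, process) for each LISTEN line of `ss -tlnp` output."""
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:22" and "*:8080"
        m = PROC_RE.search(line)
        yield addr.strip("[]"), int(port), (m.group(1) if m else "?")


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; wildcards and unspecified addresses are not."""
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def classify(addr, port, proc):
    """Return (verdict, reason) for one listening socket."""
    if is_loopback(addr):
        return "ok", "loopback only"
    if port in CLEARTEXT_AUTH:
        return "cleartext", "%s reachable from the network; replace with a Kerberized/SSH equivalent" % CLEARTEXT_AUTH[port]
    if port in SANCTIONED:
        return "sanctioned", SANCTIONED[port]
    return "unlisted", "%s listening on %s:%d is not on the allow-list; justify or disable" % (proc, addr, port)


def audit(text):
    """Return one (port, addr, proc, verdict, reason) tuple per socket, worst first."""
    order = {"cleartext": 0, "unlisted": 1, "sanctioned": 2, "ok": 3}
    findings = [(port, addr, proc) + classify(addr, port, proc)
                for addr, port, proc in parse_ss(text)]
    return sorted(findings, key=lambda f: (order[f[3]], f[0]))


def violations(text):
    """Only the sockets that break the two rules."""
    return [f for f in audit(text) if f[3] in ("cleartext", "unlisted")]


if __name__ == "__main__":
    for port, addr, proc, verdict, why in audit(SAMPLE_SS):
        print("%-10s %-5d %-12s %-8s %s" % (verdict, port, addr, proc, why))
```

Two caveats a practitioner will hit. The slide exempts read-only ftp; the socket table cannot tell an anonymous read-only server from a read/write one, so a hit on port 21 still needs a look at the server's configuration. And a loopback-only listener (cupsd above) is not reachable from the network, which is why it is reported as fine rather than as a non-essential service; whether it should be running at all is a baseline question, not a network-exposure one.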
Patch/Configuration Management
All systems must run up-to-date, supported version of the OS
Exceptions/Exemptions: Documented case why OS is “stuck”
Patch and manage as securely

Critical Vulnerabilities
Active exploits declared critical
Pose a clear and present danger
Must patch by a given date or be blocked
Handled via TIssue events

NOISE, n.
… The chief product and authenticating sign of civilization.
Ambrose Bierce, The Devil’s Dictionary

Computer Security Incidents
Must report all suspicious activity
If urgent -- Service Desk at x2345
Or to system manager (if immediately available)
Not to be discussed!

Computer Security Incidents
Non-urgent to [email protected]
Fermi Computer Incident Response Team (FCIRT) will investigate

Recovery: FCIRT
Triage initial reports
Coordinate investigation
Work with local Sysadmins
Call in technical experts

Recovery: FCIRT
May take control of affected systems
Maintain confidentiality

Mandatory Sysadmin Registration
All Sysadmins must be registered
Primary Sysadmin is responsible for configuring and patching
http://security.fnal.gov -> “Verify your node registration”

Major applications
Critical to the mission of the Lab
Require moderate level security controls
Each MA has its own security plan with enhanced / compensatory security controls

Security Essentials for Grid System Administrators Course
Credentials other than Fermilab Kerberos
Fermi Grid infrastructure (GUMS / VOMS)
Developer of grid middleware

Grid Security Training
Grid Resource Users also require training on PKI Authentication

Do Not Want: Prohibited Activities
Blatant disregard of computer security
Unauthorized or malicious actions
Unethical behavior
Restricted central services
Security & cracker tools
http://security.fnal.gov/policies/cpolicy.html

Role of Sysadmins
Manage your systems sensibly, securely
Services comply with Strong Auth rules
Report potential incidents to FCIRT
Act on relevant bulletins
Keep your eyes open

We Can Do It …
(image-only slide)

We Can Do It. Statistically.
(image-only slide)

Questions?
[email protected] for questions about security policy
[email protected] for reporting security incidents
http://security.fnal.gov/