Leading Controls and Tools: Small Teams who can do more with little or no budget
Jeremy Mio – Security and Research Manager

Agenda
- Hygiene / Controls
- Tools
- Examples
- Q&A
Controls & Resources
- NIST Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework): standards, guidelines, and practices to promote the protection of critical infrastructure.
- NIST Security Content Automation Protocol (SCAP): a suite of standard, interoperable specifications for SCAP-capable tools to automate cyber security assessments, including the first five recommended actions of the Cyber Hygiene Campaign.
- CIS Benchmarks and Configuration Assessment Tool (CIS-CAT): more than 80 consensus-based, industry-recognized security benchmarks for the most commonly used technologies, along with the SCAP-implementable CIS-CAT to assess security posture in an automated way.
- CIS Top 20 Critical Controls: a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks.
- Australian Government Department of Defence, Strategies to Mitigate Targeted Cyber Intrusions: a list of strategies to mitigate targeted cyber intrusions.
CIS Top 5 Critical Controls https://www.cisecurity.org/critical-controls.cfm
Free and Painful
- Trial vulnerability scanner… many are available for ad-hoc scanning
- Best practice GPO: Microsoft Baseline Security Analyzer: https://www.microsoft.com/en-us/download/details.aspx?id=7558
- Tripwire SecureCheq™: http://www.tripwire.com/free-tools/
- Qualys BrowserCheck: https://www.qualys.com/free-tools-trials/browsercheck/
- KnowBe4 RanSim: https://www.knowbe4.com/ransomware-simulator
- KnowBe4 Phish Alert Button: https://www.knowbe4.com/free-phish-alert
- AFAP Domain Admins: Limit!!!!
- Software inventory: Microsoft Software Inventory Analyzer tool
NMAP + NDIFF… What is that?
NMAP is your friend. Enumerate the SMB shares on a subnet with the account you are given, then keep only the lines about non-default shares that the account can actually use:

    # scan port 445 on the subnet and save the results as myshares.{nmap,gnmap,xml}
    nmap -T4 -v -oA myshares --script smb-enum-shares \
      --script-args smbuser=MyUserHere,smbpass=MyPassHere -p445 192.168.0.1-255 \
    && cat myshares.nmap | grep '|\|192' \
      # prefix every "|" script line with the host line it belongs to
      | awk '/^Nmap scan report for/ { line=$0 } /\|/ { $0 = line $0 }1' \
      | grep '|' \
      # drop the script header, no-access entries, default admin shares and read-only entries
      | grep -v -E '(smb-enum-shares|access: <none>|ADMIN\$|C\$|IPC\$|U\$|access: READ$)' \
      | awk '{ sub(/Nmap scan report for /, ""); print }' >> sharelist.txt

Straight quotes and the double-dash options (--script, --script-args) matter: the version pasted into the slide had typographic quotes and en-dashes, which the shell and nmap do not accept.
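Ndiff ships with Nmap and compares two scan outputs so that only the changes between a baseline and a later scan are reported. The following Python script is an added example (not from the slides or from the Nmap project): it parses the smb-enum-shares output the pipeline above works on, reports writable non-default shares, and applies the ndiff idea by listing shares that appeared since a baseline scan. The two scan texts are constructed sample data in the shape the script prints, not real output.

```python
"""Parse Nmap smb-enum-shares output and compare two scans.

Added example, not from the slides: does the job of the slide's grep/awk pipeline
in a readable way and adds the "ndiff" idea of comparing a baseline scan against a
later one. The scan text below is constructed sample data, not real output.
"""
import re

# Built-in administrative shares present on every Windows host; the slide's
# pipeline filters these out and so does this parser.
DEFAULT_SHARES = {"ADMIN$", "C$", "D$", "IPC$", "PRINT$"}

HOST_RE = re.compile(r"^Nmap scan report for (.+?)\s*$")
SHARE_RE = re.compile(r"^\|[ _]+\\\\[^\\]+\\([^:]+):\s*$")      # "|   \\host\Share:"
ACCESS_RE = re.compile(r"^\|[ _]+Current user access:\s*(.+?)\s*$")


def parse_shares(scan_text):
    """Return {host: {share_name: current_user_access}} from Nmap normal (-oN) output."""
    shares, host, share = {}, None, None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, share = m.group(1), None
            shares.setdefault(host, {})
            continue
        if host is None:
            continue
        m = SHARE_RE.match(line)
        if m:
            share = m.group(1)
            shares[host][share] = "<unknown>"
            continue
        m = ACCESS_RE.match(line)
        if m and share is not None:
            shares[host][share] = m.group(1)
    return shares


def writable_nondefault_shares(scan_text):
    """(host, share, access) for every non-default share the scanning account can write to."""
    found = []
    for host, shares in parse_shares(scan_text).items():
        for name, access in shares.items():
            if name.upper() not in DEFAULT_SHARES and "WRITE" in access.upper():
                found.append((host, name, access))
    return sorted(found)


def new_shares(baseline_text, current_text):
    """Non-default shares in the current scan that the baseline did not have (what ndiff would flag)."""
    baseline = parse_shares(baseline_text)
    added = []
    for host, shares in parse_shares(current_text).items():
        for name, access in shares.items():
            if name.upper() not in DEFAULT_SHARES and name not in baseline.get(host, {}):
                added.append((host, name, access))
    return sorted(added)


# Constructed sample output in the shape smb-enum-shares prints (trimmed to the relevant lines).
BASELINE_SCAN = r"""Nmap scan report for 192.168.0.10
Host script results:
| smb-enum-shares:
|   account_used: MyUserHere
|   \\192.168.0.10\ADMIN$:
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\192.168.0.10\Public:
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\192.168.0.10\Reports:
|     Anonymous access: <none>
|_    Current user access: READ
"""

SECOND_SCAN = r"""Nmap scan report for 192.168.0.10
Host script results:
| smb-enum-shares:
|   \\192.168.0.10\Public:
|     Current user access: READ/WRITE
|   \\192.168.0.10\Reports:
|     Current user access: READ
|   \\192.168.0.10\HRDocs:
|_    Current user access: READ/WRITE
Nmap scan report for 192.168.0.11
Host script results:
| smb-enum-shares:
|   \\192.168.0.11\ADMIN$:
|     Current user access: READ/WRITE
|   \\192.168.0.11\Backups:
|_    Current user access: READ/WRITE
"""

if __name__ == "__main__":
    print("writable non-default shares:", writable_nondefault_shares(SECOND_SCAN))
    print("new since baseline:", new_shares(BASELINE_SCAN, SECOND_SCAN))
```

Feed it the myshares.nmap file from the pipeline above (and last month's copy) instead of the sample strings, and the "new since baseline" list is the review item: a share nobody asked for is either a misconfiguration or a sign that someone is staging data.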
Other Free and Painful Tips
- Disable telnet, or alert on its use!
- Lock down logins over HTTPS!
- Don't store plain text passwords: KeePass on a file share
- Shut down unused ports, and set up port security
- BitLocker/encryption
- Network device config backups
- SSH… user SSH keys!!
- Patch, Patch, Patch!!
SSL vs TLS
- Disable old/all SSL!!
- 33% of all HTTPS servers are vulnerable
- Switch to TLS
- Heartbleed, DROWN, POODLE, FREAK
- https://www.ssllabs.com/ssltest/
- https://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client/18837
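The SSL Labs test only reaches servers on the Internet. For internal servers, the following Python script is an added example (not from the slides): probe_protocols() attempts one handshake per TLS version with that version pinned as both minimum and maximum, so the result shows which deprecated versions a server still completes, and hardened_server_context() is the server-side setting that refuses anything below TLS 1.2. Python's ssl module cannot negotiate SSLv2/SSLv3 on modern OpenSSL, so the POODLE check for SSLv3 still needs the SSL Labs test or openssl s_client; the host name used when run without arguments is a placeholder.

```python
"""Probe which TLS versions a server negotiates, and build a TLS 1.2+ server context.

Added example, not from the slides. Covers TLS 1.0 through 1.3; SSLv3 must be
checked with another tool because the ssl module cannot speak it.
"""
import socket
import ssl
import sys

PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)
# Versions that should be switched off on any server you control.
LEGACY_VERSIONS = {"TLSv1", "TLSv1_1"}


def probe_protocols(host, port=443, timeout=5.0):
    """Try one handshake per version with min and max pinned to that version.

    Returns {version_name: negotiated_version_or_"refused (...)"}. Certificate
    validation is disabled on purpose: only the protocol version is of interest.
    """
    results = {}
    for version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.version()
        except (OSError, ValueError) as exc:  # SSLError, timeout, or version unsupported locally
            results[version.name] = "refused (%s)" % exc.__class__.__name__
    return results


def legacy_versions_accepted(results):
    """Names of deprecated versions the server actually completed a handshake for."""
    return sorted(name for name, outcome in results.items()
                  if name in LEGACY_VERSIONS and not outcome.startswith("refused"))


def hardened_server_context():
    """Server-side context: TLS 1.2 minimum, so SSLv3 / TLS 1.0 / TLS 1.1 clients are rejected.

    Call load_cert_chain(certfile, keyfile) on the result before using it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression is never needed
    return ctx


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder host
    outcome = probe_protocols(target)
    for version in PROBE_VERSIONS:
        print("%-8s -> %s" % (version.name, outcome[version.name]))
    print("legacy versions accepted:", ", ".join(legacy_versions_accepted(outcome)) or "none")
```

Run it as `python3 probe_tls.py intranet.example` against each internal HTTPS server; anything listed under "legacy versions accepted" belongs on the remediation list, and a server that refuses every version usually means the port is not TLS at all.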
Servers with Desktop Software
- Remove the software!!! Do you need to browse the web, read PDF documents, and run Flash videos from servers!?
- Log all the logins from servers… including successful ones!
- Check iLO settings/passwords
Don’t Forget your printers
Netdisco
NetBox: http://packetlife.net/blog/2016/jun/15/announcing-netbox/
Free & not completely easy
- Start to purple team: SANS Training
- User Education: Resources, team up!
- Different local admin passwords: LAPS
- Least privilege: Practice it!
- App Whitelisting: AppLocker
- Canary in the coal mine: Honeypots!!!
- Egress Filtering: Squid Proxy and others
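The cheapest honeypot is a listener that offers no service at all: on a port nothing legitimate should touch, every connection is a high-signal alert rather than noise. The script below is an added example (not from the slides); it records the source address and the first bytes of each connection, prints a syslog-style alert line, and includes a touch_canary() helper so you can verify the listener from another host. The default port (2323) is an arbitrary choice for illustration.

```python
"""A minimal TCP canary ("honeypot" in the slide's sense).

Added example, not from the slides. The listener offers no real service, so on a
network where nothing should ever connect to it, any connection is worth an alert.
"""
import datetime
import socket
import socketserver
import threading
import time


def format_alert(event):
    """One syslog-style line per touch, ready to ship to whatever collects your logs."""
    return ("CANARY ALERT %(time)s src=%(src_ip)s:%(src_port)d "
            "dst_port=%(dst_port)d first_bytes=%(first_bytes)r" % event)


class CanaryHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(64)   # whatever the client sends first, if anything
        except OSError:
            data = b""
        event = {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "dst_port": self.server.server_address[1],
            "first_bytes": data.decode("ascii", "replace"),
        }
        with self.server.lock:
            self.server.events.append(event)
        print(format_alert(event))


class CanaryServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, CanaryHandler)
        self.events = []               # in-memory record of every touch
        self.lock = threading.Lock()


def start_canary(host="0.0.0.0", port=2323):
    """Start listening in a background thread; port 0 picks a free port (handy for tests)."""
    server = CanaryServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def wait_for_events(server, count, timeout=3.0):
    """Block until the canary has recorded `count` events or the timeout passes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with server.lock:
            if len(server.events) >= count:
                return list(server.events)
        time.sleep(0.05)
    with server.lock:
        return list(server.events)


def touch_canary(host, port, payload=b"probe"):
    """Connect once and send a payload: a self-test of the listener, e.g. from a scanner host."""
    with socket.create_connection((host, port), timeout=2.0) as sock:
        sock.sendall(payload)


if __name__ == "__main__":
    canary = start_canary()
    print("canary listening on %s:%d" % canary.server_address)
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        canary.shutdown()
```

Run it on a spare VM, point your log collector at its output, and treat every alert as an incident to triage: an internal host sweeping ports, a misconfigured scanner, or a new admin who should have known better all show up the same way, and all three are worth a conversation.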
IR: Tool of Tools
- Katana USB Kit
- External Storage
- MiFi
- Documentation!!!!
- Playbooks?... What are your thoughts?
- SANS + MS-ISAC Resources!
Show me the $$$
Do we have a budget yet?
- Real vulnerability scanner
- SIEM/IDS/IPS: AlienVault + MS-ISAC Albert
- Professional pen test (not a security assessment)
- DHS
- 2FA
- Advanced buzzword devices

Organize
- IPAM
- Password safe
- Incident Response tabletops and drills
- MS-ISAC workgroups
- Software Inventory and Standards
Shodan.io
- County, US: 800
- FTP: 163
- Telnet: 133

Extras
- Start early on http://osintframework.com/
- Books: https://www.safaribooksonline.com/library/view/defensive-security-handbook/9781491960370/
List of available resources:
Questions
Contact: Jeremy Mio, jmio@cuyahogacounty.us, 216.698.2542
Cyber Support Inquiries: CCISCSecurity@cuyahogacounty.us
Register for the mailing list at: www.itsecurity.cuyahogacounty.us/en-us/Education.aspx