Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.


1 Security and Risk Management

2 Who Am I
- Matthew Strahan from Content Security
- Principal Security Consultant
- I look young, but I’ve been doing this for a while

3 What is this about?
- Where schools fall apart in their IT security
- How schools can have better IT security

4 Why do you need good security?
- Because any student nowadays can learn how to hack

5 Schools are unique in security
- Lack of time and resources
- Hold highly sensitive personal information
- Users are not only untrusted, but actively distrusted

6 Patch Management

7 Mistake
- Install patches ad hoc or rely on Windows Update
- Forget half of the environment
- People are just lazy

8 What will happen
- Students will google “how to hack servers”
- Students will follow a handy 12 step guide
- Suddenly they have control over half the school

9 What should we do?
- Make sure everything is patched
- Centralised patch management
- Vulnerability assessment

10 Old PCs/Servers No-one Knows About

11 Mistake
- An old library server from 10 years ago
- No-one knows who set it up
- Maybe it’s important, better not touch it
- It’s never been patched
- Contains valid passwords, connected to AD, privileged access

12 What will happen
- Students will google “how to hack servers”
- Students will follow a handy 12 step guide
- Students will use their access to find passwords, connect to AD, exploit privileged access
- Suddenly they get 100% in every test

13 What should we do?
- Remove old systems
- Keep a list of what you have, why it’s there, and whether you still need it

14 Password Management

15 Mistake
- Someone thinks "qwertyui" is a good password
- People put passwords on post-its
- No-one changes the password on a router
- People share their passwords
- All devices have the same password
- Local admin

16 What will happen?
- Students will google default passwords and find this: www.cirt.net/passwords/
- Students will google how to crack weak passwords
- Students will read post-it notes
- Students will use cracked passwords in other systems

17 Default Passwords

18

19 But students don’t have specialist hardware to crack systems!
- Yes they do
- I’m not joking, they really do
- A “specialist password cracking system” is also known as an “awesome gaming system”
- >1 billion combinations per second

20 Demo

21 What should we do?
- Deployment procedure that includes changing default passwords
- Password policies enforced with group policy
- No shared passwords

22 Wireless

23 Mistake
- Not locking down wireless
- Using wireless insecurely
- Using the wrong encryption schema

24 Wireless Encryption Schemas
- WEP is bad
- WPA2-PSK is better than nothing, but carries risks
- WPA2 Enterprise is best
- Never use WPS

25 WPA2-PSK
- Shared password
- If someone has the passphrase, they can intercept all data
- Shared student passphrases lead to MITM attacks

26 Decrypting WPA2-PSK

27 What should we do?
- Use WPA2 Enterprise if you can
- If you have to use PSK, preconfigure devices and segment between networks if you can… still best to just use WPA2 Enterprise

28 Web Applications and Internet Facing Infrastructure

29 Mistake
- A site has been online for the last 10 years. Who knew it was vulnerable to SQL Injection?
- “I want to access this from home”
- Weak external firewall rules

30 Parameter Manipulation
- http://yourschool.edu.au/getinfo.php?id=4
- Student should only be able to access id=4
- Who knew they could change the URL to id=5?

31 SQL Injection
- Application sends commands to the database using SQL: “SELECT * FROM information WHERE id = <id>”
- What if <id> is SQL as well? “SELECT * FROM information WHERE id=3 union select password from users”

32 Cross Site Scripting
- The application allows users to post up comments
- Doesn’t think to stop users from posting HTML and JavaScript code
- JavaScript code can be used to compromise a user account
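The three mistakes on slides 30 to 32 side by side, as an added example that is not from the deck or from Content Security: each vulnerable handler next to a hardened one, run against a constructed in-memory SQLite database. The table names and the password column follow slide 31's own query; the report column, the sample rows, the logged-in student's id and the function names are assumptions made for this illustration. The hardened lookup closes both holes at once: the server decides which record the logged-in student may read, and the id travels as a bound parameter rather than SQL text; the comment renderer escapes user input so markup is displayed instead of executed.

```python
"""Added example (not part of the original deck): the three web-application
mistakes from slides 30-32, each as the vulnerable handler beside a hardened
one, run against a constructed in-memory SQLite database. The table names
(information, users) and the password column come from slide 31's query; the
report column, the sample rows and the session/student model are assumptions
made for this illustration."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two student records plus a users table holding
    a clearly fake credential, so the UNION query has something to pull."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE information (id INTEGER PRIMARY KEY, report TEXT);
        INSERT INTO information VALUES (4, 'Student 4: maths B, english A');
        INSERT INTO information VALUES (5, 'Student 5: maths A, english C');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'FAKE-PASSWORD-FOR-DEMO');
        """
    )
    return con


def getinfo_vulnerable(con: sqlite3.Connection, id_param: str) -> list:
    """Slides 30 and 31: the id from the URL is pasted into the SQL text and
    nobody checks whose record is being asked for."""
    sql = "SELECT * FROM information WHERE id = " + id_param
    return con.execute(sql).fetchall()


def getinfo_hardened(con: sqlite3.Connection, id_param: str,
                     session_student_id: int) -> list:
    """The same lookup with both holes closed."""
    # Parameter manipulation: the server, not the URL, decides which record
    # the logged-in student may read (assumed rule: only their own id).
    try:
        requested = int(id_param)
    except ValueError:
        return []
    if requested != session_student_id:
        return []
    # SQL injection: the value is bound as a parameter, never spliced into SQL.
    return con.execute(
        "SELECT * FROM information WHERE id = ?", (requested,)
    ).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    """Slide 32: a comment dropped straight into the page as HTML."""
    return "<li>" + comment + "</li>"


def render_comment_hardened(comment: str) -> str:
    """Escaping turns < > & ' \" into entities, so the browser shows the text
    instead of treating it as markup or script."""
    return "<li>" + html.escape(comment, quote=True) + "</li>"


def demo() -> dict:
    """Run each pair on constructed inputs; student 4 is the logged-in user."""
    con = make_db()
    # Slide 31's payload, adapted to the two-column table used here.
    union_payload = "0 union select username, password from users"
    comment = "Nice post! <script>alert('comment field is not escaped')</script>"
    return {
        "other_students_record_vulnerable": getinfo_vulnerable(con, "5"),
        "other_students_record_hardened": getinfo_hardened(con, "5", 4),
        "own_record_hardened": getinfo_hardened(con, "4", 4),
        "sqli_vulnerable": getinfo_vulnerable(con, union_payload),
        "sqli_hardened": getinfo_hardened(con, union_payload, 4),
        "xss_vulnerable": render_comment_vulnerable(comment),
        "xss_hardened": render_comment_hardened(comment),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints each pair: the vulnerable lookup hands back another student's record and, with the UNION payload, the row from the users table; the hardened lookup returns nothing for either, while still returning the student's own record for id=4.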

33 Other Mistakes
- Not patching web software: WordPress needs to be patched as well!
- Misconfiguring sites
- Bad/default admin credentials

34 Automatic Exploitation

35 What will happen?
- Defacements
- Stealing personal information
- Stealing financial data
- Denial of service
- Even if you’re not a target, sites can be automatically exploited

36 What should we do?
- Be careful what you have on the internet
- Make sure you secure your sites properly
- Make sure you patch and update your web applications
- Get them tested if you can afford it
- If you’re not sure, take it down

37 Printers

38 Mistake
- No-one thinks of printers when they think of security
- Printers can do more than print
- Often they aren’t even password protected

39 What will happen
- Denial of service
- Pranks, 100s of pages of juvenile creativity
- Retrieve copies of printed documents, like upcoming tests

40 What should we do?
- Password protect printers
- Segment them off into their own subnet

41 Student Laptops

42 Mistake
- All students now have laptops
- Hard to manage, patch and secure
- So we have a standard admin password...
- So we have laptop restrictions...

43 What will happen?
- Physical access always wins
- Never trust students
- Shared passwords will be cracked
- Client side restrictions will be bypassed

44 What should we do?...
- Don't have shared passwords if you can avoid it.
- Never rely on client side restrictions.

45 Network Segmentation

46 Mistake
- We're a school, why would we need a firewall?
- Students can access all servers
- Students can access teacher services

47 What will happen
- Servers with personal info and marks are exposed
- Way more risk than you need

48 What should we do?
- Use a firewall
- Server subnet, student subnet, teacher subnet
- Only allow what is necessary, block everything else
- Keep a current list of services

49 It’s easy to learn to hack

50 Overview of a pentest

51 Any Questions?

52 About Content Security
- Provided services and solutions since 2000
- Works to improve the security of schools (and government, banks, law, corporate, etc)
- http://www.contentsecurity.com.au/
