1. Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |

2. Motto  Thou shalt never assume The Rogue Warrior's Eight Commandment of SpecWar Richard Marcinko US Navy Seal

3. Current Threats to a Secure Office

4. Attackers  External  don’t know anything about your environment  can try brute force passwords at most  vulnerability scanning  Internal  most severe threats  know their environment  have already at least some level of access  can steal data they are authorized to read

5. Protection: External Attackers  Firewalls  Antispam/Antimalware  Software Updates  Account Lockout

6. Current Internal Threats  Assuming  Physical security  computers  data  Passwords  cracking, keyloggers  Eavesdropping  wired/wireless networks  Spam/malware  directed attacks  Remote Access  from unsecure computers  Data theft by authorized readers  currently one of the most underestimated problem

7. Current Threats

8. Vulnerabilities  Examples:  My wife crossing a road  PKI misconfiguration in a bank  Hidden accounts after virus attack  Malicious mail from home vs. from work

9. Protection: Assumptions  Never assume anything  Be careful  Know your enemy  Don’t do anything you don’t understand

10. Current Threats to a Secure Office

12. Environment  Windows 2008 R2 Datacenter  Windows 7 Enterprise  Exchange 2010  SharePoint 2010  Hyper-V  Office 2010  mobile devices with ActiveSync

13. Current Threats to a Secure Office

14. Vulnerabilities  Computers easily accessed by a lot of people  employees  maintenance staff  theft from branch offices  Attacks  stealing the whole machine  stealing the data only  Physical access = local administrator

15. Machines and Network  Servers  rack security  Data storage  Client computers  desktops, notebooks  usually caching data  Peripherals  Remote offices  Wireless and wired networks  AirPCap, USB ethernet switch/netbook

16. Protection: Physical access  Limit physical access  Place computers/storage into secure locations  +hardware locks, cables  Use notebooks instead of desktops  Use remote desktop/terminal  Encryption

17. Protection: BitLocker  Disk partition encryption  AES  Provide password on startup  prevents others from becoming an administrator  Use TPM  prevents owner from becoming an administrator  Trusted Platform Module  stores the password on motherboard  checks signatures of BIOS, CMOS, MBR, Boot Sector, loader etc.

18. Protection: BitLocker  Recovery keys in Active Directory  Windows 7 Enterprise  Gemalto.NET smart-cards  workstations/ntb require S/C to boot  manually enrolled  combined with user logon certificates

19. Protection: 802.1x  Network Access  Ethernet, WiFi  EAP-TLS  Certificate authentication  computer/user  computer + user  automatic enrollment, AD computer account

20. Protection: 802.1x Switch Managed Switch PC Printer PC

21. Current Threats to a Secure Office

22. Vulnerabilities  Free network access  No network traffic encryption  People ignore warnings  ARP poisoning

23. Protection: Firewall  Windows Firewall  IP/TCP/UDP/ICMP/AH/ESP inspection  FTP/PPTP/IPSec pass-through  IP/process filters  Network Location Awareness  Blocking client / client traffic

24. Protection: Eavesdropping  IPSec encryption  IP filters  Network Location Awareness  internal traffic only  Computer certificate authentication  automatically enrolled for AC machine account  AES, SHA-2

25. Protection: SSL Inspection  Threat Management Gateway  secure remote access  monitor users when “uploading”  Reverse inspection  Exchange, SharePoint, Terminal access  Forward  Antimalware, URL, classification

26. Internet SSL Publishing TMG LAN Web Server Certificate 443

27. SSL Certificate prices  Verisign – 1999  300$ year  Thawte – 2003  150$ year  Go Daddy – 2005  30$ year  GlobalSign – 2006  250$ year  StartCom – 2009  free

28. SSL Assurance  Email loopback confirmation  Requires just a valid email address  No assurance about the target identity

29. EV browsers BrowserVersion Internet Explorer7.0 Opera9.5 Firefox3 Google Chrome- Apple Safari3.2 Apple iPhone3.0

30. EV Certificate prices  Verisign – 1999  1500$ year  Thawte – 2003  600$ year  Go Daddy – 2005  100$ year  GlobalSign – 2006  900$ year  StartCom – 2009  50$ year

31. LANInternet Forward SSL Inspection TMG Certificate443 Certificate443 Certificate443 Certificate443

32. SSL Inspection (MITM) Web Server Client Certificate Public key Private key Attacker TMG False Certificate Public key Private key

33. TMG Forward SSL Inspection

34. No SSL Inspection

35. TMG CA Not Trusted

37. Web Server Certificate

38. TMG CA Trusted on the Client

39. Protection: Intrusion Prevention  Threat Management Gateway  Intrusion Prevention System  External/Internal/DMZ only

40. Current Threats to a Secure Office

41. Vulnerabilities  Keyloggers  software  hardware  Cache / Local Storage  Cracking

42. Local Password Storage  Full-text passwords  IE autocomplete  password “lockers”  fingerprint readers  service/scheduled-tasks accounts  Password hashes  local user accounts  all domain accounts on Domain Controllers  password caches

43. Password Cracking  Windows MD4 Hashes  local storage  LAN network capture  PPTP VPN  Offline  Rainbow Tables  severe up to 7 characters (minutes)

44. Protection: Passwords  Use smart cards  convenient (3-5 characters PIN)  Gemalto.NET without installation  Require strong passwords  admin accounts  Procedures, policies and audit  Never type sensitive passwords on insecure computers  Training

45. Protection: Comparable Algorithm Strengths (SP800-57) StrengthSymetricRSAECDSASHA 80 bit2TDEARSA 1024ECDSA 160SHA-1 112 bit3TDEARSA 2048ECDSA 224SHA-224 128 bitAES-128RSA 3072ECDSA 256SHA-256 192 bitAES-192RSA 7680ECDSA 384SHA-384 256 bitAES-256RSA 15360ECDSA 512SHA-512

46. Protection: Smart Cards AlgoritmusPorovnání 10 znaků heslo US-ASCII70 bit SHA-180 bit RSA 2048112 bit SHA-256128 bit AlgoritmusNáročnostDoba 10 znaků heslo US-ASCII12 500 let SHA-11024x lepší2 600 000 let RSA 20484 398 046 511 104x lepší11 000 biliónů let SHA-2562^58x lepší-

47. Protection: Password Policies  For individual groups/users  Granular Password Policies  Windows 2008 Domain Functional Level and newer  Non-complex password example  login: Ondrej  password: #.LonDo-NN.sea-s0n58  Complex password example  September2011

48. Current Threats to a Secure Office

49. Spam threats  No real prevention against spam  Spam created anonymously  no traces/auditing  Directed attacks cannot be automatically recognized

50. Malware Threats  Virus must be first detected after infection!  Backdoors just download the real infection  does antimalware know what exactly it was?  Reinstallation of the whole password domain!  users tend to use same passwords for more services  Stability and performance

51. Protection: Spam and malware  Train people  Implement antispam/antimalware  Words/Open Relay Lists etc.  SenderID  Forefront Protection for Exchange  Forefront Protection for SharePoint  Forefront Threat Management Gateway  Forefront Endpoint Protection  + network traffic scanning

52. Antimalware

53. Antispam

54. Current Threats to a Secure Office

55. Vulnerabilities  Prone to keylogger attacks  when used with passwords  Can be connected from quite anywhere  insecure home computers, internet cafes  Some protocols not secure  PPTP – passwords hashes offline cracking

56. Client VPN Comparison VPNConnection requirementsSecurity Client Availability Authentic. RDP TCP 3389 server certificate (not required) random keys (D-H) certificate private key (2048bit) Windows XP password smart card RDS/TS Gateway TCP 443 server certificate random keys (D-H) certificate private key (2048bit) Windows XP password smart card PPTPGRE + TCP 1723 depends on password quality vulnerable to offline cracking MS-DOS password smart card L2TP IPSec ESP + UDP 500/4500 server certificate client computer certificate random keys (D-H) certificate private key (2048bit) Windows 98 password smart card SSTP TCP 443 server certificate random keys (D-H) certificate private key (2048bit) Windows Vista password smart card Direct Access IPv6 IPSec tunnel IPv6 over IPv4 tunneling random keys (D-H) certificate private key (2048bit) Windows 7 machine certificate + Kerberos

57. Protection: Remote Access  Use RDP when possible  sends only keystrokes and mouse  receives only pictures  Use L2TP or SSTP  IPSec or SSL  encrypts the channel with strong random private keys (2048 bit etc.)  IPSec requires and limits connection to those who have client computer certificate  Implement Network Access Protection (NAP)

58. Protection: Direct Access  IPv6 client / IPv6 gateway  Tunneling over IPv4  6to4, Teredo, ISATAP, IP-HTTPS  NAT64 + DNS64  Unified Access Gateway  Always on  Authentication  machine certificates  user Kerberos authentication

59. LAN DirectAccess Client DA Server

60. Current Threats to a Secure Office

61. Vulnerabilities  Authorized users can  read  print  copy  send emails  upload FTP/SSL/VPN

62. Protection: Authorized users  Procedures  Limit public online access and services  Limit use of removable hardware  Limit use of unapproved software  AppLocker, Software Restriction Policies  Monitor and audit  Email Journaling  TMG URL logs  Use some Rights Management software  Data Leakage Protection

63. Current Threats to a Secure Office

64. What’s missing  User monitoring  RDP, keystrokes, etc.  File/folder encryption  EFS is very limited in features  RMS for more applications  currently only Office  Better smart/card experience  Better certificate restrictions  Alternative logon methods (e.g. SMS)

65. Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com |