Security Essentials for Desktop System Administrators.


1 Security Essentials for Desktop System Administrators

2 Civilization Is Made Of People …
Civilization is Risk. -- Not Big Brother
(December 8, 2011, Security Essentials for Desktop System Administrators, slide 2)

3 Dave Barry On Civilization …
New Technology Is Invented Largely To Overcome Previous "Advances"

4 Dave Barry On Civilization … Fields

5 Dave Barry On Civilization … Fields -> Trees

6 Dave Barry On Civilization … Fields -> Trees -> Caves

7 Dave Barry On Civilization … Fields -> Trees -> Caves -> Houses

8 Dave Barry On Civilization … Houses

9 Dave Barry On Civilization … Houses -> Windows

10 Dave Barry On Civilization … Houses -> Windows -> Glass

11 Dave Barry On Civilization … Glass -> Drapes

12 Dave Barry On Civilization … Glass -> Drapes -> Tents

13 Dave Barry On Civilization … Glass -> Drapes -> Tents (in Fields!)

14 Dave Barry On Civilization … Fireplaces

15 Dave Barry On Civilization … Fireplaces -> Microwaves

16 Dave Barry On Civilization … Fireplaces -> Microwaves -> Bean Burritos

17 Dave Barry On Civilization … -> (image slide)

18 Computer Security … Essentially A People Problem

19 Internet: A Basic “People Problem” (diagram; label: Privacy)

20 Internet: A Slightly More Precise View (diagram; labels: Privacy, Blog Rants (tl;dr))

21 Bruce Schneier
Once the technology is in place, there will always be the temptation to use it... (Secrets and Lies, 2000)

22 Technology: How Technology Works (diagram; label: Surprising Uses)

23 Surprising Technology Use (image)

24 Surprising Technology Non-Use (image)

25 Surprising Technology Use: MUDFLAPS SO I HERD U LIEK THEM (image)

26 Technology: Technology And Risk (diagram; labels: Surprising Uses, Malicious Activity*)

27 Technology: Technology And Risk (diagram; labels: Surprising Uses, Malicious Activity*)
* not to scale

28 Bruce Schneier
And it is poor civic hygiene to install technologies that could someday facilitate a police state.

29 xkcd … (image)

30 … xkcd (image)

31 Dealing With Risk: Recognize | Reduce | Recover

32 Dealing With Risk: Protect | Detect | React

33 Recognizing Risks
- High Bandwidth
- Enormous Storage
- Posh.gov Location
- Nothing Marketable

34 Recognizing Risks
- High Bandwidth
- Enormous Storage
- Posh.gov Location
- Nothing Marketable*

35 Recognizing Risks
- Caching warez
- Sending SPAM
- Spreading malware
- Being/controlling bots
- Committing/suffering DDoS attacks

36 Recognizing Risks
- Destruction Of Data
- Waste Of Bandwidth
- Waste Of Time
- Frustration

37 Recognizing Risks
- Default admin privs
- Visiting malicious sites
- Promiscuous USB sharing
- Lack of gruntlement

38 Newer Threats
- CarrierIQ / mobile device surveillance
- QR Code attacks

39 Newer Threats
- DigiNotar
- Gemnet
- Stuxnet, Critical Infrastructure attacks
- Advanced Persistent Threats

40 Grace Hopper
Life was simple before World War II. After that we had systems.

41 TLAs for TCB: ISM? DID!
- Integrated Security Management (ISM)
- Defense In Depth (DID)

42 Reducing Risks: DID
- Perimeter Controls
- Auto-blocking
- Mail virus scanning
- Central Authentication (via LDAP/Kerberos)

43 Reducing Risks: DID
- Patch and configuration mgmt
- Critical Vulnerabilities
- Prompt response via FCIRT
- Intelligent and informed users
- General and special enclaves

44 Recognizing Risks: ISM
- Computer Security not an add-on
- Not “one size fits all”
- Largely common sense

45 Reducing Risks: ISM
- Primary passwords off the net
- Single turn-off point
- No visible services without Strong Authentication
- Lab systems scanned for compliance

46 Recovery: ISM
- General Computer Security Coordinators (listed at http://security.fnal.gov/)
- Work with Computer Security Team
- Disseminate information
- Deal with incidents

47 What About Us Users?
- Malicious Surprises abound
- Use reasonable caution

48 Users: We Get Mail
- You haven’t won $10M
- Don’t open (most) attachments
- Best not to click links in mail
- Disable scripting for mail

49 Users: We Get Mail
Can you trust the (so-called) sender?

Received: from [123.28.41.241] (unknown [123.28.41.241])
    by hepa1.fnal.gov (Postfix) with ESMTP id 808F76F247
    for ; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)
From: Wayne E Baisley
To: Wayne E Baisley

route:   123.28.32.0/19
descr:   VietNam Post and Telecom Corporation (VNPT)
address: Lo IIA Lang Quoc te Thang Long, Cau Giay, Ha Noi
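The check slide 49 performs by hand (read the Received line written by your own relay, look up who owns the handing-off IP, compare with what the From header claims) can be automated. The following is an added Python example, not part of the presentation: it assumes hepa1.fnal.gov as the trusted relay name and the VNPT route from the slide, while the two sample messages, the example.org addresses, ROUTE_TABLE (standing in for a whois lookup) and EXPECTED_ORIGIN are constructed for illustration.

```python
import email
import email.utils
import ipaddress
import re
from email import policy

# Constructed sample modelled on the Received header shown on slide 49.
# The slide elided the From/To addresses, so example.org placeholders stand in.
SUSPECT_MESSAGE = """\
Received: from [123.28.41.241] (unknown [123.28.41.241])
    by hepa1.fnal.gov (Postfix) with ESMTP id 808F76F247
    for <user@example.org>; Thu, 01 Apr 2010 09:41:02 -0500 (CDT)
From: Some User <user@example.org>
To: Some User <user@example.org>
Subject: Re: your account

(body omitted)
"""

# Constructed counter-example: same From, but handed to our relay by the
# sender domain's real mail gateway (192.0.2.0/24 is documentation space).
LEGIT_MESSAGE = """\
Received: from mailgw.example.org (mailgw.example.org [192.0.2.10])
    by hepa1.fnal.gov (Postfix) with ESMTP id 1A2B3C4D5E
    for <user@example.org>; Thu, 01 Apr 2010 10:02:13 -0500 (CDT)
From: Some User <user@example.org>
To: Some User <user@example.org>
Subject: Meeting notes

(body omitted)
"""

# Stand-in for a whois/route lookup.  The first entry is the route the
# slide quoted; the second is constructed for the counter-example.
ROUTE_TABLE = {
    "123.28.32.0/19": "VietNam Post and Telecom Corporation (VNPT)",
    "192.0.2.0/24": "example.org mail gateways (constructed)",
}

# Where mail claiming each sender domain is expected to come from (constructed).
EXPECTED_ORIGIN = {"example.org": ["192.0.2.0/24"]}

IPV4_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message, trusted_relay):
    """Address of the host that handed the message to our own relay.

    Every Received line *below* the one our relay wrote could have been
    forged by the sender, so only the 'from' part of that one line counts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for header in msg.get_all("Received", []):      # newest hop first
        text = " ".join(str(header).split())
        if f"by {trusted_relay}" in text:
            found = IPV4_LITERAL.search(text.split(" by ")[0])
            return ipaddress.ip_address(found.group(1)) if found else None
    return None


def lookup_route(ip, table=ROUTE_TABLE):
    """Longest-prefix match of ip against the route table."""
    best_net, best_descr = None, "no route found"
    for prefix, descr in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_descr = net, descr
    return best_descr


def sender_domain(raw_message):
    """Domain part of the address in the From header (empty if unparsable)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_sender(raw_message, trusted_relay="hepa1.fnal.gov"):
    """Does the first trustworthy hop agree with what the From header claims?"""
    ip = originating_ip(raw_message, trusted_relay)
    domain = sender_domain(raw_message)
    expected = EXPECTED_ORIGIN.get(domain, [])
    plausible = ip is not None and any(
        ip in ipaddress.ip_network(p) for p in expected)
    return {
        "from_domain": domain,
        "origin_ip": str(ip) if ip else None,
        "origin_owner": lookup_route(ip) if ip else "unknown",
        "sender_plausible": plausible,
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, assess_sender(raw))
```

The point of anchoring on the trusted relay's own Received line is that anything below it in the header stack was supplied by the remote side and proves nothing; the hand check on the slide does the same thing by reading the line hepa1.fnal.gov wrote. For the suspect message the handing-off host is 123.28.41.241, which the route table attributes to VNPT rather than to anything example.org is expected to send from, so the sender is flagged as implausible.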

50 Users: Pass the Word
- Use strong passwords
  - Longer is better
- Use different passwords
  - Or variants, at least

51 Access: Hollywood, Royko (images)
any social engineering attempts

52 Users: Data
- Decide what data requires protection
  - How to be recovered, if needed
- Arrange backups with Sysadmins
  - Or do your own backups
- Occasionally test retrieval

53 The Incidental Computist
Some non-Lab-business Surprising Use is allowed: http://security.fnal.gov/ProperUse.htm
(I prefer personal iPhone/iPad/Droid via an external network …)

54 Activities to Avoid
Services like Skype and BitTorrent: not forbidden, but very easy to misuse!

55 Activities to Avoid
Anything that:
- Is illegal
- Is prohibited by Lab/DOE policy
- May embarrass the Lab
- Interferes with job performance
- Consumes excessive resources

56 Which Brings Us To Sysadmins
That wrench ain’t gonna swing itself.

57 Sysadmins Get Risk-Roled
- System manager for security
- Assist and instruct users to do it right
- Vigilant observer of your systems’ (and sometimes users’) behavior

58 NOISE, n. … The chief product and authenticating sign of civilization.
Ambrose Bierce, The Devil’s Dictionary

59 Data Privacy
- Generally, Fermilab respects privacy
- You are required to do likewise
- Special cases for Sysadmins during Security Incidents
- Others must have Directorate approval

60 Privacy of Email and Files
May not use information in another person’s files seen incidental to any activity (legitimate or not) for any purpose w/o explicit permission of the owner or “reasonable belief the file was meant to be accessed by others.”

61 Offensive Materials
- Material on computer ≈ Material on desk
- A line management concern
- Not a computer security issue per se

62 Software Licensing
Fermilab is strongly committed to respecting intellectual property rights. Use of unlicensed commercial software is a direct violation of lab policy.

63 Patch/Configuration Management
- Baselines: Linux, Mac, Windows
- All systems must meet their baseline
- All systems must be regularly patched
- Non-essential services off
- Windows, especially, must run AV

64 Patch/Configuration Management
Exceptions/Exemptions:
- Documented case why OS is “stuck”
- Patch and manage as securely

65 Critical Vulnerabilities
- Active exploits declared critical
- Pose a clear and present danger
- Must patch by a given date or be blocked
- Handled via TIssue events

66 Computer Security Incidents
- Report suspicious events to x2345 or computer_security@fnal.gov
- Follow FCIRT instructions during incidents
- Keep infected machines off the network
- Preserve system for expert investigation
- Not to be discussed!

67 FCIRT
- Triage initial reports
- Coordinate investigation
- Work with local Sysadmins, experts
- May take control of affected systems
- Maintain confidentiality

68 Mandatory Sysadmin Registration
- All Sysadmins must be registered
- Primary Sysadmin is responsible for configuring and patching
- http://security.fnal.gov -> “Verify your node registration”

69 Do Not Want: Prohibited Activities
- Blatant disregard of computer security
- Unauthorized or malicious actions
- Unethical behavior
- Restricted central services
- Security & cracker tools
http://security.fnal.gov/policies/cpolicy.html

70 We Want To Avoid This … (image)

71 Role of Sysadmins
- Manage your systems sensibly, securely
- Services comply with Strong Auth rules
- Report potential incidents to FCIRT
- Act on relevant bulletins
- Keep your eyes open

72 We Can Do It … (image)

73 We Can Do It. Statistically. (image)

74 Questions?
- nightwatch@fnal.gov for questions about security policy
- computer_security@fnal.gov for reporting security incidents
- http://security.fnal.gov/

75 Security Essentials for Desktop System Administrators
