Brian Reid – Improving User and Application Security
Transcript of Brian Reid – Improving User and Application Security
IMPROVING USER AND APPLICATION SECURITY
Brian Reid - NBConsult
“There are two kinds of big companies, those who’ve been hacked, and those who don’t know they’ve been hacked.”
James Comey, Director FBI
Wall Street Journal, JP Morgan, White House, Yahoo, RSA, Microsoft, Google, Apple, Facebook, Sony, Target, Heartland, eBay, TalkTalk, ICANN, Home Depot, Vtech, Carphone Warehouse, UPS, Dropbox, LinkedIn, Republican Party
Organizations with enormous security budgets and elite security analysts are struggling to address these modern threats.
THE EVOLUTION OF ATTACKS
(Chart: Targeting and Sophistication against Volume and Impact)
2003-2004: Script Kiddies. BLASTER, SLAMMER. Motive: Mischief
2005-PRESENT: Organized Crime. RANSOMWARE, CLICK-FRAUD, IDENTITY THEFT. Motive: Profit
2012 - Beyond: Nation States, Activists, Terror Groups. BRAZEN, COMPLEX, PERSISTENT. Motives: IP Theft, Damage, Disruption
THE ANATOMY OF AN ATTACK
:)Healthy
ComputerUser
Receives Email
User Lured to Malicious
Site
Device Infected with
Malware
HelpDesk Logs into Device
Identity Stolen, Attacker Has
Increased Privileges
:)Healthy
ComputerUser
Receives Email
User Lured to Malicious
Site
Device Infected with
Malware
THE ANATOMY OF AN ATTACK
User Lured to Malicious
Site
Device Infected with
Malware
HelpDesk Logs into Device
Identity Stolen, Attacker Has
Increased Privileges
User Receives
THE ANATOMY OF AN ATTACK
What Can We Do?
Do We Do The Following?
• Password Policies
• Two Factor Authentication
• Proper Identity Management
• Spoof and Phishing Protection
• End User Security Training
• Email Zero Minute Protection
• Data Encryption
• Manage Cloud Security
• Post Breach Detection
• Patch, Patch, And Patch Again
• Modern Hardware
• Device Management
• Application Management
• Conditional Access
• Windows Server 2016 AD FS
• Privileged Identity Management
123456, password, cowboy, football, qwerty, jordon, harley, pa55w0rd, 12345, baseball, 12345678, dragon, 1234, thunder, monkey, letmein, abc123, tigger, 11111111, shadow, batman, trustno1, 69696969, mustang, ranger, test, thomas, michael, tigger, soccer, thunder, cowboy
How To Secure Your Password
• Never change it – but make it secure and easy to remember
• Forcing change is an inconvenience to users, causes helpdesk reset calls, and all it does is make users choose one similar to the last one (or write it down)
• Implement monitoring instead – force a change based on risk
• Change it via Azure AD
• Microsoft blocks passwords that are considered weak or are already known (for example from published breach lists)
• Use a trusted device or 2FA
• But this can inconvenience users – do you have 2FA on your internet accounts?
• Even better is risk based two factor authentication (2FA)
© xkcd http://xkcd.com/936/
SELF-SERVICE PASSWORD RESET
Identity Driven Password Reset or unlock
Part of Azure Active Directory Premium
User registers device, alternative email and answers some questions
On a change, lockout or risk based issue, the user can easily reset their own password, having proved that the person requesting the change is the user!
TWO FACTOR AUTHENTICATION
Lots of options from vendors
Built into Office 365 for free
Azure Multi-Factor Authentication
Azure Multi-Factor Authentication Server
Windows Hello and Passport for Work
AZURE MULTI FACTOR AUTHENTICATION
Available for free in Office 365, but limited PowerShell support
Available as part of Enterprise Mobility + Security (EMS suite) or stand alone purchase
Can use on premises (RADIUS, IIS, AD integration etc.) by running the MFA Server installer
Can customise telephone number, voice greetings, and cache times
Can integrate it with AD FS – need MFA Server on-premises if AD FS is pre-2016
Supports one and two way 2FA with phone, text, app and devices, and SDK for adding MFA to your applications
RISK DRIVEN IDENTITY PROTECTION
Part of Azure Active Directory Premium P2
Includes:
Reports on risk and risk events
MFA registration policy
User risk policy
SPF, DKIM AND DMARC
Do you know where emails from your domain are coming from? DMARC will tell you.
DMARC can also tell receivers what to do with emails from suspicious sources (none, quarantine or reject)
SPF tells receivers where you allow your domain to send email from
DKIM adds a signature to the email header, computed over the body, to show the true sender
Ever “phished” your users intentionally?
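As an added example (not code from the talk), this receiver-side DMARC evaluation shows how the policy a domain publishes decides what happens when SPF and DKIM fail or do not align with the From: domain. The DMARC record and domain names are constructed; the SPF and DKIM results are assumed to have been computed already by the receiving mail system.

```python
# Constructed DMARC TXT record for a hypothetical domain (example values, not
# real DNS data); the evaluator consumes SPF/DKIM results a receiver already computed.
DNS_TXT = {
    "_dmarc.example.com": ("v=DMARC1; p=quarantine; sp=reject; adkim=r; "
                           "aspf=s; rua=mailto:dmarc@example.com"),
}

def parse_tags(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels
    (real receivers consult the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only
    needs the same organizational domain."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, dns=DNS_TXT):
    """Return 'pass' or the disposition ('none', 'quarantine', 'reject')
    the From: domain's DMARC record asks receivers to apply."""
    record_domain = from_domain
    record = dns.get("_dmarc." + from_domain)
    if record is None:  # fall back to the organizational domain's record
        record_domain = org_domain(from_domain)
        record = dns.get("_dmarc." + record_domain)
    if record is None:
        return "none"  # no policy published: DMARC imposes nothing
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"  # an aligned mechanism authenticated the From: domain
    # 'sp' governs subdomains when the policy came from the organizational domain
    if record_domain != from_domain and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")
```

Note that an SPF pass on an unrelated bounce domain does not rescue the message: with aspf=s the SPF domain must equal the From: domain exactly.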
HOW MALWARE ATTACKS CHANGE OVER TIME
Attack morphs over time to evade detection
(Diagram: Sender → Exchange Online Protection (multiple filters + 3 antivirus engines) → Links: Safe Links rewrite; Attachments: detonation chamber (sandbox) asking Executable? Registry call? Elevation? … → Recipient. Outcomes: Safe / Unsafe)
ADVANCED THREAT PROTECTION
ATP is part of Office 365 E5 licence suite or stand alone purchase
Accelerate Productivity
Dynamic Email Delivery and Linked Content Detonation keep productivity high by delivering all emails instantly.
Built in protection
Natively built in to Exchange Online Protection to allow deployment in seconds. Manage policies for Safe Attachments and Safe Links from a single cloud console for faster remediation of issues that are detected.
Protection everywhere
Safe Attachments and Safe Links are expanding their protection beyond email, to other Office 365 workloads and Office clients. For example, links inside documents opened in Word, or Safe Attachments in SharePoint libraries.
DATA ENCRYPTION
Protect data with encryption that stays with the data regardless of the location of the data
On-premises or cloud based service provided out of Azure Information Protection (was Azure Rights Management Service)
Now with automatic classification and labelling – protecting what needs protecting, then monitoring it and responding if the data is being abused
AZURE INFORMATION PROTECTION
MONITORING UNAUTHORISED CLOUD APP USAGE
Upload your firewall and proxy reports to Cloud App Security
No agents to install
See what back door IT service provision is in use in your organization
Activity maps – who is using what from where
File and sharing reports in real time
WINDOWS DEFENDER ADVANCED THREAT PROTECTION
Detect advanced attacks and remediate breaches
Built into Windows 10
Behaviour based, cloud-powered breach detection
Rich timeline for investigation
Can integrate with Advanced Threat Protection in Office 365 and Advanced Threat Analytics on-premises
Part of the Windows Enterprise E5 Licence
Included in the Enterprise Mobility + Security E5 licence
DEMO
WDATP – LET’S TAKE A LOOK
What’s the latest with patching?
DEVICE GUARD
Hardware Rooted App Control
Windows desktop can be locked down to only run trusted apps, just like many mobile OS’s (e.g.: Windows Phone)
Resistant to tampering by an administrator or malware
Requires Windows 8 certified or greater hardware
Untrusted apps and executables, such as malware, are unable to run
CREDENTIAL GUARD IN WINDOWS 10
(Diagram: Hardware → Hypervisor. Above it, the Windows Kernel with Apps and Windows Platform Services, and alongside it the Virtualization Based Isolated User Mode kernel hosting trustlets: Device Guard, Credential Guard, Trustlet #3)
UNKNOWN PC HEALTH
Today health is assumed
(Diagram: 1. “Access please” → Important resources (OneDrive, File Servers, Email, Wireless) → 2. “You’re in”)
CONDITIONAL ACCESS
Blocking unhealthy devices to protect
resources and prevent proliferation
Windows Device Health Attestation (WDHA) service provides validation of device integrity data
Management systems (e.g.: Intune) can leverage WDHA attested integrity data to facilitate conditional access to resources
Management may couple WDHA attested integrity data with additional health state data (e.g.: patch status) to provide a more comprehensive view of device health
The integrity data from the WDHA service is available for use by 3rd party network access, security, and management solutions.
WINDOWS DEVICE HEALTH ATTESTATION ENABLES:
MDMs to gate access based on device integrity and health
(Diagram: 1. “Access please” to Important resources (OneDrive, File Servers, Email, Wireless); 2. “Prove to me you are healthy”; 3. Request to the Windows Cloud Service and Intune (Device Integrity Health State, Windows Cloud Service); 4. Approved; 5. “Here is my proof”. Client policies: AV, firewall, patch state (e.g.: Intune))
WINDOWS SERVER 2016 AD FS
Three new ways to access resources without a password:
1. Sign in with Azure Multi-Factor Authentication [new]
Enter username and one time code from an authenticator app
Enter username and password and then follow that up with MFA (known as secondary authentication)
MFA authentication is built into Windows Server 2016 – no MFA server required
MFA can be added as part of access control policy rules or configured for intranet or extranet
2. Sign in from compliant devices
Enable access only from devices that are managed and/or compliant
Enable extranet access only from devices that are managed and/or compliant
Require multi-factor authentication for computers that are not managed or not compliant
Managed/Compliant means meets Intune policies
3. Microsoft Passport
Windows 10 devices introduce Windows Hello and Microsoft Passport for Work
Passwords replaced with strong device-bound user credentials protected by a user's gesture (a PIN, a biometric gesture like fingerprint, or facial recognition)
PRIVILEGED IDENTITY MANAGEMENT
How many Global Admins do you have
How many Domain Admins do you have
How many other privileged identities are there on your network
Could you limit them by time and place?
Going to Consider the Following?
• Password Policies
• Two Factor Authentication
• Proper Identity Management
• Spoof and Phishing Protection
• End User Security Training
• Email Zero Minute Protection
• Data Encryption
• Manage Cloud Security
• Post Breach Detection
• Patch, Patch, And Patch Again
• Modern Hardware
• Device Management
• Application Management
• Conditional Access
• Windows Server 2016 AD FS
• Privileged Identity Management