Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016
-
Upload
ted-wentzel -
Category
Technology
-
view
29 -
download
1
Transcript of Naked and Vulnerable - A Cybersecurity Starter Kit from Camp IT Dec 2016
Naked and Vulnerable
A Cybersecurity Starter Kit
@MrShannonFritz
Who is this Guy?• I’m Shannon Fritz• I’m a Microsoft Enterprise Security MVP• I’m on twitter @MrShannonFritz• I’m a Solutions Architect at Concurrency• We transform businesses
Modern Applications
Modern IT ManagementIdentity, Management
Identity, Application, InformationCommunications
Customer EngagementIdentity, Application, Information
Communications
Cloud Data CenterNetwork, Identity
Analytics & DataIdentity, Application, Information
Communication
Digital Transformati
onRealized
Mob
ility Security
MobilitySe
curit
y
@MrShannonFritz
A Cybersecurity Starter Kit•Why you’re here
oYou know you are at risk, but it’s ambiguousoYou want improve securityoYou uncertain where best to start
•What you’ll getoSome examples to make a case for improving
securityoFour specific areas to start making improvements
now
@MrShannonFritz
Larg
est
Dat
a Br
each
es Source:Informationisbeautiful.net
Hack
s res
ultin
g in
loss
of m
ore
than
30,
000
reco
rds
@MrShannonFritz
@MrShannonFritz
Starting Out•First, ADMIT that theorganization CAN do better
•Second, KNOW thatyou can ALWAYS do better
•Then, make a PLAN
@MrShannonFritz
Get Specific• Identify specific things to addressoWhat risk are you concerned with?oWhy is it bad?
•Select the low hanging fruit
•Make it measurable
@MrShannonFritz
Get Specific - Threats•Possible Risk ConsiderationsoDDoS / BotNetoSocial EngineeringoRansomwareoCredential Theft
TIP: Do NOT start with ‘insider’ threats
@MrShannonFritz
Get Specific - Assessments•Possible Starting PointsoNetwork SegmentationoBad ConfigurationsoAPIs and ProtocolsoSoftware Versions / PatchingoExcessive PrivilegesoCredential Management
@MrShannonFritz
Get Specific - Assessment
ID System Owner
Business Process
Hardware Product
Software Product
Configuration Threat Vulnerability Controls
Impact(Low-Med-High)
Complexity(Low-Med-High)
Risk(Low-Med-Hgih)
Priority
00001 Workstations and Servers Denise Smith X Privilege Escalation Local Administrators LAPS High Low High 1
00002 Active Directory Qiong Wu X Unauthorized Use Privileged Accounts MIM PAM Med Med Low 4
00003 Workstations and Servers Naoki Sato X Code Execution Patching SCCM X Med Med 3
00004 Business Culture Daniel Roth X Social Engineering Phishing KnowBe4 High Low High 2
00005 WiFi Andrea Dunker X Unauthorized Use Pre-shared Key 802.1X Low High Med 5
00006 Workstations and Servers Eric Gruber X Business Data Loss Malicious Software Device Guard High High Med 6
Discover Assess
@MrShannonFritz
Prove It• If you need to, Prove the risk!•Exploit the vulnerability•Record your process
TIP: DO NO HARMDo not use your own access or Personal RelationshipsCYA – Get permission, or Hire a Penetration Tester
@MrShannonFritz
Why Prove It?•Risks of ProofoSomeone can get angry (or Die?)oYou can get in trouble (Fired / Legal)
•Benefits of ProofoGets peoples attentionoGets business buy-inoMakes Security Real / Real Cool
@MrShannonFritz
Analyze it•What did you get?
•How did you get it?
•What went wrong so you could get it?
•Who is responsible for what went wrong?
@MrShannonFritz
Remediate it• Team up with the responsiblepeople and collaborate
•Define ‘Remediation Objectives’
•Create official projects with funding,assigned resources and deadlines.
• Test Again!
@MrShannonFritz
Repeat it•Define the concern
•Prove it is a Risk
•Analyze the Proof
•Remediate and Test it
Four Attacks to Mitigate FirstSource: Praetorian
@MrShannonFritz
The Study•100 red team penetration tests•75 different companies•12 month study (to June 2016)•450 real-world exploits
•Most attack vectors are OLD exploits, not 0-days•Top attacks are largely based on Credential Theft
@MrShannonFritz
Attack Stages•Get creds ofan individual•Get on thenetwork•Elevate Access•Seize the Target
@MrShannonFritz
Attack 1: Weak Domain User Passwords• Key Problems
oAD cannot prevent “bad” passwords, only set length and char set
oMany users have Admin rights to their machine
• RecommendationsoUse a passphrase not password; ie: Increase length to 15oAllow users to keep passwords for a longer time; ie: 180 days)o Implement an password enforcement solution; ie: blacklist
“Password1”o Implement MFA for Admin and Remote access
Used in 66% of tests to successfully compromise the target
@MrShannonFritz
Attack 1: Weak Domain User Passwords• Use a passphrase, Keep passwords longer
oSet with AD Group Policy• Password enforcement
oAzure AD Premium with Password Reset• Implement MFA for Admin
oMicrosoft Identity Manager Privileged Access Management (MIM PAM)oAzure AD Privileged Identity Management (AAD PIM)
• Implement MFA for RemoteoRDS Gateway and Azure MFAoAD FS and/or Azure Application Proxy
@MrShannonFritz
Password Guidance• Use a Passphrase
o A statement with punctuation is easy to remember, longer & harder to crack• Randomly Generate a Password
o http://aka.ms/password • Use Windows Hello (login with PIN, Fingers, Face)
o http://tinyurl.com/winhello • Do you save passwords in your browser?
o http://lastpass.com and https://1password.com are far better solutions!• Do you re-use passwords?
o http://haveibeenpwned.com tells if your account was leaked• Do you want more guidance?
o http://aka.ms/passwordguidance
@MrShannonFritz
Attack 2: Name Resolution Poisoning• Key Problems
oExploits behavior of Windows when connecting to a networkoClient machine is coaxed into transmitting credentials to attackersoAttacker can replay captured credentials or attempt to crack them
• RecommendationsoDisable LLMNR and NetBIOS (after testing!)oDisable Proxy autodetection (WPAD)oMonitor the network for illegitimate Broadcast trafficoBlock outbound tcp/53 (dns) and tcp/445 (smb) to the Internet
Used in 64% of tests to successfully compromise the target
@MrShannonFritz
Attack 2: Name Resolution Poisoning• Disable LLMNR and NetBIOS
oLLMNR – Use AD Group Policy to disableoNetBIOS – On DHCP server enable option “001” set to “0x2”oNetBIOS – On client set a reg key for network adapters
(scripting)• Disable Proxy autodetection (WPAD)
oAD GPO for Internet Explorer
@MrShannonFritz
Attack 3: Local Admin / Pass the Hash• Key Problems
oMany organizations use the same Local Admin password on all systems
oThe NTLM hash can be can be used without knowing the passwordoThe NTLM hash can be used on other systems with the same password
• RecommendationsoRevise business process around the use of local admin accountsoDeploy Microsoft LAPSoRead the Microsoft PtH v2 WhitepaperoDeploy Microsoft Advanced Threat Analytics (ATA)
Used in 64% of tests to successfully compromise the target
@MrShannonFritz
Attack 3: Local Admin / Pass the Hash• Revise business process around the use of local admin
accountsoUpdate the “gold image” build processoRestrict/eliminate used of local accounts, monitor and alert
• Deploy Microsoft LAPSohttps://aka.ms/laps - Use GPO to install/configure on Clients & Servers
• Read the Microsoft PtH v2 Whitepaperohttps://microsoft.com/pth
• Deploy Microsoft Advanced Threat Analytics (ATA)ohttps://microsoft.com/ata
@MrShannonFritz
Attack 4: Cleartext Passwords in Memory• Key Problems
oDomain Credentials are stored in cleartext in the LSASS process
oLocal Admin or SYSTEM users can read this memory spaceoExposes not only the Hash, but the actual password itself
• RecommendationsoMove Windows Server 2012 R2+ and Windows 10o Install and enable Microsoft Security Advisory 2871997 on
older OS’soRemove local admin rightsoUpdate the “gold image”
Used in 59% of tests to successfully compromise the target
@MrShannonFritz
Attack 4: Cleartext Passwords in Memory• Move Windows Server 2012 R2+ and Windows 10
oThese OS’s do not store the cleartext passwords in memoryoWindows 10 can further be protected with Credential Guard
• Install and enable Microsoft Security Advisory 2871997oUpdates available for Windows 7 and 2008 R2ohttps://support.microsoft.com/en-us/kb/2871997oHKLM\SYSTEM\CurrentControlSet\Control SecurityProviders\
WdigestUseLogonCredential: 0 (REG_DWORD)
oUsers with SYSTEM can alter this, monitor for changes (use OMS)
@MrShannonFritz
The Fifth Attack!• Insufficient Network Access Controls•Used in 52% of tests to successfully compromise•Read the whitepaper! https://www.praetorian.com/
Takeaways• Document and Share your security concerns (internally)• Work from the list, and have others contribute
• Prioritize Remediation based on Likelihood and Impact• Start with a narrow scope and short time frame
• Your Current Passwords are Weak and Puny• Use Stronger Password Policies, SSPR & MFA
• Reusing a Password is Dangerous• Use a Generator and a Manager
• Pace yourself! – It’s easy to get overwhelmed. Get some help.
Thank You!Want to know more?
Want our [email protected]