dark alleys-2015

Post on 13-Jan-2017


Category: Technology


Dark Alleys of the Internet

Updated 2015

For System and Network Administrators

Do the Right Thing!

Attack Statistics

» AU Border Firewall
» Over 34,000 blocked connections per minute (taken 7/28/2015 at 2pm)
» WordFence for WordPress
• 100+ blocked login attempts (10 per incident) per day to a personal, unpublicized WP site over 3 days

Passwords on a Sticky Note?

How to stop the sharing madness

Passwords

» No reason to share passwords because you can use:
• Shared files/folders
• Permissions settings
• Remote Desktop
• E-mail Proxy
• Web 2.0 products

Managing Passwords

» Trade-offs
• Different passwords for different systems
• Require passwords to change
» Password Managers
• KeePass
• LastPass
• LifeHacker Choices
• http://lifehacker.com/lifehacker-faceoff-the-best-password-managers-compare-1682443320
» Creating memorable passphrases
• “1wb0rniDaleCH.” (I was born in Dale County Hospital.)

Network Protocols

Help protect users

Secure All Protocols

» Telnet -> SSH
» FTP -> SFTP
» SSL Certificates
• LDAP -> LDAPS
• HTTP -> HTTPS
» Require Secure Protocols for authenticated Applications

Plain-text Protocols

Secure Protocol

SSL Certificates

» Recognized Certificate Authority - $$
» Pre-installed
• Verisign
• CyberTrust
• Thawte
» Self-signed Certificates – free
» Manual Install
• eXtension
• AU

VS

Root Certificates

» Internet Explorer
• Internet Options
• Content
• Certificates

Self-Signed Certificates

» Products
• Microsoft Certificate Authority
• Mac OS - Keychain
• Linux - OpenSSL

» Trouble is that people do BYOD and then get certificate errors. Training people to accept errors is bad.
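The manual-install option from the slides above, sketched with OpenSSL as an added example (not part of the original deck): a private root signs the server certificate, and a machine that has the root installed verifies it cleanly while one with only the pre-installed roots gets the certificate error. The host names, CA name and file names are constructed for the demo, and a standard `openssl.cnf` is assumed.

```shell
#!/bin/sh
# Added example: private root CA + server certificate with OpenSSL.
# All names (example.test hosts, file names) are constructed for the demo.

# Build a throwaway root CA and a server certificate signed by it in "$1".
make_demo_pki() {
    dir=$1
    host=intranet.example.test
    # 1. Root CA: self-signed; only ca.crt is ever handed to clients.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Dept Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Server key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
    # 3. The CA signs the request; the SAN carries the name clients check.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/srv.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/srv.crt" 2>/dev/null
}

# Managed machine: the root was installed, so chain and host name verify.
verify_with_root() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/srv.crt" >/dev/null 2>&1
}

# BYOD machine: only the pre-installed roots, so verification fails.
verify_without_root() {
    openssl verify -verify_hostname "$2" "$1/srv.crt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    for h in intranet.example.test other.example.test; do
        verify_with_root "$d" "$h" && echo "root installed, $h: OK" \
            || echo "root installed, $h: FAIL"
    done
    verify_without_root "$d" intranet.example.test \
        && echo "no root: OK" || echo "no root: FAIL (certificate error)"
    rm -rf "$d"
}
demo
```

Distributing `ca.crt` to each device's trust store is what removes the error; `ca.key` never leaves the signing machine.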

Secure Network Access

For the Road Warriors

Virtual Private Network

» VPN provides unlimited access to campus network

» Prevent eavesdropping
» Treat off-campus just like WiFi

An insecure transmission medium

Public/Private WiFi

» Restrict open WiFi ports/protocols
» Encourage VPN
• Better encryption
• Unrestricted access
• Restrict OS announcements
• Gain benefit of University border firewall
• Restrict services to internal IPs
» Enable Security
• Prevent stealing bandwidth
• Add some security to insecure sites

Remote Access

» Remote Desktop
» Bomgar, LogMeIn, etc.
» Shared space access
» Printer access
» Internal websites

Other References

» Bruce Schneier’s http://www.schneier.com
» SANS’ “@RISK: The Consensus Security Alert”

Thank You

Until it goes missing, security is a boring obstacle to productivity in the minds of most people. Don’t be most people.
