Locking down server and workstation operating systems
Ben Rothke, CISSP CISA
BT Global Services
Senior Security Consultant
About me….


• Ben Rothke (too many certifications)
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author - Computer Security: 20 Things Every Employee Should Know




BT Americas Inc.               2
Traditional thoughts about hardening & patching


• Remove unnecessary protocols and services
• Design the program around Patch Tuesday
   – in the hope of avoiding Exploit Wednesday

• Is this approach working?




BT Professional Services      3
Patching today


• Attackers continue to scan enterprises and look for easy openings
   – deploy critical security patches - especially to laptops and Internet-exposed servers
• Some organizations are finding it more difficult to justify the broad QA testing and disruptive deployment efforts needed for rapid application and database patching.
• Resources (people and budget) are limited, so spending and effort must be focused in a way that's most efficient and effective for current threats.
• Patching faster isn't always the best approach

Why harden and patch?




Gartner on the issue


• Rapid patching isn't an effective response to many threats, and isn't operationally practical for some IT infrastructure elements
• Better shielding and monitoring are more effective in these cases.
   – Source: "Reducing the risk of new threats requires more than fast patching", Mark Nicolett & John Pescatore, Gartner




Why rapid patching is not a panacea


• A variety of paths are being used by targeted attacks
   – patching doesn't address all of them
• Targeted attacks don't only seek out unpatched OSs
   – they also focus on weaknesses in users and applications to attack databases and other internal systems
• Rapid patching isn't possible or practical for some PC, network, server and application components
• Additional protection and monitoring strategies are needed to reduce risk



A better approach


• Threat assessment and penetration testing processes
   – to determine which vulnerabilities must be remediated immediately, which can be temporarily shielded and which can be addressed later
• Implement network segmentation and shielding
   – for critical servers, databases and applications that can't be patched quickly
• Implement user and resource access monitoring technologies and processes
   – for systems and applications containing data that might be subject to a targeted attack
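
The three buckets on this slide (remediate immediately, shield temporarily, address later) can be made repeatable as a triage rule. The following is an added example written for this page, not code from the slides or from BT: the scoring inputs, the weights and the thresholds are assumptions chosen for illustration, and the findings are constructed sample data with placeholder ids.

```python
"""Vulnerability triage into the three buckets the slide names: remediate
immediately, shield temporarily, or address later.

Added example; not from the slides. The scoring inputs, the weights and the
thresholds are assumptions chosen for illustration, and the findings below
are constructed sample data with placeholder identifiers.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    vuln_id: str              # placeholder id, not a real CVE
    severity: float           # CVSS-style base score, 0.0 to 10.0
    internet_exposed: bool    # reachable from untrusted networks
    exploit_public: bool      # a working exploit is publicly known
    patch_available: bool
    patch_window_days: int    # days change control needs to deploy the patch
    shield_available: bool    # IPS/WAF rule or segmentation can block the path


def exposure_score(f: Finding) -> float:
    """Severity raised for reachability and exploit maturity (assumed weights)."""
    score = f.severity
    if f.internet_exposed:
        score += 2.0
    if f.exploit_public:
        score += 2.0
    return min(score, 10.0)


def triage(f: Finding, urgent_threshold: float = 8.0, max_wait_days: int = 7) -> str:
    """Return 'remediate-now', 'shield' or 'schedule' for one finding."""
    if exposure_score(f) < urgent_threshold:
        return "schedule"          # address in the normal patch cycle
    if f.patch_available and f.patch_window_days <= max_wait_days:
        return "remediate-now"     # the patch fits the urgent window
    if f.shield_available:
        return "shield"            # buy time with IPS/WAF/segmentation
    # Urgent, no timely patch and no shield: emergency change or take it offline.
    return "remediate-now"


def triage_all(findings):
    """Group findings by bucket; the 'shield' bucket is the shielding backlog."""
    buckets = {"remediate-now": [], "shield": [], "schedule": []}
    for f in findings:
        buckets[triage(f)].append(f.host)
    return buckets


# Constructed sample findings (placeholder hosts and ids).
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-0001", 9.8, True, True, True, 2, True),
    Finding("db-01", "VULN-0002", 9.0, False, False, True, 30, True),
    Finding("ws-fin-07", "VULN-0003", 5.3, False, False, True, 14, False),
    Finding("pos-12", "VULN-0004", 7.5, False, True, False, 0, False),
]

if __name__ == "__main__":
    for bucket, hosts in triage_all(SAMPLE_FINDINGS).items():
        print(f"{bucket:14s} {hosts}")
```

The point of the shield bucket is that it is a backlog, not a resolution: each entry still needs a patch date, and the shielding control (IPS signature, WAF rule, segment) should be verified to actually block the path the finding describes.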


The best approach to app dev security


• Strong application security
• Every CIO agrees about the importance of app security
• Forrester notes:
   – the need to protect applications and proactively eliminate application-level vulnerabilities is a growing concern for security professionals, but too few firms have taken action.
• Disconnect between the perceived importance of application security & willingness to tackle the problem




Tackling the app dev security problem


• Reactive
   – source code and/or black box scanning
   – Cigital, Cenzic, Fortify, Veracode, WhiteHat, Ounce Labs


• Proactive
   – build a proactive application security strategy into the dev life cycle
   – end-to-end application security program
   – can be modeled after the Trustworthy Computing initiative
   – ensure all technologies are considered, especially Web 2.0




Two approaches to app dev security


1. Wait until someone exploits vulnerabilities in your system and then run to patch and fix it
2. Proactively build security early on in the dev process
   – mitigating vulnerabilities before attackers find them


• A proactive app sec program extends to every relevant phase of the application life cycle
   – conception => operation

• Success = commitment and support from senior management

When you can’t patch…..


• In-house web applications
   – detect and resolve vulnerabilities before deploying the web application
   – implement a web application firewall to shield vulnerabilities that can't be resolved


• 3rd-party applications and databases
   – use host-based IPS on difficult-to-patch servers
   – segment unpatchable systems behind network IPS
   – implement database and application monitoring or IDS to find breaches



When you can’t patch…..


• Windows laptops
   – deploy an aggressive policy on endpoint protection platforms, including firewalls and HIPS
   – require laptop data encryption for any laptop used by an employee who has access to sensitive data, regardless of patch management capabilities
   – enable network access control (NAC) to protect corporate IT resources from compromised mobile devices.


• Networking equipment
   – shield network equipment behind network IPS and firewalls.
   – use change monitoring or IDS to detect breaches
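
Change monitoring for network equipment, as the last bullet recommends, comes down to keeping a known-good copy of each device configuration and alerting on any drift from it. The block below is an added example written for this page, not code from the slides or any vendor's product: it hashes normalized config snapshots against a baseline and reports exactly which lines changed, which devices are new, and which disappeared. The device names and config snippets are constructed sample data.

```python
"""Change monitoring for device configurations: keep a known-good baseline,
hash each new snapshot, and report what changed and where.

Added example, not from the slides. The device names and config snippets
are constructed sample data, not real device configs.
"""
import difflib
import hashlib


def normalize(text: str) -> str:
    """Drop trailing whitespace and blank lines so cosmetic exports don't alert."""
    return "\n".join(line.rstrip() for line in text.strip().splitlines() if line.strip())


def config_hash(text: str) -> str:
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def build_baseline(configs: dict) -> dict:
    """Baseline = per-device hash plus the text needed to explain later diffs."""
    return {name: {"hash": config_hash(cfg), "text": normalize(cfg)}
            for name, cfg in configs.items()}


def detect_changes(baseline: dict, current: dict) -> dict:
    """Compare current snapshots against the baseline.

    Returns {'changed': {device: [+/- lines]}, 'added': [...], 'removed': [...]}.
    """
    report = {"changed": {}, "added": [], "removed": []}
    for name, cfg in current.items():
        if name not in baseline:
            report["added"].append(name)          # unknown device appeared
            continue
        if config_hash(cfg) != baseline[name]["hash"]:
            diff = difflib.unified_diff(
                baseline[name]["text"].splitlines(), normalize(cfg).splitlines(),
                fromfile=f"{name}@baseline", tofile=f"{name}@now", lineterm="", n=0)
            # keep only the changed lines, not the ---/+++ headers or @@ markers
            report["changed"][name] = [l for l in diff
                                       if l[:1] in "+-" and not l.startswith(("+++", "---"))]
    report["removed"] = sorted(set(baseline) - set(current))
    return report


# Constructed sample configs (not from any real device).
BASELINE_CONFIGS = {
    "core-sw-01": "hostname core-sw-01\nip access-list mgmt\n permit tcp 10.0.9.0/24 any eq 22\n deny ip any any\n",
    "edge-fw-01": "hostname edge-fw-01\naccess-list outside permit tcp any host 10.0.0.5 eq 443\naccess-list outside deny ip any any\n",
}
CURRENT_CONFIGS = {
    # whitespace-only difference: must not alert
    "core-sw-01": "hostname core-sw-01\nip access-list mgmt\n permit tcp 10.0.9.0/24 any eq 22\n deny ip any any\n\n",
    # a rule was widened: must alert with the exact lines
    "edge-fw-01": "hostname edge-fw-01\naccess-list outside permit ip any any\naccess-list outside deny ip any any\n",
    # device not in the baseline
    "branch-rtr-03": "hostname branch-rtr-03\n",
}

if __name__ == "__main__":
    report = detect_changes(build_baseline(BASELINE_CONFIGS), CURRENT_CONFIGS)
    for device, lines in report["changed"].items():
        print(device, *lines, sep="\n  ")
    print("added:", report["added"], "removed:", report["removed"])
```

In practice the baseline is updated only through the change-control process, so a detected difference is either an approved change that has not yet been re-baselined or something that needs an incident ticket; the normalization step is what keeps the monitor from alerting on export-format noise.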

When you can’t patch…..


• Windows/Unix/Linux servers and PoS
   – deploy HIPS on difficult-to-patch servers.
   – segment unpatchable systems behind network IPSs.
   – use database and application monitoring or IDS to detect breaches




Tools / standards / guides


• Microsoft security guides
         – http://technet.microsoft.com/en-us/library/cc184906.aspx
• DISA Security Technical Implementation Guides
         – http://iase.disa.mil/stigs/stig/index.html
• NIST Guide to General Server Security (SP 800-123)
         – http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
• CIS Benchmark Assessment Tools
         – http://www.cisecurity.org/en-us/?route=downloads.audittools




Recommendations


• Whenever possible, vulnerable software should be patched ASAP
• When business realities dictate that this isn't possible
   – all devices should at least be configured as securely as possible to minimize attack apertures.
• Follow the general security principle of enabling only the required functions
   – deny by default, allow by exception, etc.
• If the specific functions of a device are not being used,
   – ensure that these options are disabled
• Ensure a formal app sec program is in place
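
"Deny by default, allow by exception" is easiest to enforce when it is checked mechanically: every service a host listens on must appear on the allow-list for its role or be covered by a recorded exception, and anything else is a finding. The block below is an added example written for this page, not code from the slides: it parses output in the format of `ss -tlnp` (the sample text is constructed, not captured from a real host) and classifies each listener; the role, its allow-list and the exception text are assumptions for illustration.

```python
"""Deny-by-default audit of listening services: everything a host listens on
must be on the role's allow-list or covered by a recorded exception.

Added example, not from the slides. The ss(8) output below is constructed
sample data in the format of `ss -tlnp`; the role, allow-list and exception
text are assumptions for illustration.
"""
import re

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')   # first process name in the Process column
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss_listeners(ss_output: str) -> list:
    """Return [(process, address, port)] from `ss -tlnp` text."""
    listeners = []
    for line in ss_output.strip().splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")         # handles [::]:22 and *:3306
        match = PROCESS_RE.search(line)
        listeners.append((match.group(1) if match else "?", addr, int(port)))
    return listeners


def audit_listeners(ss_output: str, allowed: set, exceptions: dict) -> dict:
    """Classify each listener as allowed, excepted (with reason), loopback-only or a violation."""
    result = {"allowed": [], "excepted": [], "loopback_only": [], "violations": []}
    for proc, addr, port in parse_ss_listeners(ss_output):
        key = (proc, port)
        if key in allowed:
            result["allowed"].append(key)
        elif key in exceptions:
            result["excepted"].append((key, exceptions[key]))   # allow by exception
        elif addr in LOOPBACK:
            result["loopback_only"].append(key)   # not reachable remotely, but still review
        else:
            result["violations"].append(key)      # deny by default
    return result


# Assumed role definition: what a web server in this example may expose.
WEB_ROLE_ALLOWED = {("sshd", 22), ("nginx", 80), ("nginx", 443)}
WEB_ROLE_EXCEPTIONS = {
    ("mysqld", 3306): "TICKET-PLACEHOLDER: local app DB; host firewall limits it to 10.0.1.0/24",
}

# Constructed sample output in `ss -tlnp` format (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1201,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1201,fd=7))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
LISTEN 0      70     *:3306              *:*               users:(("mysqld",pid=950,fd=21))
LISTEN 0      5      0.0.0.0:8000        0.0.0.0:*         users:(("python3",pid=4410,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    report = audit_listeners(SAMPLE_SS_OUTPUT, WEB_ROLE_ALLOWED, WEB_ROLE_EXCEPTIONS)
    for category, entries in report.items():
        print(f"{category:13s} {entries}")
```

In the sample the stray development server on port 8000 is the only violation; the database listener is tolerated only because an exception with a documented justification exists, which is what makes the exception reviewable later. Loopback-only listeners are reported separately because they are not remotely reachable, but a print spooler on a web server is still a function that the slide's last two bullets say should be disabled.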

Contact info…


• Ben Rothke, CISSP CISA
• Senior Security Consultant
• BT Professional Services

• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke



