file time: 2008-02-16

filetype:pptx

Presented by: CMS Consulting Inc.

Visit us online at http://www.cms.ca 

Top 10 Security Mistakes

 

DISCLAIMER

The contents of this presentation are the property of CMS Consulting Inc. No portion, in whole or in part, can be used without the express written consent of CMS. You may email brian@cms.ca for permission to re-post or re-use any of this content.

 

Your Presenter

Brian Bourne
- CMS Consulting Inc., President
- Toronto Area Security Klatch, Co-Founder
- Black Arts Illuminated Inc., Director

Fancy Credentials: CISSP, MCT, MCSE:Security

Microsoft Infrastructure and Security Experts

Active Directory - Windows Server - Exchange - SMS - ISA - MOM - Clustering - Office - Desktop Deployment - SQL - Terminal Services - Security Assessments - Lockdown - Wireless

Training by Experts for Experts

MS Infrastructure - Security - Vista and Office Deployment

Visit us online: www.cms.ca

Downloads - Resources - White Papers

For Security Solutions

For Advanced Infrastructure

For Network Solutions

For Information Worker

For Mobility Solutions 

CMS Consulting Inc.

 
 
 


Agenda Today

- Top 10 Security Mistakes: based on the results of numerous health check and assessment service offerings
- Top 10 Areas for Security Improvement: based on feedback from the consulting team at CMS
 

1. Password Management

This is painfully obvious and still a problem at every customer. Problems include:
- Poor policy or poor policy enforcement
- Password re-use (e.g. FileMaker password = Domain password = Banking password)
- User training: hey, did you know a simple sentence is complex? "My first born is Grant."
- Password storage
 

2. Patches and Upgrade

Typical issues:
- No inventory of software and hardware (no idea what to patch)
- No reporting of patch status or deployment
- Legacy software that's simply unpatchable
- Software that followed the "deploy and forget" methodology

Remember: all software and hardware needs patching, not just Microsoft! Especially security products!

3. NTFS and Share Permissions

- Everyone, Full Control, Everywhere
- Anonymous is part of Everyone!
- Simple rules:
  - Permissions are cumulative, except Deny wins.
  - Never grant permissions to users. Grant to groups.
  - Avoid upgrading W2K. Install W2K3 fresh.
  - Use security templates and group policy to set/maintain security.
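
One way to find the "Everyone, Full Control, Everywhere" and "permissions granted to users, not groups" mistakes on a file server is to walk its shares and inspect each folder's ACL. The script below is an added example written for this page, not CMS code or part of the deck. It assumes Windows PowerShell 5.1 (for Get-WmiObject and Get-ChildItem -Depth), WMI and SMB access to the target host, and that the WinNT ADSI provider can resolve the DOMAIN\name identities in the ACEs; the list of broad principals is this example's own choice.

```powershell
# Added example, not from the CMS deck: audit the non-administrative shares on
# a host for Full Control granted to broad principals and for ACEs granted to
# individual users instead of groups.
# Assumes Windows PowerShell 5.1 and an account that can read the share list
# and folder ACLs on the target host.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Depth = 1          # folder levels below each share root to inspect
)

# Broad principals that should never hold Full Control on shared data
# (this list is the example's own assumption, extend it to taste).
$BroadPrincipals = @('Everyone', 'ANONYMOUS LOGON', 'Authenticated Users',
                     'Users', 'Domain Users', 'Guests')
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-PrincipalClass {
    # Resolve DOMAIN\name through the WinNT ADSI provider and return its
    # schema class ('User' or 'Group'); 'Unknown' for anything unresolvable.
    param([string]$Identity)
    if ($Identity -notmatch '^([^\\]+)\\(.+)$') { return 'Unknown' }
    try {
        $ErrorActionPreference = 'Stop'
        $entry = [ADSI]("WinNT://" + $Matches[1] + "/" + $Matches[2])
        $class = [string]$entry.SchemaClassName
        if ($class) { return $class } else { return 'Unknown' }
    } catch {
        return 'Unknown'
    }
}

function Test-AceRisk {
    # Returns a finding string for a risky Allow ACE, or $null if it is fine.
    # Deny ACEs are skipped: Deny always wins, so they are not the problem here.
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace, [bool]$IsShareRoot)
    if ($Ace.AccessControlType -ne 'Allow') { return $null }
    # Below the share root, report only ACEs set explicitly on that folder;
    # inherited ones were already reported where they originate.
    if ($Ace.IsInherited -and -not $IsShareRoot) { return $null }
    $name   = $Ace.IdentityReference.Value
    $short  = ($name -split '\\')[-1]
    $isFull = ($Ace.FileSystemRights -band $FullControl) -eq $FullControl
    if ($isFull -and $BroadPrincipals -contains $short) {
        return "Full Control granted to broad principal $name"
    }
    if ((Get-PrincipalClass $name) -eq 'User') {
        return "Permission granted directly to user $name (grant to a group instead)"
    }
    return $null
}

function Find-RiskyShareAces {
    param([string]$Computer, [int]$MaxDepth)
    # Type 0 = disk share; skip hidden/admin shares such as C$ and ADMIN$.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $Computer |
        Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' }
    foreach ($share in $shares) {
        $root = "\\$Computer\$($share.Name)"
        $folders = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue)
        if ($MaxDepth -gt 0) {
            $folders += Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue
        }
        foreach ($folder in $folders) {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            $isRoot = ($folder.FullName.TrimEnd('\') -eq $root)
            foreach ($ace in $acl.Access) {
                $finding = Test-AceRisk -Ace $ace -IsShareRoot $isRoot
                if ($finding) {
                    [pscustomobject]@{ Share = $share.Name; Path = $folder.FullName; Finding = $finding }
                }
            }
        }
    }
}

Find-RiskyShareAces -Computer $ComputerName -MaxDepth $Depth | Format-Table -AutoSize
```

Run it against one file server at a time (`.\Find-RiskyShareAces.ps1 -ComputerName FS01 -Depth 2`) and fix findings by replacing the user ACEs with group ACEs and the broad Full Control entries with Modify for the specific group that needs it; the share-level permission is checked separately and still limits the effective result because NTFS and share permissions combine to the more restrictive of the two.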
 

4. Too much privilege!

- No one seems to follow the rule of least privilege.
- Enumerate the following groups:
  - Enterprise, Domain and Schema Administrators
  - Server, Print and Backup Operators
- Service accounts need special treatment
  - Separate OU with GPOs limiting rights
  - Should be "Administrators", not DA or EA!
- Use OUs and delegate required administrative functions
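
Enumerating those groups by hand misses nested membership, which is where the surprises usually are. The following added example (not CMS code, not part of the deck) expands each privileged group recursively and flags the members that the slide calls out for special treatment: accounts that carry a servicePrincipalName (the usual sign of a service account), disabled accounts still holding membership, and non-user principals. It assumes the ActiveDirectory RSAT module, which postdates the deck's Windows 2003 era, and a caller with read access to the domain.

```powershell
# Added example, not from the CMS deck: enumerate the privileged groups the
# slide lists, expand nested membership, and flag members that deserve a look.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins',
                      'Administrators', 'Server Operators', 'Print Operators',
                      'Backup Operators')

function Get-PrivilegedMembers {
    param([string[]]$Groups)
    foreach ($group in $Groups) {
        try {
            # -Recursive expands nested groups. Enterprise and Schema Admins exist
            # only in the forest root domain, so a missing group is a warning, not fatal.
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            if ($m.objectClass -ne 'user') {
                # Computers or foreign security principals in an admin group need a look too.
                [pscustomobject]@{ Group = $group; Member = $m.SamAccountName
                                   Class = $m.objectClass; Flag = 'Non-user principal' }
                continue
            }
            $u = Get-ADUser -Identity $m.DistinguishedName `
                            -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate, Enabled
            $flags = @()
            if ($u.ServicePrincipalName.Count -gt 0) { $flags += 'Service account (has SPN): move to its own OU' }
            if (-not $u.Enabled)                     { $flags += 'Disabled but still a member' }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-365)) {
                $flags += 'Password older than one year'
            }
            [pscustomobject]@{ Group = $group; Member = $u.SamAccountName
                               Class = 'user'; Flag = ($flags -join '; ') }
        }
    }
}

# Membership counts per group first, then only the flagged accounts.
$all = @(Get-PrivilegedMembers -Groups $PrivilegedGroups)
$all | Group-Object Group | Select-Object Name, Count | Format-Table -AutoSize
$all | Where-Object { $_.Flag } | Sort-Object Group, Member | Format-Table -AutoSize
```

The count table is the number to challenge in a review: a Domain Admins group with dozens of members, or any service account in it, is the "too much privilege" finding in one line. The one-year password check is the example's own threshold, not a figure from the deck.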
 

5. Administrative Practices

- Please don't use a DA account for day to day activity.
- Better yet, don't use a DA from anything but a designated high security, administrative workstation (think about bad things like keyloggers when logging in from untrusted machines).
- Guard EA accounts!
- Don't share the administrator password. At minimum, you want some level of non-repudiation.
 

6. Unused Services

- The most common installed and unneeded service? Any guesses? (IIS)
- Reduce the attack surface!
  - Define role based templates
  - Test, test, test
  - Enforce by GPO!
- Good guide to understanding services: http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/prodspecs/win2ksvc.mspx
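
A "role based template" in practice is the list of services a clean, tested box of that role actually needs. The added example below (written for this page, not CMS code or part of the deck) captures that list from a reference machine and then reports every deviation on a production host of the same role, calling out a small watch list of services that are rarely needed on a server, IIS first. It assumes Windows PowerShell 5.1 with Get-WmiObject and WMI access to both hosts; the watch list and the host names are the example's own, not a published Microsoft list.

```powershell
# Added example, not from the CMS deck: build a role template of auto-start
# services from a known-good reference box and compare a production host to it.
# Assumes Windows PowerShell 5.1 (Get-WmiObject) and WMI access to both hosts.

# Service names (not display names) rarely needed on a server role; this watch
# list is the example's own and should be tuned per environment.
$WatchList = @{
    'W3SVC'          = 'IIS World Wide Web Publishing'
    'IISADMIN'       = 'IIS Admin'
    'MSFTPSVC'       = 'IIS FTP'
    'SMTPSVC'        = 'IIS SMTP'
    'TlntSvr'        = 'Telnet'
    'RemoteRegistry' = 'Remote Registry'
}

function Get-AutoStartServices {
    # Names of the services set to start automatically on a host.
    param([string]$Computer)
    Get-WmiObject -Class Win32_Service -ComputerName $Computer |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object -ExpandProperty Name | Sort-Object
}

function Export-ServiceBaseline {
    # Capture the auto-start set of a clean, tested reference box as the role template.
    param([string]$ReferenceComputer, [string]$Path)
    Get-AutoStartServices -Computer $ReferenceComputer | Set-Content -Path $Path
}

function Compare-ServiceBaseline {
    # Report every service on $Computer that deviates from the role template.
    param([string]$Computer, [string]$Path)
    $expected = @(Get-Content -Path $Path | Where-Object { $_ })
    $services = Get-WmiObject -Class Win32_Service -ComputerName $Computer
    foreach ($svc in $services) {
        $finding = $null
        if ($WatchList.ContainsKey($svc.Name) -and $svc.StartMode -ne 'Disabled') {
            $finding = "Watch-list service ($($WatchList[$svc.Name])) is not disabled"
        } elseif ($svc.StartMode -eq 'Auto' -and $expected -notcontains $svc.Name) {
            $finding = 'Auto-start but not in the role template'
        } elseif ($svc.StartMode -ne 'Auto' -and $expected -contains $svc.Name) {
            $finding = 'In the role template but not set to Auto'
        }
        if ($finding) {
            [pscustomobject]@{
                Service   = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode
                Finding   = $finding
            }
        }
    }
}

# Usage (hypothetical host names): capture the template once from the tested
# reference box, then check each production file server against it.
Export-ServiceBaseline -ReferenceComputer 'REF-FILESRV' -Path '.\fileserver-services.txt'
Compare-ServiceBaseline -Computer 'FS01' -Path '.\fileserver-services.txt' |
    Sort-Object Finding, Service | Format-Table -AutoSize
```

Once the template is stable ("test, test, test"), the enforcement step is a Group Policy object that sets the start-up type of every service not in the template to Disabled for that role's OU; this script is the check that tells you when a host has drifted from it.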

7. Auditing and Logging

- How will we ever know if something happens?
- How will we ever be able to piece together "the crime scene" without any evidence?
- Audit only what's important.
- Think beyond Windows events. Applications, firewalls, switches, etc.
- Consider log shipping also.
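
"Audit only what's important" and "consider log shipping" fit together: pick the handful of Security events every server should report and copy only those to a central collector on a schedule, so the evidence survives if the box itself is wiped. The added example below is written for this page, not CMS code or part of the deck. It assumes a Vista/Server 2008 or later Security log (the event IDs are the post-2008 ones; the deck predates them), Get-WinEvent, write access to a central share, and that the local audit policy actually generates these categories (account management, logon, policy change); the share path and event selection are the example's own.

```powershell
# Added example, not from the CMS deck: ship a selected set of Security events
# from this server to a central share, keeping a watermark so each run sends
# only what is new. Assumes Windows PowerShell 3+ (Get-WinEvent, Get-Content
# -Raw) and write access to the collector share; run it from a scheduled task.
param(
    [string]$CollectorShare = '\\LOGSRV\security$',                 # hypothetical central share
    [string]$StateFile      = "$env:ProgramData\logship\last-run.txt"
)

# "Audit only what's important": events worth centralising from every box.
# IDs are the Vista/Server 2008-and-later Security log IDs (platform assumption).
$ImportantEvents = @{
    4625 = 'Failed logon'
    4719 = 'System audit policy was changed'
    4720 = 'User account created'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4740 = 'Account locked out'
    4756 = 'Member added to security-enabled universal group'
}

function Get-LastRunTime {
    # Watermark so each run ships only new events; the first run looks back 24 hours.
    param([string]$Path)
    if (Test-Path -Path $Path) { return [datetime](Get-Content -Path $Path -Raw).Trim() }
    return (Get-Date).AddHours(-24)
}

function Get-ImportantSecurityEvents {
    param([datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = @($ImportantEvents.Keys); StartTime = $Since }
    # SilentlyContinue: Get-WinEvent reports an error, not an empty result, when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            EventId     = $_.Id
            Description = $ImportantEvents[$_.Id]
            Message     = ($_.Message -split "`r?`n")[0]   # first line is the summary
        }
    }
}

function Send-SecurityEvents {
    # Write one CSV per run to the collector and advance the watermark; returns the event count.
    param([string]$Share, [string]$WatermarkPath)
    $since  = Get-LastRunTime -Path $WatermarkPath
    $now    = Get-Date
    $events = @(Get-ImportantSecurityEvents -Since $since)
    if ($events.Count -gt 0) {
        $file = Join-Path -Path $Share -ChildPath ("{0}-{1:yyyyMMdd-HHmmss}.csv" -f $env:COMPUTERNAME, $now)
        $events | Export-Csv -Path $file -NoTypeInformation
    }
    New-Item -ItemType Directory -Path (Split-Path -Path $WatermarkPath) -Force | Out-Null
    Set-Content -Path $WatermarkPath -Value $now.ToString('o')
    return $events.Count
}

Send-SecurityEvents -Share $CollectorShare -WatermarkPath $StateFile
```

The collector share should allow each server to create files but not modify or delete them, so a compromised host cannot tidy up its own evidence; the same idea extends to the firewall and switch logs the slide mentions, which arrive by syslog rather than by this script.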
 

8. Missing or Incomplete Backups

- System State on all FSMO role holders. Critical data everywhere else.
- Remember to test procedures with restores
- Consider encryption/password protection to prevent unauthorized restores
- Offsite storage, secured fireproof vault
- Part of a larger Disaster Recovery plan
 

9. Security Education and Awareness

- For IT staff:
  - Security architecture
  - Secure operating procedures
  - Understanding of attack methods
  - Defence in depth techniques
- For all staff:
  - Awareness training
  - Email and Internet usage
  - Social engineering awareness

10. Incident Response

- Have a plan and have training!
- DO NOT: touch the computer, delete files, or frankly react in any way without a carefully thought out and professionally approved plan!
 
 


Bonus Material

Things People Need to Think More About:
- Funding for security
- Application filtering and layer 7 firewalls
- Intrusion detection and prevention
- Incident response planning and training
- Security policy, usage policy
- Log collection, management and correlation
- Physical controls
- Network controls (who can plug in)
- Firewalls should not look like Swiss cheese (Hint: use IPSec instead)
- VPN controls and other remote access methods

Security Education Conference in Toronto

November 20-21, 2007, MTCC, Toronto, ON, Canada
http://www.sector.ca/

 

CMS Training Offerings

- INSPIRE Infrastructure Workshop: 4 days of classroom training, demo intensive. AD, Exchange, ISA, Windows Server, SMS, MOM, Virtual Server
- Business Desktop Deployment - Deploying Vista/Office: 3 days of classroom training, hands on labs (computers provided). Business Desktop Deployment concepts, tools, processes, etc. Vista and Office
- Securing Internet Information Services, Securing Active Directory, Securing Exchange 2003: 1 day of classroom training per topic

TRAINING BY EXPERTS FOR EXPERTS

 


Contacting Us

Brian Bourne, President - brian@cms.ca
Robert Buren, VP Business Development - robert@cms.ca
CMS Consulting Inc. - http://www.cms.ca/
CMS Training - http://www.cms.ca/training/
Toronto Area Security Klatch - http://www.task.to/

Q & A 

Thank You!

Visit: CMS Consulting at http://www.cms.ca  

Join: Toronto Area Security Klatch at http://www.task.to  

Register: Security Education in Toronto at http://www.sector.ca 
 
