
PG - Out of Denial: A 12-Step Program for Recovering Admins - Paul Lee

BSides Las Vegas · 17:59 · 593 views · Published 2016-12
About this talk
PG - Out of Denial: A 12-Step Program for Recovering Admins - Paul Lee Proving Ground BSidesLV 2015 - Tuscany Hotel - August 05, 2015

The US Bureau of Labor Statistics anticipates greater than thirty percent growth through 2020, so there are new people coming into our industry every single day, and frankly it's a logical transition from networking and system admins. They know the systems, so it makes it a pretty easy transition, and if done well it can actually be a very powerful transition. But at the end of the day, admins are generally more worried about making stuff work than making it secure; trust me, I've been there. So why a 12-step program? Well, Wikipedia defines a 12-step program this way, and while it looks pretty heavy in a lot of places, if we look a little bit closer we see something very applicable to what we're trying to do: a set of guiding principles outlining a course of action for tackling problems. Can anybody here say that information security in its current state is not a problem?

So what's in a 12-step program? An admission statement. Well, there is no silver bullet to security. There are dozens of vendors just down the street here all selling their wares, saying "I've got the solution to all your security woes." Well, that's all fine and good, and those tools are great, and they can be extremely useful if you have the right personnel and the right processes in place. So before we get started, we need to deal with some arguments you're gonna hear. Let's establish the baseline, otherwise known as arguing with the IT manager, because everybody has at least one guy in the organization that thinks they're just fine; whether it's naiveté or just general disregard for the risks, they think they're just fine.

So we've got the security by obscurity argument. How many times have we heard this? "I'm small, nobody cares about me." But it's not just who you are, it's what you have and who you're connected to. One of the largest breaches in recent history, Target, came because a very small HVAC company was breached and they rode right through the back door. Additionally, small doctors' offices may not have much, but how much PII do they have, and do they have the money to secure everything appropriately? "Oh, but I have a firewall, isn't that enough?" Now let's go talk to the lockpick guys and see if a lock on your front door is sufficient. I don't think so. This doesn't help with stolen and misused credentials: if I can get legitimate credentials and come through your front door, your firewall is all but useless. "But I don't have budget." Well, yes, budget is nice to have but certainly not a requirement. There are tons of open source tools, things you can do without having to spend any money. And finally, if you don't have a budget for security, how can you have money to handle the incident of the breach when it happens? And my personal favorite: "But we're compliant." Well, so were Target, Neiman Marcus and Michaels. Anybody who's ever worked in compliance knows that compliance has a whole lot more to do with checking boxes than actually being secure. Compliance is merely the starting point.

So, take and maintain an inventory. Yeah, this seems pretty boring, and this definitely sounds a lot more like the admin world than the security world, but how can you defend what you don't know you have? You need to know what you have, where it is, and who's responsible for it. But it's not just a list of systems; you need to know what your critical systems are, which systems, if they were compromised or lost, would make you close your doors tomorrow, and make sure you're protecting those in order. Do we really think developers are going to patch their own test servers? How many developers only install the modules on Apache they really need, or don't chmod 777?

So in the arguments we said that you don't have to have a massive budget. I've never seen a network that doesn't have plenty of security controls that can be implemented with what you already have. If you knew you were being pen tested tomorrow, or if you knew you were being attacked tomorrow, what would you go change? You don't have time to procure new technology and implement it by tomorrow, so what are you gonna do? Do you have antivirus deployed across your corporate network without HIPS enabled? Do you have an IPS installed only in detection mode? How many free vendor tools are available that you're not currently using, whether it be Microsoft LAPS? I mean, who here has popped a Windows box and then used that to move through the network with the local admin? Not hard. And while LAPS may not be a total solution for that, it definitely makes it a little bit more difficult. And then community editions and open source: NXLog is a fantastic tool for pulling and reformatting logs; if you haven't used it, I recommend taking a look at it. Kali, Wireshark, Nmap, Metasploit, all available and don't cost a thing.

So here we're at step 5. Let's finally get down into the details, let's get under the hood. Does your firewall do what it's supposed to? We know it's not the end-all be-all, but it's still important to have there. Are the ACLs documented? Do you know who put each one there, why it's there, whether it's still needed, and whether it can be locked down further than it is? Do your policies do what you think they do? So many policies get so complicated: do you have an allow that overrules your denies, or a deny that overrules your allows? Does this mean what you think it means? And is everything installed as part of your golden image still necessary? Are you deploying new machines with vulnerable versions of code, or vulnerable applications, or applications that are no longer needed?

But we know security is not just about technical controls; we all have to deal with people. So do you allow BYOD? Okay, you allow them in; do you allow them on the Wi-Fi? If they're on the Wi-Fi, how well are they segmented off? Do you allow them to take corporate resources home, or to Starbucks, or to security cons? Do you have the proper physical security controls? Because at the end of the day, if I can touch it, I can own it. And can you enforce your policies? Have you had the tough conversation with HR and legal to make sure that you can actually enforce the policies you have, that if somebody does what you say they're not supposed to, you can remove them for it? And are you following your own policies? How many times have we seen in the news where a company had a documented policy of what they were going to do, but they weren't following it, and they opened themselves up to all sorts of litigation and bad PR?

Now this one: I realize that as security professionals we all roll our eyes when we get the email once a year, time to go do our security awareness training. Yeah, most of those are a waste of time, we all know that, but at the end of the day users are still almost always the weak link. The DBIR says that with as few as 10 emails received, they got a ninety percent efficiency rating. The campaigns keep getting harder to detect. I mean, has anybody here never been fooled? Whether you have or not, I'm glad I asked that. But they're getting much harder; the attackers are getting better, and everyone needs to understand the role they play. If you don't believe this, walk into the SECTF room later this week at DEF CON and see how quickly every user they talk to is giving out valuable information. Because it only takes one, to breach or to detect: one of the DBIR research companies said that almost ten percent of their detections came from their human sensors.

Okay, so we've talked about firewalls, we said that's not sufficient, we've talked about your admin and technical policies, so now what? Well, incidents are inevitable, so you better be watching. We know what's going to happen, and it doesn't mean just logging and forgetting about the logs later; that means actually looking at your logs. And it's important to remember that incidents don't necessarily mean a multi-billion dollar credit card breach. It may just be somebody saying too much, or information leakage at a restaurant within earshot of somebody who shouldn't be hearing it. The sooner you can detect, the more you can lessen your damage. And not just that, but do you have the proper logs? Do you have the logs to actually detect what you need to detect? Because I don't think you want to be the leading news story tonight, or the next scoop by Brian Krebs. And are you actually paying attention to your SIEM, or is it just logging for compliance? If you turned off your SIEM, how long would it take to actually notice it was not running?

Okay, so we've established that incidents are inevitable, so what are you gonna do? Don't wait till something happens, because if you do, time's gonna be wasted, money lost and mistakes made. Do you immediately pull the affected resource offline, or do you need to worry about the chain of evidence? You need to know who to call, and you also need to know what the limitations of your team are. You need to know what capabilities we have, and do we have the kind of data that we need to be worried about, or do we need to worry about having a third-party retainer in place so that we can call the true experts and get them in without legal snafus?

Okay, now for the fun stuff, right? We've been waiting for this. And eventually these things are great, but they're useless and irresponsible without a baseline. One option is honeypots, whether they be honey files or honey tables: create some users out there that should never be logged into and alert every time they are, or create a file or a table in your database that has what would appear to be sensitive information and see who's trying to access it or modify it. Pen testing: we all love pen testing. Hell, who hasn't popped a shell? It's so much fun; if you haven't, I really suggest you do it at least once. But until you have the basics, it's dangerous and a waste of time, because you haven't proved anything; you've proven you're vulnerable, that's it. But the wonderful thing about pen testing is that once your security practice becomes more mature, it becomes a real validation: you verify that not only do you have these controls in place, but that you have the visibility to see it and you have the way to respond to it.

So the IT landscape is changing every day, we know that, whether it be mainframes to personal computers, or now we're on to cloud and smart devices; the only thing we know is it will continue to change. So don't be caught off guard. Look what happened when BYOD first came out: most companies weren't ready for it, and so they had to play catch-up. And the CEO doesn't always ask the security team if he can implement a new technology; he says "I'm doing it, I bought my new iPad, by God it is going to be on the network." So make sure you understand now, make sure you're aware, and you can help secure that policy before the company makes a decision. It's really important to pick your battles. If you're always the security guy that just says no, then you've lost your voice. Be the enabler; help bring the technologies on in the right way, so you can gain their trust and earn political capital, so when it's time to say no, they'll actually listen.

And so we need to be involved and give back. Continue learning: go to cons like you are here, don't be afraid to dive in and figure it out and learn from others, ask questions. As you learn new things, continue to iterate the process: you learn something new, go back and evaluate your inventory, see if it affects you, do you have a policy to handle it, do you have the visibility to detect it, and can you validate it with a pen test. And get involved with other regional and local cons. I had an opportunity to get involved with one of the regional cons three years ago and it's been a fantastic experience; I've learned a tremendous amount from some very smart people and made great connections in the industry. So if you don't know where to start, just find somebody and ask; most every con I've seen is always looking for volunteers. But it's also important to look outside of the information security industry. Don't just come and talk to other information security people. If you're a recovering admin, go back to a Microsoft conference or an admin conference and try to bring more people over from the dark side, or if you're a former developer, go to a developer conference and see if we can't help some of that before it ever starts. I definitely want to thank BSides for offering Proving Ground, for providing the opportunity for new speakers, and I want to definitely thank my mentor on this, Guillaume, and I'm sure I just butchered your name, so I apologize. So, any questions?
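The honey-account idea from the talk (accounts that should never be logged into, with an alert every time they are) and the "if you turned off your SIEM, how long until you noticed" question both reduce to a few lines of detection logic over a logon feed. The following is an added example, not code from the talk or from BSides; it assumes a JSON-lines logon feed with the fields `ts`, `user`, `host` and `outcome`, and the account names, hosts and events are constructed for the demonstration.

```python
"""Honey-account alerting and a log-feed silence check.

Added example (not from the talk). Assumes one JSON object per line with
the fields "ts" (UTC, ISO-8601 with trailing Z), "user", "host", "outcome".
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed; none of these hosts or accounts are real.
SAMPLE_LOG = """\
{"ts": "2015-08-05T09:00:00Z", "user": "alice", "host": "ws01", "outcome": "success"}
{"ts": "2015-08-05T09:02:10Z", "user": "svc_backup_old", "host": "fs02", "outcome": "failure"}
{"ts": "2015-08-05T09:05:30Z", "user": "bob", "host": "ws07", "outcome": "success"}
{"ts": "2015-08-05T09:06:00Z", "user": "SVC_BACKUP_OLD", "host": "fs02", "outcome": "success"}
{"ts": "2015-08-05T09:40:00Z", "user": "carol", "host": "ws03", "outcome": "success"}
"""

# Accounts created purely as tripwires (hypothetical names). Nothing legitimate
# ever uses them, so any attempt against them, failed or not, is worth a look.
HONEY_ACCOUNTS = frozenset({"svc_backup_old", "finance_share_admin"})


def _parse_ts(s):
    """Parse the feed's timestamp format into an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Turn the JSON-lines feed into a list of dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = _parse_ts(rec["ts"])
        events.append(rec)
    return events


def honey_account_alerts(events, honey_accounts=HONEY_ACCOUNTS):
    """One alert per logon attempt against a honey account.

    A successful logon means someone holds credentials that should not exist
    in anyone's hands, so it is rated higher than a failed guess.
    """
    alerts = []
    for e in events:
        if e["user"].lower() in honey_accounts:  # case-insensitive, like AD
            alerts.append({
                "ts": e["ts"].isoformat(),
                "user": e["user"],
                "host": e["host"],
                "outcome": e["outcome"],
                "severity": "high" if e["outcome"] == "success" else "medium",
            })
    return alerts


def feed_is_silent(events, now_iso, max_gap_minutes=15):
    """True when the newest event is older than the allowed gap.

    An empty feed counts as silent: a collector that stopped sending is
    exactly the failure mode the check exists to catch.
    """
    if not events:
        return True
    newest = max(e["ts"] for e in events)
    return _parse_ts(now_iso) - newest > timedelta(minutes=max_gap_minutes)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in honey_account_alerts(evs):
        print("ALERT", alert)
    # With the constructed feed, the last event is at 09:40, so a check run at
    # 10:30 reports the feed as silent.
    print("feed silent at 10:30:", feed_is_silent(evs, "2015-08-05T10:30:00Z"))
```

The silence check is deliberately crude: it only asks whether any event at all has arrived recently. In practice you would run it per source host, because a single chatty server will mask a dozen forwarders that have quietly died.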

Sure, go ahead. Yeah, so just one question on a technique you mentioned: you said to review your ACLs on the firewall periodically and make sure you have them documented. I'm in this position right now, trying to work with my networking team, and they say they don't have time to document and reinspect all that stuff. So how often do you recommend that periodic review? What's the best practice: quarterly, monthly, annually? I'm trying to bring back some best practice to these guys so I can convince my networking team.

Yeah, I think the judgment of what's best practice depends; some of it comes down to what you are guarding. Is it just the firewall guarding your internet browsing segments, or is this the one guarding your crown jewels? If it's the one guarding my crown jewels, I'm probably going to watch it a whole lot more closely. What I used to do is, if an ACL didn't have documentation of who put it there and why it was needed, I would just randomly go through and disable it. You'll find out real quickly if it's still needed. I don't know that I'd do it weekly; I probably wasn't as regimented as I should have been. Like I said, I was not a great admin. But it's amazing how fast they come screaming when you disable the ACL they need.

Sure. So what would you say you did when you were an admin that was the worst for security, that you wouldn't do any more?

Oh, um, yes, never get the camera working.

I can tell you what mine is, because I used to be more in IT before, and one thing we sometimes have to do, when you work for a company that has little budget or whatever, is you end up running a lot of stuff that might not necessarily be safe on networks that are not super well segmented. And that's something that you see penetration testers do from time to time: we'll just grab some exploit from somewhere, "oh, that looks like an exploit," and compile it and use it, which can be really dangerous if you don't really know what it does. So that's one thing that I think I was guilty of, maybe 10 years ago when I was in IT. So I was just wondering if there's one thing that you think you were doing back then that you would not do any more.

Staying quiet: seeing things you know are wrong and letting them go, for fear of speaking up. And that applies to everybody. Whether we're talking about the human sensor seeing a malicious email: if you ridicule and browbeat your users because they clicked on a bad link, they're not going to come to you and tell you that they saw something come through; they're going to delete it and be quiet, so you've just lost your opportunity for detection at that point. But as an admin, being so focused on making it work, even sometimes cowering to the business side saying "hey, it's got to work today; well, I can make it work right next week." It kind of comes down to a quote one of my friends had in his cube for years: if you don't have time to do it right, when will you have time to do it again? And so take the time to put it in place the right way, because once it's in wrong, it'll never change. "Yeah, it's temporary." Yeah, absolutely. Anybody else? Yeah.

So you gave a lot of good examples of things that we should do. Do you have any idea of how I would prioritize some of this stuff? Like you said, if I'm going to be attacked in a week, what would I go change? How can I prioritize, what should I focus on first?

At the end of the day, all these companies are in business to make money, not to be secure, so you've got to understand that. And part of the inventory is understanding your crown jewels. You've got to know that if I lost this, I'm closing my doors tomorrow. So if there's low-hanging fruit that you can go knock out quickly to protect your crown jewels, that's something you need to focus on. If you have proprietary or industry data, whatever is your differentiator, guard it, even if you realize you may have to give up somewhere else. Thank you guys. [Applause]