Managing the IT Security Octopus

Scott Grimes

Biography -> 25+ Years in IT● Sr Systems Administrator + DevOps● Employer: IBM iX - Helping businesses with their digital experience

journey● SysAdmin: CentOS, Ubuntu, FreeNAS, VMware,

○ OS/2, SVR4, Solaris, AIX, Windows Server● DBA: Oracle, SQL Server, MySQL● Developer: HIPPA compliant web-based EMR● Been attending LinuxFest for 12+ years● Personal Challenge: Make the LinuxFest Security Talk “better”

HousekeepingThe open source security landscape is changing at a dizzying pace

● It is impossible for any one person to have all current knowledge. Thank you in advance for overlooking technical details that may be out of date or now inaccurate

● All slide images are free or public domain

● Audience: End-User, Developer, SysAdmin

● I will talk to the slides, but not read them verbatim

Please hold questions / comments to the end. I plan to leave time to answer a few.

Out of Scope - Time Restriction● Logging / Auditing● Encryption at Rest● Honey Pots● Penetration Testing● Dirty little secrets of hackers● IPv6● Policies + Practices

In Scope● Increase Overall Security Awareness● Deepen Technical Understanding● Provide Practical Take-aways

The new “Gold” is DATA!

● Do not underestimate the value of any data

● Good security is about making things HARDER

● Good security is a combination of technology + policies / practices

● You do not need to spend a King’s ransom to implement good security

● You have way more “pirates” than you are probably aware

Hackers have become increasingly organized & sophisticated

● Russian computer science graduate. Two most profitable job opportunities○ Work for the government○ Hacker

● Global collaborative development network● Agile development methods, incremental, continuous integration● Shared code base repos● Use SSL / TLS security. Use Encryption● Scanning tools● “bots” = global networks of attack systems or bitcoin mining

IP Sec

SSL / TLS

SSH

GPG / PGPMulti-Factor

Patching

S/MIME

Awareness Training

Encryption Protocols

IT Security Landscape

Firewalls

A successful defense is “layered”

SSL/TLS

OS Patching

LoggingFirewall

Phishing

USB

Social Engineering

- Keyboard- Keystroke Logger

What does good digital security need to do?1. Verify your source2. Verify your destination3. Prevent “man-in-the-middle” attacks4. Setup an encrypted transport5. Authenticate _without_ sending the secret6. Verify what was sent did not change during transport7. Prevent session “replay”

Layering security to apply multiple defenses

Castle OSI Model Security

Door + Lock Application Passwords, Multi-Factor, SSH, Services, Anti-Virus, Phishing

Tower Presentation SSL / TLS, Digital Certs

Session

Transport

Wall + Gate Network Firewall, IP Sec

DataLink

Drawbridge Physical Bluetooth, Ethernet, WiFi

WiFiIt IS “safe” to broadcast your SSID Name

WEP = Wired Equivalent Privacy. Exploited. Disable.

WPA = WiFi Protected Access. Weak. Disable.

WPA2 = Enable. Use a long shared key. 32 characters.

WiFiQ: “I’m WPA2 encrypted. I’m secure!”

A: SSID “spoofing”:

● Comfort Inn● Comfort Inn rogue

Comfort Inn

Rogue Comfort Inn

Relay

Layering security to apply multiple defences

OSI Model Security

Application Passwords, Multi-Factor, SSH, HTTPS, Services, Anti-Virus, Phishing

Presentation SSL / TLS, Digital Certs

Session

Transport

Network Firewall, IP Sec

DataLink

Physical Bluetooth, Ethernet, WiFi

Firewall

● Advantages○ Limit access to “trusted” IPs

and ports○ Firewall EVERY device

● Disadvantages○ “Spoof” the IP address○ Unblocked “High” ports○ Security “bugs” in the

service

Port 1

65535

1023

SSH (22)Time (123)HTTP (80)HTTPS (443)

Hom

e =

210.

90.7

76.5

5

Rogue App (22727)Inte

rnet

= 1

2.14

3.67

.559

Low

Hig

h

Firewall SpoofingPort 1

65535

HTTPS (443)

Hom

e =

210.

90.7

76.5

5

Good App (22727)Inte

rnet

= 1

2.14

3.67

.559

Net

wor

k P

rovi

der =

12.

143.

67.5

59

Net Monitor

IP Sec[urity]Advantages

● Whatever is running through the pipe is automatically encrypted

● Good for host to host or network to network

● Easy Windows activation● Lots of VPN implementations

Disadvantages

● Setup required for each source / target● Someone compromises one network, the

other network is at risk

Key I Key II

FirewallAWS

Layering security to apply multiple defences

OSI Model Security

Application Passwords, Multi-Factor, SSH, HTTPS, Services, Anti-Virus, Phishing

Presentation SSL / TLS, Digital Certs, Encryption

Session

Transport

Network Firewall, IP Sec

DataLink

Physical Bluetooth, Ethernet, WiFi

Encryption Algorithms -> Strength● Based upon a key length (128,

256, 1024, 2048, …)● Data “munging” algorithm (Cipher)● CPU cycles (Time)

LOW - Disable

MEDIUM - Disable

MEDIUM:HIGH - Disable if app < 5 years old.

HIGH

0000000000000000000000000000000000000A

0000000000000000000000000000000000000B

0000000000000000000000000000000000000C

0000000000000000000000000000000000000Z

000000000000000000000000000000000000AA

000000000000000000000000000000000000AB

000000000000000000000000000000000000AC

000000000000000000000000000000000000AD

Key Space

Encryption Algorithms - TrustedAES-256 (Advanced Encryption Standard)

TWOFISH

SHA-256

RSA

OpenPGP

Encryption Algorithms - FAQQ: What’s a good key Strength?

A: 2048 bits or longer (100 yrs)

Q: I thought encryption was slow?

A: +5%

Q: Quantum Computing

A: Movie: Sneakers = “No more secrets”

Presentation - SSL / TLS EncryptionSSL = Secure Socket Layer

TLS = Transport Layer Security

● SSL v1 - Exploited. Disable.● SSL v2 - Exploited. Disable.● SSL v3 - Exploited. Disable.● TLS v1.0 - Weak. Disable.● TLS v1.1 - Weak. Disable.● TLS 1.2 - Available for 5 years now. Solid.● TLS 1.3 - Released in Mar 2018 after 4

years of development & testing○ "major improvements in the areas of

security, performance, and privacy."○ Already supported in Chrome & Firefox

Presentation - HTTPS Source Verification

Inside a certificate….

Issuer: C=US, O=International Business Machines Corporation, CN=IBM INTERNAL INTERMEDIATE CA

Not Before: Mar 23 04:00:00 2018 GMT

Not After : Mar 22 03:59:59 2021 GMT

Subject: C=US, ST=Columbus, OH, L=Columbus, OH, O=ibm.com, CN=www.ibm.com/mail=scgrimes@us.ibm.com

Public-Key: (2048 bit)

00:c1:77:95:eb:4f:5b:4b:3f:05:56:32:26:35:2a:

f6:8d:2e:1b:ed:42:e9:39:8b:ef:4d:3d:e0:01:cb:

Root Cert 1Root Cert 2Root Cert 3

Root Cert 4Root

Cert 64

Business Intermediate Cert

Business Intermediate Srvs

Host Certwww.ibm.com

DNS

Browser SSL/TLS Source Verification VisualInside a certificate….

Subject: C=US, ST=CA, L=Santa Clara, CA, O=google.com, CN=www.google.com/mail=scgrimes@us.ibm.com

letsencrypt.org = Free. Good for 90 days.

Google “bumps” any site in its search response if the entire site is SSL protected

SSL Everywhere Firefox plugin

Site verified

Business verified

Presentation - SSL / TLS & Risks

Root Cert 1Root Cert 2Root Cert 3

Root Cert 4

Root Cert 64

Business Intermediate Cert

Business Intermediate Srvs

Host Certwww.ibm.com

DNS

Business Intermediate Cert

Logon credentials

Bank transactions

HIPPA, PII

RISKS

Network SnifferLast Pass

Presentation - SSL / TLS & Risks

Root Cert 4

Root Cert 64

Business Intermediate Cert

Business Intermediate Srvs

Host Certwww.ibm.com

DNSLogon credentials

Bank transactions

HIPPA, PII

Root Cert 1

Network Sniffer

NetworkingIT SecurityCust SupportNSA | FBI

RISKS

Layering security to apply multiple defences

OSI Model Security

Application Passwords, Multi-Factor, SSH, HTTPS, Services, Anti-Virus, Phishing

Presentation SSL / TLS

Session

Transport

Network IPv4, IPv6, Firewall, IP Sec

DataLink

Physical Bluetooth, Ethernet, WiFi

Application - Password Authentication

● NIST, 2017 => Drop Expiring Password requirement● NIST, 2017 => Drop “Com-plex” password requirement. Found to be less secure.● “Use a Long memorized Secret” rather than “a-Funki0ne”. The longer the harder to crack. 10 char

minimum.○ Lyric from a favorite song. Bible Verse. Movie quote.

Half the security credentials are easily obtainable.

Authentication & Authorization rests on one, hard to guess, password

Application - Multi-Factor AuthenticationTwo-Factor: Something you know + something you have

Example: Debit Card

SMS Text: “token”

Authy, Google Authenticator, Duo, FreeOTP

Time limited, 6 digit, random number

Supported: Google, Facebook, AWS, more ...

Application - Multi-Factor Authentication - RiskEvery multi-factor authentication generates a session “cookie” or “key” that the app uses for authentication & authorization going forward.

Intercept the “cookie” or “key” and you can impersonate the user.

● SSL / TLS “snooping”● Browser Plug-In● Rouge App reading memory

Application - Insecure protocols

telnet = Needs to die

rsh = Needs to die ( Remote SHell )

FTP = Needs to die

rcp = Needs to die ( Remote CoPy )

E-mail = sending passwords UNencrypted

Replace with SSH

Replace with SSH

Replace with: scp (Secure CoPy) or rsync --rsh=/bin/ssh

Replace with scp

Add S/MIME or PGP

Application - Secure SHell (SSH)More features & options than a swiss army knife

SSH on Windows => Client => https://www.putty.org/

openSSH => Windows Server => OpenSSH-Win64.zip

ssh-keygen -t rsa -b 2048 -C ‘sgrimes@us.ibm.com’

Inside the file….

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwmiquDVM+XhfaOL/f9r8iSPR4KcDr+MyCKx783VCJOL/e/D0h6rBGrY5f1r2guSFK50V3XTRikwEQBuFX6T0GejWFJiWSo9HJcmrbBfm3igBu6RjGwEtxLVOjpvHifntBAU+8UyMfxIQKC5mE+FHwxJ+WxNLfcP5QqnGGJeilEAge4IYOxjLaJeKXg2CK72hpJvQQi3Ku5+9gSb/230Vlm3dzdPK5fIcVr478oHnrbiska59+NvX4eeUhCQrp0gShE+ovPSYg2ugQr3jKIeUiLhDFM51FZvU26v/VHw1DD08AQVil7ma0h5llShLWfUEtIWZ6zxDCqbCMyjdnRm+5 sgrimes@us.ibm.com

id_rsa id_rsa.pub

GLOBALLY UNIQUECryptographic relationship

Private Key Public Key

Two Factor: Something you HAVEPassword: Something you KNOW

$HOME/.ssh/

Sharing

$HOME/.ssh/ id_rsa

Your laptop

id_rsa.pub

authorized_keys

Remote system 1

Keep Private

Share

stash.resource.com

github.ibm.com/ix

id_rsa.pub

id_rsa.pub

pbcopy < ~/.ssh/id_rsa.pub

$HOME/.ssh/

$HOME/.ssh/

SSH is picky about SECURITY

id_rsa

Your laptop

id_rsa.pub

authorized_keys

remote system 1

Keep Private

stash.resource.com

github.ibm.com/ix

id_rsa.pub

id_rsa.pub

-rwx --- --- sgrimes

-rw- --- --- sgrimes

-rw- --- --- sgrimes

-rw- r-- r-- sgrimes usr_group world

First Contact ssh sgrimes@remote_system

Your laptopremote systemPROVE you are the

system I think I am connecting to

/etc/ssh/ssh_host_rsa_key/etc/ssh/ssh_host_rsa_key.pub

$HOME/.ssh/authorized_keys

system-credentialsI’ve not seen this system before. Do you trust this hash is the srv? yes$HOME/.ssh/known_hosts

$HOME/.ssh/id_rsa

I want to authenticate as sgrimes

Encrypt this token & send it back

token encrypted w/ id_rsa

Yep. You must have sgrimes private key matching sgrimes public key. Authenticated

Can I decrypt msg using authorized_key and get same token I sent?

Short Cuts

ssh-add = cache my private key in memory

scp -r -p /path/to/folder/file* sgrimes@remote_system:/path/to/store/

-r = recursive

-p = preserve permissions

scp sgrimes@remote_system:/path/to/remote/file /path/to/store/locally/

rsync --rsh=ssh /path/to/folder/file* sgrimes@remote_system:/path/to/store

Short Cuts - $HOME/.ssh/configHost * <- wildcard, apply to every server

ServerAliveInterval 180

ServerAliveCountMax 3

Host www01

User sgrimes

IdentityFile ~/.ssh/id_rsa

HostName www01.big.honking.long.fqdn

Compression yes

SSH tunnel - “Just-in-Time” VPN

AWS MySQL * : 3306

ToadDB Browser

Host: db01.aws.amazon.comPort: 3306

db01.aws.amazon.com

SSH tunnel - “Just-in-Time” VPN

AWS MySQL * : 3306

ToadDB Browser

db01.aws.amazon.comssh -f -L 3306:localhost:3306 sgrimes@db01

ssh listen process

Setup a forward, then background

Local forward

SSH tunnel - “Just-in-Time” VPN

AWS MySQL * : 3306

ToadDB Browser

db01.aws.amazon.comssh -f -L 3306:localhost:3306 sgrimes@db01

ssh

Host: localhostPort: 3306

Layering security to apply multiple defences

OSI Model Security

Application Passwords, Multi-Factor, SSH, HTTPS, Services, Anti-Virus, Phishing

Presentation SSL / TLS

Session

Transport

Network IPv4, IPv6, Firewall, IP Sec

DataLink

Physical Bluetooth, Ethernet, WiFi

Application - ServicesFirewall Port: 443 is OPEN! Application Programming Interface (API)

SQL Injection => “; SELECT * FROM users…”

https://www.site/path?security_token=aazvr...

Penetration Testing => Nessus

Code Reviews => Think like a bad guy

Libraries - Regular OS Patching

Applications - ClientGoogle Chrome => Send profile data home

Microsoft Edge => Send profile data home

Mozilla Firefox => “Your business is your business”

Gmail => “Reads” your e-mail. The world’s largest and most invasive “advertising” platform

ProtonMail => Private, end-to-end encrypted e-mail based on GPG encryption

Application - AntiVirusAnti-Virus => “We’ve lost.” -- Symantec. Use System Defender.

The Better investment is backups. Encrypted, off-server, off-site, cloud based

BackBlaze B2B => 270 GB, $0.54 / mo

FileServer => Scheduled hourly “snapshots”, keep for 2-4 weeks

FreeNAS using ZFS filesystem => Free!

Application - Phishing Attacks

PhishingSocial Engineering

Phishing => Security Awareness Training => https://www.knowbe4.com/

Stay Safe Out There - Thank You!

QuestionsScott Grimes

scgrimes@us.ibm.com

Website: None

Blog: NoneTwitter: None