Overclockers Australia Forums
Old 10th August 2008, 7:26 PM   #1
stalin Thread Starter
Join Date: Jun 2001
Location: On the move
Posts: 4,584
Security Thread V2.0

After the Original Security Thread? ended up something different to what I expected (though it has excellent discussion regardless)

I wanted to have more Q&A Style
Eg: Question
http://forums.overclockers.com.au/sh...88&postcount=7

Answer
http://forums.overclockers.com.au/sh...8&postcount=12

Maybe this can be Post Questions (ie as above) and the previous thread be discussions around those Questions? Then you don't have to go looking through 100 post threads to find answers?

If not, then not, but it can't hurt to try
Old 11th August 2008, 4:19 PM   #2
Daemon
Join Date: Jun 2001
Location: qld.au
Posts: 3,373

Since nobody has responded yet, I'll ask a few questions. Interested to hear what people are doing in different companies to secure a few things, always good to know if there are better methods out there.

Q1: What are people using for USB device management (ie Group Policy controlled) and what about support for laptops (ie no centralised authentication / control)?

Q2: What do you do about auditing printers and print jobs?

Q3: What do you do to audit and ensure there are no rogue WiFi devices in your area?
__________________
Hosting consultant .... and brewer of fine ales
Old 11th August 2008, 5:12 PM   #3
therazza
Join Date: Aug 2004
Posts: 1,258

Quote:
Originally Posted by Daemon
Since nobody has responded yet, I'll ask a few questions. Interested to hear what people are doing in different companies to secure a few things, always good to know if there are better methods out there.

Q1: What are people using for USB device management (ie Group Policy controlled) and what about support for laptops (ie no centralised authentication / control)?

Q2: What do you do about auditing printers and print jobs?

Q3: What do you do to audit and ensure there are no rogue WiFi devices in your area?
Q2- Look up a program called PaperCut. GUI and a web interface, can charge people usage rates. Auditing reports are generated into PDF.

Q3- Cisco have a wireless program but I'm sure it only works once you own it.
Old 11th August 2008, 5:16 PM   #4
coroner
Join Date: Aug 2001
Posts: 331

Seconding PaperCut for printers and print usage. Their support is very helpful and there is online chat to get a response when required during business hours. Very handy.

Some incident response may be good if someone is keen. Procedures for machines that have been attacked or used for attacks etc.
Old 11th August 2008, 7:27 PM   #5
stalin Thread Starter
Join Date: Jun 2001
Location: On the move
Posts: 4,584

Quote:
Originally Posted by Daemon
Since nobody has responded yet, I'll ask a few questions. Interested to hear what people are doing in different companies to secure a few things, always good to know if there are better methods out there.

Q1: What are people using for USB device management (ie Group Policy controlled) and what about support for laptops (ie no centralised authentication / control)?

Q2: What do you do about auditing printers and print jobs?

Q3: What do you do to audit and ensure there are no rogue WiFi devices in your area?
Q1:
There are heaps of products out there that give you this functionality; most of the new 'endpoint security' products do this, and there have been lots of acquisitions in this space lately.

Sanctuary is a popular one - just don't get on one of their reseller lists, they never leave you alone.
Zenforce is also popular.. there are heaps.

However, what I have seen lately is that where there are only simple requirements for USB management, people deploy FDE products with that management built in, things like ProtectDrive and McAfee (they just bought SafeBoot - though they plan to cripple the USB management and make you use ePO).

However, lots of little places just disable all USB storage on the local devices except for the permitted USB storage ID. Costs nothing. Easy to administer (enable through GP, or scripts) and you're done. However, when you want to start making CD drives RO and ensuring only certain wireless devices are attached etc, you really need to go out to market and see what's out there... and there is lots.


Q2: Needs to go to someone else, we aren't all that concerned with 99% of printing, it's logged through NDPS for us anyway.

Q3: Walk around with AirMagnet WiFi Analyser or AirMagnet PDA Analyser to each of your sites. This has a few advantages.

1) - you get to leave your desk and avoid DVT.
2) - it's a visible deterrent and reminder to people to not use wireless
3) - You can resolve the problem then and there.

Another option is to have a wireless device on a separate VLAN/MPLS VPN and have it monitor (kismet etc); when it detects something off baseline you can get an alert. This is more alert prone, but gives you quicker warning and is more efficient, but loses out on the 3 points above. It's also more expensive.


coroner - I will give you a good answer to that in a few weeks, I have some Security Incident Response course with AusCert coming up, and will have it fresh in my mind. Meanwhile if anyone else wants to chip in...
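The "monitor and alert on anything off baseline" idea in stalin's Q3 answer, as an added example that is not from the thread or from any of the products named in it. It parses the report a Windows host prints for `netsh wlan show networks mode=bssid` and compares every BSSID it sees against a list of the access points we own, flagging an unknown radio that advertises one of our SSIDs and any strong unknown open or pre-shared-key network. The scan text, the SSID names and the baseline BSSIDs are constructed sample data; the function and parameter names are mine.

```powershell
# Added example (not from the thread): baseline comparison for visible WiFi networks.
# Input is the text of "netsh wlan show networks mode=bssid"; the sample below is constructed.

function ConvertFrom-NetshWlanScan {
    # Turns netsh's indented report into one object per BSSID.
    param([Parameter(Mandatory)] [string] $ScanText)
    $aps = [System.Collections.Generic.List[object]]::new()
    $ssid = ''; $auth = ''; $current = $null
    foreach ($line in ($ScanText -split "`r?`n")) {
        if ($line -match '^SSID \d+\s*:\s*(.*)$') {
            $ssid = $Matches[1].Trim(); $auth = ''; $current = $null   # hidden SSIDs come through as ''
        } elseif ($line -match '^\s+Authentication\s*:\s*(.+)$') {
            $auth = $Matches[1].Trim()
        } elseif ($line -match '^\s+BSSID \d+\s*:\s*([0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5})') {
            $current = [pscustomobject]@{
                Ssid = $ssid; Bssid = $Matches[1].ToLower(); Authentication = $auth
                SignalPercent = 0; Channel = 0
            }
            $aps.Add($current)
        } elseif ($null -ne $current -and $line -match '^\s+Signal\s*:\s*(\d+)\s*%') {
            $current.SignalPercent = [int] $Matches[1]
        } elseif ($null -ne $current -and $line -match '^\s+Channel\s*:\s*(\d+)') {
            $current.Channel = [int] $Matches[1]
        }
    }
    return $aps
}

function Find-OffBaselineAccessPoint {
    # Flags what is not in our BSSID baseline and could matter: an unknown radio using
    # one of our SSIDs, or a strong unknown network that is probably on the premises.
    param(
        [Parameter(Mandatory)] [object[]] $Scan,
        [Parameter(Mandatory)] [string[]] $CorporateSsid,
        [Parameter(Mandatory)] [string[]] $KnownBssid,
        [int] $MinSignalPercent = 60      # raise to cut neighbour noise, lower to see more
    )
    $known = $KnownBssid | ForEach-Object { $_.ToLower() }
    foreach ($ap in $Scan) {
        if ($known -contains $ap.Bssid) { continue }   # one of ours, nothing to report
        $reason = $null
        if ($CorporateSsid -contains $ap.Ssid) {
            $reason = 'unknown BSSID advertising a corporate SSID'
        } elseif ($ap.SignalPercent -ge $MinSignalPercent -and $ap.Authentication -eq 'Open') {
            $reason = 'strong open network not in baseline'
        } elseif ($ap.SignalPercent -ge $MinSignalPercent -and $ap.Authentication -like '*Personal') {
            $reason = 'strong pre-shared-key network not in baseline'
        }
        if ($reason) {
            [pscustomobject]@{
                Ssid = $ap.Ssid; Bssid = $ap.Bssid; Channel = $ap.Channel
                SignalPercent = $ap.SignalPercent; Reason = $reason
            }
        }
    }
}

# Constructed sample: two of our APs, one unknown radio using our SSID,
# a weak neighbour network, and a strong unknown PSK network.
$SampleScan = @'
Interface name : Wi-Fi
There are 3 networks currently visible.

SSID 1 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 82%
         Channel            : 6
    BSSID 2                 : 00:11:22:33:44:66
         Signal             : 70%
         Channel            : 11
    BSSID 3                 : aa:bb:cc:dd:ee:ff
         Signal             : 88%
         Channel            : 1

SSID 2 : NeighbourCafe
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    BSSID 1                 : 12:34:56:78:9a:bc
         Signal             : 25%
         Channel            : 6

SSID 3 : Staff-Hotspot
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    BSSID 1                 : de:ad:be:ef:00:01
         Signal             : 95%
         Channel            : 3
'@

$Baseline = @('00:11:22:33:44:55', '00:11:22:33:44:66')   # constructed list of the APs we own
Find-OffBaselineAccessPoint -Scan (ConvertFrom-NetshWlanScan $SampleScan) `
    -CorporateSsid 'CorpNet' -KnownBssid $Baseline | Format-Table -AutoSize
# Live use: Find-OffBaselineAccessPoint -Scan (ConvertFrom-NetshWlanScan (netsh wlan show networks mode=bssid | Out-String)) ...
```

On the sample this reports aa:bb:cc:dd:ee:ff (our SSID on a radio we do not own) and de:ad:be:ef:00:01 (a strong PSK network), and ignores the weak neighbour. netsh only reports what the host's own adapter can associate with, so a dedicated sensor of the kind the post describes will see more; and because a BSSID is just a MAC address that a rogue device can copy, a hit from either should still end with the walk-around the post recommends.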
Old 11th August 2008, 7:30 PM   #6
Icidic
Join Date: Mar 2007
Location: Brisbane, Queensland
Posts: 564

Alright, I'll bite.

What do people here use (probably not all that many, mind you) for biometric integrated security and authentication solutions? I'm talking about Retinal\Fingerprint\Face Recognition software that ties into AD\eDir\LDAP\etc.
Old 11th August 2008, 7:40 PM   #7
coroner
Join Date: Aug 2001
Posts: 331

Daemon - if you would like some extra answers regarding PaperCut I'm happy to give you some info. I used it at my previous work and it worked well. Can integrate with external devices for cards etc for photocopying as well.

However, they allow you to download a trial version as well. No limits for 30 days so you get a good feel for it.


Stalin - I have seen those courses but feel if I was going to fork out the money to attend one it would be very beneficial to have done a lot of homework first. Will probably be a few new forensic articles up after Black Hat finishes.
Old 11th August 2008, 8:59 PM   #8
PsyKo-Billy
Join Date: Jan 2002
Location: Townsville
Posts: 2,713

Quote:
Originally Posted by Daemon
Q1: What are people using for USB device management (ie Group Policy controlled) and what about support for laptops (ie no centralised authentication / control)?

Q2: What do you do about auditing printers and print jobs?

Q3: What do you do to audit and ensure there are no rogue WiFi devices in your area?
Q1: We use trust it seems.
Only a fairly small company with limited 'important' information that can be obtained by those not reasonably high up. No issues in ~20 years.

Q2: Trust again.
Only users who need colour have access to colour printers. Aside from that it's expected if you empty the paper tray you fill it...

Q3: We have McAfee ePO with Rogue System Detection. Hardly 100% but it works most of the time.

I really posted this as an idea of how the other half do it. It's far from ideal but seeing as we haven't been bitten yet the 'powers that be' seem fine with limited security. I guess it's just a risk assessment thing and they see limited risk.
Old 12th August 2008, 9:04 AM   #9
Drunkmunky
Join Date: Jun 2006
Location: Hobart
Posts: 1,843

Quote:
Originally Posted by Daemon
Q1: What are people using for USB device management (ie Group Policy controlled) and what about support for laptops (ie no centralised authentication / control)?

Q2: What do you do about auditing printers and print jobs?

Q3: What do you do to audit and ensure there are no rogue WiFi devices in your area?
Q1: We have just implemented a custom group policy as there wasn't any that suited our needs already. It does a few things, including hiding the drive letters that Windows would use to map USB sticks to, and also changing the permissions on usbstor.inf and usbstor.pnf. The other alternative is to use software on every client that could do the same thing.

Q2: +1 for PaperCut, we use that at every site in the state. Has come a long way over the years, setup is easy, configuration and management is easy, there pretty much isn't much to not like about it.

Q3: Not sure what you mean by rogue WiFi devices, as in APs or people trying to connect to your wireless? We run RADIUS at all sites through Linksys WAPs (soon to be upgraded to fancy Cisco stuff), which so far hasn't caused any problems and is quite secure, except that occasionally the APs forget who they are and have to be reset, but that's a hardware problem. The RADIUS stuff comes down through Group Policy and is enforced so that machines will always connect to our wireless before any other random network they find.
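The two host-side USB storage controls discussed in this thread, stalin's "disable all USB storage except the permitted USB storage ID" (post #5) and Drunkmunky's group policy that changes permissions on usbstor.inf and usbstor.pnf (post #9), as an added example that is not from either poster. It audits the state of one Windows host and writes a hardware-ID allow-list using the registry locations behind the USBSTOR service, the INF-permissions method and the "Prevent installation of devices not described by other policy settings" / "Allow installation of devices that match any of these device IDs" Group Policy settings; those locations are standard Windows ones, while the function names and the hardware ID in the usage call are mine, the latter a constructed placeholder.

```powershell
# Added example (not from the thread): audit and enforce USB storage control on one
# Windows host. Locations used:
#   USBSTOR service Start value            3 = enabled, 4 = disabled
#   %SystemRoot%\inf\usbstor.inf / .pnf    deny ACEs = the older "block new installs" method
#   DeviceInstall\Restrictions policy keys allow-list by hardware ID + deny everything else
# Run elevated; in a domain the same values are delivered by a GPO rather than per host.

$UsbStorKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$RestrictionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$AllowIdKey     = Join-Path $RestrictionKey 'AllowDeviceIDs'
$UsbStorInfs    = @('usbstor.inf', 'usbstor.pnf') | ForEach-Object { Join-Path $env:SystemRoot "inf\$_" }

function Get-UsbStorageState {
    # Collects the current state so it can be compared with the intended policy.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $deny  = (Get-ItemProperty -Path $RestrictionKey -Name DenyUnspecified -ErrorAction SilentlyContinue).DenyUnspecified
    $allowed = @()
    if (Test-Path $AllowIdKey) {
        # Allowed IDs are stored as string values named 1, 2, 3, ...
        $allowed = (Get-ItemProperty -Path $AllowIdKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    $denyAces = foreach ($inf in $UsbStorInfs) {
        if (Test-Path $inf) {
            (Get-Acl -Path $inf).Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
                ForEach-Object { "$(Split-Path $inf -Leaf): $($_.IdentityReference.Value)" }
        }
    }
    [pscustomobject]@{
        UsbStorServiceStart    = $start            # $null means the key is missing
        UsbStorDisabled        = ($start -eq 4)
        DenyUnspecifiedDevices = ($deny -eq 1)
        AllowedDeviceIds       = @($allowed)
        UsbStorInfDenyAces     = @($denyAces)
    }
}

function Set-UsbStorageAllowList {
    # Writes an allow-list of hardware IDs and denies installation of everything else.
    # Devices installed before the policy stay installed; set the USBSTOR Start value
    # to 4 as well if those must be cut off too.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string[]] $AllowedHardwareId)
    if (-not $PSCmdlet.ShouldProcess($RestrictionKey, 'restrict device installation to allow-list')) { return }
    if (-not (Test-Path $AllowIdKey)) { New-Item -Path $AllowIdKey -Force | Out-Null }
    # Remove stale entries so the key holds exactly the supplied list.
    foreach ($name in (Get-Item -Path $AllowIdKey).Property) {
        Remove-ItemProperty -Path $AllowIdKey -Name $name
    }
    $i = 1
    foreach ($id in $AllowedHardwareId) {
        New-ItemProperty -Path $AllowIdKey -Name $i -Value $id -PropertyType String | Out-Null
        $i++
    }
    New-ItemProperty -Path $RestrictionKey -Name DenyUnspecified -Value 1 -PropertyType DWord -Force | Out-Null
}

# Usage (the hardware ID is a constructed placeholder; copy real ones from
# Device Manager > Details > Hardware Ids of an approved device):
# Set-UsbStorageAllowList -AllowedHardwareId 'USBSTOR\DiskEXAMPLE_VENDOR_EXAMPLE_MODEL_1.00' -WhatIf
# Get-UsbStorageState | Format-List
```

Run the audit before and after the change (and periodically, since a local admin can undo any of these settings) and treat a host whose `UsbStorDisabled`, `DenyUnspecifiedDevices` and `AllowedDeviceIds` disagree with the intended policy as a finding. The allow-list keys do nothing on pre-Vista clients, which is where the INF deny ACEs that the audit also reports still matter.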
Old 12th August 2008, 9:19 AM   #10
bloodbob
Join Date: Feb 2003
Posts: 757

Q: Is there any reasonable way to prevent attacks on wireless driver stacks?
Old 12th August 2008, 10:57 AM   #11
exodushunter
Join Date: Sep 2005
Location: Vic
Posts: 100

Quote:
Originally Posted by Icidic
Alright, I'll bite.

What do people here use (probably not all that many, mind you) for biometric integrated security and authentication solutions? I'm talking about Retinal\Fingerprint\Face Recognition software that ties into AD\eDir\LDAP\etc.
We use DigitalPersona's U.are.U fingerprint scanners for authentication. We had to get over a hurdle when we started locking everyone's screens at 5 minutes and this was the cake.
Integrates with AD, also enables you to encrypt files with your fingerprint, one-touch sign-on into programs and web pages that require auth. Also works with Citrix apps if you have the latest version (4.6).
We have fingerprint scanners on 95% of our computers; also gets around people having to remember their password, and you can set the software up to randomize the user's password when it expires, so the user doesn't get prompted or see that it's expiring.
Old 12th August 2008, 11:12 AM   #12
Squeezer
Join Date: Feb 2002
Location: Adelaide
Posts: 6,429

#1 We use a product called LyncRMS

Currently we only monitor and log USB transfers, we don't block. It can encrypt stuff on USB keys also if you have the license key for that module.
Old 12th August 2008, 12:07 PM   #13
stalin Thread Starter
Join Date: Jun 2001
Location: On the move
Posts: 4,584

Quote:
Originally Posted by Squeezer
#1 We use a product called LyncRMS

Currently we only monitor and log USB transfers, we don't block. It can encrypt stuff on USB keys also if you have the license key for that module.
I could not recommend _against_ that product enough. PM Sent.

Quote:
Originally Posted by bloodbob
Q: Is there any reasonable way to prevent attacks on wireless driver stacks?
Disable Wireless.
Don't use Wireless drivers with a poor history (which includes Toshiba, DLink, Netgear, Broadcom etc)
Buy the ones with as few features as possible - less features = less potential security holes.

This is a good little article on 'Fuzzing' http://www.uninformed.org/?v=6&a=2&t=pdf

But not that I am aware of, there isn't a sane way to protect yourself. Hopefully someone can enlighten me.
Old 12th August 2008, 12:16 PM   #14
yoda123
Join Date: Apr 2003
Location: QLD
Posts: 2,648

We disable all USB access through group policy. I'm not only worried about what can come into our network, but also worried about what can go out. Corporate data theft is something everyone should be worried about in this day and age.

Papercut +1 Manages all of our print logging and reporting.

Airmagnet Monitoring.. nuff said ! We also MAC lock all of our ports to make it harder for rogue devices to be plugged in.

We also have very strict policies about wireless leakage outside of our property.. basically all the buildings that are on property perimeters have their output on the APs tuned so it's enough for that building, but doesn't go outside of our property. We also use RADIUS for auth to beef up the security there.
Old 12th August 2008, 12:39 PM   #15
bloodbob
Join Date: Feb 2003
Posts: 757

Quote:
Originally Posted by stalin
Disable Wireless.
Unfortunately management have deemed that wireless is needed for managers. I think it is because plugging in a blue cable is inconvenient.