Security. Bob Shantz Director of Infrastructure & Cloud Services Computer Guidance Corporation. All Rights Reserved.

Transcription

1 Security Bob Shantz Director of Infrastructure & Cloud Services 2016 Computer Guidance Corporation. All Rights Reserved.

2 CPE Credits To receive your CPE Credits:. Complete a survey for each session attended. Surveys are available through the Customer Focus PSAV app Submit the completed surveys by Friday, July 29, Computer Guidance Corporation is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be addressed to the National Registry of CPE Sponsors, 150 Fourth Avenue North, Suite 700, Nashville, TN, or

3 Session Code: TS2

4 Bob Shantz Bob Shantz is responsible for the information technology infrastructure of Computer Guidance, including the management of storage, server and network based systems and services for both our hosted customers and the Computer Guidance team. Bob has over 30 years of experience designing and implementing a broad range of network, server, storage, data center and cloud based computing technologies. Prior to Computer Guidance, Bob was the Director of IT Infrastructure for Kaydon Corporations in Ann Arbor, Michigan where he was the leader of the global IT infrastructure team responsible for the IT infrastructure execution across 23 locations in 12 countries.

5 Areas of Discussion Facility Security Network Perimeter Security Software Maintenance Cycles User Accounts Security Awareness

6 Physical Facility Security What are we trying to protect? Unauthorized access to equipment and networks Computers Servers Networks wired/wireless Prevent theft of physical assets Removable media. Tapes, CD/DVD/USB Backup Tapes Master copy CD/DVD/USB Hardware data damage resulting from: Power interruptions Cooling system failures Fire Business continuity in the event of a natural disaster.

7 Physical Facility Security Recommendations: Facility access security ID / scan access cards Visitor sign in logs Network access Don t have active network jacks in common visitor areas Don t broadcast your production wireless network SSIDs Keep servers in secure area Separate locked office Secure locked cabinet Utilize UPS battery backups Servers Network switches Control / security systems Removable media. Tapes, CD/DVD/USB Fireproof secure storage for backups Media Destruction Servers, switches, security system areas require cooling Many switches can report out temperatures via or SNMP Low cost USB options for monitoring temperature in server areas Fire Suppression Systems Hosted systems / co location data centers Simplifies these requirements for hosted applications Quality identified through tier certification.

8 Network Perimeter Security The network perimeter is the boundary between internal private networks and external public networks. Areas of Vulnerability: Firewalls Wireless Access Points Servers Desktops and Laptops Computers Mobile Devices Web browsing

9 Network Perimeter Security Simple small office / home network configuration.

10 Network Perimeter Security Simple business network configuration.

11 Network Perimeter Security Advanced business network configuration.

12 Recommendations: Firewalls Use a Deny All default for inbound traffic flow. Ensure remote administration is disabled. Ensure administration account passwords are changed from the vendor default. Validate your firewall rules, especially the inbound traffic rules, on a quarterly or semi annual basis. Perform Port Scan tests on a quarterly or semi annual basis to verify configuration. Limit inbound traffic by port/protocol and by source IP address if possible. Enable logging for successful, Allow connections. Sign up to receive vendor updates regarding fixes and software updates. If possible, engage a certified professional when make changes.

13 Recommendations: Wireless Access Points Create a separate network for guest access behind a firewall. Don t broadcast your production network SSID. Require password security to connect to all SSID. Encrypt all wireless traffic WPA/WPA2 are excellent (256 bit). Ensure administration account passwords are changed from the vendor default. Sign up to receive vendor updates regarding fixes and software updates.

14 Servers Recommendations: Windows Servers: Install an industry standard Antivirus/Anti malware application. Enable Windows Update to receive the latest software and security fixes. Enable the Windows Firewall service. Only install roles / services required to support the server functions. Enable File Shadow Copy on file servers.

15 Servers Windows Shadow Copies of Shared Folders provides point in time copies of files that are located on shared resources, such as a file server. With Shadow Copies of Shared Folders, users can view shared files and folders as they existed at points of time in the past. Accessing previous versions of files, or shadow copies, is useful because users can: Recover files that were accidentally deleted. If you accidentally delete a file, you can open a previous version and copy it to a safe location. Recover from accidentally overwriting a file. If you accidentally overwrite a file, you can recover a previous version of the file. Compare versions of a file while working. You can use previous versions when you want to check what has changed between two versions of a file. Can be a useful tool for recovery in the event of a virus attack.

16 Servers Recommendations: Non Windows Servers Linux Install an industry standard Antivirus/Antimalware application Only install roles / services required to support the server functions. Sign up to receive vendor updates regarding fixes and software updates. Keep you systems up to date based on vendor recommendations. Backup ALL Servers! Have at least 3 copies of your data (source, copy 1, copy 2). Store copies of the data on different media devices. Keep one backup copy offsite.

17 Recommendations: Desktops and Laptops Computers Install an industry standard Antivirus/Anti malware application. Enable Windows Update to receive the latest software and security fixes. Enable the Windows Firewall service via Active Directory group policies. Enable the screen saver lock group policy for inactive computers. If possible, do not give users local administrative rights. For laptops, use Bitlocker or a similar tool to encrypt the data on the disk drive. Backup your files to a removable device or network drive.

18 Recommendations: Mobile Devices Enabled the auto lock feature with password protection. Install the vendor recommended updates. If the device is not using applications on your production network, don t allow the device to connect to your production wireless access points. Setup a Mobile Device wireless network separate from your production wireless network. If this is not an option, consider using your guest wireless network for mobile devices. Include mobile device management in your employee departure procedures, utilizing remote wipe technology when appropriate.

19 Recommendations: Web Browsing For Internet Explorer, set the appropriate Security Level for the Internet zone.

20 Recommendations: Web Browsing For Internet Explorer, set the appropriate settings on the Internet Options Privacy tab.

21 Recommendations: Web Browsing For Google Chrome, ensure the Protect you and your device from dangerous sites option is selected under the Settings Advanced Privacy setting.

22 Web Browsing Recommendations: Implement a Proxy based web content filter. Scans for malicious web content. Blocks access to undesirable web sites (porn, hate, etc.). Allows for more secure outbound firewall configuration. Train your users!

23 Recommendations: Implement an enterprise filter. Blocks inbound and outbound malicious content. Screens for SPAM. Quarantine area for questionable , with user notification to review. Allows for more secure outbound firewall configuration. Train your users!

24 Software Maintenance Cycles Recommendations: Establish a formal maintenance schedule for updating servers, user computers, routers, and wireless access points. For Windows based computer, Microsoft s Windows Server Update Services or WSUS is an excellent tool to manage the process. For servers: Weekly or monthly cycle is sufficient. If a fix for a significant software vulnerability is identified, have a procedure in place to push immediately. For network switches, routers, wireless access points and firewalls: Quarterly updates Have procedures in place to address emergency, high risk vulnerability fixes. If you have IP based telephones, include these devices in your maintenance cycles.

25 User Accounts Recommendations: Use a named user account model no shared accounts. Create user s account rights based on the principle of least privileged access. Passwords: Longer passwords are more secure than shorter password with special characters (8 16 character length recommended). Enable account lockouts for multiple failed logon attempts (5 attempts). Require password be changed every days. Windows Password Setting: Established via Group Policy at the Domain or Local server level.

26 User Accounts ISeries Password Setting: Update setting via the System I Navigator. Security Policies Password Policy

27 ISeries Password Setting: User Accounts

28 ISeries Password Setting: User Accounts

29 User Accounts ISeries Password Setting: A few accounts need to be exempt from the policy. QEJBSVR ECMS ECMSBO or whatever profile is used for BO. Procedure to exempt these accounts: wrkusrprf qejbsvr (what?) Place a 2 next to it and press enter. Press F10 for Additional Parameters

30 User Accounts ISeries Password Setting: Page Down 1 Page Change the Password expiration interval to *NOMAX and press enter Repeat the process for the ecms and ecmsbo accounts.

31 Security Awareness Security awareness is the knowledge of potential threats and the ability to anticipate what types of security issues and incidents employees may face in their day to day functions. Technology alone cannot provide adequate information security. Awareness and personal responsibility are critical to the success of any information security program. The goal is to have your employees think about how their behavior and actions can impact information security.

32 Security Awareness Recommendations: Hold quarterly or semi annual employee training focusing on how their action can improve system security. Potential training topics: Password usage and management Good Web browsing habits Good habits Dealing with unknown attachments Unknown senders Phishing attempts Malicious content awareness Virus Worms Ransomware Steps to take to report a potential security breach

33 Security Awareness Recommendations: Monthly Security Awareness newsletters. Display security awareness posters to help remind employees every day. Encourage management to discuss security awareness in meeting and group events. SANS Institute is a globally recognized expert in the area of cyber security. They have a wealth of information that is extremely useful in establishing a Security Awareness Program. They also provide free monthly newsletters!

34 Presentation Reference Links Symantec s Internet Security Threat Report center/threat report MX Toolbox Windows Shadow Copy us/library/cc771305(v=ws.11).aspx Practical Design Group USB Temperature Monitor via Windows Server Windows Screen Save Lock Group Policy Setting us/library/ee617164(v=ws.10).aspx Windows Password Group Policy Settings us/library/cc756990(v=ws.10).aspx ISeries Password Settings Overview Windows 2012 R2 Windows Update Administrative Template us/kb/ server 2012 configuring windows update SANS Institute Security Awareness Free Security Awareness Posters free/ni free posters.asp