DefCon 22 presentation notes

Behind the cut are the notes I took during DefCon 22, organized by name of presentation. Where appropriate I've linked to the precis of the talk. I make no guarantee that they make sense to anybody but me.One Man Shop: Building an Effective Security Program All By Yourself - Medic

• Integrate with environment
• Continuous monitoring
• People and Process -> Secure Network Architecture -> Secure Systems Design -> Continuous Monitoring -> External Validation -> Compliance
• Compliance, per usual, means dick in the final analysis
• Roughly five year plan w/ deliverables
• Needs organizational supprt. Still answers to the Business.
• Supports, !replaces Business
• Security will not mature past the business' maturity level
• Be realistic about what you want to achieve
• Schedule time for firefighting
• Develop little plans, achieve each, build on top of them
• Be realistic. You're probably not one of China's targets.
• Security through simplicity. Easy to verify and audit.
• ID existing processes. Improve with security.
• Ad-hoc environment == ad-hoc security programme
• Match people to roles and tasks. What and how are things done? Negotiate ownership of systems and processes. Who does what?
• RACI matrix
• Set and communicate expectations on all sides
• The Business is the hook for everything
• Be realistic. Don't use FUD or scare tactics.
• Recruit help. Communicate plans.
• Make the SA the liason. Find out what they do. Make a checklist. Insert security protocols into that list. Automate provisioning where you can.
• Workstations get secured by attrition - part of the hardware refresh lifecycle.
• Identify and use hand-offs of tasks.
• Swim lane flowcharts
• Identify where security fits in best
• Identify mitigation strategies
• Know your environment. If you don't, do it. Nmap. Netviz. Something!
• Nmap results -> Nessus -> Visualization
• Zenmap will make visual network maps for you
• ID endpoints and uses
• Categorize users by what they do. Use that to ID sensitive data, architect networks appropriately.
• Perl script -> Nmap output diff
• Centralize sensitive services
• Network segmentation works. Use it.
• Go outside in to establish a perimeter.
• Group endpoints based on roles, risks, exposures, trust levels. Do it somehow.
• Requires knowing what you have. Get organized!
• Build security zones around those groups.
• If systems don't need to talk, isolate them.
• For each zone, what risks do each face?
• Deny by default. DPI the rest.
• Log everything you can't DPI.
• Normal operation comes first.
• Exceptions should be documented and approved.
• Internal firewalls. Protocol enforcement. ID/PS. Netflows. DPI. File extraction and analysis.
• Netflows -> traffic patterns. ID anomalies.
• File extraction: IDs executables on the wire, write to disk, scan and examine.
• Central logging
• Figure out how to re-organize everything
• Migrate everything into appropriate zones
• Build all new stuff in secure environments
• Cross as few security zones as necessary.
• Host based firewalls work. Use them.
• "If you can't talk to it, you can't hack it."
• Back everything up. Snapshot VMs.
• Automate account provisioning.
• If you can do SSO, do it.
• Disable once, disable everywhere.
• Standard desktop image. Least privilege. NO LOCAL ADMINS! Centralized administration. Enable automatic updates; OS killing patches are rare.
• Microsoft WSUS is free. Use it. It lets you patch by groups for testing. Test before rollout. Can also roll patches back. AV is better than nothing; use it anyway.
• Use EMET for additional defense. Hardens apps by injecting itself into the memory field.
• MAC filtering at the switch.
• Nmap portscan -> Nessus -> Daily reports.
• MBSA on Windows boxen
• Automated log review. What and who comes from where?
• Log and analyze dropped packets. Means stuff is talking to things that they shouldn't.
• Event logs from privileged accounts
• Snort with