Ideas and tools to stay ahead of the curve
Examples of what other companies are doing for security:
Blackhawk Networks: everything runs off AMI images. Images are immutable; even logging in is not possible.
Docker: the image contains only the services that are needed. Very fast and very simple. Immutable, so nothing is changed in place.
School of Medicine is using attestation, which keeps track of employee information and what each person has access to. Eventually it will also keep track of where all the PHI is stored and who has access to it.
Need a campus database of who is using what.
Treat any anomaly as a possible attack.
Outside of the cloud, what are some other methodologies to minimize impact?
Limit outbound connectivity to reduce egress possibilities: use a proxy server to control outbound access, so a compromised host has to go through a choke point where traffic is logged and filtered.
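As an added example of the egress restriction above (not code from the session or from any of the organizations mentioned), the script below prints an iptables ruleset that lets a host talk only to the egress proxy, one DNS resolver and already-established flows, and logs everything else it tries to send. The proxy and resolver addresses are hypothetical; nothing is applied unless the output is piped to sh as root.

```shell
#!/bin/sh
# Added example: generate iptables OUTPUT rules for a proxy-only egress policy.
# Addresses are hypothetical. Apply with:
#   sh egress.sh 10.0.0.5 3128 10.0.0.53 | sudo sh

egress_rules() {
    proxy_ip=$1; proxy_port=$2; resolver_ip=$3
    # Start clean and default to DROP: anything not listed below is blocked.
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    # Loopback and replies to inbound connections (e.g. the SSH session you
    # are administering from) stay allowed.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Name resolution only to the approved resolver (UDP and TCP).
    echo "iptables -A OUTPUT -p udp -d $resolver_ip --dport 53 -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp -d $resolver_ip --dport 53 -j ACCEPT"
    # All web egress goes through the proxy, where it can be logged and filtered.
    echo "iptables -A OUTPUT -p tcp -d $proxy_ip --dport $proxy_port -j ACCEPT"
    # Log (rate-limited) what the policy drops: a compromised host calling
    # out to a C2 server shows up here instead of silently succeeding.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"EGRESS-DROP: \""
}

# Guard: refuse to emit a ruleset with a missing proxy or resolver, which
# would cut the host off from everything.
egress_rules_checked() {
    if [ "$#" -ne 3 ]; then
        echo "usage: egress_rules_checked PROXY_IP PROXY_PORT RESOLVER_IP" >&2
        return 1
    fi
    egress_rules "$@"
}

if [ "$#" -gt 0 ]; then
    egress_rules_checked "$@"
fi
```

Hosts that need direct outbound access (package mirrors, NTP, the management system in the next note) get their own explicit ACCEPT lines before the LOG rule; the point is that the list is short and every entry is deliberate.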
Centralized management systems (Puppet): easily patch all machines; anything that needs to be done on a machine is controlled by the management system rather than done by hand.
Can't use AWS/Crashplan because PHI can't be stored in the cloud.
School of Medicine will have to have a centralized database of the systems that contain patient data.
Have standards, and verify that people are trained to use them.
By virtue of being on the Stanford network, all of our desktops have more access to other systems on campus, which makes every desktop an attack vector because of the patient data stored in the School of Medicine.
Should have more campus standards and communication. Is there a community of practice for this?
Should work with the ISO to start a dialog on what standards can be added. Can maybe get ahead of the curve by having standards in place first.
Methods of isolating privileged access:
Personal Bastion Host (PBH): sysadmins can access specific servers only from specific laptops. The laptop can't surf, email or do anything other than reach the servers; it is a hardened host, built like a server. The PBH is built as a central management workstation with all the tools on it. No one but the owner can log in. Access is over a VPN with certificates: the owner has specific certificates, is assigned a set of IPs, and can log in only from that PBH, with an account that is not SUNet-related. Only IT/AD work is done from that machine. Never use that password or those credentials for anything other than that ring-0 server.
Run a VM for browser and Internet access and use the physical host only for server access, so the Internet-facing VM never sees server credentials.
Password policy changed: making the password 28 characters long isn't as effective as training users not to fall for phishing attacks.
Don't treat servers as pets, but as cattle: if something isn't right, slaughter it (rebuild from the image rather than repairing it in place).
Microsoft: Privileged Access Workstations, and best practices for AD administration.
Rolling out a new PBH takes about one to two hours: build it from the image, but the user has to set up the certificate.
Complete segregation for the PBH: separate BigFix, WSUS, etc.
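An added example of the server-side half of the PBH model (not code from the session): a privileged account is pinned to the PBH's addresses both in its SSH key and in sshd_config, and an audit function finds admin keys that are not pinned. The account name adm-alice, the PBH addresses 10.20.0.11 and 10.20.0.12, and the public key string are all constructed placeholders; the VPN certificate setup the notes describe is assumed to be in place and is not shown.

```shell
#!/bin/sh
# Added example: pin a privileged SSH account to the Personal Bastion Host.
# All names, addresses and keys below are hypothetical placeholders.

PBH_IPS="10.20.0.11,10.20.0.12"
SAMPLE_PUBKEY="ssh-ed25519 AAAAC3PLACEHOLDERNOTAREALKEY adm-alice@pbh"

# Print an authorized_keys line: the key works only from the listed source
# addresses, "restrict" turns off forwarding/agent/X11, and "pty" re-enables
# the interactive terminal an admin needs.
pbh_authorized_key() {
    ips=$1; pubkey=$2
    printf 'from="%s",restrict,pty %s\n' "$ips" "$pubkey"
}

# Print an sshd_config fragment: the admin account may connect only from the
# PBH addresses, and only with a key, never a password.
pbh_sshd_fragment() {
    user=$1; ips=$2
    allow=$(printf '%s' "$ips" | tr ',' '\n' | sed "s/^/ $user@/" | tr -d '\n')
    printf 'AllowUsers%s\n' "$allow"
    printf 'Match User %s\n' "$user"
    printf '    PasswordAuthentication no\n'
    printf '    PubkeyAuthentication yes\n'
    printf '    AuthenticationMethods publickey\n'
}

# Audit: read an authorized_keys file on stdin and report every key that is
# not pinned with from=. Returns 1 if any were found, so it can fail a check.
unpinned_keys() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            *'from="'*) ;;
            *) echo "unpinned: $line"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample authorized_keys: one pinned key, one leftover laptop key.
SAMPLE_KEYS='# constructed sample
from="10.20.0.11,10.20.0.12",restrict,pty ssh-ed25519 AAAAC3PLACEHOLDERNOTAREALKEY adm-alice@pbh
ssh-ed25519 AAAAC3PLACEHOLDEROLDKEY olduser@laptop
'

if [ "${1:-}" = "demo" ]; then
    pbh_authorized_key "$PBH_IPS" "$SAMPLE_PUBKEY"
    pbh_sshd_fragment adm-alice "$PBH_IPS"
    printf '%s' "$SAMPLE_KEYS" | unpinned_keys
fi
```

Two caveats: once AllowUsers is present, every account not listed is denied, so the server's other legitimate accounts must be added to it before the config is reloaded; and the from= pin only helps if the PBH's addresses are really reserved for it, which is what the VPN certificate and fixed IP assignment in the notes provide.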
Hot-button issues:
Phishing: educate your users.
Legacy apps: if it doesn't need to live, kill it. This needs political willpower; bring in the ISO to help put pressure on retiring older applications. Renew applications to refresh them.
Train people not to keep old files around.
HTTP vs HTTPS: why do you need HTTP at all?
Servers that were decommissioned but left running for months were no longer patched; they were compromised and used to attack everything else.
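The decommissioned-but-still-running servers above are exactly what the campus inventory the notes ask for (who is using what, and which systems hold patient data) lets you catch. As an added example (not from the session), the script below reconciles a constructed inventory CSV against nmap's grepable ping-sweep output and flags two things: hosts marked decommissioned that still answer, and hosts that answer but appear in no inventory at all. The CSV layout and the sample scan lines are constructed for this example.

```shell
#!/bin/sh
# Added example: reconcile a host inventory against a ping sweep.
# Inventory layout (constructed): hostname,ip,owner,status
#   status is "active" or "decommissioned"
SAMPLE_INVENTORY='db01,10.30.1.5,alice,active
old-web,10.30.1.9,bob,decommissioned
files2,10.30.1.12,carol,decommissioned
'

# Constructed sample in the layout of:  nmap -sn -oG - 10.30.1.0/24
SAMPLE_SWEEP='# Nmap scan initiated (constructed sample)
Host: 10.30.1.5 ()  Status: Up
Host: 10.30.1.9 ()  Status: Up
Host: 10.30.1.12 ()  Status: Down
Host: 10.30.1.77 ()  Status: Up
# Nmap done
'

# From grepable nmap output on stdin, print only the IPs that answered.
live_ips() {
    awk '$1 == "Host:" && $NF == "Up" { print $2 }'
}

# Args: inventory CSV file, file with one live IP per line.
# Prints one finding per line:
#   ZOMBIE <ip> <hostname> <owner>   decommissioned on paper, still answering
#   UNKNOWN <ip>                     answering, but recorded nowhere
# Returns 1 if anything was found, so a cron job or CI step can fail on it.
reconcile() {
    inv=$1; live=$2
    awk -F, -v invfile="$inv" '
        FILENAME == invfile { status[$2] = $4; name[$2] = $1; owner[$2] = $3; next }
        {
            ip = $1
            if (!(ip in status)) { print "UNKNOWN " ip; hit = 1 }
            else if (status[ip] == "decommissioned") {
                print "ZOMBIE " ip " " name[ip] " " owner[ip]; hit = 1
            }
        }
        END { exit hit ? 1 : 0 }
    ' "$inv" "$live"
}

if [ "${1:-}" = "demo" ]; then
    inv=$(mktemp); live=$(mktemp)
    printf '%s' "$SAMPLE_INVENTORY" > "$inv"
    printf '%s' "$SAMPLE_SWEEP" | live_ips > "$live"
    reconcile "$inv" "$live"; rc=$?
    rm -f "$inv" "$live"
    exit $rc
fi
```

A ZOMBIE finding is the case in the note: the owner thought the machine was gone, so nobody was patching it. An UNKNOWN finding is the gap the inventory is meant to close; until every host on the segment has an owner and a status, a sweep cannot tell a forgotten server from a new one.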
Change all default passwords.
Don't give the backup account admin rights.
Server Security Response: How to keep ahead of the curve without going nuts
Proposed by Hans Jacobsen
Notes

