(My) BruCON 2015 notes (1)

Adrian Citu

Here are my quick notes from the BruCON 2015 conference.All the slides can be found here.

Nightmares of a Pentester bruCon

The goal is to present some (basic) that the operational security teams (a.k.a Blue Team) can use in order to make the life harder to the pen-testers.

Some numbers about the security breaches :

  • Verizon report: Quantify the impact of a data breach with new data from the 2015 DBIR
  • top 3 industries that are under attack: public sector, it sector, financial services
  • 70% of the attacks are targeting a second victim; so the first victim is a step stone to reach the target
  • 90% off the incidents have as root cause the peoples (the weakest link).

Good security programs are built in and not bolt on.

External defenses tips and tricks:

Don’t talk to strangers:

  • implement blocks from all the emerging cyber-threats lists.
  • reject specific user agent strings.
  • ban the port scanning.

If you are going to talk be sure to know who is it

  • disable smtp/verify/validation.
  • analyze the certificates and (external) domain age.
  • use SPF for the email validation
  • use DNS analysis
  • don’t forward DNS

Internal defenses tips and tricks:

Your internal network is an hostile environment; treat it as such

  • monitor inside more than outside.
  • segmentation of all servers from users.
  • never use VPN pools; always tie a user to a specific IP address.
  • remove your network default route.
  • intercept all http/s requests.

Users have the ability to use the company resources

  • white-list the approved and managed software.
  • disallow local admin privileges.
  • users should only be allowed to go to categorized sites; any other traffic must be denied.
  • host based firewals, ids and behavioral analysis.
  • scans all hosts for vulnerabilities on a regular basis.
  • randomize all the local admin passwords.

Servers have specific purposes

  • do not install workstation software.
  • manage updates centrally.
  • segment the servers.
  • standards images should have no additional services installed.
  • do not allow the use of local account to log in remotely.