微淘公众平台推广营销方法详解

SecuringWindowsNetworksSecurityAdviceFromTheFrontLinePresentedbyRobertHensing–PSSSecurityIncidentResponseSpecialist微快车微信营销RevealingHackerPersonasTopSecurityMistakesEveryoneSeemsToMakeSecuringWindowsNetworksStayingSecureSecureWindowsInitiativeSecurityImprovementsinXPServicePack2RevealingHackerPersonasOverview–RevealingHackersPersonasAutomatedvs.TargetedAttacksRevealingHackerPersonasLameSkilledSophisticatedWhyYOUWereSelectedandHowYouGot0wn3dHackerPersonasAutomatedAttacks“Spreaders”or“Scan’nSploitTools”or“auto-rooters”WormsThatDropBotsorTrojansTargetedAttacks0-dayExploitsCustomAttacksthatExploitWeaknessofYourInternetPresenceHackerPersonasLame-~75%ofallintrusionsMotive:WantsyourstorageandbandwidthMethod:Useofspreaders,bots,wellknownexploitsAbilities:LimitedhighlevellanguageabilityPayload:UsuallyFTPservers,backdoorsdisguisedasa‘clever’servicename“TCP/IP”serviceor“SystemSecurity”service“MicrosoftISAServerCommonFiles”serviceHackerPersonasSkilled-~24%ofallintrusions?Motive:Wantstoexploreyournetworkanduseyourstorageandbandwidth,wantstoavoiddiscoveryasmuchaspossible.Method:CustomizedintrusionbasedonidentifiedvulnerabilitiesformultipleoperatingsystemsorapplicationsAbilities:AdvancedHLL,someASMPayload:FTPservers,keyloggers,backdoors,sniffers,passworddumpersHackerPersonasSophisticated-1%ofallintrusions?Motive:Wantsyourmoneyoryoursecret/confidentialdataMethod:Cancustomizeintrusionbasedonanynumberofidentifiedvulnerabilitiesforavarietyofoperatingsystemsandapplications,possiblyusing0-dayexploitsAbilities:AdvancedHLL,AdvancedASMPayload:Rootkits,asinglebackdoorDLL,extortionletter!HackerPersonasWhyyouwereselectedandhowyougot0wn3d...Oddsaregreatyouwere0wn3dbyalamerYouwereeasilyidentifiedasaWindowshostthroughasimpleport-scan(nofirewall)Youareonabigfatpipe(possiblyhosted)YouhaveweakpasswordsormissingsecuritypatchesduetomissingorineffectivesecuritypolicyDemonstrationWindowsRootkit–HackerDefenderTopSecurityMistakesEveryoneSeemsToMakeTopSecurityMistakesWeakornon-existentpasswordpolicyNoauditpolicySporadicsecuritypatchpolicyPatchingtheOS,butnottheappsWeakornon-existentfirewallpolicyNoegressfilteringNoknowledgeofsecurelybuildinganewboxwhichleadstoHacked?Rebuild!HackedAgain!?HowToEndTheCycleofViolenceInstallfromslipstreamedsourceDon’thaveone?Makeone!Patchorenableahostbasedfirewall(orboth)andthenconnecttothenetworkDon’tusethepreviousadminpasswordIncludingtheSQLSApasswordDon’tsharelocaladminpasswordsacrossOSinstallationsLeadstoexploitonce,runeverywherePatchtheapplications(SQL,IIS,Exchangeetc.)SecuringWindowsNetworksOverview–SecuringWindowsNetworksSystemAdministratorPersonasAnexampleofwhatnottodoThreats&Countermeasures–PruningTheLowHangingFruitSystemAdminPersonasDefaultSkilledSophisticatedSystemAdminPersonasDefaultPutsserversrightontheInternetwithnofirewallRunsacoupleservicepacksbehind(N-2)anddoesn’tknowhowtokeepuptodatewithsecuritypatchesNopasswordpolicyNoauditpolicyAlldefaultconfigurationsandsettings(alldefaults,allthetime)SystemAdminPersonasSkilledUsesInternetIP’s,buthasrouterACL’sLatestOSSP,allOScriticalupdates,hasn’tpatchedtheapplicationsinawhileifatall6characterpasswordswithaccountlockoutsOnlyauditslogoneventsandmonitorsforaccountlockoutsbycheckingeventlogsperiodicallySuspiciousofdefaultsettingsPerformedsomeOShardeningbyhand–didn’thardentheapplicationsthoughSystemAdminPersonasSophisticatedUsesafirewallwithNATandingress/egressfilteringUsesanIDS/IPSintheDMZnetworkEnsurescriticalsecuritypatchestestedanddeployedin24hourswithrollbackplan12characterpasswords,notsharedanywhere,noaccountlockout,mayuse2-factorauthNAuditseverything,archivesauditlogsdailyHardenedOSusingsecuritytemplates/grouppolicy,hardenedapplicationsWhatNotToDo...ConfigureyoursystemwithanInternetroutableIPaddressRunmultipleapplications/servicesononeboxActiveDirectory,IIS,SQL,Exchange,PCAnywhere,3rdpartysoftwareAvoidinstallingpatchesDon’thaveapasswordpolicyWhataretheoddsthatsomeonewouldguess‘666’ismyadminpassword?Ifyoudothis,here’swhatthehackerssee...Threats–LowHangingFruitOverviewNULLSessionEnumerationPassword/AccountLockoutAttacksPasswordHashAttacksRemoteCodeExecutionVulnerabilitiesPhysicalAttacksUnauthorizedNetworkAccessTheVPN“firewallbypass”ServerThreat-NULLSessionEnumerationUnderstandingthe‘NULL’userNetworkconnection,usuallyusingNetBIOSTCP139inwhichnocredentialshavebeenpassed.Networktokengetscreatedontheserverfortheclient,‘Everyone’SIDgetsaddedtothetokenTokencannowenumeratesensitiveinformationusingtheNet*API’sthe‘Everyone’SIDhaspermissionsto!CountermeasuresRestrictAnonymous=2BlockaccesstoTCP139/445StopserverserviceThreat–PasswordAttacks/AccountLockoutAttacksAnyservicesthatexposesauthNprotocolsareatriskforpasswordguessingattacksNetBIOS,SMB,RDP,IIS,FTPetc.CountermeasuresUsestrongpasswordsinsteadofanaccountlockoutpolicy(whichonlyprotectsweakpasswords)Educateadministratorsandusersonhowtocreatestrongpasswords.Blockaccesstoportsthatallowau