170 likes | 327 Views
Stanford IT Security Program. Re-aligning IT security to a modern threat environment. University IT Security. Firewalls VPN for off campus access Kerberos Encryption required for sensitive data Central AV/patching services Controlled access to data centers
E N D
Stanford IT Security Program Re-aligning IT security to a modern threat environment
University IT Security • Firewalls • VPN for off campus access • Kerberos • Encryption required for sensitive data • Central AV/patching services • Controlled access to data centers • But few central mandates and low visibility
Our Wake-Up Call,A Visit From Uninvited Guests Phishing Vulnerable services Poor credential hygiene Pass-the-Hash
Security Event Manager Data stored everywhere Consolidated
Phishing → Multifactor • Existing multifactor system • Moving to Duo to cover more devices/scenarios
Reducing Vulnerable Services / Machines (Part 1) • Eradication of Windows XP • Prioritized retirements of Windows Server 2003 R2 • Expansion of existing Whole-Disk encryption project
Pass The Hash – One Scenario Oh, Dear! Let me log in remotely and see what’s wrong. Helpful Help Desk Important Server My Computer is acting funny New credentials detected, where can I get to now? Unsuspecting User
Pass The Hash – Another Scenario Development Server Production Server Domain Controller
Personal Bastion Hosts • No inbound communications allowed / Limited outbound • Very strict application whitelisting rules • No DMA-based external interfaces • Whole disk encryption (TPM + PIN/Password) • Trusted vendor
Reducing Vulnerable Services / Machines (Part 2) • EMET (4.0 -> 5.0) • Application Whitelisting • Qualys • Compliance Registry • Network Access Control You must be THIS tall to connect!
Miscellaneous Projects • Replacement of SPAM/AV filtering for inbound email • Replacement of DLP system for outbound email • Replacement of the campus emergency alert system
Physical Security • Dramatic decrease in number of cards allowed to access to Data Centers • Replacement/Expansion of camera system.
Future projects in the program • Systems Administrator Training Standards • Systems Administration Practices • Centralized HIDS • Smartcard Implementation