Bryan Owen

Cyber Security ‘buzz’ @VCL12 (part 2) – Hands On Labs

Blog Post created by Bryan Owen on Dec 6, 2012

Three very different cyber security hands-on labs were offered at VCL12:

  • Improving the Security of your PI System Infrastructure: Whitelisting, Firewalls, & Windows Core (Level 100)
  • Security for PI System Administrators (Level 200)
  • Web Application Security: Introducing the OWASP Tools (Level 300)

Whitelisting, Firewalls, & Windows Core

Every workstation was busy for Jim Davidson’s Improving the Security of your PI System Infrastructure class. As an extra surprise, many folks were getting their first look at Windows Server 2012!

Jim started with a primer explaining application whitelisting and why this approach is strongly recommended by OSIsoft and other reputable sources (e.g. SANS and the Australian Defence Signals Directorate). The class then began to explore various configurations of Windows AppLocker.

Exercising automatic rule generation was a snap. The most tedious part was assigning the rules to specific groups. For instance, the rules required for a PI System Manager were generated by scanning the PI and PIPC folders and then granted to a Windows group corresponding to PI System Managers. Finally you set the rule enforcement options. We chose to audit AppLocker by logging any rule exceptions rather than enforcing immediately; this step helps you verify that AppLocker won’t interfere with normal operation before you switch enforcement on.
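The same sequence (scan the PI folders, generate rules, grant them to a group, audit before enforcing) as an added PowerShell example. This is not the lab’s own script; the install folders, the group name CONTOSO\PI System Managers and the policy file path are assumptions, and it must run in an elevated PowerShell on Server 2012 or later.

```powershell
# Added example, not from the VCL12 lab manual. Generates AppLocker rules for the PI
# binaries, scopes them to a PI System Managers group, and applies them in AuditOnly
# mode so that gaps show up as event log entries instead of blocked applications.
Import-Module AppLocker

# Assumed lab values: adjust to the real PI install folders and Windows group.
$piFolders = @('C:\Program Files\PI', 'C:\Program Files\PIPC')
$managers  = 'CONTOSO\PI System Managers'
$policyXml = 'C:\Policies\PI-AppLocker-Audit.xml'

# 1. Automatic rule generation starts from a scan of the folders for EXEs, DLLs and scripts.
$fileInfo = foreach ($dir in $piFolders) {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script
    }
}

# 2. Build the rule set. Signed files get publisher rules, unsigned files fall back to
#    hash rules. -Optimize collapses overlapping rules, and -User is the step that
#    grants the whole set to the PI System Managers group. -Xml returns the policy text.
$xml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
           -User $managers -RuleNamePrefix 'PI' -Optimize -Xml

# 3. New rule collections come out as EnforcementMode="NotConfigured". Flip every
#    collection to AuditOnly before the policy is applied anywhere.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null
Set-Content -Path $policyXml -Value $xml -Encoding UTF8

# 4. Dry run against the policy file: list any PI executable a group member could
#    not run under these rules. An empty result is what you want to see here.
Get-ChildItem 'C:\Program Files\PIPC\bin\*.exe' |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User $managers -Filter Denied, DeniedByDefault

# 5. Merge into the local policy (use -Ldap instead of -Merge on the local policy to
#    target a GPO). Nothing is audited or enforced unless the Application Identity
#    service is running.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 6. After a normal operating cycle, review what audit mode would have blocked
#    (event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log).
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```

New-AppLockerPolicy only writes rules for the files it scanned, so the default rules (allow everyone to run from the Windows and Program Files folders, allow administrators to run anything), created from the AppLocker console, must also be present; otherwise the audit log fills with 8003 events for the operating system itself. Once the Audited set stays empty through a full operating cycle, changing AuditOnly to Enabled in the policy file and re-applying it is the switch to enforcement.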

An interesting part of the Windows Firewall lab was enabling outbound rules. Blocking outbound network traffic by default goes a long way toward containing post-exploitation activity, especially when the attack relies on outbound access to download additional payload.
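The outbound block-by-default configuration as an added PowerShell example (NetSecurity module, Server 2012 or later). It is not the lab’s script: the domain controller subnet, the PI server address, the PI interface executable path and the rule names are assumptions, and TCP 5450 is the usual PI server listener, so adjust it to your own build.

```powershell
# Added example, not from the VCL12 lab. Switches Windows Firewall to block outbound
# traffic by default, then allows only what a PI interface node has to reach.
# Run from the console (or with a remote management rule already in place): the
# default-action change takes effect immediately.
Import-Module NetSecurity

# Assumed lab values.
$dcSubnet    = '10.0.1.0/24'                                       # domain controllers
$piServer    = '10.0.2.10'                                         # PI server address
$piInterface = 'C:\Program Files\PIPC\Interfaces\OPCInt\OPCInt.exe' # PI interface binary
$piPort      = 5450                                                 # PI server TCP port

# 1. Block inbound and outbound by default on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Outbound allow rules, narrowed to destination and (where possible) program.
#    Domain services only to the domain controllers: DNS, NTP, Kerberos, RPC, LDAP,
#    SMB, LDAPS, global catalog and the dynamic RPC range.
New-NetFirewallRule -DisplayName 'PI-Out DNS/NTP/Kerberos UDP to DCs' -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 53, 88, 123 -RemoteAddress $dcSubnet -Profile Domain
New-NetFirewallRule -DisplayName 'PI-Out AD TCP to DCs' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 88, 135, 389, 445, 636, 3268, '49152-65535' `
    -RemoteAddress $dcSubnet -Profile Domain

#    The interface's single application-level dependency: its PI server. Tying the rule
#    to the program means a dropped web shell or stager on the same box gets nothing.
New-NetFirewallRule -DisplayName 'PI-Out interface to PI server' -Direction Outbound `
    -Action Allow -Program $piInterface -Protocol TCP -RemotePort $piPort -RemoteAddress $piServer

# 3. Everything else, including a payload download or beacon, is now dropped.
#    Log the drops so missing allow rules are found during testing rather than at 3 a.m.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 4. Verify the effective default actions and the outbound allow rules that remain.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object DisplayName -like 'PI-Out*' |
    Get-NetFirewallPortFilter
```

Windows ships with its own predefined outbound allow rules (the Core Networking group among them) that stay enabled after the default action changes, so review `Get-NetFirewallRule -Direction Outbound -Enabled True` as a whole, not just the rules added here. Patch management (WSUS or Windows Update) needs its own narrow rule, and %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log is where every DROP will appear while you tune the list.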

Jim saved one more surprise for the Windows Core exercise. Server 2012 has a command to add or remove the desktop GUI (most of us didn’t hit Enter, since it takes a while). Still, converting to ‘core’ has never been easier! Server Core remains a top recommendation for improving the security of your PI System infrastructure.

Security for PI System Administrators

PI System security is no small task and the exercises in this lab focused on security tools and scripting to help manage the hundreds to thousands and potentially millions of related settings. No wonder this lab garnered an encore session.

We started by working with the official security baselines provided by Microsoft’s free Security Compliance Manager (SCM) tool.  While SCM is very useful for compliance documentation and security hardening tasks, the effort is still significant. This is another proof point supporting Windows Core as the quick and easy approach for a secure PI System server platform.

Our approach uses scripts and utilities to examine security settings embedded in various application and database stores.  The lab highlights scripts driving the recently updated ‘Bandolier’ audit checks.  Anyone using ‘Bandolier’ should welcome the lab manual as useful documentation for the PI scripts.

This lab also introduced PowerShell as the successor technology for PI System management scripts. My intention is to sponsor a vCampus community project as the official home for the ‘Bandolier’ PI scripts. Knowing Mathieu and crew, it won’t be long before all these scripts are available as cmdlets! Thank you in advance, vCampus contributors.

Introducing the OWASP Tools

Most folks don’t come to vCampus Live to learn how to hack. We were compelled to make an exception this year in the context of incident response to the breach of the OSIsoft partner website.

This lab seemed to attract a tight-knit crowd (perhaps it was the focus on a web application, or the intensity of 300-level materials). Imagine my surprise when we learned to hack a web site using a single keystroke!

Once the bug was found it was only natural to see what could be done with it. We followed along as tips from the SQL injection cheat sheet were demonstrated against an image of our vulnerable web site.

Now that the audience was hooked they were guided into the world of OWASP.  Lab machines were loaded with SamuraiWTF and each tool of the web testing framework was introduced. The materials from OWASP include test applications to help understand different classes of defect.

The question I remember most: Is it okay to do this on the internet?  The answer came in a chorus of Nooo!

Outcomes