The Ides of Security – episode 1903: Hail Caesar!
I’m following up on my promise to get these periodic (ideally monthly) missives into a place you can reach them without searching your email inboxes (or recycle bins). Enter the Ides of Security, archived on the ACNS security page (you found your way here, but for convenience here’s the link: //www.acns.colostate.edu/security-blog/).
This month’s title echoes the name of this blog series: the Ides of Security. The world remembers the Ides of March because of Brutus and Julius Caesar (honestly, because of Shakespeare). But the Ides of any month in the Roman calendar was the middle of the month, originally determined by the full moon. As such, it was a time for festivals, holidays, and other important social occasions.
My thinking is that this blog can be another important social occasion at CSU: the opportunity to convey not only the periodic warning or update, but also a place to go for a review of where we stand on security. So here are some things I won’t burn a lot of time with at the next Subnet Managers meeting, but which are nevertheless important to know. This month I’ll just go with an outline format so you don’t have to stare at this in PowerPoint. If you have questions about acronyms, or just want to chat about any of these, feel free to email!
* Windows 7 EOL 1/14/2020 — 294 days, then it needs to be gone
– or request a (rare) exception, just like we do for XP
– only for situations that can’t be upgraded (scientific equipment, etc.)
– and in those cases, need a network firewall (not the Windows firewall)
* What is ‘adequate’ web server security?
– Before even getting into complicated policies, what’s a baseline?
– Protocols: TLS v1.2 only (no SSLv2, SSLv3, TLS 1.0, or even TLS 1.1)
– Certificate: not self-signed, not expired, complete chain (root and intermediate), >= 2048-bit DH primes
– Externally hosted sites: Please request these from vendors too.
– Ready for TLS 1.3?
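To turn that baseline into something you can run against your own server, here is an added example (not ACNS tooling, and not from the post) that probes one HTTPS endpoint with Python’s standard ssl module and reports which baseline items fail; the policy rules in evaluate() are my reading of the outline, the hostname is whatever you pass on the command line, and DH prime size is not checked because the ssl module does not expose it.

```python
"""Audit one HTTPS endpoint against the baseline above: TLS 1.2 (or 1.3)
only, certificate not self-signed, not expired, and chain verifiable.
Added example; evaluate() encodes the baseline as this author reads it."""
import socket
import ssl
import sys
import time

# Protocol versions the baseline says must be off (SSLv2/v3 are already
# gone from modern OpenSSL builds, so they are not probed here).
LEGACY = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}


def evaluate(cert, negotiated, legacy_accepted, now=None):
    """Pure policy check; returns a list of findings (empty = baseline met).
    `cert` has the dict shape returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    findings = []
    if negotiated not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"best negotiated version is {negotiated}")
    for name in sorted(legacy_accepted):
        findings.append(f"server still accepts {name}")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("certificate is self-signed")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("certificate is expired")
    return findings


def _handshake(host, port, version=None, verify=True):
    """Handshake pinned to one version; returns (cert, version) or None."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if version is not None:
        ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), tls.version()
    except (OSError, ssl.SSLError, ValueError):
        return None


def audit(host, port=443):
    """Probe the host and run evaluate(); a bad chain, expired or
    self-signed certificate makes the verified handshake fail outright."""
    good = _handshake(host, port)
    if good is None:
        raise RuntimeError("verified TLS handshake failed: check the chain")
    # Caveat: a failed legacy handshake is evidence only if the local OpenSSL
    # was willing to offer that version; some builds refuse TLS 1.0/1.1 themselves.
    legacy = {n for n, v in LEGACY.items() if _handshake(host, port, v, False)}
    return evaluate(good[0], good[1], legacy)


if __name__ == "__main__":
    print(audit(sys.argv[1]) or ["baseline met"])
```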
* Reminder about minimum OS/browser levels
– Not just for fun; real exploits against older versions
– Starting to enforce these via code on the network
– What is it to be out of support at CSU? Older than:
Windows 10 or 8.1. And 7 for another 42 weeks.
Mac 10.14.4, 10.13.6, 10.12.6 (latest patch of last 3 OS versions)
Linux kernel 5.x (new), 4.20 (latest), 4.4 LTS, 3.16/3.18 LTS (upgrade soon)
iOS 12.1.4 (latest)
Android based on Linux kernel 4.x: Pie (9.0), Oreo (8.0/8.1), Nougat (7.0-7.1.2)
– Browser (maintain latest release):
IE: 11 (and move away from this entirely)
Edge: latest available with OS, auto-update
Safari: latest available with OS, auto-update
ALL: TLS 1.0/1.1 EOL by January 2020 (TLS 1.3 is out!)
Note: Chrome v73, Firefox v65 support TLS 1.3
* We’re waiting for the 2019 version of the Verizon Data Breach Incident Report. In the meantime, some reminders from the 2018 version:
– Email is by far the most common malware vector
– Stolen credentials = the leading cause of ALL breaches
– 4% of people will click on any given phishing campaign (no matter what we do)
– Ransomware had a huge spike (yeah, we know – remember CO DOT?)
– Money is the motivation (mostly)
– DoS is the leading cause of incidents (brief poke in the eye to get something else done)
– Most attacks come from outside
– Education attacks: primarily DoS and server hacking