Lessons learned from the WRCCDC Invitational 12-3-16
The boxes you are given are not only insecure, they are misconfigured and broken. So the first step is to fix them so the required services are up and figure out how they interoperate. This must happen before you start securing them.
In our case, the students rushed to secure the boxes by adding firewalls, terminating unused services, and changing passwords, only to end up with apps that didn't work. We then spent most of the time trying to figure out what was wrong.
We did not properly use the week of preparation access to the machines to map out all the required services, and how they depended on one another. We should have gone into the event with these items already printed out:
- A network diagram showing all connections and services used
- A list of all dependencies among the servers, such as how the web app connected to the database server
- A list of all ports that needed to be open on each box
- Step-by-step instructions to TEST all required services and ensure that they are working
- Step-by-step instructions to implement very basic security on the boxes: simple firewall rules, changing passwords, and disabling extra accounts.
Before the event started, we should have rehearsed this process:
- TEST all systems
- SECURE all systems
- TEST them again
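One concrete form the TEST step can take, added here as an example and not part of the original post: compare the ports each box must expose (from the prep checklist) against what is actually listening, so the same script flags both a broken required service and an unneeded exposed one. The required-port list, the box name and the `ss -ltnH` output below are constructed samples.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Compare the required ports for a
# box against its actual listeners. Run once before hardening and once after.

# Required ports for a hypothetical "web01" box: ssh plus the web app.
REQUIRED_PORTS="22 80 443"

# Constructed sample of `ss -ltnH` output; on a real box use: ss -ltnH
# Column 4 is Local Address:Port.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# listening_ports: unique port numbers from ss-style lines on stdin,
# returned as one space-separated line (works for IPv4 and [::] forms).
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un | xargs
}

# missing_ports REQUIRED LISTENING -> required ports that are not listening
# (a service is down or was broken by the hardening step)
missing_ports() {
    local out="" p
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) out="$out $p" ;; esac
    done
    echo "${out# }"
}

# unexpected_ports REQUIRED LISTENING -> listening ports not on the required
# list (candidates to stop or block with the firewall)
unexpected_ports() {
    local out="" p
    for p in $2; do
        case " $1 " in *" $p "*) ;; *) out="$out $p" ;; esac
    done
    echo "${out# }"
}

# audit_box REQUIRED LISTENING -> prints findings; returns 0 only when the
# box exposes exactly the required ports
audit_box() {
    local miss unexp
    miss=$(missing_ports "$1" "$2")
    unexp=$(unexpected_ports "$1" "$2")
    [ -n "$miss" ] && echo "BROKEN: required port(s) not listening: $miss"
    [ -n "$unexp" ] && echo "EXPOSED: stop or firewall: $unexp"
    [ -z "$miss" ] && [ -z "$unexp" ]
}

if audit_box "$REQUIRED_PORTS" "$(printf '%s\n' "$SAMPLE_SS" | listening_ports)"; then
    echo "web01: OK"
else
    echo "web01: fix the findings above, then re-run this check"
fi
```

With the sample input the script reports 443 as missing and 3306 as exposed; rerunning it after the SECURE step confirms that the firewall rules did not take a required service down with them.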
Posted 12-4-16 by Sam Bowne