Hi, I'm Justin Massey and I'm a Penetration Tester from Coalfire Labs. Today we'll be discussing security operations.

Security operations are typically defined in a security policy and include your common buzzwords, such as the principle of least privilege and patch management. Unfortunately, in many organizations this policy is poorly implemented and thus increases the overall risk. For example, a company policy may read: all employees are only permitted user access, and no administrator or root privileges are granted unless they are a system administrator. However, users are bugging the system administrator to install software on their local machines, and he begins to grant the user local administrator access to make his job easier. The employees are now free to install whatever software they wish, and oftentimes this leads to malware being installed on workstations. Furthermore, this can lead to devastating impact on the organization, such as CryptoLocker encrypting all of the shared drives which the domain user has write access to. It is absolutely necessary for the security team to audit the user permissions and assure the principle of least privilege is being implemented correctly.

Another important role of security operations is to ensure sensitive information is properly identified, handled and secured. Also, when sensitive data is no longer needed for business purposes or required by law, it is necessary to destroy the information. The concept is great, but could be difficult to implement. If all system information is stored in one location, one can review the data and determine if it should be destroyed. In our current day of computing, this is not the case. Sensitive data can often be stored on individuals' computers rather than a database where it can be easily queried.
For example, a comptroller of an organization is required to run tax reports at the end of each year and stores the W-2s on a mapped network drive for easy access when needed. The comptroller continues to store them in this location each year for the years to come. If this drive is compromised, the personally identifiable information of the employees is attained by the threat agent and exfiltrated to engage in tax fraud against all of the employees. Educating the employees about proper data handling is a must for all organizations.

Media management is yet another security nightmare for organizations. Employees have the need to move data to and from their work location, and an easy way to do this is by USB flash drive. Unfortunately, no encryption mechanism is built into the hardware, and the operating systems also do not support any encryption by default. For your average user, this means that the data stored on the flash drive is in clear text and readable by anyone who can obtain the flash drive.

There are many other examples of security operations, but the underlying problem lies within the implementation of the policy. Audits are necessary to ensure the policy is being implemented properly, but the audit must be inclusive of all assets, and not only where the company thinks the data may reside. As part of the audit, it may be necessary to complete a vulnerability assessment and correlate it to prior years' assessments, review default configurations, and scrutinize the change management logs. With all this being said, a well-implemented security operation starts with training the users and system administrators, and ends with the same people properly following those clearly defined procedures.
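The lecture's first point, that the security team must audit user permissions to catch ad-hoc local administrator grants, is shown below as an added example (my own code, not the lecturer's or Coalfire's): it pulls the local Administrators group membership from a list of workstations and flags any member that is neither the built-in Administrator account nor on an approved list. The host names and the approved principals are placeholders, and it assumes Windows PowerShell 5.1 with the LocalAccounts module on the targets and WinRM access to them.

```powershell
# Added example, not from the lecture: report local Administrators group
# members on a set of workstations that are not on an approved list, so
# "just make them a local admin" grants surface in the audit.
# Assumes Windows PowerShell 5.1 (LocalAccounts module) on the targets,
# WinRM enabled, and rights to query them. Host names and the approved
# list below are placeholders to replace with your own.

$Workstations = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')

# Principals allowed to be local administrators on every workstation,
# written in the DOMAIN\Name form that Get-LocalGroupMember reports.
$Approved = @('CORP\Domain Admins', 'CORP\Workstation Admins')

$Findings = foreach ($Computer in $Workstations) {
    try {
        $Members = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
            # Resolve the SID to a string on the remote side so it survives serialization.
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, @{ n = 'SID'; e = { $_.SID.Value } }
        }
    } catch {
        # An unreachable host is itself a finding: the audit must cover all assets.
        [PSCustomObject]@{ Computer = $Computer; Member = '<unreachable>'; Class = ''; Status = 'ERROR' }
        continue
    }
    foreach ($m in $Members) {
        # The built-in local Administrator account always has a RID of 500.
        $IsBuiltIn = $m.SID -like '*-500'
        [PSCustomObject]@{
            Computer = $Computer
            Member   = $m.Name
            Class    = $m.ObjectClass   # User or Group
            Status   = if ($IsBuiltIn -or ($Approved -contains $m.Name)) { 'approved' } else { 'UNEXPECTED' }
        }
    }
}

# UNEXPECTED rows are the ones to raise with the system administrator.
$Findings | Sort-Object Status, Computer | Format-Table -AutoSize
$Findings | Export-Csv -Path .\local-admin-audit.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run so that newly added local administrators stand out rather than blending into the full list.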