Im often curious what other security folks do to keep their machine safe when they go to IT conferences. I often see what looks like standard office machines being used and wonder if any precautions have been taken.So heres what I do and Id love to find out what other measure you take.
Im about to spend a few days a large security conference, so Im just putting the finishing touches to laptop Im taking with me. As I dont have any real needs beyond email, typing notes and web browsing, its a simple job of installing a clean OS and a couple of must have applications*. In keeping with Joels previous Diary, it took the duration of some reality TV show to install all the various patches for these apps to be up to date.
Now this is where I then go through my normal additional hardening steps. This OS happens to be Windows 7, so I disable a bunch of services, kill IPV6 services, gleefully disable hibernation and add in a gaggle firewall rules (or should that be an annoyance of firewall rules?).
The last thing I do make a record of clean state of the computer. This is the part Im assuming most companies have if they have managed operating environments (MOE) or standard operating environments (SOE) as this is such an easy thing to do andprovides a trusted baseline for the security teams to compare against.
In Windows theres a bunch of ways to ask the computer whats running, what services and software is installed, but I like PowerShell so heres a quick and dirty way to get the info and save it to a file.
From a PowerShell prompt:
gp HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |Select DisplayName, DisplayVersion, Publisher, InstallDate, HelpLink, UninstallString | out-file c:build\base.txt
Get-Process | sort company | format-Table ProcessName -groupby company | out-file append c:build\base.txt
Get-service * | out-file append c:build\base.txt
This gives me three pieces providing a baseline** of the system.
Im now ready to skip from vendor booth to vendor booth, keen to look at their product case studies conveniently on handy novelty USB devices, while surfing the web on freely provided Wifi doing on-line banking, checking todays nuclear launch codes and wondering why I keep seeing Loading Please Wait when clicking on links in emails from people Ive never heard of. - Although this is an attempt at humour (note attempt) having a baseline of the clean machine allows me to identify the more obvious signs of something bad happening to my system.
If I do feel a disturbance in the force or the laptop does something odd, I can re-run my simple PowerShell commands (with a different output name) and look for changes.
#Comparing in PowerShell
Compare-Object -referenceobject $(Get-Content c:build\ base.txt) -differenceobject $(Get-Content c:build\new.txt)
That gives me a quick indication if some has changed on my systems (barring root kits) and if I need to worry about.
Let me know what you do or don't do when taking your system to a conference.
* I cant say Im a big fan of live CD/DVD/USB, I see their uses, but they get out of date, especially the browsers, far too quickly.
**If you want to get more fancy with the base snapshot, its pretty easy to script that out to include registry keys, firewall rules and even files in directories with cryptographic hash.
Chris Mohan--- Internet Storm Center Handler on Duty
Im mentoring SANS Hacker Guard 464 class in Sydney on the 7th of August - SysAdmins, this is for you! https://www.sans.org/mentor/class/sec464-sydney-aug-2012-mohan
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.