The touchdown task for June is to perform a quick and dirty check of your ongoing external vulnerability assessment. By now, you should have your Internet facing systems assessed each month, with weekly or daily checks applied to critical systems. If you aren’t having your systems assessed for vulnerabilities in an ongoing manner, get that process started. MSI can assist you with this, of course.
But, the task for June is to check and make sure that ALL of your public Internet facing systems, interfaces and devices are being assessed. Sometimes new systems might get added to the public IP space without making it into your assessment plan. Take an hour and check to make sure all the devices you know of are covered by the assessment. Do some quick ping/port scanning to make sure you are getting coverage and nothing has snuck in that is being missed. Give your assessment process a quick review and make sure that it is running on the proper IP spaces or lists and that the reports are as you expect.
Until next month, stay safe out there!
The touchdown task for May is a quick and dirty egress filtering audit. Take a look at your firewalls and make sure they are performing egress filtering (you do this, right? If not, make it happen now ~ it’s the single most effective defense against bot-nets). Once you know egress is in place, give a once over to the firewall rules that enforce it. Make sure they are effective at blocking arbitrary ports, outbound SSH, outbound VPN connections, etc. Verify that any exposed egress ports are to specific IPs or ranges. If you find any short comings, fix them.
Also take a look and make sure that violations of the firewall rules are being alerted on, so your team can investigate those alerts as potential infection sites.
Lastly, check to make sure that you have egress controls for outbound web traffic. You should be using an egress proxy for all HTTP and HTTPS traffic. Yes, you should be terminating SSL and watching that traffic for signs of infection or exfiltration of sensitive data. Take a few moments and make sure you have visibility into the web traffic of your users. If not, take that as an immediate project.
That’s it. This review should take a couple of hours or so to complete. But, the insights and security enhancements it can bring are HUGE.
Until next month, thanks for reading and run for the goal line!
April’s touchdown task for the month is a suggestion to update your contact list that you should have included in your incident response policy.
A few minutes now to make sure the right people are in the list and that their contact information is current could pay off largely down the road. It might also be a good time to check to make sure your contact process has been updated to include SMS/texting, Skype and/or other supported technologies that may have not been around when your policy was last updated.
This month’s Touchdown Task is to help you with detection and response. For March, we suggest you do a quick controls review on your firewall logs. Here’s some questions to begin with:
- Are you tracking the proper amount of data?
- Are the logs archived properly?
- Do you have IP addresses instead of DNS names in the logs?
- Are the time and date settings on the logs correct?
- Is everything working as expected?
Undertaking a different quick and dirty Touchdown Task each month helps increase vigilance without huge amounts of impact on schedules and resources. Thanks for reading!
The holidays are right around the corner. Use some cycles this month to make sure your IT support and infosec teams have a plan for providing coverage during the holiday season.
Does your help desk know who to call for a security incident? Do they have awareness of what to do if the primary and maybe even secondary folks are out on holiday vacation? Now might be a good time to review that with them and settle on a good plan.
Planning now, a couple of months before the holiday crush, just might make the holiday season a little less stressful for everyone involved. Create your plan, socialize it and score a touchdown when everyone is on the same page during the press of the coming months!
Our last Touchdown task was “Identify and Remove All Network, System and Application Access that does not Require Secure Authentication Credentials or Mechanisms”. This time, it is “Detection”.
When we say “detection” we are talking about detecting attackers and malware on your network.
The best and least expensive method for detecting attackers on your network is system monitoring. This is also the most labor intensive method of detection. If you are a home user or just have a small network to manage, then this is not much of a problem. However, if your network has even a dozen servers and is complex at all, monitoring can become a daunting task. There are tools and techniques available to help in this task, though. There are log aggregators and parsers, for example. These tools take logging information from all of the entities on your system and combine them and/or perform primary analysis of system logs. But they do cost money, so on a large network some expense does creep in.
And then there are signature-based intruder detection, intruder prevention and anti-virus systems. Signature-based means that these systems work by recognizing the code patterns or “signatures” of malware types that have been seen before and are included in their databases. But there are problems with these systems. First, they have to be constantly updated with new malware patterns that emerge literally every day. Secondly, a truly new or “zero day” bit of Malware code goes unrecognized by these systems. Finally, with intruder detection and prevention systems, there are always lots of “false positives”. These systems typically produce so many “hits” that people get tired of monitoring them. And if you don’t go through their results and winnow out the grain from the chaff, they are pretty much useless.
Finally there are anomaly detection systems. Some of these are SEIM or security event and incident management systems. These systems can work very well, but they must be tuned to your network and can be difficult to implement. Another type of anomaly detection system uses “honey pots”. A honey pot is a fake system that sits on your network and appears to be real. An attacker “foot printing” your system or running an exploit cannot tell them from the real thing. Honey pots can emulate file servers, web servers, desk tops or any other system on your network. These are particularly effective because there are virtually no false positives associated with these systems. If someone is messing with a honey pot, you know you have an attacker! Which is exactly what our HoneyPoint Security Server does: identify real threats!
Undertaking this Touchdown Task is relatively easy and will prove to be truly valuable in protecting your network from attack. Give us a call if you’d like us to partner with you for intrusion detection!