“The more things change, the more they stay the same”. Security operations teams continue to be underfunded – their budget is a hard sell to the business because there is no direct and obvious correlation to $$$ until after the worst has happened. As a consequence, the meager staff sifts through an overwhelming sea of information while pulling significantly over 40 hours a week, wishing they knew how to improve their world and wondering what’s coming at them that they aren’t ready for. Over the years in the trenches of the industry I’ve been a worrywart, and I can’t think of the last time I spoke to someone in sec ops who was not in the same boat of wondering what will come up next. Various articles that claim to address this come out from time to time, and as I read through them it reminds me of the various crappy top ten lists on the net. Two-factor authentication – check. Don’t use vendor-supplied passwords – check. I could have been reading off a PCI checklist. Don’t get me wrong, those items absolutely need to be done and are very important – we cover them heavily in our products so I don’t need a website regurgitating them.
I always wanted to see advice that was more geared to throwing a rope down into the trenches to help people like me climb out, instead of just standing up top waving a sign that lists all the current shortcomings. It’s damp and crappy in the trench; I don’t need a life coach to tell me it sucks. Tossing down that rope is going to give me some hope that I can get on top of the situation, and to be honest that frayed rope looks like braided platinum if it can lift me up even a bit.
So, that’s what I’m going to try and tailor my posts to – those things that help people get up the rope a bit. For this spiel I’d like to focus on the low hanging fruit. Let’s start with the script kiddies. Ah, the mystical script kiddies. I am not going to downplay Anonymous or other major hacking groups. You absolutely do have to respect them, as they have hacked into some pretty high profile companies and the last thing you want to be is on their target list. I can just about guarantee, though, that before they bring out their higher-end skills they do a pass with scripts. SCRIPTS. $cr1p+$.
The quality of the free tools available today is downright amazing. With Metasploit (or the whole BackTrack OS, which bundles it) plus nmap/Zenmap (also on that OS), it’s relatively simple to sweep a network for a known-vulnerable service and throw a canned exploit at it, with no understanding of how the exploit works. Don’t get me wrong, the BackTrack OS project is incredible and I am one of those who believe that you should let it all hang out and educate, but like any other tool, it can be used for harm.
Below is my list of some simple things you can do now to mitigate some of this risk. Your time is limited; pick wisely. No one cares about the server storing your favorite Milli Vanilli mp3s. These steps are for the security person who already doesn’t have any time. Low hanging fruit.
1. Pick two servers that, if they were compromised, would cost you your job.
- Run “netstat -an” and look for ports you don’t recognize. A port number above 1024 by itself means nothing (outbound connections use high ephemeral ports all day long), but a listener you didn’t put there is worth chasing wherever it sits, high or low. Use an audit log product that can check for port activity easily in logs. Bonus points for creating a correlation that alerts you when a new listener shows up. Check for clear-text services on 21/23/80 (FTP, telnet, HTTP).
- Check the user accounts on the machine. Interesting, there is a user account called Ihaxyou…. Again, why not make a correlation in your SIEM that looks for just “hax” in account names, and while you are in there, flag any account other than root that has UID 0.
- Check to see if the servers are patched.
- Check processes. Windows Sysinternals Process Monitor and Process Explorer are both free, and on Linux there is “ps -ef”. Anything strange in there?
- Run a compliance check on the servers in question.
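Here is the “pick two servers” pass above as a script. This is an added example and not code from the original post: it takes the text output of “netstat -an” (Linux column layout assumed) and the contents of /etc/passwd, and flags listeners outside an allowlist, clear-text service ports, and accounts that deserve a second look. The netstat and passwd samples in the code are constructed for the example, and the allowlist is a made-up one for a hypothetical web server; swap in your own.

```python
"""Scripted version of the 'pick two servers' pass.

Added example, not code from the original post. Parses the text output of
"netstat -an" (Linux column layout assumed) and the contents of /etc/passwd.
The netstat and passwd samples below are constructed; the allowlist is a
made-up one for a hypothetical web server.
"""

# Listeners this hypothetical server is expected to have (sshd, https, dhcp client).
# Anything else gets flagged: the port number being above 1024 is not the point.
EXPECTED_LISTENERS = {22, 443, 68}

# Services that carry credentials or content in clear text; flagged even if "expected".
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# Constructed sample of `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            10.0.0.77:51324         ESTABLISHED
tcp        0      0 10.0.0.5:51000          93.184.216.34:443       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Constructed sample of /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ops:x:1000:1000:ops:/home/ops:/bin/bash
Ihaxyou:x:1001:1001::/home/Ihaxyou:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
"""


def listening_ports(netstat_text):
    """Return a set of (proto, port) for listening sockets.

    TCP sockets count when the State column says LISTEN; UDP sockets have no
    state column and count when the foreign address is the wildcard.
    """
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # banner, header, or a socket family we don't handle
        proto, local, foreign = f[0].rstrip("6"), f[3], f[4]
        state = f[5] if len(f) > 5 else ""
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:22 and :::22
        if (proto == "tcp" and state == "LISTEN") or (proto == "udp" and foreign.endswith(":*")):
            found.add((proto, port))
    return found


def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Listeners not on the allowlist, plus clear-text services wherever they sit."""
    findings = []
    for proto, port in sorted(listening_ports(netstat_text)):
        if port in CLEARTEXT_PORTS:
            findings.append((proto, port, "clear-text %s listener" % CLEARTEXT_PORTS[port]))
        elif port not in expected:
            findings.append((proto, port, "not in allowlist"))
    return findings


def suspicious_accounts(passwd_text, watch_words=("hax",)):
    """Accounts with UID 0 that aren't root, or whose name matches a watch list."""
    findings = []
    for line in passwd_text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, _shell = line.split(":", 6)
        if uid == "0" and name != "root":
            findings.append((name, "uid 0"))
        if any(w in name.lower() for w in watch_words):
            findings.append((name, "name matches watch list"))
    return findings


if __name__ == "__main__":
    for proto, port, why in unexpected_listeners(SAMPLE_NETSTAT):
        print("listener %s/%d: %s" % (proto, port, why))
    for name, why in suspicious_accounts(SAMPLE_PASSWD):
        print("account %s: %s" % (name, why))
```

On the sample it flags the telnet listener on 23, the unexplained listener on 4444, the “Ihaxyou” account, and “backup2”, which is a second UID 0 account hiding behind a boring name. The allowlist is the real work: building it for your two servers forces you to know what is supposed to be listening, which is most of the value of this exercise.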
2. Ask yourself when was the last time you audited, anything.
- Set up a schedule once a week to spend one hour having fun searching logs or looking at changes.
- Check for configuration changes on your network. Buy your network engineer lunch and go over them.
- Run your compliance scans every month on a Sunday, review on Monday. Don’t be that person that runs them the bare minimum to stay compliant.
- Search for “root”, “sudo” and “su -” in your log management product. A bare search for “root” will mostly return cron noise, so start from the authentication events (accepted logins, su, sudo) and widen from there.
- Search for any log entry or change to the hosts file (\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on *nix) in either your log management product or FIM.
- Search for any log entry or change to /etc/passwd in either your SIEM or FIM for *nix. /etc/group as well, and /etc/shadow and /etc/sudoers while you are at it.
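The weekly log pass above, as a script. This is an added example and not code from the original post: it runs the searches suggested in item 2 (root logins, “su -”, sudo, new accounts, changes to the hosts file and to /etc/passwd and /etc/group) over syslog-style lines, then does one simple correlation of the kind the post keeps asking for: a watched file changed according to FIM, but no sudo COMMAND on that host names the file. The log lines are constructed for the example and the “fim:” record format is a made-up one; substitute whatever your FIM or SIEM actually emits.

```python
"""The weekly log pass from item 2, as a script.

Added example, not code from the original post. The log lines below are
constructed and the "fim:" record format is made up for the example.
"""
import re

# Constructed sample log: one web server's syslog plus FIM records, already
# merged the way a log management product would hand them back.
SAMPLE_LOG = """\
Mar  3 02:14:07 web01 sshd[2211]: Accepted password for root from 203.0.113.9 port 51022 ssh2
Mar  3 02:14:30 web01 su: (to root) ops on /dev/pts/1
Mar  3 02:15:02 web01 sudo:      ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Mar  3 02:15:09 web01 fim: file modified path=/etc/hosts
Mar  3 02:16:11 web01 useradd[2290]: new user: name=Ihaxyou, UID=1001, GID=1001, home=/home/Ihaxyou, shell=/bin/bash
Mar  3 02:16:11 web01 fim: file modified path=/etc/passwd
Mar  3 02:16:12 web01 fim: file modified path=/etc/group
Mar  3 09:00:01 web01 CRON[3001]: (root) CMD (/usr/lib/php/sessionclean)
Mar  3 09:30:44 web01 sshd[3110]: Accepted publickey for ops from 10.0.0.77 port 40112 ssh2
Mar  3 10:02:19 win01 fim: file modified path=C:\\Windows\\System32\\drivers\\etc\\hosts
"""

# The searches. A bare grep for "root" would also return every cron job;
# anchoring on the event type keeps that noise out.
SEARCHES = {
    "root login": re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (\S+)"),
    "su to root": re.compile(r"\bsu\b.*\(to root\)"),
    "sudo": re.compile(r"\bsudo:\s+(\S+) : .*COMMAND=(.+)$"),
    "new account": re.compile(r"useradd\[\d+\]: new user: name=(\S+),"),
    "hosts file change": re.compile(r"(?i)(/etc/hosts|drivers\\etc\\hosts)"),
    "passwd/group change": re.compile(r"path=/etc/(passwd|group)\b"),
}

# Searches whose FIM hits should be explained by a privileged command.
WATCHED_SEARCHES = ("hosts file change", "passwd/group change")


def search_log(text, searches=SEARCHES):
    """Return {search name: [matching lines]} over syslog-style text."""
    hits = {name: [] for name in searches}
    for line in text.splitlines():
        for name, rx in searches.items():
            if rx.search(line):
                hits[name].append(line)
    return hits


def host_of(line):
    """Hostname is the 4th whitespace-separated field in classic syslog."""
    return line.split()[3]


def unattributed_changes(text):
    """FIM changes to watched files with no sudo COMMAND naming that path on
    the same host. Joins on host + path only; a real SIEM rule would add a
    time window and also accept package-manager or config-management activity.
    """
    hits = search_log(text)
    sudo_paths = set()
    for line in hits["sudo"]:
        command = SEARCHES["sudo"].search(line).group(2)
        for token in command.split():
            sudo_paths.add((host_of(line), token))
    flagged = []
    for name in WATCHED_SEARCHES:
        for line in hits[name]:
            m = re.search(r"path=(\S+)", line)
            if not m:
                continue  # a sudo line that mentions the file, not a FIM record
            key = (host_of(line), m.group(1))
            if key not in sudo_paths:
                flagged.append(key)
    return flagged


if __name__ == "__main__":
    for name, lines in search_log(SAMPLE_LOG).items():
        print("%-20s %d hit(s)" % (name, len(lines)))
    for host, path in unattributed_changes(SAMPLE_LOG):
        print("unattributed change on %s: %s" % (host, path))
```

On the sample, the /etc/hosts edit is explained by the sudo entry for “vi /etc/hosts” and drops out, while the /etc/passwd and /etc/group changes (a new account appearing at 2am, shortly after a root login and an su) and the Windows hosts file change have nothing privileged to explain them and get flagged. That is the shape of a useful correlation: not “file X changed”, which fires on every patch cycle, but “file X changed and nothing in the audit trail owns it”.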
3. Make friends.
- Get up from your desk. Walk. Find the managers of the teams and ask them what YOU can do for them. I can guarantee that they are worried about security, their job, etc. They just don’t want red tape; work with them.
- Talk to the people in the trenches. You were there at one time. They know the real issues and would probably leap at the chance to help.
- Enlist people that are interested. Getting into info sec is hard and there are very few degrees or classes at the college level you can take. The people you meet that are interested are worth their weight in gold.
- Work with your bosses. Security is a hard sell. Face to face you will be much more visible and the message will resonate.
- If you are in charge of a web proxy don’t be hardcore – use it for the really bad people, i.e., people who are surfing porn at work. The enemies you will make by being too restrictive will outweigh the friends you can make. It’s not your job to make sure they do their job. You cannot imagine how much proactive security advice you can get if you make security a positive thing and not something they hate.
- Pick a couple of security news websites and spend at least 30 minutes a week on them. Dark Reading and Securosis are always good reads. I surf. You should surf. Security articles are everywhere.
- Educate yourself on bots, botnets, and malware. If you get compromised these will be the first things to look for.
- Study Conficker; it’s a good blueprint for what can go wrong.
What do you think? I’d love to hear some more advice on the low hanging fruit.
Hit me up at email@example.com
If you’re interested in learning how to implement a layered security program, check out this new white paper by Brian Honan: Layered Security: Protecting Your Data in Today’s Threat Landscape.