As a datacenter security professional, you want to be proactive and use the tools that are already in place to minimize any possible risk (which will never be zero, let's be honest). I felt a bit in limbo recently doing a typical security consultant job: going through my checklists, running some penetration tests, reviewing logs and other pretty ordinary stuff.
I feel there are a few things I learned from Kevin Ripa and Ali Aleali about looking at my customer's security approach from a slightly different angle. Here we'll cover a few things that I found very useful and easy to apply, so we've already implemented them.
Detect and check the following: the top 20 IP addresses (a) with the highest number of outbound connections, (b) with the longest outbound connection times and (c) sending the most data outbound. During Kevin's talk someone asked about the tools; upon my return to the customer the next day it took me 20-30 minutes to find a way to produce such a report, even though it's not the primary firewall technology that I manage every day. So it shouldn't be a problem, but looking at this data you definitely start asking a lot of questions, such as "Why does the receptionist's machine generate terabytes of data traffic daily?"
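The three rankings above are easy to produce from any firewall's session log once you have it as text. The following is an added example, not code from the post or from any firewall vendor: it parses a constructed key=value session log (the field layout is an assumption), keeps only internal-to-external sessions, and builds the top-N lists by connection count, total connection time and bytes sent out. It also adds one check the post's question about the receptionist's machine suggests, flagging hosts whose upload volume is far larger than their download volume.

```python
"""Top-N outbound talkers from firewall session logs (added example, not from the post)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import re

# Constructed sample of firewall session-close records; the field layout is an
# assumption, real firewalls use their own (key=value, CSV, CEF, ...) formats.
SAMPLE_LOG = """\
2017-01-09T08:01:12 src=10.0.5.21 dst=93.184.216.34 dport=443 duration=12 bytes_out=5120 bytes_in=20480
2017-01-09T08:02:40 src=10.0.5.21 dst=93.184.216.34 dport=443 duration=3 bytes_out=1024 bytes_in=8192
2017-01-09T08:03:05 src=10.0.7.44 dst=198.51.100.7 dport=443 duration=86400 bytes_out=9000000000 bytes_in=40000
2017-01-09T08:05:19 src=10.0.5.30 dst=203.0.113.9 dport=80 duration=45 bytes_out=2048 bytes_in=65536
2017-01-09T08:06:00 src=10.0.7.44 dst=198.51.100.7 dport=443 duration=3600 bytes_out=750000000 bytes_in=1200
2017-01-09T08:07:31 src=10.0.5.30 dst=203.0.113.9 dport=80 duration=10 bytes_out=512 bytes_in=4096
2017-01-09T08:08:02 src=10.0.5.30 dst=203.0.113.10 dport=443 duration=20 bytes_out=4096 bytes_in=9000
2017-01-09T08:09:15 src=10.0.5.30 dst=10.0.1.5 dport=445 duration=300 bytes_out=50000000 bytes_in=1000
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"duration=(?P<duration>\d+) bytes_out=(?P<bytes_out>\d+) bytes_in=(?P<bytes_in>\d+)"
)

# RFC 1918 ranges only; ipaddress's is_private would also treat the TEST-NET
# documentation addresses used in the sample as non-public.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_sessions(text):
    """Return one dict per well-formed session line; unparseable lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        sessions.append({"src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
                         "duration": int(d["duration"]),
                         "bytes_out": int(d["bytes_out"]), "bytes_in": int(d["bytes_in"])})
    return sessions


def is_outbound(s):
    return is_internal(s["src"]) and not is_internal(s["dst"])


def top_talkers(sessions, n=20):
    """The three rankings from the post: by connection count, total duration, bytes out."""
    conns, dur, out = defaultdict(int), defaultdict(int), defaultdict(int)
    for s in sessions:
        if not is_outbound(s):
            continue
        conns[s["src"]] += 1
        dur[s["src"]] += s["duration"]
        out[s["src"]] += s["bytes_out"]

    def rank(counter):
        # highest value first; ties broken by address so output is stable
        return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

    return {"by_connections": rank(conns), "by_duration": rank(dur), "by_bytes_out": rank(out)}


def exfil_ratio_suspects(sessions, ratio=10):
    """Hosts sending more than `ratio` times what they receive. Ordinary client traffic
    is download-heavy, so a strongly upload-heavy host is worth a question."""
    out, inn = defaultdict(int), defaultdict(int)
    for s in sessions:
        if is_outbound(s):
            out[s["src"]] += s["bytes_out"]
            inn[s["src"]] += s["bytes_in"]
    return sorted(h for h in out if out[h] > ratio * inn[h])


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for name, rows in top_talkers(sessions, n=5).items():
        print(name, rows)
    print("upload-heavy hosts:", exfil_ratio_suspects(sessions))
```

Internal-to-internal sessions (the SMB session to 10.0.1.5 in the sample) are excluded so that file-server traffic does not dominate the outbound rankings; on the sample the 10.0.7.44 host tops both the duration and bytes-out lists and is the only host flagged by the upload/download ratio check.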
According to Kevin, users open or interact with 30-40 files per week. So to protect against infection or ransomware encryption we can lock down a user when they reach 50. This item is a bit tricky: you don't want users unhappy with IT when there is a good reason for them to open more than 50 files per week. So the item is a little political, but it can be resolved if approached carefully. In terms of technology, I was not able to find any specific Microsoft AD or Group Policy tools to collect such data and then apply the restriction. In my case the files are stored on a NetApp Filer that provides such functionality, but on a per-session basis, not per user per week. If any readers have a good idea on how to implement such a brilliant approach without investing in third-party tools, please share!
There are new NIST password requirements that shocked many security professionals; the document can be found here and a short summary is here. In summary, using special characters doesn't make a password safe; what does is the length of the password.
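To make the difference concrete, here is an added example (not from the post or from NIST) that puts a typical legacy composition rule next to a check in the style of the newer guidance: length bounds, no character-class requirements, and rejection of known-bad or repetitive values. The blocklist is a constructed stand-in; a real deployment would load a breached-password corpus.

```python
"""Legacy composition rule beside a length-and-blocklist rule in the style of the
newer NIST guidance (added example, not from the post or from NIST)."""
import re

# Constructed blocklist stand-in; a real deployment would load a breached-password
# corpus (assumption).
BLOCKLIST = {"password", "p@ssw0rd", "p@ssw0rd!", "welcome1", "summer2017"}


def legacy_policy(pw):
    """Typical old rule: 8+ chars and at least one upper, lower, digit and symbol."""
    return len(pw) >= 8 and all(
        re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    )


def nist_style_policy(pw, blocklist=BLOCKLIST, min_len=8, max_len=64):
    """Length bounds, no composition rules, reject known-bad and repetitive values.
    Returns (accepted, reason)."""
    if not min_len <= len(pw) <= max_len:
        return False, "length"
    if len(set(pw)) < 3:                 # 'aaaaaaaa'-style repetition
        return False, "repetitive"
    if pw.strip().lower() in blocklist:  # compare case-insensitively against the corpus
        return False, "blocklisted"
    return True, "ok"


def compare(candidates):
    """Map each candidate to (passes legacy rule, verdict under the length-based rule)."""
    return {pw: (legacy_policy(pw), nist_style_policy(pw)[1]) for pw in candidates}


if __name__ == "__main__":
    for pw, verdict in compare(["P@ssw0rd!", "correct horse battery staple",
                                "Tr0ub4dor&3", "aaaaaaaa", "short"]).items():
        print(repr(pw), verdict)
```

The interesting rows are the first two: "P@ssw0rd!" satisfies every composition rule and is still rejected because it is on the blocklist, while the long four-word passphrase fails the legacy rule (no uppercase, no digit) and is accepted by the length-based one.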
Have you heard the expression "canary tokens"? Hopefully you paid better attention to them than I did and now regret. What can be done is creating a file, email etc. that serves as a honeypot. For example, my customer generates a document called "January 2017 CEO executive bonus details", puts it in a folder that is not easy to navigate to, and if someone opens the document an alert is generated, meaning someone is looking where they shouldn't be looking.
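Both the per-user file-open limit from the earlier item and the canary document above come down to the same input, a file-access audit trail, so here is one added example (not from the post, nor from NetApp or Microsoft tooling) that serves both. It reads a constructed, simplified tab-separated event layout (timestamp, user, action, path; a real deployment would feed it filer audit logs or Windows object-access events), counts distinct files each user has opened in a trailing seven-day window, raises a lockdown alert when that reaches the post's figure of 50, and raises a canary alert on any open of the planted document. The canary path is an assumption.

```python
"""Per-user file-open rate and canary-document alerts from file-access audit events
(added example, not from the post or any vendor tool)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FILE_THRESHOLD = 50          # the post's figure: lock down when a user reaches 50 files/week
WINDOW = timedelta(days=7)   # "per user per week", implemented as a trailing window
# Assumption: this is where the planted document lives; any open of it is an alert.
CANARY = r"\\filer\finance\archive\old\January 2017 CEO executive bonus details.docx"


def parse_events(lines):
    """Tab-separated 'timestamp user action path' records (a constructed, simplified
    layout; real sources are filer audit logs or Windows object-access events)."""
    events = []
    for line in lines:
        ts, user, action, path = line.rstrip("\n").split("\t", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)   # process in time order regardless of collection order


def detect(events, threshold=FILE_THRESHOLD, window=WINDOW, canary_paths=(CANARY,)):
    """Return (kind, user, timestamp, detail) alerts: 'canary' for any open of a
    honeypot document, 'lockdown' the first time a user's distinct files opened
    inside the trailing window reach the threshold."""
    alerts = []
    recent = defaultdict(deque)   # user -> (ts, path) opens still inside the window
    locked = set()
    for ts, user, action, path in events:
        if path in canary_paths:
            alerts.append(("canary", user, ts, path))
        if action != "READ":
            continue
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:   # drop opens that fell out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and user not in locked:
            locked.add(user)          # alert once, not on every further open
            alerts.append(("lockdown", user, ts, distinct))
    return alerts


def build_sample():
    """Constructed audit trail: a normal user, a user enumerating 60 files in an hour,
    one who opens the canary, and one who touches 60 files but spread over 60 days."""
    base = datetime(2017, 1, 9, 8, 0, 0)

    def ev(ts, user, action, path):
        return "\t".join([ts.isoformat(), user, action, path])

    lines = [ev(base + timedelta(hours=i), "alice", "READ", r"\\filer\hr\doc%d.docx" % i)
             for i in range(3)]
    lines += [ev(base + timedelta(minutes=20 + i), "mallory", "READ", r"\\filer\finance\q%d.xlsx" % i)
              for i in range(60)]
    lines.append(ev(base + timedelta(hours=2), "bob", "READ", CANARY))
    lines += [ev(base + timedelta(days=i), "carol", "READ", r"\\filer\eng\spec%d.pdf" % i)
              for i in range(60)]
    return lines


if __name__ == "__main__":
    for alert in detect(parse_events(build_sample())):
        print(alert)
```

Counting distinct paths rather than raw open events is what keeps the rule from punishing someone who re-opens the same spreadsheet all day, and the trailing window is what distinguishes carol (60 files over 60 days, never more than 8 in any week) from mallory (60 files in an hour, locked at the 50th). The canary check deliberately fires on any action, not just reads, since listing or copying the document is just as telling.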
Lastly, something new I learned and hope will be news to some readers too: there is an excellent Windows workstation toolset for forensic investigations called FLARE VM, and it is provided at no charge by FireEye. In my opinion the most interesting tool included is FakeNet-NG, which emulates essential services such as FTP, Web, DNS and SMTP and allows an investigator to analyze the intercepted traffic. Installing FLARE VM is very easy: put the URL specified in the documentation into IE on your test VM and it will execute a script that installs all the tools. Personally I found FLARE VM very useful and complementary to the tools included in Kali Linux and REMnux. Please give it a shot and let me know what you think!