Security Ever After: August 2011

Monday, August 29, 2011

Control 13: Limitation and Control of Network Ports, Protocols, and Services

As mentioned in Control 5 (Boundary Defense), proper ingress and egress filtering should be in place. Diligently maintaining awareness of the traffic that is allowed into and out of your network is critical.

SourceFire RNA Compliance Rules allow the administrator to create rules that mirror the firewall rules and alert when any other traffic occurs. This is configured in the administrative console at Policy & Response, Compliance, Rule Management: create or open a Group, then select "If a flow event occurs and meets the following conditions" and add a condition such as "Payload is AOL Mail". This feature in RNA allows the user to define approved flows and respond to everything not specifically allowed. Policy violations and new traffic flows will become immediately apparent, and the rules will be complementary to the traditional network firewall rules.

Perform daily network discovery scans using nmap. Depending on the complexity of the network, multiple scanners may need to be deployed to ensure complete coverage. List the name of each service running on the network and attempt to justify its business need. Consider an nmap diff scan to identify all hosts and their associated services. Using the diff option, results for the new scan are compared to the previous one, with only the changes being noted.
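The scan-to-scan comparison and the business-need check described above, as an added example that is not from the original post. Nmap ships an `ndiff` utility that compares XML output; this sketch does the same job on grepable (`-oG`) output, and the sample scans and the `JUSTIFIED` register are constructed for illustration.

```python
import ipaddress

# Constructed sample data in Nmap grepable (-oG) format; hosts and ports are made up.
BASELINE = """\
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///
"""
TODAY = """\
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh///
Host: 10.0.0.23 ()\tPorts: 23/open/tcp//telnet///
"""
# Hypothetical register of services with a documented business need.
JUSTIFIED = {"10.0.0.5": {"22/tcp", "443/tcp"}, "10.0.0.9": {"22/tcp", "3306/tcp"}}

def parse_grepable(text):
    """Return {ip: {(port, proto): service}} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comment lines and "Status:" lines
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        services = hosts.setdefault(line.split()[1], {})
        for entry in ports_field.split(","):
            f = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(f) >= 5 and f[1] == "open":
                services[(int(f[0]), f[2])] = f[4] or "unknown"
    return hosts

def diff_scans(old, new):
    """List only what changed between two parsed scans."""
    changes = []
    for ip in sorted(set(old) | set(new), key=ipaddress.ip_address):
        before, after = old.get(ip, {}), new.get(ip, {})
        if (ip in old) != (ip in new):
            changes.append(("NEW_HOST" if ip in new else "HOST_GONE", ip, None, None))
        for key in sorted(set(after) - set(before)):
            changes.append(("NEW_SERVICE", ip, key, after[key]))
        for key in sorted(set(before) - set(after)):
            changes.append(("SERVICE_GONE", ip, key, before[key]))
    return changes

def unjustified(scan, justified):
    """Open services with no entry in the business-need register."""
    return sorted((ip, port, proto, svc) for ip, ports in scan.items()
                  for (port, proto), svc in ports.items()
                  if f"{port}/{proto}" not in justified.get(ip, set()))

if __name__ == "__main__":
    print(*diff_scans(parse_grepable(BASELINE), parse_grepable(TODAY)), sep="\n")
```
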

Wednesday, August 24, 2011

Control 12: Malware Defenses

Malware should certainly be considered unauthorized software and addressed using the techniques listed in Control 2. Maintain a listing of approved software and its business need so that it can be readily compared to all software that has been detected.

Malware protection is often packaged within traditional antivirus software. Configure this tool to send its events to the administration tools and event log servers. Carefully review these logs for indications of system compromise.

Create alerts specifically for malware infection and respond to these promptly to avoid further damage. Ensure that malware defenses are specifically configured to check for updates every hour and configure the policy to push new defenses to all agents when a new update is found.

Include the Microsoft Malicious Software Removal Tool (MSRT) in the packages distributed by WSUS. The MSRT tool is deployed monthly and is useful to eliminate known and disruptive malware.

Monday, August 15, 2011

Control 11: Account Monitoring and Control

What does it really mean to provide Account Monitoring and Control and what are some practical and no cost ways to implement this control?

Send automated alerts for any change or attempted change to any group whose membership grants elevated access. Generate daily alerts and reports of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire.

Perform a quarterly review of all accounts on systems and reconcile that to the list of employees from Human Resources and the physical access control system. Often one or more of these systems is not current, which is an avenue to potential compromise. Develop relationships with Human Resources in order to have a more prompt and efficient employee termination procedure. Working together, a partnership can be created and leveraged when needed.

During internal employee transfers, go through the extra step of revoking all access and then adding the new access required to perform the new job. This will help avoid accumulation of privileges over an employee's tenure.

Use the log review solution to create automated alerts for any new account, any new administrator access and also for when any account is locked out. At a minimum you will be able to provide better customer service by knowing about accounts that need to be unlocked. Perhaps these same alerts can be used to serve as indications and warnings of an attack.
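One way to express the alerts described in this post (new accounts, changes to elevated groups, lockouts) as log review logic; this is an added example, not code from the original post. The event IDs are the standard Windows Security log IDs, while the CSV layout, the account names and the `PRIVILEGED` group list are assumptions made for the sample.

```python
import csv
import io
from collections import Counter

# Constructed export from a log review tool; every name and time is made up.
SAMPLE_LOG = """\
time,event_id,actor,target,group
2011-08-15T08:02:11,4720,jsmith-adm,tempuser1,
2011-08-15T08:03:40,4728,jsmith-adm,tempuser1,Domain Admins
2011-08-15T09:15:02,4740,DC01$,mjones,
2011-08-15T09:15:30,4740,DC01$,mjones,
2011-08-15T10:41:00,4732,helpdesk1,akhan,Remote Desktop Users
2011-08-15T11:00:19,4624,mjones,mjones,
"""
# Windows Security event IDs (Vista/Server 2008 and later) for group membership changes.
GROUP_CHANGE = {4728: "added to", 4729: "removed from", 4732: "added to",
                4733: "removed from", 4756: "added to", 4757: "removed from"}
# Assumption: the groups that grant elevated access at this site.
PRIVILEGED = {"domain admins", "enterprise admins", "administrators"}

def review(log_text, lockout_threshold=2):
    """Return (kind, account, detail) alerts for the events worth a human look."""
    alerts, lockouts = [], Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        eid = int(row["event_id"])
        if eid == 4720:  # user account created
            alerts.append(("NEW_ACCOUNT", row["target"], f"created by {row['actor']}"))
        elif eid in GROUP_CHANGE and row["group"].lower() in PRIVILEGED:
            detail = f"{GROUP_CHANGE[eid]} {row['group']} by {row['actor']}"
            alerts.append(("PRIV_GROUP_CHANGE", row["target"], detail))
        elif eid == 4740:  # account locked out
            lockouts[row["target"]] += 1
            alerts.append(("LOCKOUT", row["target"], row["time"]))
    # Repeated lockouts of one account deserve more than an unlock:
    # they can be a sign of password guessing rather than a forgotten password.
    for account, count in sorted(lockouts.items()):
        if count >= lockout_threshold:
            alerts.append(("REPEATED_LOCKOUT", account, f"{count} lockouts"))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```
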

Tuesday, August 9, 2011

Control 10: Continuous Vulnerability Assessment and Remediation

Is it possible to have a vulnerability assessment program that truly can be considered continuous? I believe the answer is a resounding yes, you can.

Configure a network scanner to perform daily discovery scans on the internal and external networks. Review the output for new hosts and unexpected services. Make certain that these scans are detected by your security controls, such as Network Intrusion Detection (NIDS) and file monitoring tools. This technique is very valuable and will help assess the maturity of the continuous monitoring program.

The free Microsoft Windows Server Update Services (WSUS) provides automated patching of Microsoft products. The administrator can schedule categories of patches and schedule their installation. Also included is a reporting capability. WSUS can send daily reports via email to administrators notifying them of new patch releases and the status of their installation.

After patches are applied, verify outside the patching tool that each patch has actually been applied. Look for clues such as registry values, installed programs and the last system reboot to help measure this control.

Even if in a simple spreadsheet format, track all open vulnerabilities across each system type. If you get to the point where you do not know what task to work on next, this will serve as an excellent guide to direct your attention.  This will help move your security program to a more mature state.

Saturday, August 6, 2011

SANS Mentor Offers FREE Noise Cancelling Bluetooth Headphones

Starting Monday, the SANS Mentor program is offering a special promotion. Register for any SANS Mentor event in the next three weeks and receive a fantastic pair of Noise Cancelling Bluetooth Headphones valued at $499! To take advantage of this promotion, enter the code "stereo11" during registration. The headphones will be ordered the second week of class and shipped directly to each student.

A most excellent use of this promotion would be for my upcoming SANS Security 401 Security Essentials Bootcamp Style Mentor Session in Atlanta. This course starts on January 24 and meets once a week for ten weeks. This popular SANS course is excellent for new as well as experienced system and security administrators.

Feel free to contact me for more information.

Friday, August 5, 2011

Control 9: Controlled Access Based On Need to Know

Simply being an employee should not serve as adequate justification to obtain access to company data. Segregation of logical access must be in place to help deter casual browsing and potential unauthorized data disclosure. Start with broad concepts such as departments and teams as a way to isolate systems and data from those that do not require access.

A data classification program, even if elementary in nature, would be valuable to help achieve the objective of this control. Even if there are broad and limited categories of data types, it would be valuable to know where sensitive data is stored to make sure it is adequately protected from possible misuse.

Enforce strict role-based access for all sensitive resources such as directories and servers, and configure the default action to deny all access that is not explicitly granted. Log failed access attempts and alert the team when failed resource attempts are detected.

Set a monthly calendar reminder to review the access of a small number of employees. Be on guard for access that may no longer be required. This can be a delicate process, so be sensitive to both the real and the perceived needs of co-workers. Enforcing this is particularly difficult with employees with tenure who tend to accumulate access over time.

Monday, August 1, 2011

Control 8: Controlled Use of Administrative Privileges

Gaining access to administrative accounts is often the goal of an attacker. What can you do to ensure that only the appropriately trained and fully accountable people have and maintain administrative access on your systems? This effort must start with an accurate inventory of every account with elevated access and must be strictly maintained. The change control board should approve every new account that requires persistent administrative access. Maintaining strict admission guidelines for administrative access will help curb the desire for everyone to be an administrator. Implement an annual renewal process that requires each administrator to justify his or her continued need for elevated access.

Encourage administrators to maintain different passwords for administrator accounts where clear differences in system type exist, such as on workstations and individual server types. This will help deter unintentional access to collateral systems that system administrators are not explicitly authorized to use. Encourage this practice by requiring more frequent password expiry and increased complexity rules for these accounts.

Accounts with elevated access must be used only when administrative activities are required. Normal web browsing and email usage should never be permitted from accounts that have elevated access. The damage that could occur is much greater than the convenience gained by allowing a system administrator to check their Twitter account.

Where feasible, require administrators to obtain all administrative access by elevating from a regular user account. One way to facilitate this is to create a Microsoft Management Console (MMC) that includes all tools needed for administration, and to open it with a Run As command that uses the credentials of the elevated account.

Accurately and promptly recording and distributing all activities performed by members of elevated access groups, as found in system and security logs, could help deter misuse and increase accountability. Configure a daily automated report that lists all administrative activities from the previous day and goes to the entire team.

Look for default accounts on workstations and servers that can be removed or disabled. It is up to you to explain and justify every account on your system. The faster you can identify new accounts on the system, the better.

The underlying goal must be to do everything in your power to not allow untrained or unauthorized people to gain administrative access on your networks or systems.