Monday, December 15, 2014

Watch this space

I am working on my flowchart/list of basic security activities.
It shows how to go from nothing to something to usable security.
The issue is that I am trying to find a middle ground between detailed instructions and useful overview: something that lets you know what to do without getting bogged down in minutiae, and at the same time avoids being so vanilla and general that it's useless.
I'll keep you posted.

It's a "proven failed" method, so why use it?

This is not a conclusive post with detailed instructions.
Rather, this is an open-ended question for which I have a few quick thoughts.

As always with me it comes down to attacks of opportunity vs targeted attacks.
If you reduce your attack surface and harden your known attack points (firewall, wifi, desktops, remove/change default passwords, SNMP, printers, etc.) you greatly reduce the chances that a drive-by/attack of opportunity will take you down.

However, on their own, those items represent a "proven failed methodology".
Which is to say, if all you do is harden the space, without monitoring and investigating, you will fail.
Your network will get popped, hacked, cracked or whatever other term you prefer for someone getting at information and access on your network that they were not supposed to get at.

So why do it? Can't I just monitor activity, see the attacks and deal with them at that time?
If defense is doomed to failure, doesn't it make more sense to put my money into detection and reaction?

NO.

Simply put, if you can't reduce the number of attacks, you can't respond in any real sense.

Think of your average *airport. Is the security fail-proof? No. Is it tight enough to stop a dedicated hijacker/attacker/bomber? No. However, the in-place security stops the average person from bringing a gun on board an airplane, and raises the effort required of a dedicated attacker by removing many if not most of the available avenues of attack. This reduces the number of attacks to be dealt with, and that in turn makes it possible to look for the kind of original attacks that can't be defended against directly (OK, the metaphor starts to break down, but hopefully you see the point).

This topic requires more discussion, proof of effectiveness, and detailed reports on what works, why, and to what extent. But for now, this is a good start. As an aside, Sony had neither proper defense nor accurate monitoring. They missed the incoming, the outgoing and the jumping between machines that happened inside. They cannot be used as an example of good security at any level.
Good lawyer-ing maybe.

*Airport security is a hot topic and one that is debated by people much more in the know than I am.
Needless to say, many security professionals feel that US airport security is "security theater" and that it has never caught a single terrorist. I don't want to get into that discussion, but I cannot ignore its existence.
I fall on the side of "it's not good security, whatever it may actually be" and I recognize that there are limits on what they can do politically. For more than that, go find one of the many blogs that harp on this non-stop.
[edited for typos]

Wednesday, December 10, 2014

A comment on passwords

Things we all know:
Passwords are important
We should not share our passwords
Passwords are annoying
We have too many passwords

Things the IT world knows about people and passwords:
Passwords will be reused
People will add a 1 to the end
People will base them off their lives
People hate passwords

So, honest truth: none of us are great with our passwords. Unless forced we rarely change them, we have a default we use for "unimportant" accounts, and we often use bad passwords.

The problem is that there is no longer an unimportant account.  Social networking accounts can be used to reset email passwords, email accounts can be used to reset almost any password, and eventually every one of those can lead back to your bank.

So what makes a bad password?
We have all seen this XKCD comic on password strength. OK, that defines (in one way) a good password, but what is a bad password?

Too short: short passwords are easy to crack or fake.
Easily guessed: There are any number of "common password" lists out there. If your password is anywhere on such a list, you have a bad password. Just as bad is using a password that is uniquely yours, i.e. your favorite author/book/sport/sports team/etc. Those are also easily guessed.
Re-used: a password used in two places is bad. If one place gets hacked, your password will likely be tried by an automated system in a bunch of standard locations. It will also be added to one or more of the known password lists and then more easily tried elsewhere during the next hack.
Unusable: This is a tough one to deal with without help. If your password is the 42-character result of encrypting your cat's DNA and then multiplying it by your dog's DNA... it's not going to be usable. However, you can fix this one easily with a password safe.

How to make a good password:
DON'T
Don't bother manually making a good password. Within the last 5 years more than a BILLION active passwords have been exposed. That means you can assume that whatever cool and innovative trick you're using to make your passwords has been used by someone else, and their password was exposed somewhere along the line.
So don't make passwords by hand. Use a password generator.
Between the password safe and the password generator you should no longer be looking at your passwords, ever.
I personally like 1Password and KeePass as my favorites. LastPass and SplashID are also OK, but not my favorites.
Whichever one you use, create a long password to secure it with, and then never create a password again. Let the safe generate, store and enter your passwords. Use the functionality built into most of them that tells you when it's time to change old passwords.

Yes, the safe is a single point of failure in your personal security; however, it's a reasonable trade-off. You, as an individual, are unlikely to get targeted. That means no one is trying to steal and crack your password safe. It does not mean that you are safe from an attack of opportunity.

Those strong passwords, and thus your password safe, make you a much less likely target for easy automated attacks.
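As an added illustration, not from the original post, here is what the safe's generator and the three bad-password tests above (too short, easily guessed, re-used) look like in Python. The common-password list and the stored accounts are constructed sample data, and the 12-character minimum is an assumed threshold.

```python
import math
import secrets
import string

# Constructed "common password" list standing in for the published ones the post
# mentions (the real lists run to millions of entries). Stored lowercase.
COMMON = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "dragon"}

# Constructed store of passwords already in use elsewhere, as a safe would hold them.
# (A real safe keeps these encrypted; plaintext here only to keep the example short.)
IN_USE = {"mail.example.com": "dragon1", "shop.example.com": "Tr0ub4dor&3"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def bad_password_reasons(pw, common=COMMON, in_use=IN_USE, min_len=12):
    """Return the post's objections that apply to pw (empty list = none apply)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    # Strip a trailing digit run so "dragon1" is caught by "dragon" in the list
    # (the post's "people will add a 1 to the end").
    lowered = pw.lower()
    if lowered in common or lowered.rstrip(string.digits) in common:
        reasons.append("easily guessed")
    if pw in in_use.values():
        reasons.append("re-used")
    return reasons


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of guessing work for a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


def generate(length=20, alphabet=ALPHABET):
    """Generate with the OS CSPRNG, the way a safe does it, rather than by hand."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def new_unique_password(length=20, in_use=IN_USE):
    """Generate until the result passes every test, including not being re-used."""
    while True:
        pw = generate(length)
        if not bad_password_reasons(pw, in_use=in_use):
            return pw


if __name__ == "__main__":
    for candidate in ("dragon1", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {bad_password_reasons(candidate) or 'ok'}")
    pw = new_unique_password()
    print(f"generated {len(pw)} chars, about {entropy_bits(len(pw)):.0f} bits")
```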

and that is today's ramble.

Thursday, November 20, 2014

Network scanning tools - adding one more

Earlier I did a short list of tools I have used for scanning my network.
I forgot one that I use:
SoftPerfect Netscan
Which is ugly but really useful. It has a neat button for finding DHCP servers (uber useful), can list ports, shares, AD info and a bit more. It also exports to CSV (which oddly AngryIP cannot, though I still reach for it first), which is useful when building your first couple of lists.

<aside>
Why do I care about ugly? 

Emotion & Design: Attractive things work better

That's why. That is only one example of research and anecdotes showing that what we see affects how we feel, and how we feel affects how well we work.
Ugly tools are not less effective, but they are less likely to be used, and a tool on the shelf is useless.
</aside>

Now I have covered the tools I use regularly for scanning my network (I think).
However, there are LOTS of free tools out there that each do something different and useful in network scanning.

Explore, test, find the one that fits your needs, and when all else fails combine Wireshark with Nmap to get the details on almost anything.

Thursday, November 13, 2014

Escalating privileges ....


Earlier I pointed at this talk, which refers to this web page full of notes (look under files), which further points at other talks regarding security holes on Windows machines using (mostly) items already on a standard Windows install.

This one is entertaining but hard to understand because one of the speakers talks very softly and the other loudly.

This one is fascinating, but... the... pauses... of... the... speaker... drive... me... to... sleep.
I found it funny that the word insomnia is at the bottom of his slides.
Regardless, he is clearly talented, knows what he's talking about, and is worth noting.

Most of this is a distraction from the basics.
As noted by my SANS instructor: "if you don't know what is on your network, and you don't know your patching level, [targeted] attacks are not what you need to worry about."

HOWEVER, having at least a passing knowledge of how these attacks work will help when you are doing the next base-unit build-out and inventory. (Did I mention you need to inventory and baseline your base build so you know where you're starting?)

Wednesday, November 12, 2014

An online training source and a comment on watching/listening

There is an excellent and inexpensive way to get more security training.
Coursera
Here is the TED talk that pointed it out to me.

Offering a series of courses on CyberSecurity from UMD - College Park, a good school. I suggest taking the Signature Track if you can afford it (a few hundred dollars), or the free version (no real proof of completion) if you can't.

It's a combination of videos, reading, online discussion, quizzes and projects.
It is not a small undertaking, but it is a good overview. It goes into a lot of programming, so it's not absolutely ideal for IT, but it's still very good.

Now, a short discussion on listening to and watching videos.
If you are like me, you have very little free time.
Once upon a time I had a 45-90 minute commute... each way. So I would listen to podcasts in the car.
I learned an awful lot of stuff, most of it utterly useless.
Then my commute changed and all of a sudden I was down to 12 minutes each way.  Sounds like a win, except I missed my podcasts.
I noticed a speed button on my podcast software.  I upped it from 1 to 1.25.  That worked.  Took some getting used to, but it meant that I could hear more than 12 minutes of podcast on my way to work.  Slowly, over time, as I realized I could hear every word and understand it, I upped the speed.
Now I can listen to my usual podcasts (no major accents, topics I am familiar with) at 2.5 speed and new subject matter at 2X.
That TED Talk I linked to above? 10 minutes. That's a lot better. Also, because the time used is shorter, I find I concentrate better.
I used to think, based on limited reading of the research, that reading faster meant better comprehension but I recently found that there is no consensus on this and the research is deeply conflicted.
That being said, for me at least, faster listening IS better.
Even YouTube lets me speed most videos up to 2X.
Do with it as you will; it might just be useful.

As for what podcasts I currently (or in the past) listen to:
The History of Rome (completed) and now the Revolutions podcast
12 Byzantine Rulers (complete)
Hardcore History (ongoing)
My History Can Beat Up Your Politics
Ted Radio Hour
Ask Me Another
Paul Security Weekly
The Bugle
Ted Talks
BIG Ideas
Intelligence squared US
Intelligence Squared
HAK5
SANS ISC Stormcast
RadioLab
All of which looks like a lot, but most only produce an hour a week at 1X, some only an hour a month, and others are done so I stopped...
All in all, I take in a lot of info this way, in half the time it was meant to take up.

suggested basics reading

Just some links I found that are useful for basic reading/watching/listening:

I have not yet found a good list of security basics for the IT department of small and medium sized organizations.
I'm looking, as I want my list to be based on research, not gut.
I was at last year's ShmooCon and there was an EXCELLENT talk on good, inexpensive basic security. I had a five minute talk with the speakers trying to work out a way to extend their talk into a full-blown conference. I was over-reaching. Just now, a full year later, I'm bringing this to your attention.


WATCH THIS FIRST: it is that ShmooCon talk posted on YouTube.
The first 36 minutes focus almost exclusively on AppLocker, a very useful and important tool in the IT toolbox.
Next up is client-side firewalls, a much maligned and seriously overlooked option that makes a BIG difference in how things work. That is most of what they cover, but listen to the words and concepts. They are talking about the basics, not the fancy expensive stuff. Listen to minutes 47 and 48. Aaron states "make it too expensive to attack you and they will go elsewhere".
These two succeed in putting good basic security into their environment.
The rest of us should follow suit.

The SANS reading room, basics section.

An older writeup by someone working in the pharmaceutical world. Not great but does have some good ideas.

CSO Online basics series, some of which is very good and much of it is... not so good. Read carefully.

Mississippi Government page on basic online security which is mostly a group of links, much of which is worth reading.

Tuesday, November 11, 2014

Secure Messaging - an EFF review

Very interesting. This is NOT in the basics. However, it is worth noting. Many if not most of us use chat/messaging of some sort every day. We often consider those conversations private. Unfortunately they are often no more private than a discussion in a crowded bar or party. It will take some effort for others to listen in, but it's far from private.

The EFF has done a high-level basic overview of a great many messaging services and programs available today. Then they put their findings into a chart (HERE). Go look, read carefully, tell me what you think. The interesting notes I picked up on in my first read-through were:
1) Gchat sucks for security
2) The various i-Apps are surprisingly not as bad
3) Adium and Pidgin, old standbys for me from my last job, really are very good; of course the server back end needs to be secure as well... using them with Google Chat will not give you the same results.

Take-away: for most of us out there, there is not a lot of choice. Your average person does not run their own XMPP server. They want their data accessible from one tool, and they want to use the same service their friends use. For those of us tasked with running secure environments, you have to think about where you will spend your resources. Your time is not limitless and unless you're really lucky, neither is your budget. Read it over, think on how it affects you, and in all likelihood, go back to what you were doing before.

Knowledge is power, time is money, so ....

Borrowing from physics: the integral of power over time defines the work performed. Which is a long way to go in order to say: if you put your knowledge to work, you save (or make) money during that time. In this case, knowledge of how to handle basic security situations, put into the hands of your staff and put to use, will save LOTS of time and money down the road.

This company http://www.knowbe4.com/ takes the (sadly) unusual (in the IT world) step of addressing the root cause of many if not most security breaches: the average worker's lack of knowledge. How many times has someone held the door for you in a place that requires swipe cards to get in? Or buzzed you into a building without asking who you are and why you're there? That person is being nice and completely undoing any security usefulness of a very expensive lock. That person probably thinks they are doing nothing egregious, and depending on the location and time it likely is harmless... right up until it's not. If that person knew the math and the consequences, they probably wouldn't be so "nice". They would probably understand that this act of kindness to a stranger is misplaced and in many ways an act of sabotage to their building or office.

KnowBe4 works with staff to train them in how to think about security, to avoid phishing scams and even spear phishing attacks. I have not had the opportunity to work with them, as they are outside my current budget, but I have had long conversations with their sales people and engineers. I am impressed with the approach and track record. Check them out.

Monday, November 10, 2014

Scanning that network

Some options:

There is the master of all network scanners, Nmap, and its front end Zenmap (downloaded in the same package), on which Hak5 has done a lovely little series. But it ain't pretty, and often feels like hunting mosquitoes with a howitzer. I will admit this: with time and effort you will get more specific and more useful information from Nmap than from most other free tools. However, for your first review of your environment, it will create more confusion than clarity.

If you're on a Windows machine, there is an old but excellent Sysinternals (hey, go with people you trust, and you can't get much more trustworthy than them) tool called ShareEnum, which is part of the Sysinternals Suite. It's starting to show its age, but it's still solid (interestingly, MS says the suite was updated on 9-11-14, but this specific tool was not). It will give you the machines, shares, IPs, some ports and SNMP responses for a list of community strings.

Speaking of SNMP scanning, McAfee (I know, I know, but it's a scan tool, not an antivirus machine-killing pile of wonderfulness) makes a free and useful, if clunky looking, SNMP scanning tool called SNScan.exe which is pretty fast but really a one-trick pony.

For full network inventory, including users in your AD, machines and switches, you can use something like Spiceworks or Lansweeper. Both are free, but Spiceworks is unlimited free use; Lansweeper costs money after the first 100 "assets". As management tools go, it's inexpensive, but I'm not certain it's worth even that cost when compared with Spiceworks or a more expensive solution. The downside to Spiceworks of course is dealing with the constant marketing, but that's how they pay for the service and software you get.

Between these items, and the AngryIP Scanner I talked about earlier, you can get a good basic scan going. Of note, Lansweeper and Spiceworks will help you keep track of the scan results over time. The rest that I mentioned (well... nmap... but...) not so much.
However, making sense of that data on round one is not always so easy.

Friday, November 7, 2014

RTFM....The BOOK

I said before that Read The F*****G Manual was an important part of the basics. Well, two people in the industry with far more chops than me took that to heart and wrote it down.

Ben Clark wrote and published the Red Team Field Manual (amazon link: http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/ref=sr_1_1?ie=UTF8&qid=1415380905&sr=8-1&keywords=rtfm ). This is not a basics book. This is a book of references and tricks used by pen-testers and useful to anyone deep enough into security to be testing their environment in the same way. Again, I highly recommend the book, but not as a basic or beginner item.

Don Murdoch wrote and published the Blue Team Handbook (amazon link: http://www.amazon.com/Blue-Team-Handbook-condensed-Responder/dp/1500734756/ref=sr_1_1?s=books&ie=UTF8&qid=1415381049&sr=1-1&keywords=blue+team+handbook ). This is a more useful book to the average sysadmin because it is geared more as a how-to than as a straight-up reference. It augments your basic security understanding, specifically as it pertains to incident response. It in no way replaces a good basic foundation.

Caveat: I have not yet read either book. All my knowledge of them comes from listening to interviews with both authors. I intend to read the Blue Team book and get/use the RTFM, and I will update this post when I do.

Some Notes

It is my intention to update the blog weekly. Normal updates will have a tag of RSP (Regularly Scheduled Post) while other items that are small thoughts won't. When I can, I will go back and comment on/update old posts with new data. If the data is big enough, the update will be a post of its own. Most of this is obvious stuff, but hey, if it's not said it might be missed.

AAaaaannnnnnd....We're back

OK, three years ago I moved, thought I was going to be without a job for a while, and started a security blog to help me learn network and computer security. Immediately after starting the blog I got a job that took ALL my time and focus. And now I have moved again, but am keeping my job. In the intervening years I have learned a great deal about computer and network security. I'm going to attempt to keep a regular blog for the purpose of gathering my thoughts on the subject.

So let's start:
1) DO NOT go to security conferences until you have the basics down. (Basics to be covered next time.)
2) DO read and listen to topic-specific news on the subject daily.
3) NEVER assume or even think that you're done.

In the end, the basics are simple but HUGELY important and ridiculously time consuming. I do not claim to have them down perfectly, I do not claim to have them fully understood. I am working on them and I invite you to work along with me.

Step one: INVENTORY

Do you know what you have in your environment? Do you know what it does? What's on your network? What does your network even look like? All these things and more go into your inventory. Why? Because you can't fix or secure what you don't even know you have.

Here is how I did my first (yes, I have more than one) inventory. I happen to have a system for endpoint management already in place, but you can use something like SpiceWorks ( http://www.spiceworks.com/ ) if you have nothing else to help with all of this. It does not replace a physical inventory, but it speeds up much of the software legwork.

1) Grabbed a simple IP scanner (angryIP at the time, http://angryip.org/ ; there are better/more complete tools out there, but for a first effort it's not bad) and scanned my known network (let's say 10.0.0.1/24). Then, because I had a sneaking suspicion, I
a) scanned the entire block (10.0.0.0/8) in pieces, and
b) scanned common blocks (e.g. 192.168.0.0 and 172.16.0.0) as well.
Those steps won't necessarily provide useful information for everyone, but I did find items on the network that were not known to have connectivity before this. I exported all of it to Excel, more for the MAC addresses than the IPs, which I knew would change.
2) I did a walkabout. I walked from room to room, noting machines, network drops, equipment, APs and anything else that fell into my world. This data went into the same spreadsheet.
3) I started matching up data where I could so I could see what holes were left in my knowledge. Which MAC addresses did I not have? Which ones did I have that I could not place?
4) Servers came next: specifically, what software did I have on them? What ports did each piece of software use?
5) Then I returned to the desktops. Using my management tools, I collected a list of all installed software.
6) Switches and APs were then plotted: what connects to what, in which building and room, drop and port? What firmware versions? What OSes?
7) Firewall rules: I listed them all out and made a data flow diagram showing what inspections are made on data coming in and going out.
8) Collate and report: turning the spreadsheet and diagrams into usable data is hard and time consuming. For one thing, at this point you don't even know for certain what is important. For me, I made an install count of software. I found that certain items were installed everywhere, others in only some places, and others were one-off installs. Those lists made it much easier to find issues and make changes later on.

I made sure to list all my hardware with as much data as possible on a single sheet, then I used VLOOKUPs to create lists of hardware based on specific criteria in other sheets. This meant I only needed to update one list to get updated data in all lists. I did much of the same for software. All of this took the better part of two weeks to do properly, while handling support and maintenance duties at the same time.

Now I have given you a taste of step one. Next time I will list out all the basics as I see them. Then we will continue to talk about how I approached it, what tools I used, which podcasts and news feeds I keep an eye/ear on, and where it all goes next. Your comments and constructive criticism are very much welcome.
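As an added example (not from the original post), the MAC matching of step 3 and the install count of step 8 can be done in a few lines of Python instead of spreadsheet VLOOKUPs. The scanner export, the walkabout sheet and the per-host software lists below are constructed sample data, and their column names are assumed.

```python
import csv
import io
from collections import Counter

# Constructed sample data (not a real export): an AngryIP-style CSV of what the
# scanner found, and a hand-typed walkabout sheet. Column names are assumed.
SCAN_CSV = """IP,Ping,Hostname,MAC
10.0.0.1,1 ms,gw.example.lan,00:11:22:33:44:01
10.0.0.10,2 ms,fileserver,00:11:22:33:44:10
10.0.0.23,3 ms,[n/a],00:11:22:33:44:23
10.0.0.40,1 ms,printer-2f,00:11:22:33:44:40
"""

WALKABOUT_CSV = """room,device,mac,drop
Server closet,Gateway,00-11-22-33-44-01,A1
Server closet,File server,00-11-22-33-44-10,A2
2nd floor hall,Printer,00-11-22-33-44-40,B7
Storage,Old desktop,00-11-22-33-44-99,C3
"""

# Constructed per-host installed-software lists (what a management tool exports).
SOFTWARE = {
    "fileserver": ["Antivirus", "Backup agent", "RemoteAdmin"],
    "desk-01": ["Antivirus", "Office", "RemoteAdmin"],
    "desk-02": ["Antivirus", "Office", "GameLauncher"],
}


def norm_mac(mac):
    """Normalise scanner and hand-typed MACs to one form so they can be matched."""
    return mac.strip().upper().replace("-", ":")


def parse_scan(text):
    """Map MAC -> (ip, hostname) from the scanner export; skip rows with no MAC."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["MAC"] and row["MAC"] != "[n/a]":
            hosts[norm_mac(row["MAC"])] = (row["IP"], row["Hostname"])
    return hosts


def parse_walkabout(text):
    """Map MAC -> (room, device, drop) from the walkabout sheet."""
    return {norm_mac(r["mac"]): (r["room"], r["device"], r["drop"])
            for r in csv.DictReader(io.StringIO(text))}


def reconcile(scan, walk):
    """Step 3's two gap lists: MACs seen on the wire but not placed in a room,
    and MACs recorded on the walk but never seen live on the network."""
    unplaced = sorted(m for m in scan if m not in walk)
    not_seen = sorted(m for m in walk if m not in scan)
    return unplaced, not_seen


def install_classes(software):
    """Step 8: classify each package as everywhere / some / one-off by install count."""
    counts = Counter(pkg for pkgs in software.values() for pkg in pkgs)
    total = len(software)
    classes = {}
    for pkg, n in counts.items():
        classes[pkg] = "everywhere" if n == total else ("one-off" if n == 1 else "some")
    return counts, classes


if __name__ == "__main__":
    unplaced, not_seen = reconcile(parse_scan(SCAN_CSV), parse_walkabout(WALKABOUT_CSV))
    print("On the network, not placed in a room:", unplaced)
    print("On the walk, not seen on the network:", not_seen)
    counts, classes = install_classes(SOFTWARE)
    for pkg in sorted(counts):
        print(f"{pkg}: {counts[pkg]} install(s), {classes[pkg]}")
```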