Friday, November 21, 2014

Where to Start When Your Environment is Fucked

Lots of us have been there. You're new to an environment, they've hired you for infrastructure, security, networking, or some random odd analyst position. Whichever way it is, you come in and realize things aren't exactly where they need to be. After you get through the settling into your new desk and all the HR paperwork that keeps you busy for a full week you're ready to go. Some of you may be more proactive about this and might have gathered some intel about the company already. Which at least at that point you might get the gist that you're fucked before you even start. But honestly I love cleaning up a mess. You can't make it much worse, there is low hanging fruit a plenty, and it can be a thrill to actually get things working. Oh right! Wait! Are you on your way to compliance? Might as well throw good security practices at it and check off all the boxes on your way.

This isn't meant to be a full list, but will definitely get you started. I'll be making my personal recommendations of software, services and companies. I don't work for any of them, but I have my reasons for recommending them. If you ever have any questions, additions, or disagreements make sure to hit me up or leave a comment.

So let's start with the one you can do before starting, or hell even before applying.

1. Look for their IPs and/or domain on Shodan. It's kind of like googling your date before you go out. Except I'd rather fix and harden a thousand networks than try and change a man. If you end up seeing printers, xp workstations, telnet ports, sql servers and other horrifying things you can either run or ask for more money. You'll have your work cut out for you. I've had my issues using Shodan, but it's relatively cheap to buy credits. It seems that if you pay your searches will go through every time.

Now the rest of the steps I'll list may obviously vary depending on the state of the environment when you come into it. But I've found that (so far) going in this order yields decent results. Many people talk about how to get upper level management buy-in. My thought on this is that C-levels are still people too. Stop looking at them like they are rockstars or that they are out of touch with the company. There is no reason why you shouldn't just go and strike a conversation up with them about security and the importance of it. Of course try not to spout FUD all over the place when explaining it to them, but honestly security (or the lack of it) is scary!!!!

So what do you do when you get there?

1. Get buy-in - Not too difficult. Especially if you've found interesting things in your Shodan searching. Being able to tactfully let them know they are fucked is a good step. Don't stop there though. You had better have some good "what now" items to present them with as well. The other articles that I wrote about security on a budget are good places to start. I mean look at it from their perspective. Blue teaming is NOT their cash cow. Why should they spend money on security infrastructure if it doesn't improve their bottom line? Ooooh, but WAIT!! What happens when their revenue stream is compromised? Blue teaming is a huge component to cost avoidance.

2. Implement the free & easy stuff!!!
          - If you still need buy-in, download a trial of your favorite vulnerability scanner and scan all the things!!!! Giving a pretty report of lots of critical and high items on your list will help out tremendously as well.
          - Best practices for GPOs
http://www.grouppolicy.biz/best-practices/
http://www.infoworld.com/article/2609578/security/the-10-windows-group-policy-settings-you-need-to-get-right.html
http://www.giac.org/paper/gsec/4138/group-policy-security-risks-practices/104227
A lot of the changes will cause growing "groaning" pains as they are made. Like stronger password policies, no cached credentials, windows firewall settings, and making changes to local system/service accounts.
          -  Set local admin account passwords - http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
          - Reduce the amount of people in Domain Admins. No one should be logging into their desktop as a domain admin. Ever. Period.
          - Fix everything listed here. Just do it.... http://blog.spiderlabs.com/2013/09/top-five-ways-spiderlabs-got-domain-admin-on-your-internal-network.html
          - Implement EMET - Dave Kennedy has a great article on pushing it out domain wide. https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/
          - Disable telnet, logins over http, plain text passwords, open wi-fi, sslv3, no-shut ports that are unused, & setup port security.
          - Setup centralized logins for network devices. Use TACACS+ or radius
          - Setup urlscan on IIS servers http://www.iis.net/downloads/microsoft/urlscan
          - Setup bitlocker on laptops. This is a must if you have any chance of that laptop containing sensitive data that could be detrimental to your organization.
          - Network device configuration backups. Rancid works just as well as most of the paid ones. If you already have something that handles this then go for it and use that.
          - Install some pentesting flavor of linux and pop a box (obviously with written pre-approval). Yes this is a more advanced step and requires someone to sign off on it, but giving them their information on a white platter is another good step to gain some buy-in.
          - Patch your *nix boxes. If they were vulnerable to heartbleed (CVE-2014-0160) regenerate your SSL keys.

If this doesn't give you some sort of I.T. budget by now, I'm sorry. But if it does keep reading... well honestly I expect you to keep reading anyways... because I said so (in my mom voice).

3. Policies

Yea, I know.... NO ONE enjoys writing and creating policies. You have to talk to people and *shudder* collaborate. But you truly and honestly need them. Politics is a necessary evil and also there are several governing bodies that require certain policies. I am not a C-level anything by any means or even a management type person but it does take collaboration between the two to make policies that work and can be enforced.
          - http://www.sans.org/security-resources/policies/ TA DA - Take 'em and edit as you please. The SANS templates take the grunt work out of it and allow you to not spend all of your time trying to come up with the right way to say what you want to say.
          - Find out if you are required to comply to any governing body. PCI, SOX, GLB, etc. Checking boxes sucks, but it's got to be done.
          - Find out what is important to your organization. You need to make sure the right information is being protected.

4. Segmentation
          - For the love of God have a DMZ... BEHIND a firewall even. Have a firewall between that DMZ and the inside of your network also. Limit the amount of devices in your DMZ to devices that the internet needs access to. People and bots will be banging against these boxes and trying their best to get a foothold. Don't let that foothold be the end of your LAN.
          - Vlans and more vlans. While having seperate vlans is not a fool proof plan, it is part of the process. Having different silos for different purposes will help eventually for incident response, give you the capability to create ACLs between them, and if you are unfortunate enough to get a virus or botnet, it makes them less damaging.

6. Show me the $$$$$
          - Get a vulnerability scanner for realz. I am partial to Nessus. They also have just come out with PVS (Passive Vulnerability Scanner) that is pretty cool and gives you a real time view of what's going on over the wire.
          - Proper IDS/IPS/SIEM. I'm not too much of an expert on this. I've seen some implemented wonderfully and I've failed at implementing one before. I know it's needed but they need fine tuning and quite a bit of work to get them perfect. Make sure you are logging successful logins as well. If you see several failed and a successful (especially on off hours) that's a big blinky sign that you should catch.
          - Professional penetration testing. Hire a company the realizes the differences between a vulnerability assessment and a penetration test. I'm partial to TrustedSec, but Accuvant and Rapid7 are also both good companies as well.
          - Ideally all remote connections should require Two-factor. You should also follow the least-privilege rule with remote users. Check out Duo Security. It's a great company and they have some amazing support staff and engineers.

7. Extra stuff
          - If you need IP address management (IPAM) take a look at GestioIP. I've set it up and it works like a charm.
          - You had better not have your shared passwords stored in plain text. Get a password safe, or many. Free or paid they are worth it. If you're looking for enterprise level password safes, look at Thycotic (they have genius marketing as well)

Monday, November 10, 2014

Security Measures on a Budget - Part 3

In this article I want to cover what you and your team can do for your application security. Chances are you don’t write your own software packages, and if you do I’m not sure I can help you much! There are still plenty of measures that you can take to ensure that you’re buying a good product, the products that you currently have are secure, or ways that you can secure applications that you already possess. There are certain sets of application security rules. Some that pertain to web applications, others that pertain to writing secure code, and more that are still being worked on and directed. I’ll go over some of them here as well as some software hardening guides for applications.
OWASP otherwise known as the Open Web Application Security Project (http://owasp.org) is one of the largest collaborations of application security practices and guidelines. “Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.” They publish a great guide called the OWASP top 10. Which lists the top ten most common web vulnerabilities and how to go about combatting them. If you are looking at getting a web application or hosting one in the cloud, it’s always a good sign if the engineers on the project know about OWASP or have hardened their application to those standards. They cover such a wide area of views on this topic as well. From secure coding practices, to CISO communications and planning initiatives, to local chapter meetings, and some great literature and classes.
Another organization that is near and dear to my heart is called I Am The Cavalry (http://iamthecavalry.org). I currently volunteer for them as well. They are a somewhat newer organization and they are working on building information security frameworks into public infrastructure from the ground up. They are currently focusing mostly on the automotive industry, but are also making headway into healthcare devices, critical infrastructure, and other embedded systems. One of the practices that they would like to implement is a guide on secure software purchases. I had originally joined due to the fact that working in healthcare I would see a lot of different software packages and you realize how poorly written and configured the majority of them are. I love the passion that the organizers had and I wanted to help with their initiative.
In a less security conscious environment it would be much easier to look at the bells and whistles of what a software can do, and less on what a malicious person could do with it. This isn’t just an anomaly in healthcare software and devices, it affects every industry. When you look at a software package things like price per user, licensing fees, hardware costs, administrative overhead, and the like all usually come into play. There is so much more that should be assessed before spending a good part of your budget on a software that you might be building your company up with. Here is a good basic list to start with as a checklist for when you are working with your software vendors:
                    1.        The use of Java:
                                1.1.        Java on workstations is extremely exploitable. The less you have it in your environment the better. Vendors will sometimes not only require it, but require outdated, unsupported versions of it. This is usually a deal breaker for me.
                    2.        Firewall rules:
                                2.1.        While the local workstation/server software firewall isn’t the end-all-be-all of PC security, it does definitely help. Don’t let the software vendor tell you that you need it turned off.
                                2.2.        Small exceptions are fine. Find out what port or .exe needs allowed through.
                    3.        Anti-virus:
                                3.1.        Lots of people in the infosec industry say that anti-virus is dead. There are so many malware and rookits out in the wild that it doesn’t matter. But I believe it does.
                                3.2.        Security is a process, and processes have lots of moving parts. A/V should not only be installed on all of your endpoints, but it should be running scheduled and live scans as well.
                    4.        Windows Updates:
                                4.1.        Make sure you know who’s responsibility it is to keep the workstations/servers/appliances up to date. It’s very painful if the software company has a difficult approval process for updates.


            Whatever software you have implemented in your organization, chances are there is a good hardening guide out there for it. Particularly vulnerable applications include Wordpress, IIS, Apache, & Exchange (as well as every other mail server platform). If you have any specific questions feel free to reach out to me on twitter @infosystir.

Saturday, November 8, 2014

Security Measures on a Budget - Part 2

    In my last article I covered some places that you can find good best practice guides as well as some of the organizations that provide these guides. In this second part of Security on a Budget I’ll go over some good networking practices that you may not currently be doing. I can not stress how important best practices are, especially in security. These security holes are some of the first things that criminal attackers will look for, and what will show up as high risk on a vulnerability assessment. Unfortunately they are also common practice on many types and sizes of networks. There always comes a point when a business has to take calculated risks. But sometimes you don’t even have a way of calculating the risks because of so many unknowns. Rest assured all best practices mentioned here should be adhered to.
    The first thing I’ll go over is network segmentation. Having a broad flat network without any physical firewall separation is a bad practice, and fixing it is relatively cheap to accomplish. Not only should you put firewalls in place between your internet facing devices/servers (DMZ), but also between key portions of your network, can create a good security posture if implemented correctly. One of the best ways to implement a firewall in an already existing environment is to put the firewall inline so it can see all the traffic, and then start creating restrictive rules. The least privilege is always a best practice. This step allows only the devices that are authorized to pass network traffic to certain points. Along with the addition of firewalls one can segment with vlans as well. Vlan1, the default vlan,  should not be a production vlan. Different types of devices can also be segmented off into their own vlans with access lists between them. While access lists are very helpful and also free, they should be used in addition to the firewalls.
    Something that is free and very easy to accomplish, is turning on port security as well as disabling switch ports that are not in use. Port security, when enabled, will automatically disable a switch port if one device is unplugged and replaced with another. These both prevent malicious people or potentially infected devices from being plugged into your network without the proper security scanning and vetting. It is a good security measure to perform virus and vulnerability scans on equipment before it is attached to your network. I have seen on multiple occasions, computers or equipment ship from a vendor already infected with malware and viruses. A tool that can help out with streamlining changes such as this is Rancid. Rancid (http://www.shrubbery.net/rancid/)  can not only save backups of your switch and router configuration, but it can also push changes such as this to cut down on time spent logging into each device and manually typing out commands. Automation tools like this can be extremely powerful and should be used on a test environment if you are unsure of the effects.
    Another piece of free software is Netdisco (http://www.netdisco.org). You can download it as a virtual machine and there is little setup needed to get it up and working in your environment. It is a network reporting tool that will keep track of all MAC addresses, IP addresses, Vlans, manufacturers, and the like on your local area network. It is all web based and very easy to use and gather reports from. It will also let you know what versions of firmware are on your switching and routing infrastructure. Speaking of firmware, updating the firmware on all infrastructure devices is also best practice. As well as changing default snmp community strings, setting your idle timeouts, and creating complex passwords. An authentication manager such as TACACS+ can provide you with centralized authentication if your hardware supports it.

Security Measures on a Budget - Part 1

Talk to a security vendor and they’ll try to sell you the moon to secure your network, data, email, and everything else. But what are you already doing to strengthen your security posture without breaking your budget? I believe that it’s always best to try the free tools and resources first. Not only will it give you experience and insight into what is out there, but you may also find one of the many great solutions out there. This four part series of articles will go over what you can do with free or budget friendly items to get as far as you can on a mission to a better security posture. First we’ll focus on reasons why and some good places to find information as well as good starting points for finding best practice guides, next network security, then on application security, and finally on windows security.

“Many attacks on Internet and network systems have no particular target. The attacker simply sends a large broadcast that uses any unprotected system as a staging point from which to launch an attack. Using computers without basic protections like firewalls, anti- virus software, and user education not only affects your own business, but many other businesses as the virus is spread around the Internet.
Your system’s lack of protection makes you a target: it can destroy your computer, your network, and can contribute to a virus distribution that slows or halts portions of the Internet. All of us who use the Internet have a responsibility to help create a culture of security that will enhance consumer and business confidence. But most importantly, failing to heed best practice advice could hurt your company significantly” -  Internet Security Alliance Guide1

The ISA is a great resource for articles and publications on information security best practices. Attackers will always be attempting to get in.

Whether it’s a targeted attack, or your network just falls in the mix with a larger list around the world. Best practices across your infrastructure go a long way in preventing the broad automated attacks. Here are a couple daily reads good for any size business:
1. http://isc.sans.edu - The Internet Storm Center was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.2
2. http://dashboard.csoonline.com - This dashboard combines some of the more important feeds from around the internet combined all into one easy to read format. It includes some industry specific feeds as well as provides a good quick overview on daily security happenings.


1. http://bit.ly/UbyO2q
2. https://isc.sans.edu/about.html

Vulnerability Assessments and Penetration Tests: The differences and why you need both

It’s 2014. There is so much data out there. How much are you responsible for? If you own data and it rests under your control you are at risk, it’s as simple as that. What are you actively doing to mitigate those risks or report on them? Two very important additions to any security planning would be Vulnerability Assessments and Penetration Tests. While both can teach you a lot about the weak spots in your infrastructure they are both equally different and important.
A Vulnerability Assessment (VA) will show you all of the places on your network that are susceptible to attack due to improper configuration, missing patches, or unsupported software. You should expect to end up with a list of vulnerabilities listed from most to least critical. This list will help you prioritize items that need remediated in your network and applications. Common findings include missing windows or adobe/java patches, insecure passwords, improper IIS/apache or SQL configurations. The report may also include recommendations on network changes including restructuring and segmentation.
 Many different organizations are required to have VAs from Approved Scanning Vendors (ASV’s) to be considered compliant. PCI DSS, HIPAA, & SOX are some of the standards that require compliance, depending on your business model you may fall under one or more. With a little work, running your own VA scans are something that should be done. While running them yourself doesn’t qualify towards compliance, it is still a good idea to perform tests between ASV’s coming out on site. Some of the most popular scanning packages are Nexpose, Nessus, Qualys, and Burp Suite. With a little research and the approval from your organization you can go a long way with preventative steps between VAs.
A Penetration test (pentest) is a simulation of an internal or external (or both) attack on your network. There is usually a goal in mind, like accessing a company database, modifying or capturing files, or accessing key infrastructure. The deliverable for this test would be a report of how your system was breached, what was able to be accessed, and what can be done to remediate. If something shows up on a Vulnerability Assessment, it can be used by an attacker in some fashion. One other thing that can be leveraged during a pentest is probably one of the weakest elements in your organization, the human element. Things such as phishing (fake emails) , pretexting (fake calls) , tailgating (following people into secure areas), and the like can be used to gain access to areas or systems that don’t even have a technical vulnerability. 
You can consider a Penetration Test like a fire drill compared to the Vulnerability Assessment which is more of a building inspection. While both are giving you a better look into the security of your network they are equally different and important. If you haven't yet, I highly suggest contacting an information security company and scheduling one.