
Friday, November 21, 2014

Where to Start When Your Environment is Fucked

Lots of us have been there. You're new to an environment; they've hired you for infrastructure, security, networking, or some random odd analyst position. Whichever it is, you come in and realize things aren't exactly where they need to be. After you get through settling into your new desk and all the HR paperwork that keeps you busy for a full week, you're ready to go. Some of you may be more proactive about this and might have gathered some intel about the company already, in which case you might get the gist that you're fucked before you even start. But honestly, I love cleaning up a mess. You can't make it much worse, there is low-hanging fruit aplenty, and it can be a thrill to actually get things working. Oh right! Wait! Are you on your way to compliance? Might as well throw good security practices at it and check off all the boxes on your way.

This isn't meant to be a full list, but it will definitely get you started. I'll be making my personal recommendations of software, services and companies. I don't work for any of them, but I have my reasons for recommending them. If you ever have any questions, additions, or disagreements, make sure to hit me up or leave a comment.

So let's start with the one you can do before starting, or hell, even before applying.

1. Look for their IPs and/or domain on Shodan. It's kind of like googling your date before you go out. Except I'd rather fix and harden a thousand networks than try and change a man. If you end up seeing printers, XP workstations, Telnet ports, SQL servers and other horrifying things, you can either run or ask for more money. You'll have your work cut out for you. I've had my issues using Shodan, but it's relatively cheap to buy credits. It seems that if you pay, your searches will go through every time.

Now the rest of the steps I'll list may obviously vary depending on the state of the environment when you come into it. But I've found that (so far) going in this order yields decent results. Many people talk about how to get upper-level management buy-in. My thought on this is that C-levels are people too. Stop looking at them like they are rockstars or like they are out of touch with the company. There is no reason why you shouldn't just go and strike up a conversation with them about security and the importance of it. Of course, try not to spout FUD all over the place when explaining it to them, but honestly security (or the lack of it) is scary!!!!

So what do you do when you get there?

1. Get buy-in - Not too difficult, especially if you've found interesting things in your Shodan searching. Being able to tactfully let them know they are fucked is a good step. Don't stop there though. You had better have some good "what now" items to present them with as well. The other articles that I wrote about security on a budget are good places to start. I mean, look at it from their perspective. Blue teaming is NOT their cash cow. Why should they spend money on security infrastructure if it doesn't improve their bottom line? Ooooh, but WAIT!! What happens when their revenue stream is compromised? Blue teaming is a huge component of cost avoidance.

2. Implement the free & easy stuff!!!
          - If you still need buy-in, download a trial of your favorite vulnerability scanner and scan all the things!!!! Giving a pretty report of lots of critical and high items on your list will help out tremendously as well.
          - Best practices for GPOs:
            http://www.grouppolicy.biz/best-practices/
            http://www.infoworld.com/article/2609578/security/the-10-windows-group-policy-settings-you-need-to-get-right.html
            http://www.giac.org/paper/gsec/4138/group-policy-security-risks-practices/104227
            A lot of the changes will cause growing "groaning" pains as they are made, like stronger password policies, no cached credentials, Windows Firewall settings, and changes to local system/service accounts.
          - Set local admin account passwords - http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
          - Reduce the number of people in Domain Admins. No one should be logging into their desktop as a domain admin. Ever. Period.
          - Fix everything listed here. Just do it.... http://blog.spiderlabs.com/2013/09/top-five-ways-spiderlabs-got-domain-admin-on-your-internal-network.html
          - Implement EMET - Dave Kennedy has a great article on pushing it out domain wide. https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/
          - Disable Telnet, logins over HTTP, plain text passwords, open Wi-Fi, SSLv3, and unused ports that are left no-shut, and set up port security.
          - Set up centralized logins for network devices. Use TACACS+ or RADIUS.
          - Set up UrlScan on IIS servers - http://www.iis.net/downloads/microsoft/urlscan
          - Set up BitLocker on laptops. This is a must if there is any chance of that laptop containing sensitive data that could be detrimental to your organization.
          - Network device configuration backups. Rancid works just as well as most of the paid ones. If you already have something that handles this, then go for it and use that.
          - Install some pentesting flavor of Linux and pop a box (obviously with written pre-approval). Yes, this is a more advanced step and requires someone to sign off on it, but giving them their information on a silver platter is another good step to gain some buy-in.
          - Patch your *nix boxes. If they were vulnerable to Heartbleed (CVE-2014-0160), regenerate your SSL keys.
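
Once you have config backups, the "disable Telnet, HTTP logins, plain text passwords, set up port security" item can be checked instead of eyeballed. The script below is an added example, not something from the tools linked above; it assumes Cisco IOS-style syntax (the post names no vendor), the sample config is constructed, and it only sees settings written explicitly in the config, not device defaults.

```python
import re

# Constructed IOS-style config (sample input, not from a real device).
SAMPLE_CONFIG = """\
enable password letmein
username admin password 0 hunter2
username ops secret 5 $1$abcd$constructedhashvalue
ip http server
ip http secure-server
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 switchport mode access
 shutdown
line vty 0 4
 transport input telnet ssh
"""
TELNET = re.compile(r"transport input\b.*\b(telnet|all)\b")

def split_blocks(config):
    """Group indented sub-commands under their parent line."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    findings = []
    for head, body in split_blocks(config):
        words = head.split()
        if head == "ip http server":  # cleartext web management login
            findings.append("http-login: " + head)
        if re.match(r"(enable|username \S+) password\b", head):  # not "secret"
            findings.append("weak-password-storage: " + " ".join(words[:2]))
        if head.startswith("line vty") and any(TELNET.match(c) for c in body):
            findings.append("telnet: " + head)
        if head.startswith("interface ") and "switchport mode access" in body:
            # An access port that is up should at least have port security.
            if "shutdown" not in body and "switchport port-security" not in body:
                findings.append("no-port-security: " + words[1])
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Findings name the offending line or interface but never echo the password itself, so the report is safe to paste into a ticket.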

If this doesn't give you some sort of I.T. budget by now, I'm sorry. But if it does keep reading... well honestly I expect you to keep reading anyways... because I said so (in my mom voice).

3. Policies

Yeah, I know.... NO ONE enjoys writing and creating policies. You have to talk to people and *shudder* collaborate. But you truly and honestly need them. Politics is a necessary evil, and there are also several governing bodies that require certain policies. I am not a C-level anything by any means or even a management type person, but it does take collaboration between the two to make policies that work and can be enforced.
          - http://www.sans.org/security-resources/policies/ TA DA - Take 'em and edit as you please. The SANS templates take the grunt work out of it and allow you to not spend all of your time trying to come up with the right way to say what you want to say.
          - Find out if you are required to comply with any governing body. PCI, SOX, GLB, etc. Checking boxes sucks, but it's got to be done.
          - Find out what is important to your organization. You need to make sure the right information is being protected.

4. Segmentation
          - For the love of God have a DMZ... BEHIND a firewall even. Have a firewall between that DMZ and the inside of your network also. Limit the number of devices in your DMZ to devices that the internet needs access to. People and bots will be banging against these boxes and trying their best to get a foothold. Don't let that foothold be the end of your LAN.
          - VLANs and more VLANs. While having separate VLANs is not a foolproof plan, it is part of the process. Having different silos for different purposes will eventually help with incident response, give you the capability to create ACLs between them, and, if you are unfortunate enough to get a virus or botnet, make it less damaging.

6. Show me the $$$$$
          - Get a vulnerability scanner for realz. I am partial to Nessus. They also have just come out with PVS (Passive Vulnerability Scanner), which is pretty cool and gives you a real-time view of what's going on over the wire.
          - Proper IDS/IPS/SIEM. I'm not too much of an expert on this. I've seen some implemented wonderfully and I've failed at implementing one before. I know it's needed, but they need fine tuning and quite a bit of work to get them perfect. Make sure you are logging successful logins as well. If you see several failed logins and then a successful one (especially during off hours), that's a big blinky sign that you should catch.
          - Professional penetration testing. Hire a company that realizes the difference between a vulnerability assessment and a penetration test. I'm partial to TrustedSec, but Accuvant and Rapid7 are both good companies as well.
          - Ideally all remote connections should require two-factor. You should also follow the least-privilege rule with remote users. Check out Duo Security. It's a great company and they have some amazing support staff and engineers.
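
The "several failed and then a successful" sign from the IDS/IPS/SIEM item, written out as detection logic. This is an added example, not part of the original post or any product named in it: the events are constructed, the `timestamp,event_id,account,source` layout, the 10-minute window, the threshold of 3 and the 07:00-19:00 weekday work hours are assumptions to tune, and input is assumed sorted by time. 4625 and 4624 are the Windows Security log IDs for failed and successful logons.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = "4625", "4624"   # Windows Security log: failed / successful logon
WINDOW = timedelta(minutes=10)     # assumed tuning value
THRESHOLD = 3                      # assumed meaning of "several" failures
WORK_HOURS = range(7, 19)          # assumed business hours, Mon-Fri

# Constructed sample events: timestamp,event_id,account,source
SAMPLE = """\
2014-11-20T09:01:10,4625,jsmith,10.1.4.22
2014-11-20T09:01:40,4624,jsmith,10.1.4.22
2014-11-21T02:13:05,4625,svc_backup,10.1.9.77
2014-11-21T02:13:09,4625,svc_backup,10.1.9.77
2014-11-21T02:13:14,4625,svc_backup,10.1.9.77
2014-11-21T02:13:20,4625,svc_backup,10.1.9.77
2014-11-21T02:14:02,4624,svc_backup,10.1.9.77
2014-11-21T10:30:00,4625,mjones,10.1.4.30
2014-11-21T10:30:05,4625,mjones,10.1.4.30
2014-11-21T10:30:09,4625,mjones,10.1.4.30
2014-11-21T10:55:00,4624,mjones,10.1.4.30
"""

def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in WORK_HOURS

def detect(lines):
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for line in lines:
        stamp, event_id, account, source = line.strip().split(",")
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        fails = recent[account]
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()       # drop failures that aged out of the window
        if event_id == FAILED:
            fails.append(ts)
        elif event_id == SUCCESS:
            if len(fails) >= THRESHOLD:
                alerts.append({"account": account, "source": source, "time": stamp,
                               "failures": len(fails), "off_hours": off_hours(ts)})
            fails.clear()         # a success resets the streak
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

Only svc_backup alerts here: jsmith's single typo stays under the threshold, and mjones's failures have aged out of the window by the time the login succeeds.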

7. Extra stuff
          - If you need IP address management (IPAM) take a look at GestioIP. I've set it up and it works like a charm.
          - You had better not have your shared passwords stored in plain text. Get a password safe, or many. Free or paid, they are worth it. If you're looking for enterprise-level password safes, look at Thycotic (they have genius marketing as well).
