Thursday, May 21, 2015

Security Measures on a Budget - Part 4

Microsoft security, everyone’s favorite topic to poke fun at. For both offense and defense it is our job security, the bane of our existence, and sometimes an unobtainable goal. Whether we like it or not, Windows Server and desktop environments have their roots sunk deep into the infrastructure of the corporations and homes of the world, and we must learn how to actively manage Windows environments without letting them get away from us. How many of you can say that your home or work environment has completely removed deprecated operating systems? XP reached end of life on April 8th, 2014, and extended support for Windows Server 2003 ends this July (https://support.microsoft.com/en-us/lifecycle/search/default.aspx). Just please do not tell me that you have anything older than that on your network. I know there is a good chance that you do; just don’t tell me about it. Some of the things that are out there on the internet are scary enough: old Windows 3.1 boxes, IP cameras, electrical control systems and more. HD Moore has a great talk about the scan of the internet that he performed over the whole of 2012 and the data he collected on internet-facing systems (https://youtu.be/VuYi7gVy3dI), which includes a large number of Windows systems.
It is extremely hard to tell companies “Just patch/upgrade everything to where it needs to be”. I realize it is not that simple. You may have business-critical applications that only run on deprecated operating systems, the newest OS may not run on hardware that you do not have the budget to replace, or maybe you just don’t have the time. Honestly, in the mind of someone in information security most of these are just excuses: you are putting convenience, money, and time before protecting your critical assets. In an upcoming article I’ll cover asset and risk management; it is not something many do right, but it is one of the most important planning strategies that you can have.
Moving away from the obvious upgrades to a current OS and software, there are still many low-cost or free enhancements that you can make in Windows to create a more secure environment. Many can be accomplished via Group Policy (if you are in fact on an Active Directory domain). Here are some links that I’ve always relied on and pointed others to for reference:

Best practices for GPOs (Group Policy Objects)
http://www.grouppolicy.biz/best-practices/
http://www.infoworld.com/article/2609578/security/the-10-windows-group-policy-settings-you-need-to-get-right.html
http://www.giac.org/paper/gsec/4138/group-policy-security-risks-practices/104227

Defend your Active Directory
https://youtu.be/uccM2xtE5SA - “Active Directory: Real Defense for Domain Admins”

Set local admin account passwords
http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx

Reduce the amount of people in Domain Admins. No one should be logging into their desktop as a domain admin. Ever. Period.

Fix everything listed here. Just do it
http://blog.spiderlabs.com/2013/09/top-five-ways-spiderlabs-got-domain-admin-on-your-internal-network.html

Implement EMET
Dave Kennedy has a great article on pushing it out domain wide. https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/

Set up UrlScan on IIS servers
http://www.iis.net/downloads/microsoft/urlscan

Set up BitLocker on laptops.
This is a must if there is any chance of that laptop containing sensitive data that could be detrimental to your organization.

A few of these changes will cause growing pains as they are made; others not so much. Stronger password policies can cause the user populace to come after you with pitchforks if it’s not something you have ever needed to change before. Disabling cached credentials, Windows Firewall settings, and changes to local system/service accounts can all change processes in ways that not many people will be happy with. I’m not saying it’s easy, but these should all be part of your overall security no matter how small or large your company happens to be.

Tuesday, May 5, 2015

Quit your bitching and get back to work

Regarding @tableflipclub

I normally wouldn't give this stuff a second glance. More girls bitching about unfair pay/opportunities. But since you asked here we go.

Do I believe them?
     I border on the line between not wanting to give a fuck about what they are saying and trying to believe that there is that much of an abundance of these types of companies out there. Because honestly I haven't had any bad experiences like they are referring to that have kept me down. They mention mediocre men whizzing by them, being called "shrill", "abrasive", and "hard to work with". It's hard to put yourself in someone else's shoes when you haven't had those types of experiences before. Taking that sort of "fuck this I'm out of here" attitude without being skeptical is really difficult. I've had many mediocre people whiz by me. Be it because of shitty management, people knowing how to bullshit, who they knew, or maybe because I didn't like my job and was being more mediocre than they were. Because we're in a male-dominated industry, of course an abundance of them are going to be men.
     Maybe you are difficult to work with. Lots of people are. There are three categories that I put people in to be able to stand working with them.
1. Kick ass technically, but an absolute jerk with no other qualities.
2. An amazing person, nice, polite, hard worker, but doesn't know how to do shit.
3. Half way between (or on the rare occasion both) 1 & 2.

If you aren't one of these three, I wouldn't want to work with you either.

Opinions are like assholes, everyone has one:

     We all have opinions and views that are based on where we've been in life, what we've seen, and the attitude we bring to the table. I've always been drawn to typical male job roles. The reason why is a whole other story for another day. My personal experiences have shaped my work ethic, my drive, and how I see the world. I was raised on a farm in the middle of nowhere, had a job at an orchard starting at 12, on a farm at 14, Tractor Supply after that, a couple more male-dominated roles, and then into I.T. ALL of which were male-dominated roles.
     What drew me to them was the lack of utter bullshit that large groups of women seem to spew out when all together. Yea boys can be dramatic, but it doesn't last, they don't hold grudges about stupid stuff, and I find them more pleasant to work with. Have I gotten paid less than my male counterparts? Sure I have, I know that for a fact. It's also a fact that men are more aggressive by nature, ask for more raises, take riskier career moves, and other things that would advance them faster than females would.
     So what did I do when I knew I was getting paid less than a male counterpart? I worked with my company to find out why. It wasn't because he was male btw (surprise surprise). They had offered to pay me equal, maybe a bit more. But it was still not as good as the next company. The previous year had helped shape me as a person even more, and I had grown technically. So I left, and let them know why. It wasn't because I was a girl, it was because they couldn't pay me as well as the next place.


My thoughts on sexism:

I already kind of summed them up here http://infosystir.blogspot.com/2014/08/soapbox-rant-sexism-bsideslv-bonehenge.html

It's really on my ideas of sexism in general, not so much as growing and achieving more in the workplace. But it still helps put some of my thoughts forward.


Why this type of movement annoys me:

     Quit your bitching and whining. Put your big girl panties on and get to work. Have you ever thought the reason you aren't moving up fast enough or getting paid more is because you do shitty work and need to try harder? Or maybe you really do work for a fucking horrible company, well leave and find one that treats you well. Don't ostracize everyone for the mistakes of a few. People that gravitate towards these type of movements are usually people I can't stand. Whiny, annoying, gen-x, "I deserve it because it's me" type people.
     Have I been called sexist before? Sure I have...people have tried to dox me because of being silly or not caring about the same things as them. But at the end of the day I'm the happy and content one. I don't let things get me down (too much anyways). Life isn't fair and I never forget it. But if I stop being content and happy, I change what needs to be.

I like how Georgia said it best "Do good work, speak at events, mentor young girls who are interested in tech, do anything besides just bitch about how oppressed you are please!"

Monday, February 23, 2015

The Path to Fixing Security Awareness Training

Introduction
We all know that user education and security awareness as a whole is broken in its current state. What can we do to strengthen our weakest link, people? How can we demonstrate, with the right type of metrics, that we are successfully implementing change and producing a more secure line of defense? We treat information security defense as a process, and we preach defense in depth. A large portion of the information security industry is focused on perimeter security. However, we are beginning to see a shift from strictly data-level protection toward user-level security and reporting. The security-as-a-process and defense-in-depth mentality must be filtered down and implemented in our user training.

Broken Processes

“The reason that most Security Awareness Training programs fail is because they are TRAININGS…. not Education.”[1]

Experience and time in the industry show that the Computer Based Trainings (CBTs) organizations require their employees to complete annually (or sometimes more often) are comparable to a compliance check box. It is a broken process. The employee is required to complete and pass the training for continued employment; once that is done the knowledge is either forgotten or greatly reduced. One of the largest proven gaps occurs when the end user does not carry the information forward into their day-to-day working lives as they should, which is a large disconnect exactly where it means the most. The decay of knowledge that is never revisited is described by the Ebbinghaus Forgetting Curve. Repetition based on active recall has been demonstrated as effective in other areas for counteracting the curve and is therefore the foundational design such awareness programs should be based on.

“...basic training in mnemonic techniques can help overcome those differences in part. He asserted that the best methods for increasing the strength of memory are:
  1. better memory representation (e.g. with mnemonic techniques)
  2. repetition based on active recall (esp. spaced repetition).”[2]



Bridging the Gap
Repetition is a proven way to bridge the gap between compliance, teaching our users real-life skills, and helping secure the infrastructure we are responsible for protecting. It is best implemented with a comprehensive hands-on phishing and awareness rewards program. A full program design will provide a maturity that the CBTs have not. While they are a good value add and can be used to reinforce real-life scenarios, relying on them as the primary means of security awareness training will not provide value or insight into the first line of defense. By consistently reinforcing the CBTs with a custom-built awareness program you increase the end user’s skills and boost the organization’s immunity to phishing and social engineering.

Building Your Own Program
Building a mature and strategic program from the ground up is achievable with executive support and cultural alignment. An awareness program need not equate to thousands of dollars spent on creating flashy presentations and brown bag luncheons to draw crowds. Teaching by example and rewarding for good behavior is what will improve upon the user’s awareness.

“The point has never been to make everyone experts in security, it has always been to arm the employees with basic knowledge so that in the event something out of the ordinary occurs, it may help notify the security team.” [3]

An important takeaway and key point to remember is that it is not the employee’s responsibility to tell a real phish from ordinary spam, or to hover over every link in an email before clicking. It is our job to have a program that is open enough and easy enough for them to report abnormalities when something is not quite right.

1. Establish Objectives

The direction of an organization’s security awareness program should be tailored and reassessed periodically. With a constantly changing threat landscape, maturing user understanding, and a progressing industry, the objectives should be thought of as a moving target. An objective one year of fewer malware removals on desktops may mature into increased reporting of phishing/vishing attacks. However, an overly aggressive set of objectives can result in a failed or unrealistic program. Concentrating on one or two achievable objectives at the start of a new program lets you accomplish a specific goal; the target can then be adjusted periodically to reflect the maturity of the organization and the program.

2. Establish Baselines

Many organizations do not have formal security awareness training, so establishing a baseline should begin with a live fire exercise testing the skills and real world knowledge of a good subset of your users. Having a realistic outlook on where your security posture stands in relation to not only technical baselines, but also cultural norms should be standard practice. It is important to know how the users currently respond to threats and irregularities. Establishing an engagement with a certified and skilled penetration testing company can help you baseline these responses. By having a third party assess the skills of your users with professional phishing campaigns you will gain valuable insight into data that you may currently not have.

3. Scope and Create Program Rules and Guidelines

When the user or employee is being treated essentially as a customer, rules and guidelines should be well thought out and strategized. Miscommunications will only impede the learning process, making succeeding with the program more difficult. Align the rules to be consistent with the organization’s culture to have a higher adoption rate. Having multiple levels of input will enable you to have clear and concise program instructions and rules leading to an easier implementation.

4. Implement and Document Program Infrastructure

You are taught in driver’s education to wear your seat belt, look both ways, and adjust your mirrors. The first time you have a close call or even worse a real accident, you now have a real world experience that your mind falls back on each time you make a decision. It is the same with security awareness. The shock of the accident now gives the employee pause when future emails show up that may look a little odd and out of place. Afterwards the training teaches them what could possibly be at risk when they click through the illegitimate link. Setting up the phishing attacks to automatically redirect to a website that aligns with the program theme will create a connection between real life events and the message being presented for education.

5. Positive Reinforcement

One of the most important parts is letting them know that it is ok that they fell victim to the attack.  This must be a consistent message throughout the education material. The more comfortable the user feels reporting the incident, the more cooperation and adoption you will witness. Assure the user that it will always be better coming from an internal training attempt than a real phishing attack, and practice makes perfect. The training should include what to look for, and more importantly how to report something abnormal. With a great first line of defense and solid Incident Response (IR) procedures, you will be far better off securing the human element, the weakest security link.

6. Gamification

Gamification means applying game principles to a situation. The simplest definition of those principles is: 1) goal establishment, 2) rules, 3) feedback, and 4) voluntary participation.[4]

Being able to reward good behavior is an essential part of the program as well. Employees should not feel ashamed to come to the right people for help, or afraid of being reprimanded for making a mistake. Gamification works well in many aspects of life, so why should this be any different? Turn the program into something catchy and even a small budget can not just meet your expectations but exceed them. A lottery of gift cards, discounted services, and other items reinforces the brand of the program, puts something in the user’s hand, and drives home the message you are giving.

7. Define Incident Response Processes

Incident response (IR) looks different in every organization. If you have a current proven method of IR you are already well on your way to including an awareness program into your current structure. Use the newly created program as a case study for testing procedures and policies. This will allow you to flush out any inconsistencies, inefficiencies, or unplanned situations. Assessing each step of the process will give the needed information to add or change policies to fit the needs of the organization around certain types of attacks.

Gaining Meaningful Metrics

“Successful metrics programs include well-defined measurements and the necessary steps to obtain them” [5]

Measurements

There are an abundance of measurements to take throughout a security awareness program. Depending on your program and your goals you may have more tailored measurements to take.

Here are some common totals to track.

  • E-mails sent
  • Emails opened
  • Links clicked
  • Credentials harvested
  • Reports of phishing attempts
  • Emails not reported on
  • Hits on training sites

Tracking success rate and progress

Keeping track of click percentages, phishes reported, and incidents reported is a good start and necessary. However, charting your gains and losses with structured data over time will give your organization a deeper understanding of the progress made. Successful education and retained knowledge will be apparent with the increase and decrease of certain measurements and the success of goals set for metrics. Periodic assessment of shifts in metrics should be performed to assist with guidance of the education program’s goals and other possible implementations or changes in the current environment's security structure.

Important Metrics

Measures are concrete, usually measure one thing, and are quantitative in nature (e.g. I have five apples). Metrics describe a quality and require a measurement baseline (I have five more apples than I did yesterday).[6]

The key metric, and the quality control for the program, is how much your security posture has improved relative to your baseline. Increased reporting of suspicious activity should align with a lower amount of malware, fewer DNS queries to blocked sites, or other activity on the network that would lead an analyst to believe a targeted attack has been blocked. Being able to link key metrics back to specific departments, buildings, or roles provides the information you need to scope more directed education.
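The measure-versus-metric distinction above, as an added example that is not part of the original post: the script below takes constructed phishing-campaign records (not real results), computes the per-campaign measures from the list earlier in this post (sent, opened, clicked, credentials harvested, reported, not reported), turns them into rates per e-mail sent, and reports the percentage-point change from a baseline campaign plus a per-department breakdown for scoping targeted education. The campaign names, department names and record layout are assumptions made for the example.

```python
"""Measures and baseline-relative metrics for a phishing awareness program (added example)."""
from collections import Counter, defaultdict

# Constructed sample results, not data from a real campaign. One record per simulated
# phish sent: (campaign, department, opened, clicked, credentials submitted, reported).
SAMPLE_RESULTS = [
    ("2015-02-baseline", "finance", True,  True,  True,  False),
    ("2015-02-baseline", "finance", True,  True,  False, False),
    ("2015-02-baseline", "finance", True,  False, False, True),
    ("2015-02-baseline", "hr",      True,  True,  True,  False),
    ("2015-02-baseline", "hr",      True,  True,  False, True),
    ("2015-02-baseline", "it",      True,  False, False, True),
    ("2015-02-baseline", "it",      False, False, False, False),
    ("2015-02-baseline", "sales",   True,  True,  True,  False),
    ("2015-05-followup", "finance", True,  True,  False, True),
    ("2015-05-followup", "finance", True,  False, False, True),
    ("2015-05-followup", "finance", True,  False, False, True),
    ("2015-05-followup", "hr",      True,  True,  True,  False),
    ("2015-05-followup", "hr",      True,  False, False, True),
    ("2015-05-followup", "it",      True,  False, False, True),
    ("2015-05-followup", "it",      False, False, False, False),
    ("2015-05-followup", "sales",   True,  True,  False, True),
]

FLAGS = ("opened", "clicked", "harvested", "reported")


def measures(records, campaign):
    """Measures are plain counts for one campaign: the 'I have five apples' numbers."""
    counts = Counter({"sent": 0, **{name: 0 for name in FLAGS}})
    for camp, _dept, *flags in records:
        if camp == campaign:
            counts["sent"] += 1
            for name, flag in zip(FLAGS, flags):
                counts[name] += int(flag)
    counts["not_reported"] = counts["sent"] - counts["reported"]
    return dict(counts)


def rates(counts):
    """Percent of e-mails sent, so campaigns of different sizes can be compared."""
    sent = counts.get("sent", 0)
    if not sent:
        return {}
    return {f"{name}_rate": round(100.0 * counts[name] / sent, 1) for name in FLAGS}


def metrics(records, baseline, current):
    """Metrics need a baseline: percentage-point change of each rate since the baseline run."""
    before = rates(measures(records, baseline))
    after = rates(measures(records, current))
    return {name: round(after[name] - before[name], 1) for name in before if name in after}


def by_department(records, campaign):
    """The same rates per department, to scope targeted education where clicks stay high."""
    groups = defaultdict(list)
    for rec in records:
        if rec[0] == campaign:
            groups[rec[1]].append(rec)
    return {dept: rates(measures(recs, campaign)) for dept, recs in sorted(groups.items())}


def departments_by_click_rate(records, campaign):
    """Departments ordered from most to least likely to click: the worklist for the next round."""
    per_dept = by_department(records, campaign)
    return sorted(per_dept, key=lambda d: per_dept[d]["clicked_rate"], reverse=True)


if __name__ == "__main__":
    for camp in ("2015-02-baseline", "2015-05-followup"):
        print(camp, measures(SAMPLE_RESULTS, camp), rates(measures(SAMPLE_RESULTS, camp)))
    print("change since baseline (pp):", metrics(SAMPLE_RESULTS, "2015-02-baseline", "2015-05-followup"))
    print("departments to target first:", departments_by_click_rate(SAMPLE_RESULTS, "2015-05-followup"))
```

Run it directly to print both campaigns' counts and rates, the change since the baseline, and the departments to target first. A falling click and harvest rate together with a rising report rate is the pattern described above; a department whose click rate stays flat between rounds is where the next round of education should go.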

References
  1. https://www.trustedsec.com/march-2013/the-debate-on-security-education-and-awareness/
  2. http://en.wikipedia.org/wiki/Forgetting_curve
  3. http://ben0xa.com/security-awareness-education/
  4. http://www.csoonline.com/article/2134189/strategic-planning-erm/how-to-create-security-awareness-with-incentives.html
  5. Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats - Bill Gardner & Valerie Thomas
  6. https://cio.gov/performance-metrics-and-measures/


Friday, February 13, 2015

FTP/SFTP on Ubuntu with a shared directory across users and protocols

I ran into an interesting issue the other day. I was setting up a new SFTP server with the following requirements:

1.  A particular legacy device that was not capable of using SFTP needed to connect to the server with FTP. 
2. All other users should have their own SFTP directory access as before.
3. The FTP user needs access to one of the same directories that the SFTP user needs.


Ok fine no big deal, so I'll just set up SFTP and FTP side by side and restrict who is allowed to actually FTP to the box.  I figured I could do this with symlinks, but nope. Filezilla (the client of choice in this case) sees the symlink as a file and wouldn't recognize it as a separate directory. So here are the steps.


Following instructions from http://www.krizna.com/ubuntu/setup-ftp-server-on-ubuntu-14-04-vsftpd/ I set up vsFTPd and SSH for SFTP:

Step 1 » Update repositories.
$ sudo apt-get update
Step 2 » Install VsFTPD package using the below command.
$ sudo apt-get install vsftpd
Step 3 » After installation open /etc/vsftpd.conf file and make changes as follows.
Uncomment the below lines (line no:29 and 33).
write_enable=YES
local_umask=022
» Uncomment the below line (line no: 120 ) to prevent access to the other folders outside the Home directory.
chroot_local_user=YES
and add the following line at the end.
allow_writeable_chroot=YES
» Add the following lines to enable passive mode.
pasv_enable=Yes
pasv_min_port=40000
pasv_max_port=40100
Step 4 » Restart vsftpd service using the below command.
krizna@leela:~$ sudo service vsftpd restart
Step 5 » Now the ftp server will listen on port 21. Create a user with the below command. Use the /usr/sbin/nologin shell to prevent access to the bash shell for the ftp users.
$ sudo useradd -m john -s /usr/sbin/nologin
$ sudo passwd john
Step 6 » Allow login access for the nologin shell. Open /etc/shells and add the following line at the end.
/usr/sbin/nologin
Now try to connect this ftp server with the username on port 21 using winscp or filezilla client and make sure that user cannot access the other folders outside the home directory.
Please note using ftp on port 21 is a big security risk. It’s highly recommended to use SFTP. Please continue for SFTP configuration.
Secure FTP ( SFTP )
SFTP is called “Secure FTP” and generally uses the SSH File Transfer Protocol, so we need the openssh-server package installed. Issue the below command if it’s not already installed.
$ sudo apt-get install openssh-server
Step 7 » Create a new group ftpaccess for FTP users.
$ sudo groupadd ftpaccess
Step 8 » Now make changes in this /etc/ssh/sshd_config file.
» Find the below line
Subsystem sftp /usr/lib/openssh/sftp-server
and replace with
Subsystem sftp internal-sftp
Match group ftpaccess
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
» and comment the below line ( Last line).
#UsePAM yes
Step 9 » Restart sshd service.
$ sudo service ssh restart
Step 10 » The below steps must be followed while creating Users for sftp access.
Create user john with ftpaccess group and /usr/bin/nologin shell.
$ sudo useradd -m john -g ftpaccess -s /usr/sbin/nologin
$ sudo passwd john
Change ownership for the home directory.
$ sudo chown root /home/john
Create a folder inside home directory for writing and change ownership of that folder.
$ sudo mkdir /home/john/www
$ sudo chown john:ftpaccess /home/john/www

------------------------------------------------------------------------------------------------------------

After following those instructions I had two separate users. We'll call them FTP and SFTP.

FTP and SFTP had their own home directories (for some reason writing this sounds like I'm explaining the birds and the bees)

I needed to make sure that FTP was the only user that could use that protocol. All other users when setup can SFTP, but only explicit accounts will be allowed to FTP.

1. Create /etc/vsftpd.user_list and add only the account(s) that should be allowed to log in over FTP (everyone else will still be able to SFTP).
2. Add to /etc/vsftpd.conf

userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list

As I said, the symlinks to another shared directory weren't working. So I added another group, "SHAREDFILES", and added both of the users to it. I used:

$ sudo mount --bind /var/SHAREDFILES /home/FTP
$ sudo mount --bind /var/SHAREDFILES /home/SFTP

Found that here (http://www.proftpd.org/docs/howto/Chroot.html)

Add that to your fstab (/etc/fstab) so the mounts come back after a reboot:

$ sudo nano /etc/fstab
/var/SHAREDFILES /home/FTP none defaults,bind 0 0
/var/SHAREDFILES /home/SFTP none defaults,bind 0 0

Yay for legacy systems that can't SFTP!!
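An added example, not code from this post or from the krizna tutorial: a small Python audit that parses the three files touched above (vsftpd.conf, sshd_config and fstab) and checks the settings that make the side-by-side setup safe: anonymous FTP off, local users chrooted, userlist_deny=NO so the user list is an FTP allow list, a bounded passive port range, the sftp subsystem switched to internal-sftp with a Match block that chroots and disables forwarding, and both bind mounts present in fstab. The SAMPLE_* configs are constructed for the example; the group name ftpaccess and the /var/SHAREDFILES, /home/FTP and /home/SFTP paths come from the post.

```python
"""Offline audit of vsftpd.conf, sshd_config and fstab for an FTP + SFTP host (added example).
The SAMPLE_* strings are constructed for this example, not copied from a real host."""

SAMPLE_VSFTPD_CONF = """\
anonymous_enable=NO
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
"""

SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp
Match group ftpaccess
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
"""

SAMPLE_FSTAB = """\
/var/SHAREDFILES /home/FTP none defaults,bind 0 0
/var/SHAREDFILES /home/SFTP none defaults,bind 0 0
"""

EXPECTED_BINDS = (("/var/SHAREDFILES", "/home/FTP"), ("/var/SHAREDFILES", "/home/SFTP"))


def _lines(text):  # non-blank, non-comment lines, whitespace-stripped
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def parse_vsftpd(text):
    """vsftpd.conf is key=value per line; keys are case-sensitive and a later line wins."""
    conf = {}
    for line in _lines(text):
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_vsftpd(text):
    """Findings for the FTP side; an empty list means the config matches the intended setup."""
    conf = parse_vsftpd(text)
    on = lambda key, default="": conf.get(key, default).upper() in ("YES", "TRUE", "1")
    findings = []
    if on("anonymous_enable", "YES"):  # vsftpd's built-in default is YES, so it must be set off
        findings.append("anonymous_enable is not NO: anonymous FTP would be allowed")
    if not on("chroot_local_user"):
        findings.append("chroot_local_user=YES missing: users can browse outside their home")
    if not on("userlist_enable"):
        findings.append("userlist_enable=YES missing: every local user may log in over FTP")
    elif conf.get("userlist_deny", "YES").upper() != "NO":  # default YES makes it a deny-list
        findings.append("userlist_deny=NO missing: userlist_file denies instead of allowing")
    if on("pasv_enable"):  # the range must exist so the firewall can be opened for exactly it
        lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
        if not 1024 <= lo <= hi <= 65535:
            findings.append(f"pasv_enable=YES but passive range {lo}-{hi} is unusable")
    return findings


def parse_sshd(text):
    """Global settings plus one (criteria, settings) pair per Match block; keywords lower-cased."""
    global_conf, blocks, current = {}, [], None
    for line in _lines(text):
        parts = line.split(None, 1) + [""]
        key, value = parts[0].lower(), parts[1]
        if key == "match":
            crit = value.split() or [""]
            current = {}
            blocks.append(([crit[0].lower()] + crit[1:], current))
        else:
            (global_conf if current is None else current)[key] = value
    return global_conf, blocks


def audit_sshd(text, group="ftpaccess"):
    """Findings for the SFTP side: internal-sftp, chrooted, command-forced, no forwarding."""
    global_conf, blocks = parse_sshd(text)
    findings = []
    if global_conf.get("subsystem", "").split() != ["sftp", "internal-sftp"]:
        findings.append("Subsystem sftp must be internal-sftp: a chroot has no sftp-server binary")
    block = next((s for crit, s in blocks if crit == ["group", group]), None)
    if block is None:
        return findings + [f"no 'Match group {group}' block"]
    wanted = {"chrootdirectory": "%h", "forcecommand": "internal-sftp", "allowtcpforwarding": "no", "x11forwarding": "no"}
    for key, value in wanted.items():
        if block.get(key, "").lower() != value:
            findings.append(f"Match group {group}: expected '{key} {value}'")
    return findings


def audit_fstab(text, binds=EXPECTED_BINDS):
    """Findings for bind mounts that would not come back after a reboot."""
    present = set()
    for line in _lines(text):
        fields = line.split()
        if len(fields) >= 4 and "bind" in fields[3].split(","):
            present.add((fields[0], fields[1]))
    return [f"{src} -> {dst} has no bind entry in fstab" for src, dst in binds if (src, dst) not in present]


def audit_all(vsftpd=SAMPLE_VSFTPD_CONF, sshd=SAMPLE_SSHD_CONFIG, fstab=SAMPLE_FSTAB):
    """File name -> findings, for files with findings only; empty when everything passes."""
    found = {"vsftpd.conf": audit_vsftpd(vsftpd), "sshd_config": audit_sshd(sshd), "fstab": audit_fstab(fstab)}
    return {name: f for name, f in found.items() if f}


if __name__ == "__main__":
    print(audit_all() or "OK: all three files match the intended setup")
```

On the host, feed the real files in with open(path).read(). The script only checks text; the one property it cannot see is enforced by sshd itself: every directory in the ChrootDirectory path, including whatever is bind-mounted over the SFTP user's home, must be owned by root and not writable by group or others, or the login is refused. Also keep in mind that a bind mount placed directly on a home directory hides whatever was in that directory, so anything the user needs besides the shared tree has to live inside the shared tree.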




Friday, November 21, 2014

Where to Start When Your Environment is Fucked

Lots of us have been there. You're new to an environment; they've hired you for infrastructure, security, networking, or some random odd analyst position. Whichever way it is, you come in and realize things aren't exactly where they need to be. After you get through settling into your new desk and all the HR paperwork that keeps you busy for a full week, you're ready to go. Some of you may be more proactive about this and might have gathered some intel about the company already, in which case you might get the gist that you're fucked before you even start. But honestly I love cleaning up a mess. You can't make it much worse, there is low-hanging fruit aplenty, and it can be a thrill to actually get things working. Oh right! Wait! Are you on your way to compliance? Might as well throw good security practices at it and check off all the boxes on your way.

This isn't meant to be a full list, but will definitely get you started. I'll be making my personal recommendations of software, services and companies. I don't work for any of them, but I have my reasons for recommending them. If you ever have any questions, additions, or disagreements make sure to hit me up or leave a comment.

So let's start with the one you can do before starting, or hell even before applying.

1. Look for their IPs and/or domain on Shodan. It's kind of like googling your date before you go out. Except I'd rather fix and harden a thousand networks than try and change a man. If you end up seeing printers, XP workstations, telnet ports, SQL servers and other horrifying things you can either run or ask for more money. You'll have your work cut out for you. I've had my issues using Shodan, but it's relatively cheap to buy credits. It seems that if you pay, your searches will go through every time.

Now the rest of the steps I'll list may obviously vary depending on the state of the environment when you come into it, but I've found that (so far) going in this order yields decent results. Many people talk about how to get upper-level management buy-in. My thought on this is that C-levels are still people too. Stop looking at them like they are rockstars or like they are out of touch with the company. There is no reason why you shouldn't just go and strike up a conversation with them about security and the importance of it. Of course, try not to spout FUD all over the place when explaining it to them, but honestly security (or the lack of it) is scary!!!!

So what do you do when you get there?

1. Get buy-in - Not too difficult. Especially if you've found interesting things in your Shodan searching. Being able to tactfully let them know they are fucked is a good step. Don't stop there though. You had better have some good "what now" items to present them with as well. The other articles that I wrote about security on a budget are good places to start. I mean look at it from their perspective. Blue teaming is NOT their cash cow. Why should they spend money on security infrastructure if it doesn't improve their bottom line? Ooooh, but WAIT!! What happens when their revenue stream is compromised? Blue teaming is a huge component to cost avoidance.

2. Implement the free & easy stuff!!!
          - If you still need buy-in, download a trial of your favorite vulnerability scanner and scan all the things!!!! Giving a pretty report of lots of critical and high items on your list will help out tremendously as well.
          - Best practices for GPOs
http://www.grouppolicy.biz/best-practices/
http://www.infoworld.com/article/2609578/security/the-10-windows-group-policy-settings-you-need-to-get-right.html
http://www.giac.org/paper/gsec/4138/group-policy-security-risks-practices/104227
A lot of the changes will cause growing "groaning" pains as they are made. Like stronger password policies, no cached credentials, windows firewall settings, and making changes to local system/service accounts.
          -  Set local admin account passwords - http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
          - Reduce the amount of people in Domain Admins. No one should be logging into their desktop as a domain admin. Ever. Period.
          - Fix everything listed here. Just do it.... http://blog.spiderlabs.com/2013/09/top-five-ways-spiderlabs-got-domain-admin-on-your-internal-network.html
          - Implement EMET - Dave Kennedy has a great article on pushing it out domain wide. https://www.trustedsec.com/november-2014/emet-5-1-installation-guide/
          - Disable telnet, logins over HTTP, plain text passwords, open wi-fi and SSLv3; shut down unused switch ports (anything still no-shut) and set up port security.
          - Set up centralized authentication for network devices. Use TACACS+ or RADIUS.
          - Set up UrlScan on IIS servers http://www.iis.net/downloads/microsoft/urlscan
          - Set up BitLocker on laptops. This is a must if there is any chance of that laptop containing sensitive data that could be detrimental to your organization.
          - Network device configuration backups. Rancid works just as well as most of the paid ones. If you already have something that handles this then go for it and use that.
          - Install some pentesting flavor of linux and pop a box (obviously with written pre-approval). Yes this is a more advanced step and requires someone to sign off on it, but giving them their information on a white platter is another good step to gain some buy-in.
          - Patch your *nix boxes. If they were vulnerable to Heartbleed (CVE-2014-0160), regenerate your SSL private keys and reissue the certificates (revoking the old ones), since the old keys may have been read out of memory.

If this doesn't give you some sort of I.T. budget by now, I'm sorry. But if it does keep reading... well honestly I expect you to keep reading anyways... because I said so (in my mom voice).

3. Policies

Yea, I know.... NO ONE enjoys writing and creating policies. You have to talk to people and *shudder* collaborate. But you truly and honestly need them. Politics is a necessary evil, and there are several governing bodies that require certain policies. I am not a C-level anything by any means, or even a management type person, but it takes collaboration between the technical side and management to make policies that work and can be enforced.
          - http://www.sans.org/security-resources/policies/ TA DA - Take 'em and edit as you please. The SANS templates take the grunt work out of it and allow you to not spend all of your time trying to come up with the right way to say what you want to say.
          - Find out if you are required to comply with any governing body. PCI, SOX, GLB, etc. Checking boxes sucks, but it's got to be done.
          - Find out what is important to your organization. You need to make sure the right information is being protected.

4. Segmentation
          - For the love of God have a DMZ... BEHIND a firewall even. Have a firewall between that DMZ and the inside of your network also. Limit the devices in your DMZ to the ones the internet needs access to. People and bots will be banging against these boxes and trying their best to get a foothold. Don't let that foothold be the end of your LAN.
          - VLANs and more VLANs. While having separate VLANs is not a foolproof plan, it is part of the process. Having different silos for different purposes will eventually help with incident response, give you the capability to create ACLs between them, and if you are unfortunate enough to get a virus or botnet, it makes them less damaging.

5. Show me the $$$$$
          - Get a vulnerability scanner for realz. I am partial to Nessus. Tenable has also just come out with PVS (Passive Vulnerability Scanner), which is pretty cool and gives you a real-time view of what's going on over the wire.
          - Proper IDS/IPS/SIEM. I'm not too much of an expert on this. I've seen some implemented wonderfully and I've failed at implementing one before. I know it's needed, but they need fine tuning and quite a bit of work to get them right. Make sure you are logging successful logins, not just failures. Several failed logins followed by a successful one for the same account (especially during off hours) is a big blinky sign that you should catch; if you only log failures, you will never see the part that matters.
          - Professional penetration testing. Hire a company that understands the difference between a vulnerability assessment and a penetration test. I'm partial to TrustedSec, but Accuvant and Rapid7 are both good companies as well.
          - Ideally all remote connections should require two-factor authentication. You should also follow the least-privilege rule with remote users: a VPN account does not need to see the whole LAN. Check out Duo Security. It's a great company and they have some amazing support staff and engineers.
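The "several failures, then a success, off hours" pattern from the IDS/IPS/SIEM bullet is easy to miss in a wall of logs but simple to encode. The following is an added example, not code from the original post: it runs over a handful of constructed sshd-style auth log lines (the thresholds, the 07:00-19:00 business window, and the assumed year are all assumptions) and reports each success that was preceded by enough failures for the same user and source inside a short window. The same logic applies to Windows, where the events are 4625 (failed logon) and 4624 (successful logon).

```python
"""Flag successful logins preceded by a burst of failures (added example).

Input: sshd/syslog-style lines. Output: one alert per suspicious success,
with a note on whether it happened outside business hours.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example; not real data.
SAMPLE_LOG = """\
Jan 12 02:14:01 web1 sshd[2011]: Failed password for admin from 203.0.113.7 port 50122 ssh2
Jan 12 02:14:04 web1 sshd[2011]: Failed password for admin from 203.0.113.7 port 50123 ssh2
Jan 12 02:14:08 web1 sshd[2011]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Jan 12 02:14:09 web1 sshd[2011]: Failed password for admin from 203.0.113.7 port 50125 ssh2
Jan 12 02:14:13 web1 sshd[2011]: Accepted password for admin from 203.0.113.7 port 50126 ssh2
Jan 12 09:30:00 web1 sshd[2099]: Failed password for alice from 10.0.0.5 port 41000 ssh2
Jan 12 09:30:20 web1 sshd[2099]: Accepted password for alice from 10.0.0.5 port 41001 ssh2
Jan 12 23:55:00 web1 sshd[2150]: Accepted publickey for backup from 10.0.0.9 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

ASSUMED_YEAR = 2015  # syslog timestamps carry no year


def parse(line):
    """Return (timestamp, success, user, source) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["src"]


def is_off_hours(ts, start_hour=7, end_hour=19):
    """Assumed business window: 07:00-19:00 local time, Monday to Friday."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def find_suspicious_logins(log_text, min_failures=3, window=timedelta(minutes=10)):
    """Alert on a success preceded by >= min_failures failures within `window`
    for the same (user, source) pair."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, success, user, src = rec
        failures = recent[(user, src)]
        while failures and ts - failures[0] > window:  # expire old failures
            failures.popleft()
        if not success:
            failures.append(ts)
            continue
        if len(failures) >= min_failures:
            alerts.append({
                "user": user,
                "src": src,
                "time": ts.isoformat(),
                "failures_before": len(failures),
                "off_hours": is_off_hours(ts),
            })
        failures.clear()  # a success resets the counter for that pair
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

Only the admin login at 02:14 fires: four failures inside ten minutes, then a success, and it is off hours. Alice's single typo followed by a success does not, and the key-based backup login at night has no failures in front of it, which is exactly why you need both halves of the story in the log.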

6. Extra stuff
          - If you need IP address management (IPAM), take a look at GestioIP. I've set it up and it works like a charm.
          - You had better not have your shared passwords stored in plain text. Get a password safe, or several, one per team if that is what it takes to get people off the spreadsheet. Free or paid, they are worth it. If you're looking for enterprise-level password safes, look at Thycotic (they have genius marketing as well).

Monday, November 10, 2014

Security Measures on a Budget - Part 3

In this article I want to cover what you and your team can do for your application security. Chances are you don’t write your own software packages, and if you do I’m not sure I can help you much! There are still plenty of measures you can take to make sure you’re buying a good product, that the products you currently have are configured securely, and that you have a way to harden the applications you already own. There are several bodies of application security guidance: some cover web applications, others cover writing secure code, and more are still being written. I’ll go over some of them here as well as where to find hardening guides for common applications.
OWASP, otherwise known as the Open Web Application Security Project (http://owasp.org), is one of the largest collaborations on application security practices and guidelines. “Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.” They publish a well-known guide called the OWASP Top 10, which lists the ten most critical web application security risks and how to go about combating them. If you are looking at buying a web application or hosting one in the cloud, it’s always a good sign if the engineers on the project know about OWASP or have hardened their application against that list. They cover a wide area as well: secure coding practices, CISO communications and planning initiatives, local chapter meetings, and some great literature and classes.
Another organization that is near and dear to my heart is called I Am The Cavalry (http://iamthecavalry.org). I currently volunteer for them as well. They are a somewhat newer organization and they are working on building information security frameworks into public infrastructure from the ground up. They are currently focusing mostly on the automotive industry, but are also making headway into healthcare devices, critical infrastructure, and other embedded systems. One of the practices they would like to put in place is a guide on secure software purchasing. I had originally joined because, working in healthcare, I would see a lot of different software packages and you realize how poorly written and configured the majority of them are. I love the passion the organizers have and I wanted to help with their initiative.
In a less security-conscious environment it is much easier to look at the bells and whistles of what a piece of software can do than at what a malicious person could do with it. This isn’t just an anomaly in healthcare software and devices; it affects every industry. When you evaluate a software package, price per user, licensing fees, hardware costs, administrative overhead, and the like usually come into play. There is a lot more that should be assessed before spending a good part of your budget on software you might be building your company on. Here is a basic list to start with as a checklist when you are working with your software vendors:
          1. The use of Java:
                    - Java on workstations, particularly the browser plugin, has been one of the most frequently exploited pieces of client software. The less of it you have in your environment the better. Vendors will sometimes not only require it, but require outdated, unsupported versions of it. That is usually a deal breaker for me.
          2. Firewall rules:
                    - The local workstation/server software firewall isn’t the end-all-be-all of PC security, but it definitely helps. Don’t let the software vendor tell you that you need it turned off.
                    - Small exceptions are fine. Find out exactly which port or executable needs to be allowed through, and allow only that.
          3. Anti-virus:
                    - Lots of people in the infosec industry say that anti-virus is dead, that there is so much malware and so many rootkits in the wild that it doesn’t matter. But I believe it does.
                    - Security is a process, and processes have lots of moving parts. A/V should not only be installed on all of your endpoints, it should be running scheduled and real-time scans as well. Make sure the vendor supports running A/V alongside their product rather than asking you to exclude the whole install directory.
          4. Windows Updates:
                    - Make sure you know whose responsibility it is to keep the workstations/servers/appliances up to date. It’s very painful if the software company has a slow approval process for updates, because every month you wait is a month of known, patched vulnerabilities sitting on your network.


            Whatever software you have implemented in your organization, chances are there is a good hardening guide out there for it. Frequently targeted applications include WordPress, IIS, Apache, and Exchange (as well as every other mail server platform), so those are the ones to harden first. If you have any specific questions feel free to reach out to me on Twitter @infosystir.

Saturday, November 8, 2014

Security Measures on a Budget - Part 2

    In my last article I covered some places where you can find good best practice guides as well as some of the organizations that provide them. In this second part of Security on a Budget I’ll go over some good networking practices that you may not currently be following. I cannot stress enough how important best practices are, especially in security. The gaps they close are some of the first things criminal attackers will look for, and they are what will show up as high risk on a vulnerability assessment. Unfortunately they are also common on networks of every type and size. There always comes a point when a business has to take calculated risks, but sometimes you don’t even have a way of calculating the risk because of so many unknowns. Rest assured that all of the best practices mentioned here should be adhered to.
    The first thing I’ll go over is network segmentation. Having a broad flat network without any firewall separation is bad practice, and fixing it is relatively cheap. Putting firewalls not only between your internet-facing devices/servers (the DMZ) and the rest of the network, but also between key portions of the internal network, creates a good security posture if implemented correctly. One of the best ways to add a firewall to an existing environment is to put it inline so it can see all of the traffic, log what actually crosses it for a while, and then start writing restrictive rules from what you learn. Least privilege is always the goal here: only the devices that are authorized to reach a given point should be able to pass traffic to it. Along with firewalls you can segment with vlans as well. Vlan 1, the default vlan, should not be a production vlan. Different types of devices can be segmented into their own vlans with access lists between them. Access lists are very helpful and also free, but they should be used in addition to firewalls, not instead of them.
    Something that is free and very easy to accomplish is turning on port security and disabling switch ports that are not in use. Port security limits which (and how many) MAC addresses a port will learn; with the default violation mode, unplugging the approved device and plugging in another puts the port into the err-disabled state until an administrator re-enables it. Both measures keep malicious people or potentially infected devices from being plugged into your network without proper scanning and vetting. It is a good security measure to perform virus and vulnerability scans on equipment before it is attached to your network. I have seen, on multiple occasions, computers or equipment ship from a vendor already infected with malware. A tool that can help streamline changes like this is Rancid. Rancid (http://www.shrubbery.net/rancid/) can not only save backups of your switch and router configurations, it can also push changes like these to cut down on time spent logging into each device and typing out commands by hand. Automation tools like this are extremely powerful and should be tried in a test environment first if you are unsure of the effects.
    Another piece of free software is Netdisco (http://www.netdisco.org). You can download it as a virtual machine and there is little setup needed to get it working in your environment. It is a network reporting tool that keeps track of all of the MAC addresses, IP addresses, vlans, manufacturers, and the like on your local area network. It is entirely web based and very easy to use and pull reports from. It will also tell you what firmware versions are running on your switching and routing infrastructure. Speaking of firmware, updating the firmware on all infrastructure devices is also best practice, as is changing default SNMP community strings, setting idle timeouts on your console and vty lines, and using complex passwords. An authentication server such as TACACS+ can give you centralized authentication and per-command authorization for your network devices if your hardware supports it.
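Most of the switch-side items in the three paragraphs above (port security on access ports, unused ports shut down, nothing in vlan 1, no default SNMP communities, idle timeouts on the lines) can be checked against the configuration backups Rancid already saves. The script below is an added example, not from the original post or from the Rancid project: it walks a constructed Cisco IOS-style running-config and reports each miss. It assumes IOS syntax (one-space indented block bodies, an access port with no `switchport access vlan` line defaulting to vlan 1), skips trunk ports since the port-security and vlan checks are for access ports, and treats an enabled access port with no description as a port somebody needs to account for or shut down. Point it at a directory of real backups by replacing `SAMPLE_CONFIG`.

```python
"""Audit an IOS-style switch config for the basics (added example).

Findings are (object, code) tuples so they can be counted, diffed
between backups, or fed to whatever ticketing you use.
"""
import re

# Constructed running-config for the example; not a real device.
SAMPLE_CONFIG = """\
hostname access-sw1
!
snmp-server community public RO
snmp-server community Kq7ro-monitor RO
!
interface GigabitEthernet0/1
 description Reception PC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface GigabitEthernet0/2
 description Printer
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet0/3
 switchport mode access
 shutdown
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/24
 description Uplink to core
 switchport mode trunk
!
line vty 0 4
 exec-timeout 0 0
 login local
!
line con 0
 login local
!
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_blocks(config_text):
    """Return [(header, [body lines])]. IOS indents a block's body by one space."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _timeout_disabled(line):
    """'exec-timeout 0 0' (or 'exec-timeout 0') means the session never idles out."""
    parts = line.split()[1:]
    return all(p == "0" for p in parts)


def audit(config_text):
    findings = []
    for header, body in parse_blocks(config_text):
        m = re.match(r"snmp-server community (\S+)", header)
        if m:
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append((header, "default-snmp-community"))
            continue
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            if "shutdown" in body:
                continue  # disabled: the state we want for unused ports
            if "switchport mode trunk" in body:
                continue  # uplinks; these checks are for access ports
            if not any(l.startswith("switchport port-security") for l in body):
                findings.append((name, "no-port-security"))
            if not any(l.startswith("description") for l in body):
                findings.append((name, "no-description-still-enabled"))
            vlan = next((l.split()[-1] for l in body
                         if l.startswith("switchport access vlan")), "1")
            if vlan == "1":
                findings.append((name, "access-vlan-1"))
            continue
        if header.startswith("line "):
            timeout = next((l for l in body if l.startswith("exec-timeout")), None)
            if timeout is None or _timeout_disabled(timeout):
                findings.append((header, "no-idle-timeout"))
    return findings


if __name__ == "__main__":
    for obj, code in audit(SAMPLE_CONFIG):
        print(f"{code:32} {obj}")
```

On the sample config Gi0/1 is clean, Gi0/3 is correctly shut down, and everything else lights up: the `public` community, two enabled access ports with no port security (one of them undocumented and sitting in vlan 1), and both terminal lines with no idle timeout.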