Recently I have been attending several conferences across the United States. The majority have been general IT or technology conferences, and many of the people I spoke with were system administrators or IT managers who also carried information security responsibilities. With priority given to production issues, security was often overlooked. It is easy to see why -- IT security comes at a cost and its Return on Investment (ROI) is difficult to see, yet when a security compromise does occur the cost to the organization is often significant. Lack of funding, time, and trained personnel were the reasons given for why security had not received the attention it deserves. Based on this, I would like to suggest three initiatives that any organization can take at little or no cost to improve its security posture. While these points are directed more toward organizations with novice security programs, even those with robust programs may find these ideas useful.

1. Conduct regular vulnerability and port scans on your network – If you do not know what your network weaknesses are, it is impossible to fix them. While it does take some skill and training to run and analyze these tools, the learning curve is not steep. I recommend that organizations perform internal vulnerability assessments on a regular basis (at least quarterly) and then have a more extensive assessment performed annually by a third party.
The two tools I recommend for starting out with this initiative are Nmap and Nessus. Nmap is fully open-source and free, while the professional version of Nessus costs under $2,000. Both can be configured to run automatically during off hours and to scan large numbers of devices. Nmap is used to identify open TCP and UDP ports on your systems. One of the major issues I see is systems that are running unnecessary and/or dangerous services and protocols. For example, in the figure below from an Nmap run you can see that this server has several services that could be considered dangerous (e.g. telnet, rlogin, finger) in addition to some that may not be needed (ports 80, 25, 8080). Armed with this information you can disable the dangerous services and investigate whether the others are needed for a business purpose.
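As an added example (not from the original post), here is a small Python triage script for the step above: it parses Nmap's greppable (-oG) output and sorts each host's open ports into the two groups the post describes, legacy/cleartext services to disable and ports whose business need should be reviewed. The scan output and host names are constructed, and the disable/review lists are an assumed policy that you would adapt to your own environment.

```python
import re

# Constructed sample of nmap -oG (greppable) output, mirroring the services the
# post describes; real input comes from e.g. nmap -sT -oG scan.gnmap <targets>.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.0.2.10 (app01.example.test)\tStatus: Up
Host: 192.0.2.10 (app01.example.test)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 25/open/tcp//smtp///, 79/open/tcp//finger///, 80/open/tcp//http///, 513/open/tcp//login///, 8080/open/tcp//http-proxy///, 135/filtered/tcp//msrpc///\tIgnored State: closed (992)
Host: 192.0.2.11 (db01.example.test)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Assumed policy keyed by (protocol, port): "disable" holds the cleartext/legacy
# remote-access services the post calls dangerous, "review" ports that may be unneeded.
DISABLE = {("tcp", 23): "telnet", ("tcp", 513): "rlogin",
           ("tcp", 514): "rsh", ("tcp", 79): "finger"}
REVIEW = {("tcp", 25): "smtp", ("tcp", 80): "http", ("tcp", 8080): "http-proxy"}

# One -oG port entry has the layout port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")

def parse_gnmap(text):
    """Return {host: [(port, proto, state, service), ...]} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no ports
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            hosts.setdefault(host, []).append((int(port), proto, state, service))
    return hosts

def triage(text):
    """Sort each host's open ports into disable / review / other buckets."""
    report = {}
    for host, ports in parse_gnmap(text).items():
        verdicts = {"disable": [], "review": [], "other": []}
        for port, proto, state, service in ports:
            if state != "open":
                continue  # filtered/closed ports expose no service to judge
            key = (proto, port)
            bucket = "disable" if key in DISABLE else "review" if key in REVIEW else "other"
            verdicts[bucket].append(f"{port}/{proto} {service}")
        report[host] = verdicts
    return report

if __name__ == "__main__":
    for host, v in triage(SAMPLE_GNMAP).items():
        print(f"{host}: disable={v['disable']} review={v['review']} other={v['other']}")
```

Anything in the "other" bucket is not automatically safe; it is simply the list left for you to inventory against your own baseline.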
While Nmap identifies open ports, Nessus probes those services and the system for weaknesses. Nessus is an extremely powerful tool, able to perform authenticated scans (i.e., using log-in credentials), unauthenticated scans, and compliance-driven scans in which the results are compared against a predetermined configuration standard. It is based on vulnerability plugins, so you can select what you want enabled. Best of all, it is managed through an easy-to-use web interface. There is an extensive body of knowledge online about configuring and using Nessus. My advice is to try the tool out on some test systems to become familiar with all of its capabilities. By running regular port scans and vulnerability scans you will be on your way to better securing your network.
2. Log and regularly review what is happening on your network – As with the first initiative, if you don't know what is happening on your network you will not be able to quickly respond to and investigate potential security threats. Yes, I know that reviewing logs is not fun or even easy. That is why many of the IT professionals I talk to only review logs when there is a suspected problem -- and that is if they have the logs to review in the first place. I recommend collecting and analyzing your various logs (workstation, server, router, firewall, IDS/IPS) with some type of centralized security information and event management (SIEM) solution. There are many commercial solutions that can cost thousands of dollars, but below are some low-cost options.
• Microsoft Log Parser Studio (Free) – Log Parser Studio is a utility that allows you to search through and create reports from your IIS, Event, EXADB and other types of logs. It builds on top of Log Parser 2.2 and has a full user interface for easy creation and management of related SQL queries. More info at: http://gallery.technet.microsoft.com/office/Log-Parser-Studio-cd458765
• Snare – A group of open-source agents and a log collector for a variety of operating systems and applications. More info at: http://www.intersectalliance.com/projects/index.html
• NetWitness Investigator (Free) – NetWitness Investigator is a free product that lets you investigate network traffic either by capturing it live or by importing PCAP files, then analyze the results for threat analysis and network forensics. More info at: http://netwitness.com/products-services/investigator-freeware
• OSSIM, the open source SIEM – OSSIM is an open source security information and event management system. OSSIM collects log events from various sources and correlates the data for analysis. More info at: http://communities.alienvault.com/
• Deep Log Analyzer – http://www.deep-software.com/download.asp
By collecting and reviewing your logs on a regular basis you can detect and investigate potential threats proactively instead of reacting to an attack after the fact and trying to undo the damage it might have caused.
3. Learn to use Active Directory to secure your network – Microsoft gets blamed (sometimes unfairly) for a large share of security issues. However, Microsoft networks can be made highly secure, and one of the best ways to do this is through Active Directory and Group Policy Objects (GPOs). When we conduct a vulnerability assessment or a penetration test and come across a network that a highly skilled Windows administrator has locked down, it makes our job much more difficult (or easier, depending on your perspective). Everyone knows that you can enforce basics such as password complexity and account settings, but here are some additional ways you can use Active Directory to increase your Windows security.
• User rights and group management
• Organize your Windows network into group policy organizational units (OUs) for effective management and policy implementation
• Create an Active Directory domain and ensure that all Windows machines are members of that domain
• Enable Windows auditing in group policy for critical events such as user activities, file and object access, etc. This allows the organization to investigate events after the fact.
• If possible, grant administrative rights only to specific users in the Active Directory domain.
• Install Windows Server Update Services (WSUS) on your network to deploy the latest Microsoft patches and security updates to your systems. WSUS is free software from Microsoft. Patch more often.
• Back up your AD servers on a routine basis.
• Use the very powerful built-in Windows Management Instrumentation Command-line (WMIC) tool for incident response and forensic analysis on your systems. More information about this built-in tool can be found at http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/wmic.mspx?mfr=true
By following the advice in this post you will be on your way to improving your overall security posture. Please stay tuned to this space for future tips and advice. I would welcome your feedback on this blog, such as your own experiences or any tips you have on tools and techniques.