Wednesday, December 3, 2014

The Rear View Mirror

Typically in the information technology sector, everyone is focused on what’s next: the latest, hottest application, the coolest mobile telephone and, of course, the workaround that just makes life a little easier. Not to be ignored are all those newly fashioned functions and features. Technology at the speed of life, forever changing our lives for the better, right? Forward looking, forever.

2014 has hopefully taught us some very important lessons that should not be ignored, even if we were not directly impacted. A look in the rear view mirror can sometimes be very revealing. We are so focused on what’s coming directly ahead of us that we refuse to see what’s going on right behind us. So for 2014, let me list a couple of things which could have made this a better year in the security space.

Network segmentation: “You can’t get there from here” should be the mantra, no? Did we learn anything this past year? Network segmentation is the act or profession of splitting a computer network into subnetworks, each being a network segment or network layer. The advantages of such splitting are primarily boosting performance and improving security. Please review a great eWeek article by clicking here.

Service Level Agreements: Service agreements are important, and a quick web search can be helpful to identify some key questions for developing such important tools for your company. The Outsourcing Center has developed ten key questions for developing effective service level agreements. It’s a solid read and you’ll find plenty of similar research on the web. A service-level agreement (SLA) is a part of a service contract where a service is formally defined. Particular aspects of the service (scope, quality, responsibilities) are agreed between the service provider and the service user. A common feature of an SLA is a contracted delivery time (of the service or performance). As an example, Internet service providers and telcos will commonly include service level agreements within the terms of their contracts with customers to define the level(s) of service being sold in plain language terms. In this case the SLA will typically have a technical definition in terms of mean time between failures (MTBF), mean time to repair or mean time to recovery (MTTR); identifying which party is responsible for reporting faults or paying fees; responsibility for various data rates; throughput; jitter; or similar measurable details. {Attribution: Wikipedia}

Too big to fail: While not at all a technical term, your company would do well to heed this warning. No company is too big to fail. No one. In our recent newsletter we talked about the breach of the week. The roadway is littered with companies failing over and over again, until everyone in the industry is just tired of hearing of another breach. The breaches become “white noise”, a distraction from the good work being performed by many security professionals in the field. Fight complacency, challenge everything and everyone with respect, and “ASK Questions”. It won’t make you popular, but it will certainly make you a very, very valuable employee. Please read the Ars Technica article HERE because it puts into perspective what can happen after a breach.

Alarms: Alarms are invitations that are yelling out, “Come investigate me! I’m making noise and need your direct, undivided attention.” Please don’t ignore alarms. The story goes like this: “Hey, did you hear that alarm go off?” “Yeah, I’m getting a cup of coffee – you want anything?” “Hey, maybe I’ll come with you.” “Great!” How many times do we ignore the obvious? Alarms are put in place for a reason, to warn us, right? If the alarms are not configured appropriately and are creating noise, then someone has to go in and make a determination: either turn them down and accept the consequences, or turn them up and act each time they alert.

Egress Filtering: Is that a freight train of information running out of our company? Egress filtering protects what’s going out, and it protects others from malware originating inside your own company. In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically it is information from a private TCP/IP computer network to the Internet that is controlled. Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network. In a corporate network, typical recommendations are that all traffic except that emerging from a select set of servers would be denied egress. Restrictions can further be made such that only select protocols such as HTTP, email, and DNS are allowed. User workstations would then need to be configured either manually or via proxy auto-config to use one of the allowed servers as a proxy. Corporate networks also typically have a limited number of internal address blocks in use. An edge device at the boundary between the internal corporate network and external networks (such as the Internet) is used to perform egress checks against packets leaving the internal network, verifying that the source IP address in all outbound packets is within the range of allocated internal address blocks. The purpose is to prevent computers on the internal network from IP address spoofing. Such "spoofing" is a common technique used in "Denial of Service" attacks. {Attribution: Wikipedia}
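To make the three egress checks described above concrete, here is an added example (not code from the original post or from any product it mentions) that models an edge device's outbound policy in Python: first the anti-spoofing check that the source address belongs to an allocated internal block, then the rule that only a select set of servers may leave the network at all, then the restriction of those servers to a handful of services. The internal blocks, the two egress servers, the allowed service table and the sample flows are all constructed, hypothetical values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy values (hypothetical, not from the original post):
# the address blocks allocated to the corporate network, the few servers
# (web proxy, mail relay) permitted to initiate outbound connections, and
# the protocol/port pairs those servers may use.
INTERNAL_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
EGRESS_SERVERS = {"10.0.1.10", "10.0.1.11"}
ALLOWED_SERVICES: Dict[Tuple[str, int], str] = {
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("tcp", 25): "smtp",
    ("tcp", 53): "dns",
    ("udp", 53): "dns",
}


@dataclass(frozen=True)
class Flow:
    """One outbound packet or flow as seen at the edge device."""
    src: str
    dst: str
    proto: str
    dport: int


def evaluate_egress(flow: Flow) -> Tuple[str, str]:
    """Apply the three egress checks in order and return (verdict, reason)."""
    src = ipaddress.ip_address(flow.src)
    # Check 1 (anti-spoofing): the source must fall inside an allocated
    # internal block; anything else is a forged address and never leaves.
    if not any(src in block for block in INTERNAL_BLOCKS):
        return ("deny", "spoofed-source")
    # Check 2: only the designated egress servers may leave the network.
    # Workstations are expected to reach the Internet through one of them.
    if flow.src not in EGRESS_SERVERS:
        return ("deny", "not-egress-server")
    # Check 3: even the egress servers are limited to the selected services.
    service = ALLOWED_SERVICES.get((flow.proto.lower(), flow.dport))
    if service is None:
        return ("deny", "service-not-allowed")
    return ("allow", service)


# Constructed sample traffic that exercises every branch of the policy.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.1.10", "203.0.113.5", "tcp", 443),    # proxy -> https: allowed
    Flow("10.0.1.11", "203.0.113.25", "tcp", 25),    # mail relay -> smtp: allowed
    Flow("10.0.7.23", "203.0.113.5", "tcp", 443),    # workstation going direct: denied
    Flow("10.0.1.10", "203.0.113.66", "tcp", 6667),  # proxy to a non-allowed port: denied
    Flow("172.16.9.9", "203.0.113.5", "tcp", 80),    # address we never allocated: spoofed
]


def evaluate_all(flows: List[Flow]) -> List[Tuple[Flow, Tuple[str, str]]]:
    """Evaluate a batch of flows; handy for reviewing a policy against a capture."""
    return [(f, evaluate_egress(f)) for f in flows]


if __name__ == "__main__":
    for flow, (verdict, reason) in evaluate_all(SAMPLE_FLOWS):
        print(f"{flow.src:>12} -> {flow.dst}:{flow.dport}/{flow.proto}  {verdict:5} ({reason})")
```

The order of the checks matters: the anti-spoofing test runs first so that a forged source address can never be whitelisted by accident, and the per-server rule runs before the per-service rule so that a workstation cannot reach an allowed port directly.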

Enumeration: Thanks to Wikipedia we know that network enumeration is a computing activity in which usernames and info on groups, shares, and services of networked computers are retrieved. It should not be confused with network mapping, which only retrieves information about which servers are connected to a specific network and what operating system runs on them. Network enumeration is the discovery of hosts/devices on a network. Enumeration tools tend to use overt discovery protocols such as ICMP and SNMP to gather information; they may also scan various ports on remote hosts, looking for well-known services, in an attempt to further identify the function of a remote host. The next stage of enumeration is to fingerprint the operating system of the remote host.
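Because enumeration relies on overt protocols (ICMP echo, SNMP, connections to well-known ports), it leaves a recognisable pattern in edge-firewall logs: one source touching many ports on one host, or many hosts in a row. The following added example (not from the original post or from any product it mentions) parses a constructed, hypothetical log format and flags sources showing those patterns. The log lines, the field names and the thresholds are all assumptions; a real firewall's format and sensible thresholds differ per environment.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed edge-firewall log lines (hypothetical format, not from the post):
# one external source probing several ports and hosts, one behaving normally.
SAMPLE_LOG = """
2014-12-01T10:00:01 DENY src=203.0.113.9 dst=10.0.2.5 proto=tcp dport=21
2014-12-01T10:00:01 DENY src=203.0.113.9 dst=10.0.2.5 proto=tcp dport=22
2014-12-01T10:00:02 DENY src=203.0.113.9 dst=10.0.2.5 proto=tcp dport=23
2014-12-01T10:00:02 DENY src=203.0.113.9 dst=10.0.2.5 proto=tcp dport=25
2014-12-01T10:00:03 DENY src=203.0.113.9 dst=10.0.2.5 proto=tcp dport=80
2014-12-01T10:00:03 ALLOW src=203.0.113.9 dst=10.0.2.5 proto=tcp dport=443
2014-12-01T10:00:07 DENY src=203.0.113.9 dst=10.0.2.1 proto=icmp type=8
2014-12-01T10:00:07 DENY src=203.0.113.9 dst=10.0.2.2 proto=icmp type=8
2014-12-01T10:00:08 DENY src=203.0.113.9 dst=10.0.2.3 proto=icmp type=8
2014-12-01T10:00:08 DENY src=203.0.113.9 dst=10.0.2.4 proto=icmp type=8
2014-12-01T10:00:11 DENY src=203.0.113.9 dst=10.0.2.5 proto=udp dport=161
2014-12-01T10:01:00 ALLOW src=198.51.100.7 dst=10.0.2.5 proto=tcp dport=443
2014-12-01T10:01:05 ALLOW src=198.51.100.7 dst=10.0.2.5 proto=tcp dport=443
"""

# Field layout of the constructed format: timestamp, verdict, src, dst, proto,
# then either dport (tcp/udp) or an ICMP type.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?(?: type=(?P<type>\d+))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    ev["type"] = int(ev["type"]) if ev["type"] else None
    return ev


def detect_enumeration(lines: List[str], port_threshold: int = 5,
                       host_threshold: int = 4) -> Dict[str, List[str]]:
    """Return {source: [reasons]} for sources whose traffic looks like enumeration."""
    ports = defaultdict(set)   # distinct (proto, port) pairs touched per source
    hosts = defaultdict(set)   # distinct destination hosts per source
    echo = defaultdict(int)    # ICMP echo requests (type 8) per source
    snmp = defaultdict(int)    # SNMP (udp/161) probes per source
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = ev["src"]
        hosts[s].add(ev["dst"])
        if ev["dport"] is not None:
            ports[s].add((ev["proto"], ev["dport"]))
        if ev["proto"] == "icmp" and ev["type"] == 8:
            echo[s] += 1
        if ev["proto"] == "udp" and ev["dport"] == 161:
            snmp[s] += 1

    findings: Dict[str, List[str]] = {}
    for s in sorted(hosts):
        reasons = []
        if len(ports[s]) >= port_threshold:
            reasons.append("port-scan")        # many services on the same hosts
        if len(hosts[s]) >= host_threshold:
            reasons.append("host-sweep")       # many hosts from one source
        if echo[s] >= host_threshold:
            reasons.append("icmp-echo-sweep")  # ping sweep
        if snmp[s] > 0:
            reasons.append("snmp-probe")       # SNMP queried from outside
        if reasons:
            findings[s] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {', '.join(reasons)}")
```

Note that the source's single ALLOW on port 443 still counts toward its distinct-port total: an enumeration attempt is recognised by the breadth of what one source touches, not by whether each individual connection was denied, which is also why the ordinary client hitting 443 twice produces no finding.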

We hope that this short laundry list helps each of you. We understand the complications of local, national and global enterprises. None of this is easy, but neither is dealing with the stockholders and the media if your company falls victim to a breach or other such incident.
