Our network is our castle – we can never become complacent when trusted to protect our corporate assets, customer data or sensitive information. All too often, we find ourselves asleep at the wheel, relying on all the security controls and processes we have implemented.
We must have a strong monitoring and auditing function built into our Information Security program. Heathens are in the woods, watching our every move, waiting for the chance to storm the castle, slipping through a crack or blowing down the main gate, to invade, loot and pillage.
You have passed out administrative credentials to many employees. How do you know those employees are not deviating from the expected and approved tasks?
This deviation could be malicious, or it could simply be a mistake. Either way we face many risks when we allow employees to operate as an administrator on any system – we must have some oversight in place to detect and report on anomalous activity.
How do you know your webserver is not under attack, right this very instant? Webservers are notorious for being a primary target of attack while also being one area we find with the weakest security controls.
What if someone dropped some malicious code on your Linux webserver? How would you know?
I suggest that, along with requirements definition around that latest firewall or antivirus platform, the coolest new email security product or the best-rated web filter, we include security monitoring, some form of configuration change detection, and the ability to capture, consolidate and filter logs from all our devices.
Many ways exist to do this properly, instead of just plugging in that shiny new firewall and then going back to sleep, we must remain diligent and on-guard – part of that is proper monitoring and mechanisms in place to quickly detect potential attacks.
If we utilize a Security Information and Event Monitoring solution, we can employ resources to review these logs, respond to alerts, and have some chance of catching an attack in progress, before it becomes a major emergency.
Those teams should be trained to know exactly what is suspicious and what is just noise. The secops teams should be good enough to quickly scan the logs and anything out of place will catch their eye.
In addition to active monitoring and review of logs, we must capture our configurations, whether that’s a web server or a router, and then detect when that configuration has changed. I’ve been in companies where they haven’t made any updates or checked the configuration for years.
There are mechanisms or scripts you can write that will take a hash of the configuration of the router or the web server /var/www once a day. The script does a compare of the hash from one day to the next. If the hash value changes, something has changed in your config, or something has been modified in your web server.
Once we’ve detected a change, we can inquire as to whether there was an approved change within the last 24 hours. If there was, then the alert is simply a confirmation. If there was no approved change, we must find out if an unapproved change was made, or if we’ve been compromised.
If the admin just forgot to send in a change control and added a line to the .conf file, then we just remind him of the policy and move on. If no one knows of any internal change, we must suspect that we’ve been compromised in some way.
We must now go into Incident Response mode and try to find out what was changed and what that means. From there, if we were compromised, we can quickly find it and kick them out of our server or our router.
Maintaining a secure network isn’t rocket science, but it does require expertise and diligence. We must ensure we have the right tools, the right processes, and the right expertise to utilize those tools to the greatest effect.
The Information Security professional needs to understand how a router works, what a config looks like, what goes in the /var/www folder, how a Perl script works. We must be able to quickly review logs and know what is normal and what is not.
It takes a while to get up to speed on all this, however your employer trusts that, in giving you the keys to the kingdom, that you have all the ports and moats covered properly.