Back to Basics – System Hygiene

April 13, 2017


Back to Basics, Information Security: We are all doing reasonably well today with a mix of old and new security products that promise a secure environment. What is slipping is our knowledge of the basics. What do we mean by "basics of information security"? The basics are nothing but hygiene. Just as we keep good hygiene at home, at work and on our bodies to stay strong against infection, our systems and security hygiene need to be in good condition to provide protection.

Today, if our CEO or CIO asks about our security posture, we show an executive summary pulled by the SOC team from the SIEM or from vulnerability assessment scan results. What nobody shows is how many of our non-critical devices are vulnerable or configured without any protection at all. These devices can be logged into anonymously, they have the capabilities of servers, and during the working day users touch them far more often than they touch our data center applications and servers.

A few examples: an open FTP port on a network printer, open telnet on a network printer, and unauthenticated HTTP access to network printers that end users rely on and that connect to a data center server managing the print queue centrally. Then there are open shares on our servers and on users' desktops. I am not talking about SAN drives (network drives), which are well managed through Active Directory, but about open shares on individual data center servers. IT admins enable these shares for easy data transfer, backups and the like, but in the long run these folders accumulate sensitive data. Even if a folder only grants read rights to "Everyone", any user in the domain can read it and copy the data to their desktop, and that copy goes completely unmonitored. I say unmonitored because no organization integrates every server with DLP, especially for reads and downloads that happen internally.

We should understand what attackers do once they control one of our end-user machines, and how insiders help organized criminals get at our data. Once inside the network, they start scanning for open access, using their own custom scripts written in PowerShell. Unfortunately, even if you set a PowerShell execution policy, there are plenty of ways to bypass it: the policy only governs script files, and the same code can be passed on the command line or over standard input instead. A custom script that nobody outside has ever seen will pass most antivirus signature scans, and it runs directly in memory without ever being written to disk.
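To make the bypass claim concrete, here is an added example (not code from the original post) showing why the execution policy should be treated as an admin safety latch rather than a security control, and what to enable so the SOC still sees what ran. The probe file name and marker string are arbitrary choices of mine; Part 2 needs local admin and PowerShell 5.0 or later for Script Block Logging.

```powershell
# Added example, not from the original post. Part 1: the execution policy is not a
# security boundary. Part 2: the logging that still records what ran (needs admin
# and PowerShell 5.0+). The probe file and marker string are arbitrary.

# ---- Part 1: the same payload runs three ways under a Restricted policy ----
$payload = 'Write-Output "ran under policy: $(Get-ExecutionPolicy)"'
Set-Content -Path "$env:TEMP\probe.ps1" -Value $payload
Get-ExecutionPolicy -List | Format-Table -AutoSize   # show which scope sets the policy

# a) per-process override; ineffective only when the policy comes from Group Policy
powershell.exe -NoProfile -ExecutionPolicy Bypass -File "$env:TEMP\probe.ps1"

# b) stream the file over stdin: no script *file* is executed, so the policy never applies
Get-Content "$env:TEMP\probe.ps1" | powershell.exe -NoProfile -Command -

# c) fully in memory: UTF-16LE base64 on the command line, nothing on disk at all
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
powershell.exe -NoProfile -EncodedCommand $enc
Remove-Item "$env:TEMP\probe.ps1"

# ---- Part 2: Script Block Logging catches all three, including (c) ----
# Same registry value the GPO "Turn on PowerShell Script Block Logging" writes
# (Administrative Templates > Windows Components > Windows PowerShell).
$k = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $k -Force | Out-Null
Set-ItemProperty -Path $k -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Re-run the in-memory variant, then pull the de-obfuscated text out of event 4104.
powershell.exe -NoProfile -EncodedCommand $enc
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'ran under policy' } |
    Select-Object TimeCreated, @{ n = 'ScriptText'; e = { ($_.Message -split "`r?`n")[1] } }
```

Two caveats worth knowing. First, "never seen by antivirus" is weaker than it sounds on Windows 10 and later: AMSI hands PowerShell script content to the registered AV engine at execution time, so running in memory alone does not hide a script from every scanner; a custom, unobfuscated script still sails past file-signature scanning, which is exactly why the 4104 events above should be forwarded to the SIEM. Second, if you want a preventive control rather than a detective one, that is AppLocker or WDAC putting PowerShell into Constrained Language Mode, not the execution policy.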

Below is a list of things attackers look for first in order to find their way around your network without needing any clever exploit.

  • Windows open shares and files that are accessible to Everyone (a simple Sysinternals tool such as ShareEnum, or a custom script, can list them in a few minutes).
  • Anonymous FTP servers (any custom port-scan script written in PowerShell will find them).
  • Network printers and their open ports that allow unauthenticated access.
  • Unauthenticated SMTP servers (telnet from the Windows command prompt or PuTTY to the default SMTP port).
  • Active Directory users whose password never expires (every user in the domain has read-only rights to query the password configuration of domain users).
  • Exception (exclusion) folder lists from the registry, for example antivirus exclusions (read-only registry rights are enough).
  • Excepted users from Active Directory OU and group names (every user in the domain has read-only rights to query LDAP).
  • Passwords written into scripts lying on open Windows shares.
  • And so on.
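The list above, together with the open-share problem described earlier, can be turned into a read-only sweep that a SOC analyst runs from any domain-joined workstation. The script below is an added example, not code from the original post. The UNC paths, printer hosts and SMTP host are placeholders to replace with your own; it assumes PowerShell 3.0 or later on a domain-joined machine. Every check deliberately uses only what a standard domain user already has (LDAP read, SMB and TCP connect, registry read), which is the same footing an attacker has after compromising one end-user machine.

```powershell
# Added hygiene sweep, not from the original post; hosts and paths are placeholders.
$Shares    = '\\fs01.corp.example\backup', '\\fs01.corp.example\transfer'   # placeholder UNC paths
$Printers  = 'printer01.corp.example', 'printer02.corp.example'             # placeholder hosts
$SmtpHost  = 'smtp01.corp.example'                                           # placeholder host
$TimeoutMs = 3000

function Test-TcpPort {
    # TCP connect with a timeout so a firewalled host does not stall the sweep.
    param([string]$Target, [int]$Port)
    $c = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $c.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $c.EndConnect($ar); return $true
    } catch { return $false } finally { $c.Close() }
}
function Test-AnonymousFtp {
    # A directory listing as user "anonymous" succeeding means unauthenticated FTP.
    param([string]$Target)
    try {
        $req = [System.Net.FtpWebRequest]::Create("ftp://$Target/")
        $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
        $req.Credentials = New-Object System.Net.NetworkCredential('anonymous', 'anon@example.com')
        $req.Timeout     = $TimeoutMs
        $req.GetResponse().Close(); return $true
    } catch { return $false }
}
function Test-OpenHttp {
    # HTTP 200 on the root page with no credentials = unauthenticated web UI;
    # 401/403 and refused connections throw and land in the catch block.
    param([string]$Target)
    try { return (Invoke-WebRequest -Uri "http://$Target/" -UseBasicParsing -TimeoutSec ($TimeoutMs / 1000)).StatusCode -eq 200 }
    catch { return $false }
}
function Test-SmtpRelay {
    # Open-relay probe: is RCPT TO for a foreign domain accepted without AUTH?
    # RSET and QUIT go out before DATA, so no message is ever delivered.
    param([string]$Target)
    try {
        $c = New-Object System.Net.Sockets.TcpClient($Target, 25)
        $s = $c.GetStream(); $s.ReadTimeout = $TimeoutMs
        $r = New-Object System.IO.StreamReader($s)
        $w = New-Object System.IO.StreamWriter($s); $w.NewLine = "`r`n"; $w.AutoFlush = $true
        $null = $r.ReadLine()                                                # 220 banner
        $w.WriteLine('EHLO hygiene-check'); while ($r.ReadLine() -match '^250-') { }
        $w.WriteLine('MAIL FROM:<probe@example.net>'); $null = $r.ReadLine()
        $w.WriteLine('RCPT TO:<probe@example.org>');  $rcpt = $r.ReadLine()
        $w.WriteLine('RSET'); $null = $r.ReadLine(); $w.WriteLine('QUIT')
        return ($rcpt -match '^250')
    } catch { return $false } finally { if ($c) { $c.Close() } }
}
function Get-BroadShareAccess {
    # Any domain user can read the NTFS ACL of a share they can reach; flag
    # Allow entries for groups that amount to "the whole domain".
    param([string]$Path)
    $broad = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'
    (Get-Acl -Path $Path -ErrorAction SilentlyContinue).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value.Split('\')[-1] } |
        Select-Object @{ n = 'Share'; e = { $Path } }, IdentityReference, FileSystemRights
}
function Find-PasswordsInScripts {
    # Scripts and configs left on open shares are where clear-text service passwords end up.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.bat, *.cmd, *.vbs, *.txt, *.xml, *.config, *.ini -ErrorAction SilentlyContinue |
        Select-String -Pattern '(?i)\b(passw(or)?d|pwd)\s*[=:]\s*\S+' |
        Select-Object Path, LineNumber, Line
}
function Get-PasswordNeverExpiresUsers {
    # userAccountControl bit 0x10000 (DONT_EXPIRE_PASSWD) via the LDAP bitwise-AND matching
    # rule, skipping disabled accounts (bit 0x2). No RSAT needed: any domain user can run it.
    $s = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $s.PageSize = 1000
    $s.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'pwdLastSet', 'memberOf'))
    $s.FindAll() | ForEach-Object {
        [pscustomobject]@{
            User       = [string]$_.Properties['samaccountname'][0]
            PwdLastSet = [datetime]::FromFileTime([int64]$_.Properties['pwdlastset'][0])
            Groups     = (@($_.Properties['memberof']) -replace '^CN=([^,]+),.*$', '$1') -join ';'
        }
    }
}
function Get-DefenderExclusions {
    # Exclusion paths are value names under this key. Readable by any local user for years;
    # newer Windows builds block non-admin reads, so empty means "none or not readable".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    if (Test-Path $key) { (Get-Item $key).Property }
}

# Run the sweep; each check prints its own table.
$Printers | ForEach-Object {
    [pscustomobject]@{ Printer = $_; AnonFtp = (Test-TcpPort $_ 21) -and (Test-AnonymousFtp $_); Telnet = Test-TcpPort $_ 23; OpenHttp = Test-OpenHttp $_ }
} | Format-Table -AutoSize
[pscustomobject]@{ SmtpHost = $SmtpHost; OpenRelay = Test-SmtpRelay $SmtpHost } | Format-Table -AutoSize
$Shares | ForEach-Object { Get-BroadShareAccess $_ } | Format-Table -AutoSize
$Shares | ForEach-Object { Find-PasswordsInScripts $_ } | Format-Table -AutoSize
Get-PasswordNeverExpiresUsers | Sort-Object PwdLastSet | Format-Table -AutoSize
Get-DefenderExclusions
```

Run it as an ordinary domain user on purpose: anything it finds is, by construction, visible to an attacker holding one phished workstation. The SMTP probe never sends mail (it resets before DATA), the FTP probe only lists the root directory, and the share checks only read ACLs and grep text, so the sweep is safe to schedule; the output is the list of cleanup tickets the last paragraph of the post asks someone to own.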

These are a few of the things an attacker looks for once they are inside your network.

As a SOC analyst, rather than only watching the SIEM, one should also check whether the above conditions exist. I am sure we all agree that attackers will get into our network; our job is to make their work difficult during and after exploitation. The greatest challenge is who owns cleaning up these basics: the IT/desktop team or infosec? I believe hygiene in the house is everyone's job, not just your mom's.

1 Comment
  1. You're in the right place, my friend. This site has been so useful for me in learning the basics of what I have a desire to learn. Start with the CompTIA Security+ course and proceed to the Penetration Testing and Ethical Hacking course. These two courses will jump-start you into the world of learning cyber security.
