Back to Basics, Information Security:

Today we are all running well so far with old and new security products that give us secure environments. However, our knowledge of the basics is dying. What do we mean by "basics of information security"? The basics are nothing but hygiene. Just as we keep good hygiene at home, at work, and for our bodies so that we are strong enough to resist viruses, our systems and security hygiene need to be in good condition to provide protection.

Today, if our CEO or CIO asks for our security posture, we show them an executive summary pulled by our SOC team from the SIEM or from vulnerability assessment (VA) scan results. However, no one is showing how many of our non-critical devices are vulnerable or configured without any protection. These devices can be logged into anonymously and are as capable as servers, and during the day users use them more than our data center applications and servers.

A few examples: open FTP ports on a network printer, open telnet on a network printer, and unauthenticated HTTP access to network printers that end users use and that are connected to a data center server to centrally manage the print queue. Open shares on our servers and users' desktops; I am not even talking about SAN drives (network drives), which are well managed by Active Directory. I am talking about open shares available on individual data center servers. These shares are enabled by IT admins for easy data transfer, such as backups. However, in the long run, these folders start accumulating sensitive data. Even if the folders grant only read rights to "Everyone", any user in the domain can read and download the data to their desktop, which goes completely unmonitored.
The reason I say unmonitored is that no organization integrates every server with DLP, especially when the downloading or reading happens internally.

We should understand the basics of what hackers do once they gain control of one of our end user machines, and how insiders help organized criminals get our data. Once hackers are inside the network, they start scanning your systems for open access using their own custom scripts written in PowerShell. Unfortunately, even if you set a PowerShell execution policy restriction, there are many ways to bypass it. A custom script that has never been seen by anyone else will go undetected by most antivirus products and runs directly in memory.

Below is a list of the tasks hackers attempt first in order to search your network without any sophisticated exploits.
- Search for Windows open shares and files accessible by "Everyone" (a simple Sysinternals tool or custom script can do this in a few minutes).
- Anonymous FTP servers (any custom port scan script written in PowerShell).
- Network printers and their open ports that allow unauthenticated access.
- Unauthenticated SMTP servers (telnet from a DOS prompt or PuTTY on the default SMTP ports).
- Users whose passwords never expire in Active Directory (every user in the domain has read-only rights to query domain users' password configuration).
- Exception folder list from the registry (read-only registry rights are enough).
- Exception users from Active Directory OU/group names (every user in the domain has read-only rights to query LDAP).
- Passwords written in scripts lying on Windows open share folders.
- Etc.
The above are a few of the things attackers look for once they are in your network. As a SOC analyst, rather than only monitoring the SIEM, one should also check whether the above things are in place or not. I am sure we all agree that hackers will hack our network, and our job is to make their work difficult during and post exploitation. The greatest challenge here is who owns the cleanup of these basics: the IT/desktop team or infosec? I believe hygiene in house is everyone's job and not just your mom's "job."