PaulDotCom mailing list archives
Re: How do I fill the gap of knowing how important "good" security is and actually doing something about it?
From: Shaun Curry <scurry () smsd gs>
Date: Fri, 10 Aug 2012 14:39:41 +0000
I'd like to thank everyone for the great advice! I have already reached the realization that my job encompasses far more than just security; however, this is still part of my job. I really don't spend more than 30 mins on a "weird" alert unless I see other indicators that confirm what I'm seeing. My personal goal for our organization is simple, really: educate the handful of users I have, operate with a consistent patch cycle (automating as much as possible), and review my logs. I have started implementing the "20 Critical Controls" and have been able to automate most of them (still a work in progress). Again, thank you! The advice has really put me at ease... Knowing that the job is never really done, I feel I'm on the right track.

-----Original Message-----
From: guppie () starmind org [mailto:guppie () starmind org] On Behalf Of Josh More
Sent: Friday, August 10, 2012 8:36 AM
To: PaulDotCom Security Weekly Mailing List; Shaun Curry
Subject: Re: [Pauldotcom] How do I fill the gap of knowing how important "good" security is and actually doing something about it?

Congratulations, you've graduated.

More seriously, our culture does us a disservice through the schooling process. Classes are great when the amount you have to learn is the majority of what can be taught in a classroom format (I suspect the magic number is 80%). However, once you have accumulated enough baseline knowledge, the mode fails dramatically. In this case, there is no class that will solve your problem, as your knowledge gaps are unique to you. At this point, the best way to learn is experimentation, sharing your thoughts with others and a willingness to be wrong (and have it pointed out to you in public forums).

I recognize, of course, that this is not directly helpful, so to address your current concern, consider the following workflow:

1) Is this truly the most critical issue on which you should focus?
   * I've found that I can do more good in an organization addressing patch management and workstation/server hardening than chasing packets down rabbit trails. This will depend, of course, on your specific environment and key skillset.

2) If it is the most critical, consider what the alert could be indicating. Decide if it truly is critical.
   * IP spoofing against your VOIP system could be part of a social engineering attack, a "free international call" attack, harvesting information from voicemails, etc... look for secondary indicators.
   * Port scan detection can include true port scans or can be an external app negotiating for a control or data channel. Do you need control/data channels to those sources? If not, kill the source and forget about it.

3) If you have to dig deeper (or just want to), review the actual packets. If you're weak on this, play with the free PCAPs at http://wiki.wireshark.org/SampleCaptures/ .
   * Packet reading is a high learning-curve activity. Whether it makes sense to build that skill depends on how easy it is for you and how interesting you find it. Personally, I'm stronger in other areas, so I focus there.

Remember, most organizations select "best" practices and then implement them as poorly as possible. If you are the one and only admin in your organization, it is very likely that you should not be spending your time on these sorts of activities. (I have an entire presentation on why this is the case, but this is not the forum for such a rant.) Go back to point 1 several times a day to decide if this is what truly matters. Odds are that you'd be better served by finding ways to automate your daily, weekly or monthly tasks, communicating your concerns to nontechnical people and focusing on centralizing data management. Most smaller organizations often have so many ways for malicious people (inside or outside) to interfere with operations or steal data that network-based attacks are lower on the attacker's priority list.

Build defenses and indicator traps along the most likely threat vectors and monitor those. Once you have reasonable certainty that they are clean, expand your program. If you learn anything new as you do this, share it with others.

-Josh More

On Thu, Aug 9, 2012 at 9:26 PM, Shaun Curry <scurry () smsd gs> wrote:

Hello everyone! I have a difficult issue... I am a sys admin and the one and only IT person for a small organization. I have attended SANS courses and have listened to pauldotcom for years now. I have been learning a lot in the area of network security, but I need to fill a crucial gap in my knowledge.

Here's the scenario: I review my logs daily and started noticing some strange things. For example, an "IP Spoof" with an internal IP address talking to my VOIP server. I see port scans coming from a facebook domain that are obviously apps. I see things that alarm me; however, I don't know how to verify the validity of what I'm seeing. I know that sometimes you can get false positives and sometimes an all-in-one IDS/IPS/Firewall can get it wrong. I'm feeling a bit lost! I know that I can expect port scanning and I tend to ignore it. But some of the other things I'm seeing just leave me very nervous...

I'm doing my best and as far as I can tell it's been working well, but there has to be a good training course or two that I can take that will teach me how to identify this stuff quicker and more easily. Do you just learn this stuff as you go? Is experience the key? If anyone has advice I'd appreciate it! I can't be the first or only person to reach this point....

Thanks!
Shaun Curry

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
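The triage workflow Josh describes (decide whether a "Port Scan" is an app you need a channel to, and treat a single "IP Spoof" as unconfirmed until a secondary indicator from the same source shows up) can be run mechanically over an appliance's alert log before anyone spends 30 minutes on it. The following is an added example written for this archive page; it is not code posted by Shaun, Josh or anyone in the thread. The log line format, the alert names, every address (all from the RFC 5737 documentation ranges), the `EXPECTED_SCANNERS` allowlist, the `INTERNAL_NETS` list and the 30-minute correlation window are all assumptions made for the example.

```python
"""Alert triage over constructed firewall/IDS log lines.

Added example, not from the thread. Groups alerts by source address,
looks for a second, different alert type from the same source inside a
time window (the "secondary indicator"), and assigns each source one of
four verdicts. Log format, alert names, addresses, allowlists and the
window are all assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed: a vendor network whose "port scans" are really an application
# negotiating a control/data channel that the organization needs.
EXPECTED_SCANNERS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed: the organization's own LAN.
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed syslog-style lines loosely modelled on an all-in-one appliance.
SAMPLE_LOG = """\
2012-08-09T21:01:12 alert="Port Scan" src=192.0.2.10 dst=203.0.113.5 dpt=443
2012-08-09T21:01:14 alert="Port Scan" src=192.0.2.10 dst=203.0.113.5 dpt=8443
2012-08-09T21:05:40 alert="IP Spoof" src=192.168.10.77 dst=192.168.10.20 dpt=5060
2012-08-09T21:07:03 alert="Port Scan" src=198.51.100.23 dst=203.0.113.5 dpt=22
2012-08-09T21:07:05 alert="Port Scan" src=198.51.100.23 dst=203.0.113.5 dpt=23
2012-08-09T21:09:41 alert="Auth Failure" src=198.51.100.23 dst=203.0.113.5 dpt=22
2012-08-09T21:12:10 alert="Port Scan" src=198.51.100.200 dst=203.0.113.5 dpt=3389
2012-08-09T21:15:00 alert="IP Spoof" src=192.168.10.77 dst=192.168.10.20 dpt=5060
2012-08-09T21:15:30 alert="SIP Register Flood" src=192.168.10.77 dst=192.168.10.20 dpt=5060
2012-08-09T21:20:05 alert="IP Spoof" src=192.168.10.91 dst=192.168.10.20 dpt=5060
2012-08-09T23:00:00 alert="Auth Failure" src=192.168.10.91 dst=192.168.10.20 dpt=5060
this line is deliberately malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) alert="(?P<alert>[^"]+)" src=(?P<src>\S+) '
    r'dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$'
)


def parse_log(text):
    """Return one event dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "alert": m["alert"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dpt": int(m["dpt"]),
        })
    return events


def in_any(addr, nets):
    return any(addr in net for net in nets)


def has_secondary_indicator(evs, window):
    """True if two different alert types from one source fall within `window`.

    `evs` must be sorted by timestamp; a sliding window avoids being fooled
    by a source whose alerts are spread over many hours.
    """
    for i, first in enumerate(evs):
        for later in evs[i + 1:]:
            if later["ts"] - first["ts"] > window:
                break
            if later["alert"] != first["alert"]:
                return True
    return False


def triage(events, window=timedelta(minutes=30)):
    """Map each source address to a verdict plus the evidence behind it.

    expected    - only port scans, from a source we need channels to
    block       - only port scans, from a source we have no use for
    investigate - a second, different alert type inside `window`
    watch       - one alert type only, or types too far apart to correlate
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in by_src.items():
        kinds = {ev["alert"] for ev in evs}
        if kinds == {"Port Scan"}:
            verdict = "expected" if in_any(src, EXPECTED_SCANNERS) else "block"
        elif has_secondary_indicator(evs, window):
            verdict = "investigate"
        else:
            verdict = "watch"
        verdicts[str(src)] = {
            "verdict": verdict,
            "alerts": sorted(kinds),
            "count": len(evs),
            "internal": in_any(src, INTERNAL_NETS),
        }
    return verdicts


if __name__ == "__main__":
    for src, info in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:16} {info['verdict']:12} {info['count']}x {info['alerts']}")
```

On the constructed sample, the vendor scanner comes out "expected", the unknown external scanner "block", the two sources that produced a second alert type within half an hour "investigate", and the internal host whose two alerts are 1h40 apart "watch". The lone "IP Spoof" from an internal address therefore only becomes worth the 30 minutes once something like the SIP register flood shows up beside it, which is exactly the corroboration the thread recommends waiting for.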
Current thread:
- How do I fill the gap of knowing how important "good" security is and actually doing something about it? Shaun Curry (Aug 09)
- Re: How do I fill the gap of knowing how important "good" security is and actually doing something about it? Conrad Constantine (Aug 09)
- Re: How do I fill the gap of knowing how important "good" security is and actually doing something about it? Josh More (Aug 10)
- Re: How do I fill the gap of knowing how important "good" security is and actually doing something about it? Shaun Curry (Aug 10)