I wanted to do a quick review of three classic areas in which you can improve your security, and try to dislodge some of the bad practices many organizations are involved in.
Monitoring – Learn your environment. Spend time writing rules specific to your environment. Monitoring is a running joke in the security community because it is so often done poorly. I remember one instance where a colleague of mine laughed with delight recalling a time when a monitoring system detected his 0-day during a test run. “It actually detected it,” he commented, “so then I got around it.” That is all the explanation that was needed; it is that easy. Do not just look for “bad things.” You need to know your network and your systems if you ever hope to discover attacks.
Testing – If you are not modeling real-world threats, then you don’t have a good read on your security. I once had a company jokingly say to me, “I am not going to pay you to tell me I need awareness training.” Another one said, “I don’t need testing on that network because it is air gapped.” I have even had a financial institution tell me, “We don’t have security problems.” Well, long story short: the first did in fact need awareness training, browser patches, and a few other things; the second was not in fact air gapped; and the third did have security problems. They all learned the hard way. Testing is the easy way, so let’s start raising the scope, rules, and time constraints. Let’s raise the bar a little. It is a lot less painful to have a pen tester deliver the news than to be on the evening news.
Patch Management – I cannot remember the last time I was on a network where all of the software was provided by a single vendor. Yet I often see networks where only the systems supported by one vendor ever see patches in a timely manner. The other systems are often ignored, sometimes for years. Patch management applies to all systems.
Well, that is it for now: monitor, test, patch, and do it well.