OSI Security - Penetration Testing & Web Application Security Consultants

Security in Depth: Where to begin

28/7/2017

A question frequently asked by people working in security is "Where do I begin?"
Talking about information security can easily turn into information overload, which is why communication skills are essential in this industry. So, to answer this big question, I have put together a security checklist: an overview of where to begin, without overlooking the essentials.

Patch everything, immediately: It doesn't matter whether there is a business requirement for a piece of software; if it is vulnerable and there is publicly available exploit code or an easy-to-use exploitation tool for it, it is going to be compromised.

Update default passwords: This is, in my opinion, common sense; however, the funny thing about common sense is that it's quite hard to come across these days. Honestly, if you want a one-way path to being compromised, and even to becoming part of a botnet, ignore this advice. This includes your firewall, your servers and any IoT device you buy and connect to your network.

Don't Reuse Passwords: Reusing passwords means that once one device is compromised, everything sharing that password is compromised too. Use a password manager such as KeePass (KeePassX on macOS) to keep track of passwords; don't write them down, or you open yourself up to a different set of problems.

Network Segmentation: Devices should be segmented logically by type; set up choke points between device types and filter heavily by port and protocol. Consider how an attacker moving from one segment to another can be restricted. Consider how you can prevent an end-user device compromised by a phishing attack from reaching the servers. What about the mobile devices too? What can they access?
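One way to express the choke-point idea on a Linux router, as an added example that is not from the original post: an nftables ruleset sitting between three segments. The interface names (vlan10 for users, vlan20 for servers, vlan30 for out-of-band management) and the permitted ports are assumptions chosen for illustration; substitute your own.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post). Assumed layout:
#   vlan10 = end-user devices, vlan20 = servers, vlan30 = management network.
# Everything crossing a segment boundary is dropped unless a rule below allows it.
flush ruleset

table inet chokepoint {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections permitted below are allowed back; junk is dropped.
        ct state established,related accept
        ct state invalid drop

        # Users may only reach the web front end and DNS on the server segment.
        iifname "vlan10" oifname "vlan20" tcp dport 443 accept
        iifname "vlan10" oifname "vlan20" udp dport 53 accept

        # Only the management segment may open SSH or RDP to servers.
        iifname "vlan30" oifname "vlan20" tcp dport { 22, 3389 } accept

        # Servers never initiate connections towards users, and users never reach
        # the management segment: both fall through to the chain policy (drop).
        # Log what is dropped, rate limited, so lateral movement attempts are visible.
        limit rate 10/minute log prefix "chokepoint-drop: "
    }
}
```

The important property is the default deny: a phished workstation on vlan10 can still talk to the web front end, but it cannot reach SSH, RDP or SMB on the servers, and it cannot see the management network at all. The log line gives the SOC something to alert on when a compromised host starts probing other segments.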

Manage in and out of band: If your management plane is separated, either logically or physically, from your data plane, it makes the task of an attacker monitoring or modifying management traffic one step harder.

Use Secure Protocols: Using good protocols is essential, i.e. SSH rather than Telnet, SMTP over TLS (SMTP/S) rather than plain SMTP, etc. It complements managing in and out of band.

Disable What You Don't Need: Continuing from the last note, disable any protocols and services you don't need; every listening service you remove is one less thing to attack. For example: NetBIOS-NS and SMB on hosts that do not need to share files.

PSK for wireless is not good enough: PSK networks can be cracked off-site once a handshake has been captured, which can take seconds, and there are also key distribution and key management issues: every client shares the same secret, so revoking one person's access means re-keying every device. Also consider the administrator login details for each AP; this comes back to default passwords. You should look into deploying 802.1X, which can use client-side digital certificates (EAP-TLS) and Active Directory authentication. You should have a plan for protecting against stolen or infected end-user devices, and a plan for access revocation.

Proper Mobile Device Management: Remote erase, a secure PIN and encryption at rest are essential. Your company policy will give you the specifics of whether fingerprint access is acceptable, but you should accept that devices will be lost and stolen. The data on the device should be protected, as should the access the device has into your internal network, such as VPNs. Encrypt the data on the device so that it cannot be accessed or modified; enable remote wipe, which may help with damage limitation; and have the ability to revoke a device's access to the VPN. This is all part of proper MDM.

Restrict User Input: If you're writing a web application, then contextually filter user input using a white-listing approach that matches each expected input. For example, if you're asking for an Australian postcode, does the input look like a number, and is it limited to exactly 4 characters? Anything that does not match the expected shape should be rejected, not cleaned up.
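The white-listing approach in working code, as an added example that is not from the original post. The field names, the patterns and the sample submissions are assumptions constructed for illustration; the point it shows beyond the postcode case is that the pattern must be anchored at both ends (`re.fullmatch`), because a `$`-anchored `re.match` still accepts a trailing newline.

```python
import re

# Added example (not from the original post). One allow-list pattern per expected
# field; each is applied with re.fullmatch so the whole value must match.
# The field names are assumptions for illustration.
FIELD_RULES = {
    # Australian postcodes are exactly four digits.
    "postcode": re.compile(r"[0-9]{4}"),
    # Usernames: letters, digits, dot, underscore, hyphen; 3 to 32 characters.
    "username": re.compile(r"[A-Za-z0-9._-]{3,32}"),
    # Phone numbers: optional leading +, then 8 to 15 digits (E.164 length limit).
    "phone": re.compile(r"\+?[0-9]{8,15}"),
}


class ValidationError(ValueError):
    """Raised when a submitted value does not match its allow-list."""


def naive_postcode_check(value):
    """The common mistake: '$' matches before a trailing newline, so '2000\\n' passes."""
    return re.match(r"^[0-9]{4}$", value) is not None


def validate_field(name, value):
    """Return value unchanged if it matches the allow-list for name, else raise."""
    rule = FIELD_RULES.get(name)
    if rule is None:
        # Unknown field: reject rather than silently pass it through to the application.
        raise ValidationError(f"no validation rule for field {name!r}")
    if not isinstance(value, str):
        raise ValidationError(f"{name}: expected a string")
    # fullmatch anchors both ends, so neither a trailing newline nor a suffix slips past.
    if rule.fullmatch(value) is None:
        raise ValidationError(f"{name}: value does not match the expected format")
    return value


def validate_form(form):
    """Validate every submitted field. Returns (accepted_fields, errors_by_field)."""
    accepted, errors = {}, {}
    for name, value in form.items():
        try:
            accepted[name] = validate_field(name, value)
        except ValidationError as exc:
            errors[name] = str(exc)
    return accepted, errors


# Constructed sample submissions (not real data).
GOOD_FORM = {"postcode": "2000", "username": "j.smith", "phone": "+61412345678"}
BAD_FORM = {
    "postcode": "2000\n",                     # passes the naive check, fails fullmatch
    "username": "'; DROP TABLE users;--",     # characters outside the allow-list
    "phone": "0412 345 678",                  # spaces are not in the allow-list
    "extra": "x",                             # field the form never asked for
}

if __name__ == "__main__":
    print("naive check on '2000\\n':", naive_postcode_check("2000\n"))
    print(validate_form(GOOD_FORM))
    print(validate_form(BAD_FORM))
```

Rejecting rather than "cleaning" input keeps the validator simple and predictable: there is no sanitiser to bypass, only a shape the value either has or does not have. Output encoding for the context the value is later used in (HTML, SQL parameters, shell) is still required; this filter only limits what the application accepts.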

Restrict User Access: Network Access Control applies to both wireless and wired networks and should be rigorous. Don't restrict access based on something public and easily forged, such as MAC addresses; instead, use something like client-side certificates or Active Directory integration to determine whether a machine should be allowed access. For web applications and external infrastructure, restrict access to administrative interfaces to administrative machines only.

Weak Encryption will be Broken: There's a lot more to cryptography than just which encryption algorithm you're using: implementation issues, algorithm issues, hashing issues, padding issues, PRNG issues. There's a lot of complexity and a lot that can go wrong, and on top of this clients seem to take ages to drop default support for weak encryption. Get rid of old and weak ciphers quickly and remove broken ciphers immediately. Try to keep a real-world understanding of the risk of each attack and each new weakness, and how bad the issues are. Some issues are minor, whereas attacks like RC4 NOMORE are a big deal.
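What "remove broken ciphers" looks like in a client's TLS configuration, as an added example that is not from the original post: a permissive `ssl` context beside a hardened one, and a check that reports which of the suites a context would still offer match names the post calls out (RC4, DES/3DES, MD5, NULL, export and anonymous suites). Uses only the Python standard library; the exact suites listed depend on the OpenSSL build Python is linked against, which is itself the point of checking rather than assuming.

```python
import re
import ssl

# Added example (not from the original post). Substrings of OpenSSL cipher-suite
# names that mark a suite as old, weak or broken. 'DES' also catches DES-CBC3 (3DES).
WEAK_NAME = re.compile(r"RC4|DES|MD5|NULL|EXP|ADH|AECDH|RC2|IDEA|SEED")


def weak_ciphers(ctx):
    """Names of suites the context would still negotiate that match WEAK_NAME."""
    return sorted(c["name"] for c in ctx.get_ciphers() if WEAK_NAME.search(c["name"]))


def permissive_context():
    """The weak setting: accept whatever the linked OpenSSL still knows how to speak."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # SECLEVEL=0 re-enables suites newer OpenSSL builds hide by default.
        ctx.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    except ssl.SSLError:
        # Older libraries do not understand @SECLEVEL; fall back to plain ALL.
        ctx.set_ciphers("ALL")
    return ctx


def hardened_context():
    """The corrected setting: TLS 1.2+, forward-secret AEAD suites only, and the
    broken families explicitly excluded so a future library default cannot add them back."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES:!DES:!EXP")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def report(ctx):
    """Summary a practitioner would want to see for a given context."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "suites_offered": len(ctx.get_ciphers()),
        "weak_suites": weak_ciphers(ctx),
    }


if __name__ == "__main__":
    print("permissive:", report(permissive_context()))
    print("hardened:  ", report(hardened_context()))
```

`get_ciphers()` shows what would actually go on the wire, so it is a better audit than reading the configuration string: a typo in the cipher string, or a library compiled without a suite, changes the list silently. Run the same check against the server side of every service you expose.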

Trust but Verify: Test your systems. It doesn't matter how great you think your level of security is; test your systems, and test them manually. We believe human-driven testing far outperforms automated testing.

Before attackers come, have a plan to respond: If a company is not adequately prepared to handle an incident efficiently, a time of tension becomes one of crisis. Having procedures and plans for when an attack comes is essential. This is the same as going to war; it just happens to be fought with computers. Would you go into a war unprepared?

"Appear weak when you are strong, and strong when you are weak" - Sun Tzu, The Art of War
OSI SECURITY ACN 144 579 751 © 2010 - 2025.
​ALL RIGHTS RESERVED. SYDNEY, AUSTRALIA.