If you are like most in the information technology (IT)
security field, you are inundated with alerts, systems that need patching and
bogus emails to investigate. To be successful, you need to have a hyper focus on
When you perform vulnerability scans and manage a large
number of systems, you will not be able to patch every
vulnerability that is discovered. You need to review the list
and focus on patching the most important vulnerabilities, as not every
vulnerability needs to be addressed right away. The most important vulnerabilities
are the ones that are being actively exploited in the wild; those certainly need to
be patched as soon as possible. If a vulnerability on the list has a lower chance
of being exploited, it should still be addressed, but take care of the most critical
I have seen too many people attempting to fix every
vulnerability on the list, which takes time and resources away from more
important tasks. I have also seen some who look at the vulnerability list,
deem it daunting and make no progress on it.
Logging and Alerting
Logs and alerts need to be tuned. If you have set up
alerting and it just goes to a folder in Outlook for you to review later, you
have already lost. Alerts need to be tuned so that you can take action on the
important alerts and are not inundated with false positives. Purchasing a
SIEM or a managed SIEM can help tame the alerts and make them somewhat useful.
When setting up logging, you need to define what is important
to log and send those logs to a central location. Those logs should at some
point be put into a SIEM, or at least a syslog server combined with a monitoring and
alerting system, so you can take action on them if you need to. This also saves
you from having to look in numerous locations for logs, saving valuable
Finally, appoint someone to be in charge of alerts, as alerts
by committee will not work.
Define what is important to protect
Any IT security professional will tell you that you are not
going to be able to protect everything, but the security controls you put in
place are critical to your success.
The first step in this process is to define which data and
systems are critical or have a high value to protect. This then allows you to
build the controls you need to protect the data and systems as needed.
For example, a file server that contains critical customer
data is much more important than a file server that just contains IT software
install files. You would design controls around the critical data, such as ACLs,
encrypting the data, and software to record who has accessed the data and what
they did with it. You would not put the same controls on the
software installs.
You cannot provide the same level of protection to all
systems, so you need to divide and conquer.
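Putting the vulnerability-triage advice above together with the asset-value idea from this section: an added example (not the author's own tooling) that orders scan findings so that anything exploited in the wild comes first, then, within a tier, findings on the hosts you have declared critical. The CVE ids, host names, exploited-in-the-wild feed and critical-host inventory are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str              # constructed placeholder ids, not real CVE numbers
    cvss: float           # CVSS base score, 0.0 to 10.0
    exploit_public: bool  # public exploit code exists, but no in-the-wild use known


# Constructed scan output; every identifier and host name here is made up.
FINDINGS = [
    Finding("fs-customer-01", "CVE-0000-0001", 9.1, False),
    Finding("fs-installs-01", "CVE-0000-0002", 9.8, False),
    Finding("web-01",         "CVE-0000-0003", 6.1, True),
    Finding("fs-installs-01", "CVE-0000-0004", 8.8, True),
    Finding("web-02",         "CVE-0000-0005", 7.2, False),
]

# Constructed stand-ins for a "known exploited in the wild" feed and for the
# critical-asset inventory the "Define what is important" section calls for.
EXPLOITED_IN_WILD = {"CVE-0000-0003"}
CRITICAL_HOSTS = {"fs-customer-01"}   # e.g. the customer-data file server


def tier(f, exploited):
    """0 = patch now, 1 = this week, 2 = this cycle, 3 = schedule normally."""
    if f.cve in exploited:           # actively exploited: always first
        return 0
    if f.exploit_public or f.cvss >= 9.0:
        return 1
    if f.cvss >= 7.0:
        return 2
    return 3


def prioritize(findings, exploited=EXPLOITED_IN_WILD, critical=CRITICAL_HOSTS):
    """Sort by exploitation tier, then critical hosts first, then severity.

    A lower CVSS on a critical host outranks a higher CVSS on a throwaway
    host inside the same tier, which is the point of defining what matters.
    """
    return sorted(
        findings,
        key=lambda f: (tier(f, exploited), f.host not in critical, -f.cvss),
    )


def patch_queue(findings, exploited=EXPLOITED_IN_WILD, critical=CRITICAL_HOSTS):
    """Return just the CVE ids in the order they should be worked."""
    return [f.cve for f in prioritize(findings, exploited, critical)]


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(tier(f, EXPLOITED_IN_WILD), f.host, f.cve, f.cvss)
```

Note that CVE-0000-0001 (CVSS 9.1, critical host) is queued ahead of CVE-0000-0002 (CVSS 9.8, software-install server), while the in-the-wild CVE-0000-0003 jumps the whole queue despite its 6.1 score.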
Set up the proper firewall controls and rules
I have been working on firewalls for over 20 years, and what
always amazes me is how poorly they are set up.
The first item that always sticks out is how many old and
unused rules and objects are still configured on the firewall. Leaving old
rules enabled on a firewall can allow access to a system you did
not intend to expose or open up a vulnerability you did not consider.
The second item I have seen is allowing any service from any
network to go outbound. Typically, most servers do not need Internet access; if
they do, it should only be for the services and functions that are necessary
(for example, a DNS server allowed out to resolve names, or an SMTP server allowed
out to send email).
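The two rulebase problems just described (stale rules and objects, and any-service outbound) are the kind of thing a periodic audit script can flag before a reviewer ever opens the firewall GUI. The following is an added example, not code from the author; it runs over a constructed rulebase export (a list of dicts with a last-hit date, which is what most vendors' rule exports provide in some form) and reports stale rules, unreferenced objects, and permissive outbound rules.

```python
from datetime import date, timedelta

# Constructed sample rulebase; names and hit dates are made up for illustration.
TODAY = date(2024, 6, 1)
RULES = [
    {"name": "allow-dns-out",   "src": "dns-srv",    "dst": "any",
     "svc": "udp/53",   "action": "allow", "last_hit": TODAY - timedelta(days=1)},
    {"name": "allow-smtp-out",  "src": "smtp-srv",   "dst": "any",
     "svc": "tcp/25",   "action": "allow", "last_hit": TODAY - timedelta(days=2)},
    {"name": "servers-any-out", "src": "srv-net",    "dst": "any",
     "svc": "any",      "action": "allow", "last_hit": TODAY},
    {"name": "old-vendor-vpn",  "src": "vendor-net", "dst": "erp-srv",
     "svc": "tcp/3389", "action": "allow", "last_hit": TODAY - timedelta(days=400)},
    {"name": "legacy-ftp",      "src": "any",        "dst": "ftp-srv",
     "svc": "tcp/21",   "action": "allow", "last_hit": None},   # never matched
]
# Constructed address objects defined on the firewall, whether referenced or not.
OBJECTS = {"dns-srv", "smtp-srv", "srv-net", "vendor-net", "erp-srv",
           "ftp-srv", "old-print-srv"}

STALE_DAYS = 90   # assumed review threshold; pick what fits your change process


def audit(rules, objects, today=TODAY, stale_days=STALE_DAYS):
    """Return the three review lists the text calls out.

    stale:          allow rules never hit, or not hit within stale_days
    any_outbound:   allow rules that let any service reach any destination
    unused_objects: address objects no rule references (candidates to delete)
    """
    stale, any_outbound, referenced = [], [], set()
    for r in rules:
        referenced.update((r["src"], r["dst"]))
        if r["action"] != "allow":
            continue
        last = r["last_hit"]
        if last is None or (today - last).days > stale_days:
            stale.append(r["name"])
        if r["dst"] == "any" and r["svc"] == "any":
            any_outbound.append(r["name"])
    unused_objects = sorted(objects - referenced - {"any"})
    return {"stale": stale, "any_outbound": any_outbound,
            "unused_objects": unused_objects}


if __name__ == "__main__":
    for category, names in audit(RULES, OBJECTS).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

The DNS and SMTP rules pass because they are scoped to one service each, which is exactly the "only what is necessary" outbound posture described above.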
You should also enable the threat-prevention capabilities on firewalls.
If your firewall has the ability to run anti-virus and IPS functions, enable them.
If it also has the ability to send files to an Internet-hosted sandbox for analysis,
do that as well. About fifty percent or more of Internet traffic is
sent encrypted, so you might want to decrypt the SSL/TLS traffic so you can better
detect incoming threats.
Geo-blocking is another feature that is very important to
enable on the firewall. Blocking access to countries that host known threat actors can
better protect your network and is relatively easy to enable.
The list I have provided above is really just a start. A
well-defined IT security program is developed over time and requires the business buying
into a culture of security. If you do not have business buy-in, and your users
are bypassing your controls without consequences, you will be helpless in
defending your network.
It is also important to be a bit flexible with your security
approach; sometimes it makes sense to make exceptions to your IT security
policies to fit a business need. A good way to fail and lose credibility is to
say no just because you can or because you are on a Napoleon power trip. You need
to be part of the solution, not part of the problem. What I mean
by that is that I have seen many IT professionals enforce policies just
because they think they are right, when they are ultimately wrong, and it costs
the business and the users of IT systems valuable time and money.