Can you believe it’s already May? Spring is here, flowers are in bloom, and the grill is fired up. I really enjoy springtime. It’s a revitalizing time of year and it’s a great time to reflect on what we’ve accomplished so far this year. In the past few weeks, we’ve discussed patch management and using vulnerability scanning to see what vulnerabilities are in your infrastructure, and then we dove into the importance of data backups, as well as passwords and policies such as using MFA and proactively identifying compromised passwords to help secure your infrastructure.
On the other hand, it’s also a great time to look forward and make plans to accomplish goals! So let’s get started this month.
Incident response and readiness
Something what always comes to mind when I hear the word May, is may-day, as in Help! I served in the military in the US Navy. Fire is “el numero uno” threat to us out there aboard a ship. We drilled day and night to combat shipboard fires, and when the bells went off signaling a fire everyone was instantly engaged and focused on the task at hand. We didn’t scatter like mice when the lights come on.
Each person knew exactly what they were supposed to do, because we trained so often and everything was planned. One of our topics this month is incident response. You need a plan, so that when an incident occurs you can react in an instant. A plan instills in every person what their role is in this emergency. Incident response plans can mean the difference between success and failure of a business or organization. They are priceless!
The necessity of outbound traffic filtering
As many of you know, most firewalls today come with a default rule set permitting all outbound traffic to flow freely. This is because it makes for easy deployment. You put the firewall in place, and traffic flows outbound unimpeded. Nobody complains that you ruined their day because they can’t look at cat memes on the web (sorry Adrian)!
I pose to you a question. Is this ok? Not permitting the viewing of cat memes, but allowing all traffic outbound, unfiltered?
If you said no, you’re correct. This is not good security practice. We should be blocking most outbound ports. Is there a need for Telnet, SSH, and ephemeral ports to be permitted (among many others)? That depends. Does the organization need these ports open?
Why is outbound filtering necessary you ask? When command and control (CNC) malware is installed it needs to phone home. And most often, it phones home over an ephemeral port such as 34691 (random number I selected). If you only permit a few ports outbound, that port most likely isn’t one of them and you just successfully prevented an incident. We’ll discuss this more in depth later this month!
Standardizing secure configurations
Center for Internet Security (CIS) puts out an annual top 20 security controls you should use to protect your infrastructure. This year number five is is Secure configurations for hardware and software on devices, and number 11 is Secure configuration for network devices. These CIS folks are pretty smart, so I’m guessing there’s something to this (insert evil laugh here).
Why should we bother with standardizing configurations? By doing so, we eliminate poor configuration practices. If we create a proper “build sheet” for workstations that includes installation of all organization specific software, endpoint protection software, patches, and anything else we can come up with, then each and every workstation should be secure from the beginning.
The same goes for every other type of device. This topic comes down to ensuring standardization, and if we build good security into the standards we’ll be in a better security posture.
Wow, what a great start to May! Now get out there, smell the flowers (unless you have allergies), fire up the grill, and enjoy the weather! I’ll see you back here next week where we’ll dive into incident response plans.