Sunday, September 25, 2011

The SANS top 20 and you Week 2

Last week I wrote about the SANS top 20 security recommendations for small business, focusing on the first point: know what hardware you have. This week I will focus on the second point: know what software you have. In brief, software is all of the stuff on your computer that allows you to do things. I would like to make a point here that while the computer's operating system is software, it's not what I'm referencing this week.

Ok, I work in I.T., and more than once I've been called to someone's desk with the comment "My program doesn't work!", to which the typical I.T. response is "What program?" Part of the issue is that as I.T. professionals we don't often go through the trouble of limiting what people can put onto their PCs. After all, people want games, cool fonts, screen saver packages, etc. In this day and age many of those things are done on the internet using Flash, but that's not something I'm looking to go too far into this week either!

I remember one particular case involving a Mac user. Let's go ahead and call him user X. I was doing some traffic analysis on our network using OpenDNS. OpenDNS allows filtering and metrics on the DNS traffic from your network. It's free and can be checked out at opendns.org. I noticed a lot of traffic going to a series of IP addresses. I did some reputation checking using MxToolbox and Reputation Authority, and found out that these IPs had a nasty reputation for being associated with botnets. I then found out, after using the built-in Mac OS X firewall, that the traffic was being placed on the net by, you guessed it, a screen saver!

This covers why we need to know what programs are on PCs, and a little bit of how you can track down programs that are doing harm, but a better approach would be proactive! Spiceworks can check which programs are on your network. It does this by scanning for .exe's. Spiceworks, as I mentioned last week, is free and great to use! You can also use Microsoft's built-in software policies. I most recently used these on a terminal server to force programs to run only from one directory, and then locked that directory down. This also stops people from accidentally installing things. Next, I recommend restricting local admin rights on PCs. This limits the amount of damage that can occur. The last step is rescanning PCs on a regular basis. No matter how hard you try, someone will typically find a way to get unwanted programs onto a PC. Remember, a non-technical complement to all this is a written policy that states what is acceptable on the local network. For starters, NO non-approved software!

Sunday, September 18, 2011

The SANS top 20 and you Week 1

I came across some very interesting information the other day. Apparently the SANS institute (System Administration Networking and Security) has a list of 20 items that a business can implement at no cost. I realize that time is money too. So, even if there is no direct monetary cost attached to the ideas, someone still has to put them in place. If I was naming this list it would say "20 good ideas for security (definitely a cheap way to get it done)". While I won't be covering this whole document right now, I plan to dive into it more over the next few weeks. Here is the link to the article if someone gets too jumpy and can't wait: http://www.sans.org/reading_room/whitepapers/hsoffice/small-business-budget-implementation-20-security-controls_33744

Ok, so the real question is why do we care about securing networks? How effective are the ideas listed in this article? According to SANS, the adoption of this program in 2009 resulted in an 88% drop in vulnerabilities. In other words, the number of systems which were vulnerable went down a lot. It bears repeating that a vulnerability is a weakness in a system which may be exploited. It is like an unlocked window in your house: just because a window is open doesn't mean a thief will break in, but it is the opening they would use. So, onto the vulnerabilities; let's start with item one on the list.

  1. Inventory of authorized and unauthorized devices.

Small businesses are notoriously busy doing everything in their power to make money. When a computer is broken they buy a new one. When their network goes down they call a guy to fix it. That guy buys some equipment and puts it into place. The problem is solved and business as usual goes on. This happens over a long timeline. No one considers any of it; after all, things are working. At some point a company gets to a size where it needs a little more formal I.T. help. The company may hire an MSP (managed service provider). This MSP may make their network more complicated. They may host the e-mail for the company, or offer to take care of the anti-virus system. However, and I can only speak from my experience, they will not document what happens. They won't serialize the PCs on the network and list each one's MAC (Media Access Control) address. As an interesting aside, you can tell a lot from a MAC address, most likely what kind of equipment it is or where it came from. Check these links out for further information: http://www.coffer.com/mac_find/ and http://en.wikipedia.org/wiki/MAC_address. The reason nobody documents this is that while these things are helpful, they are not vital to the immediate needs of a business. However, they are vital to the integrity of a business's information.

I mentioned some of this in last week's post. I won't belabor the point, but if I had known what the good items on the network were, I could have isolated the bad one by MAC address. So, how does one go about getting this inventory going? There are certainly many ways to accomplish this. However, for free, I would start with Spiceworks. This piece of software will scan your network and figure out what you have on it. If you have managed switches, you can also check the ARP (Address Resolution Protocol) tables on those switches. If you are in a domain environment and you have a file server, you can check the ARP table there as well. You can even check your DHCP server, which will have the same information in its lease list. In order to track ongoing changes, SANS recommends Sourcefire RNA, which will alert you when a new device is added. However, I was unable to find any information about getting Sourcefire for free. Spiceworks will do this too. While the notification will be less automatic, it will help you notice when something new shows up.

While this doesn't cover everything in a hardware inventory, I hope it does point out some simple steps.
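As an added example (my own illustration, not code from the post, from SANS or from Spiceworks), here is a small Python script that does the manual version of the inventory check described above: it parses `arp -a` style output and a DHCP lease list, flags every MAC address that is not in the authorized list, and uses the OUI prefix to hint at the vendor, the same lookup the coffer.com link does. The ARP output, leases, inventory and OUI table are constructed sample data; the same observed-versus-authorized comparison is what the Week 2 post asks for with installed software.

```python
import re
# Constructed sample of `arp -a` style output from a Windows host on a small
# office network (not captured from any real network).
ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-aa-bb-01     dynamic
  192.168.1.20          00-11-22-aa-bb-20     dynamic
  192.168.1.77          00-0c-29-12-34-56     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Constructed DHCP lease export (ip, mac): the second source the post suggests.
DHCP_LEASES = [("192.168.1.20", "00:11:22:AA:BB:20"),
               ("192.168.1.78", "00:1e:8c:77:77:77")]
# The serialized inventory the post recommends keeping: MAC -> description.
AUTHORIZED = {"00:11:22:aa:bb:01": "office router",
              "00:11:22:aa:bb:20": "file server"}
# Tiny constructed OUI table keyed by the first three octets; in practice load
# the IEEE OUI registry that lookups such as coffer.com are built on.
OUI = {"00:0c:29": "VMware virtual NIC", "00:1e:8c": "(sample vendor)"}

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s", re.I)

def normalize(mac):
    """Canonical form: lower-case, colon separated."""
    return mac.replace("-", ":").lower()

def is_unicast(mac):
    """Group bit (low bit of the first octet) clear -> a real host interface."""
    return int(mac[:2], 16) & 1 == 0

def hosts_from_arp(text):
    """Yield (ip, mac) for each unicast ARP entry; skip multicast/broadcast."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and is_unicast(m.group(2)):
            yield m.group(1), normalize(m.group(2))

def vendor(mac):
    return OUI.get(mac[:8], "unknown vendor")

def unauthorized_devices(arp_text, leases, authorized):
    """Merge the ARP and DHCP views; return {mac: (ip, vendor)} not in inventory."""
    seen = {mac: ip for ip, mac in hosts_from_arp(arp_text)}
    for ip, mac in leases:
        seen.setdefault(normalize(mac), ip)   # ARP entry wins on conflict
    return {mac: (ip, vendor(mac)) for mac, ip in seen.items()
            if mac not in authorized}
```

Run `unauthorized_devices(ARP_OUTPUT, DHCP_LEASES, AUTHORIZED)` against a fresh ARP dump each week and anything it returns is either a new device to add to the inventory or something that should not be there.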


Tuesday, September 13, 2011

Documentation is not a four letter word

I have recently found myself in a position where I have begun to appreciate the importance of documentation. A few years ago I worked in a small help desk; most of the time my duties included password resets and some of the smaller minutiae of IT. I remember thinking to myself, "why would I take time to write down what happens?" As luck would have it, I'm no longer working in that role or environment. For most businesses, Information Technology exists to keep things running. However, as I've learned recently, IT becomes vital to an organization when it exists to help that organization meet its goals. Technology is about making things happen in ways that enhance those it serves.

OK, so I recently found myself in a situation. I was working on a network and found that several PCs were getting rogue DHCP addresses. I began to wonder if there was an issue. I asked myself, "where is the AP?" I then wondered if documentation of all the WAPs around was available. After a search I found out that it wasn't. So I did what anyone would do. I figured out the IP of the rogue DHCP server. I then checked the switches' MAC address tables and figured out which switch port it was connected to. Since I now knew roughly where the WAP was, I used a Wi-Fi analyzer to track down the offending AP and disabled it. It turns out this AP wasn't malicious; it was something a previous admin had left in place and forgotten about.

While the WAP I found wasn't malicious in nature, I did learn several valuable lessons from the experience.

  1. Know what is on your network. If you don't have documentation, create it.
  2. Disable unused ports in rooms, and document which ones are disabled.
  3. Make sure you have the capability to track down rogue APs. This can be as easy as an app on a phone; Wifi Analyzer for Android worked for me. (Document what you use and how you use it.)

While there are numerous other things which can be done, the list I provided is the bare minimum. It is my hope that this article illustrates some simple documentation, and the benefits of having it.


Friday, September 2, 2011

Introduction

My name is Dan Patterson. I am a Network Administrator from Omaha, NE. I am creating this blog to discuss information security issues, and responses to them, for small and medium businesses. In my experience many of these smaller companies are unable to afford the manpower or equipment necessary to secure their networks. Smaller companies face many of the same threats as their larger counterparts, and as such need to have a practical way to defend themselves!