PaulDotCom mailing list archives

Re: How do I fill the gap of knowing how important "good" security is and actually doing something about it?


From: Shaun Curry <scurry () smsd gs>
Date: Fri, 10 Aug 2012 14:39:41 +0000

I'd like to thank everyone for the great advice!

I have already reached the realization that my job encompasses far more than just security; however, this is still part 
of my job.  I really don't spend more than 30 mins on a "weird" alert unless I see other indicators that confirm what 
I'm seeing.  My personal goal for our organization is simple really!  Educate the handful of users I have, operate with 
a consistent patch cycle (automating as much as possible), review my logs.  I have started implementing the "20 
Critical Controls" and have been able to automate most of them (still a work in progress).

Again, thank you!  The advice has really put me at ease...  Knowing that the job is never really done, I feel I'm on 
the right track.

-----Original Message-----
From: guppie () starmind org [mailto:guppie () starmind org] On Behalf Of Josh More
Sent: Friday, August 10, 2012 8:36 AM
To: PaulDotCom Security Weekly Mailing List; Shaun Curry
Subject: Re: [Pauldotcom] How do I fill the gap of knowing how important "good" security is and actually doing 
something about it?

Congratulations, you've graduated.

More seriously, our culture does us a disservice through the schooling process.  Classes are great when the amount you 
have to learn is the majority of what can be taught in a classroom format (I suspect the magic number is 80%).  
However, once you have accumulated enough baseline knowledge, the mode fails dramatically.  In this case, there is no class that 
will solve your problem, as your knowledge gaps are unique to you. At this point, the best way to learn is 
experimentation, sharing your thoughts with others and willingness to be wrong (and have it pointed out to you in 
public forums).

I recognize, of course, that this is not directly helpful, so to address your current concern, consider the following 
workflow:

1) Is this truly the most critical issue on which you should focus?
   * I've found that I can do more good in an organization addressing patch management and workstation/server hardening 
than chasing packets down rabbit trails.  This will depend, of course, on your specific environment and key skillset.

2) If it is the most critical, consider what the alert could be indicating.  Decide if it truly is critical.
   * IP spoofing against your VOIP system could be part of a social engineering attack, a "free international call" 
attack, harvesting information from voicemails, etc... look for secondary indicators.
   * Port scan detection can include true port scans or can be an external app negotiating for a control or data 
channel.  Do you need control/data channels to those sources?  If not, kill the source and forget about it.

3) If you have to dig deeper (or just want to), review the actual packets.  If you're weak on this, play with the free 
PCAPs at http://wiki.wireshark.org/SampleCaptures/ .
   * Packet reading is a high learning-curve activity. Whether it makes sense to build that skill depends on how easy 
it is for you and how interesting you find it. Personally, I'm stronger in other areas, so I focus there.


Remember, most organizations select "best" practices and then implement them as poorly as possible.  If you are the one 
and only admin in your organization, it is very likely that you should not be spending your time on these sorts of 
activities. (I have an entire presentation on why this is the case, but this is not the forum for such a rant.)  Go 
back to point 1 several times a day to decide if this is what truly matters. Odds are that you'd be better served by 
finding ways to automate your daily, weekly or monthly tasks, communicating your concerns to nontechnical people and 
focusing on centralizing data management. Most smaller organizations often have so many ways for malicious people 
(inside or outside) to interfere with operations or steal data that network-based attacks are lower on the attacker's 
priority list. Build defenses and indicator traps along the most likely threat vectors and monitor those.  Once you 
have reasonable certainty that they are clean, expand your program.

If you learn anything new as you do this, share it with others.

-Josh More
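The triage in step 2 above (decide whether the alert is really critical, look for secondary indicators, drop port scans from sources you need no channel with) can be written down as a small rule set and run over the daily log before anyone spends their 30 minutes on it. The following is an added example, not code from the thread or from any list member; the log line format, the internal network range, the VoIP server address and the list of sources with an approved control/data channel are all assumptions for a hypothetical environment, and the alert lines are constructed samples.

```python
"""Alert triage along the lines of the thread's step 2: decide whether an alert
is worth the 30 minutes before chasing packets.

Added example, not code from the original thread. The log format, the
approved-channel list and the internal/VoIP addresses are all assumptions.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed sample alerts, loosely modelled on an all-in-one IDS/firewall log.
# Fields: timestamp, alert type, source, destination (RFC 5737 / RFC 1918 addresses).
SAMPLE_ALERTS = """\
2012-08-09T21:01:10 portscan src=203.0.113.10 dst=192.0.2.5
2012-08-09T21:01:12 portscan src=198.51.100.7 dst=192.0.2.5
2012-08-09T21:05:00 ipspoof src=10.0.0.44 dst=10.0.0.20
2012-08-09T21:06:30 ipspoof src=10.0.0.44 dst=10.0.0.20
2012-08-09T21:07:05 sip_auth_fail src=10.0.0.44 dst=10.0.0.20
2012-08-09T21:09:00 ipspoof src=10.0.0.51 dst=10.0.0.20
"""

# Assumptions about the hypothetical environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
VOIP_SERVER = ipaddress.ip_address("10.0.0.20")
# External sources that legitimately negotiate control/data channels with us
# (e.g. a hosted application); constructed value for the example.
APPROVED_CHANNEL_SOURCES = {"198.51.100.7"}

LINE_RE = re.compile(r"^(\S+) (\S+) src=(\S+) dst=(\S+)$")


def parse_alerts(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, kind, src, dst = m.groups()
        alerts.append({"ts": ts, "kind": kind, "src": src, "dst": dst})
    return alerts


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage(alerts):
    """Return {source: (verdict, reason)} using the thread's heuristics:
    - port scans from sources we need a channel with are expected noise;
    - port scans from anything else: block the source and move on;
    - an internal 'IP spoof' toward the VoIP server is worth time only when a
      secondary indicator (another alert type from the same source) exists."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    verdicts = {}
    for src, items in by_src.items():
        kinds = {a["kind"] for a in items}
        if kinds == {"portscan"}:
            if src in APPROVED_CHANNEL_SOURCES:
                verdicts[src] = ("expected", "approved control/data channel source")
            else:
                verdicts[src] = ("block", "unsolicited scan, no channel needed")
        elif "ipspoof" in kinds and is_internal(src) and any(
            ipaddress.ip_address(a["dst"]) == VOIP_SERVER for a in items
        ):
            secondary = sorted(kinds - {"ipspoof"})
            if secondary:
                verdicts[src] = ("investigate", "secondary indicators: " + ", ".join(secondary))
            else:
                verdicts[src] = ("monitor", "single indicator, likely false positive; watch for repeats")
        else:
            verdicts[src] = ("review", "no rule matched")
    return verdicts


if __name__ == "__main__":
    for src, (verdict, reason) in sorted(triage(parse_alerts(SAMPLE_ALERTS)).items()):
        print(f"{src:15} {verdict:12} {reason}")
```

Run as written it sorts the six sample alerts into one "block", one "expected", one "investigate" (the internal host that produced both spoof alerts and a SIP authentication failure) and one "monitor" (a lone spoof alert). The point is the shape of the rule set rather than the specific thresholds: the "approved channel" list encodes the answer to "do you need control/data channels to those sources?", and the secondary-indicator check encodes "look for secondary indicators" before an alert is promoted to something worth reading packets for.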



On Thu, Aug 9, 2012 at 9:26 PM, Shaun Curry <scurry () smsd gs> wrote:
Hello everyone!

I have a difficult issue...  I am a sys admin and the one and only IT person 
for a small organization.  I have attended SANS courses and have 
listened to pauldotcom for years now.  I have been learning a lot in 
the area of network security, but I need to fill a crucial gap in my knowledge.

Here's the scenario:

I review my logs daily and started noticing some strange things.  For 
example, an "IP Spoof" with an internal IP address talking to my VOIP 
server.  I see port scans coming from facebook domain that are 
obviously apps.

I see things that alarm me; however, I don't know how to verify the 
validity of what I'm seeing.  I know that sometimes you can get false 
positives and sometimes an all in one IDS/IPS/Firewall can get it 
wrong.  I'm feeling a bit lost!  I know that I can expect port scanning and I tend to ignore it.
But some of the other things I'm seeing just leave me very nervous...

I'm doing my best and as far as I can tell it's been working well, but 
there has to be a good training course or two that I can take that 
will teach me how to identify this stuff quicker and more easily.

Do you just learn this stuff as you go?  Is experience the key?

If anyone has advice I'd appreciate it!  I can't be the first or only 
person to reach this point....



Thanks!



Shaun Curry


_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com