Solved

Regular SOP / checks during heightened attack periods

Posted on 2014-10-25
1
159 Views
Last Modified: 2014-11-10
There's been a couple of weeks that we designate as critical periods that we need
extra vigilance in security SOP / checks.

What are the checks & SOP that normally people put in place for such vigilant
checks?

a) hourly (or twice daily) check of IPS logs ?

b) any way we can check for suspicious source IP that never access our websites
    & environment ?

c) I'm based in a country where we hardly heard that source IP are rarely known
    to be source of malicious activities, thus one suggestion came up that after
    office hours, we block all source IP from foreign countries from coming in.
    However, there are too many subnets/IP to key into the perimeter firewalls
    to do such blocking (& unblocking the next morning when office hours resume),
    so is there any subnets, hopefully less than 50 (in particular, I'm looking at USA,
    Russia & its former states like Ukraine, Lithuania etc, China & Europe countries
    such as Germany, France, UK, Spain) that we can key into our rules to block?
    Appreciate if anyone can provide such a list of subnets

d) I'm assuming that our monitoring/alerting systems (eg: Tivoli, BMC Patrol)
    may not be necessarily alert us of suspicious traffic other than what we have
    in place that traffic of abnormally (ie much higher than usual) high bandwidth
    will be detected & investigated.   I've seen Bash vulnerability that barely use
    any bandwidth with Intrusion systems registering only 2-3 attempts : is there
    any way to monitor & be alerted of such suspicious/malicious attempts
    other than constantly checking the IPS logs (which can run into hundred over
    thousand records in a day)

e) guess we have to be constantly updating AV & IPS signatures, possibly on
    daily basis : I'm inclined to incorporate those critical ones & those of medium
    & low severity ought to be tested over several days before just deploying
    them: have seen quite a number of IPS signatures triggerring service or
    application disruptions.  We may end up DDoS ourselves with these over-
    zealous measures

f) Guess need to ensure backups are successful

g) Any other ?
0
Comment
Question by:sunhux
1 Comment
 
LVL 4

Accepted Solution

by:
FrankCrast earned 500 total points
ID: 40404144
Hello,

In addition to some of the steps you have outlined abive, you may also want to add vulnerability assessments using a risk-based approach. For instance, scan your most critical systems (e.g., web-facing servers, workstations/laptops, and database systems that host sensitive data) for higher severity vulnerabilities and mitigate them. Do this for both network vulnerabilities (via internal scans) and web scans (via external scans for application bugs).

Depending on the size of your company's environment and scanning tools you have available, you could start with those vulnerabilities that have known exploits, can be exploited via easy skillset (or automated tools) and can be done via remote access. I'd first close off those and make sure all internet facing systems are fully up to date and patched as well.

Another area to consider for SOPs is password management and privileged access. Double check and make sure passwords (especially those used for privileged access, cloud access and default/system accounts) have been changed to meet your SOPs.  Privileged passwords should be changed every 90 days and always after someone leaves the firm or changes roles.  Just a few more to add to your list. :-)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Three simple tips to quickly and efficiently back up and protect the contents of your PC and Mac®.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now