Solved

Regular SOP / checks during heightened attack periods

Posted on 2014-10-25
1
155 Views
Last Modified: 2014-11-10
There's been a couple of weeks that we designate as critical periods that we need
extra vigilance in security SOP / checks.

What are the checks & SOP that normally people put in place for such vigilant
checks?

a) hourly (or twice daily) check of IPS logs ?

b) any way we can check for suspicious source IP that never access our websites
    & environment ?

c) I'm based in a country where we hardly heard that source IP are rarely known
    to be source of malicious activities, thus one suggestion came up that after
    office hours, we block all source IP from foreign countries from coming in.
    However, there are too many subnets/IP to key into the perimeter firewalls
    to do such blocking (& unblocking the next morning when office hours resume),
    so is there any subnets, hopefully less than 50 (in particular, I'm looking at USA,
    Russia & its former states like Ukraine, Lithuania etc, China & Europe countries
    such as Germany, France, UK, Spain) that we can key into our rules to block?
    Appreciate if anyone can provide such a list of subnets

d) I'm assuming that our monitoring/alerting systems (eg: Tivoli, BMC Patrol)
    may not be necessarily alert us of suspicious traffic other than what we have
    in place that traffic of abnormally (ie much higher than usual) high bandwidth
    will be detected & investigated.   I've seen Bash vulnerability that barely use
    any bandwidth with Intrusion systems registering only 2-3 attempts : is there
    any way to monitor & be alerted of such suspicious/malicious attempts
    other than constantly checking the IPS logs (which can run into hundred over
    thousand records in a day)

e) guess we have to be constantly updating AV & IPS signatures, possibly on
    daily basis : I'm inclined to incorporate those critical ones & those of medium
    & low severity ought to be tested over several days before just deploying
    them: have seen quite a number of IPS signatures triggerring service or
    application disruptions.  We may end up DDoS ourselves with these over-
    zealous measures

f) Guess need to ensure backups are successful

g) Any other ?
0
Comment
Question by:sunhux
1 Comment
 
LVL 4

Accepted Solution

by:
FrankCrast earned 500 total points
Comment Utility
Hello,

In addition to some of the steps you have outlined abive, you may also want to add vulnerability assessments using a risk-based approach. For instance, scan your most critical systems (e.g., web-facing servers, workstations/laptops, and database systems that host sensitive data) for higher severity vulnerabilities and mitigate them. Do this for both network vulnerabilities (via internal scans) and web scans (via external scans for application bugs).

Depending on the size of your company's environment and scanning tools you have available, you could start with those vulnerabilities that have known exploits, can be exploited via easy skillset (or automated tools) and can be done via remote access. I'd first close off those and make sure all internet facing systems are fully up to date and patched as well.

Another area to consider for SOPs is password management and privileged access. Double check and make sure passwords (especially those used for privileged access, cloud access and default/system accounts) have been changed to meet your SOPs.  Privileged passwords should be changed every 90 days and always after someone leaves the firm or changes roles.  Just a few more to add to your list. :-)
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Join & Write a Comment

Suggested Solutions

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now