Solved

Regular SOP / checks during heightened attack periods

Posted on 2014-10-25
1
163 Views
Last Modified: 2014-11-10
There's been a couple of weeks that we designate as critical periods that we need
extra vigilance in security SOP / checks.

What are the checks & SOP that normally people put in place for such vigilant
checks?

a) hourly (or twice daily) check of IPS logs ?

b) any way we can check for suspicious source IP that never access our websites
    & environment ?

c) I'm based in a country where we hardly heard that source IP are rarely known
    to be source of malicious activities, thus one suggestion came up that after
    office hours, we block all source IP from foreign countries from coming in.
    However, there are too many subnets/IP to key into the perimeter firewalls
    to do such blocking (& unblocking the next morning when office hours resume),
    so is there any subnets, hopefully less than 50 (in particular, I'm looking at USA,
    Russia & its former states like Ukraine, Lithuania etc, China & Europe countries
    such as Germany, France, UK, Spain) that we can key into our rules to block?
    Appreciate if anyone can provide such a list of subnets

d) I'm assuming that our monitoring/alerting systems (eg: Tivoli, BMC Patrol)
    may not be necessarily alert us of suspicious traffic other than what we have
    in place that traffic of abnormally (ie much higher than usual) high bandwidth
    will be detected & investigated.   I've seen Bash vulnerability that barely use
    any bandwidth with Intrusion systems registering only 2-3 attempts : is there
    any way to monitor & be alerted of such suspicious/malicious attempts
    other than constantly checking the IPS logs (which can run into hundred over
    thousand records in a day)

e) guess we have to be constantly updating AV & IPS signatures, possibly on
    daily basis : I'm inclined to incorporate those critical ones & those of medium
    & low severity ought to be tested over several days before just deploying
    them: have seen quite a number of IPS signatures triggerring service or
    application disruptions.  We may end up DDoS ourselves with these over-
    zealous measures

f) Guess need to ensure backups are successful

g) Any other ?
0
Comment
Question by:sunhux
1 Comment
 
LVL 4

Accepted Solution

by:
FrankCrast earned 500 total points
ID: 40404144
Hello,

In addition to some of the steps you have outlined abive, you may also want to add vulnerability assessments using a risk-based approach. For instance, scan your most critical systems (e.g., web-facing servers, workstations/laptops, and database systems that host sensitive data) for higher severity vulnerabilities and mitigate them. Do this for both network vulnerabilities (via internal scans) and web scans (via external scans for application bugs).

Depending on the size of your company's environment and scanning tools you have available, you could start with those vulnerabilities that have known exploits, can be exploited via easy skillset (or automated tools) and can be done via remote access. I'd first close off those and make sure all internet facing systems are fully up to date and patched as well.

Another area to consider for SOPs is password management and privileged access. Double check and make sure passwords (especially those used for privileged access, cloud access and default/system accounts) have been changed to meet your SOPs.  Privileged passwords should be changed every 90 days and always after someone leaves the firm or changes roles.  Just a few more to add to your list. :-)
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

On Beyond Tools A conversation I recently had with the DevOps manager of a major online retailer really made me think about DevOps monitoring tools (https://www.onpage.com/devops-incident-management-tool/). The manager and I discussed how sever…
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question