Solved

Regular SOP / checks during heightened attack periods

Posted on 2014-10-25
1
166 Views
Last Modified: 2014-11-10
There's been a couple of weeks that we designate as critical periods that we need
extra vigilance in security SOP / checks.

What are the checks & SOP that normally people put in place for such vigilant
checks?

a) hourly (or twice daily) check of IPS logs ?

b) any way we can check for suspicious source IP that never access our websites
    & environment ?

c) I'm based in a country where we hardly heard that source IP are rarely known
    to be source of malicious activities, thus one suggestion came up that after
    office hours, we block all source IP from foreign countries from coming in.
    However, there are too many subnets/IP to key into the perimeter firewalls
    to do such blocking (& unblocking the next morning when office hours resume),
    so is there any subnets, hopefully less than 50 (in particular, I'm looking at USA,
    Russia & its former states like Ukraine, Lithuania etc, China & Europe countries
    such as Germany, France, UK, Spain) that we can key into our rules to block?
    Appreciate if anyone can provide such a list of subnets

d) I'm assuming that our monitoring/alerting systems (eg: Tivoli, BMC Patrol)
    may not be necessarily alert us of suspicious traffic other than what we have
    in place that traffic of abnormally (ie much higher than usual) high bandwidth
    will be detected & investigated.   I've seen Bash vulnerability that barely use
    any bandwidth with Intrusion systems registering only 2-3 attempts : is there
    any way to monitor & be alerted of such suspicious/malicious attempts
    other than constantly checking the IPS logs (which can run into hundred over
    thousand records in a day)

e) guess we have to be constantly updating AV & IPS signatures, possibly on
    daily basis : I'm inclined to incorporate those critical ones & those of medium
    & low severity ought to be tested over several days before just deploying
    them: have seen quite a number of IPS signatures triggerring service or
    application disruptions.  We may end up DDoS ourselves with these over-
    zealous measures

f) Guess need to ensure backups are successful

g) Any other ?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 4

Accepted Solution

by:
FrankCrast earned 500 total points
ID: 40404144
Hello,

In addition to some of the steps you have outlined abive, you may also want to add vulnerability assessments using a risk-based approach. For instance, scan your most critical systems (e.g., web-facing servers, workstations/laptops, and database systems that host sensitive data) for higher severity vulnerabilities and mitigate them. Do this for both network vulnerabilities (via internal scans) and web scans (via external scans for application bugs).

Depending on the size of your company's environment and scanning tools you have available, you could start with those vulnerabilities that have known exploits, can be exploited via easy skillset (or automated tools) and can be done via remote access. I'd first close off those and make sure all internet facing systems are fully up to date and patched as well.

Another area to consider for SOPs is password management and privileged access. Double check and make sure passwords (especially those used for privileged access, cloud access and default/system accounts) have been changed to meet your SOPs.  Privileged passwords should be changed every 90 days and always after someone leaves the firm or changes roles.  Just a few more to add to your list. :-)
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Behavior-based and anomalies detection for Symantec 2 44
Cisco 3650x ACL 8 50
Dropbox phishing tutorial 5 69
Lost or Stolen Laptops 13 39
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question