There's been a couple of weeks that we designate as critical periods that we need
extra vigilance in security SOP / checks.
What are the checks & SOP that normally people put in place for such vigilant
a) hourly (or twice daily) check of IPS logs ?
b) any way we can check for suspicious source IP that never access our websites
& environment ?
c) I'm based in a country where we hardly heard that source IP are rarely known
to be source of malicious activities, thus one suggestion came up that after
office hours, we block all source IP from foreign countries from coming in.
However, there are too many subnets/IP to key into the perimeter firewalls
to do such blocking (& unblocking the next morning when office hours resume),
so is there any subnets, hopefully less than 50 (in particular, I'm looking at USA,
Russia & its former states like Ukraine, Lithuania etc, China & Europe countries
such as Germany, France, UK, Spain) that we can key into our rules to block?
Appreciate if anyone can provide such a list of subnets
d) I'm assuming that our monitoring/alerting systems (eg: Tivoli, BMC Patrol)
may not be necessarily alert us of suspicious traffic other than what we have
in place that traffic of abnormally (ie much higher than usual) high bandwidth
will be detected & investigated. I've seen Bash vulnerability that barely use
any bandwidth with Intrusion systems registering only 2-3 attempts : is there
any way to monitor & be alerted of such suspicious/malicious attempts
other than constantly checking the IPS logs (which can run into hundred over
thousand records in a day)
e) guess we have to be constantly updating AV & IPS signatures, possibly on
daily basis : I'm inclined to incorporate those critical ones & those of medium
& low severity ought to be tested over several days before just deploying
them: have seen quite a number of IPS signatures triggerring service or
application disruptions. We may end up DDoS ourselves with these over-
f) Guess need to ensure backups are successful
g) Any other ?