
SANS ISC: Do you remember your "first love"? - Internet Security | DShield SANS ISC InfoSec Forums


Do you remember your "first love"?

I will never forget the name of my first server - Rachel. I was very proud to be the person whose job it was to defend Rachel from all types of disruption. To this day I still remember each IP address, user account, service account and application. When patches were installed, I manually verified they had been applied successfully. I diligently reviewed the logs and configured full auditing to let me know the success and failure of just about everything. 

I have administered many servers since Rachel, but do not remember as much about them as I do about my "first love". Consider this an invitation to fall back in love with your servers: an invitation to return to the time when you did everything possible to defend them. It may well be that by returning to the diligence you once had, many problems and outages could be avoided.

How can you do this? The act of actively measuring how well you manage, secure and maintain your servers can very well be the catalyst you need to return to your "first love". Consider creating and sending yourself a daily report that clearly shows their current security posture. What are good candidates for this report? I am glad you asked. Some of my favorites include the following.

  • Mean time to detect a network scan
  • Mean time to identify a new administrator account
  • Mean time to identify a new service running (or not running anymore)

There are certainly many metrics you could track. Pick a few and diligently check them every day for the next month. You'll be glad you did! 

Feel free to use our comment page to let us know what you are doing to remember your "first love".


Russell Eubanks

@russelleubanks

I will be teaching next: Implementing and Auditing the Critical Security Controls - In-Depth - SANS Paris September 2019

Mean Time doesn't seem like the place to start. How to identify new services running or not running, new accounts, etc. should be the place to start. I manage a single server, and would love to see a list of things that could be reported daily that shows the security stance. I currently run logwatch and get those reports daily, but would love a list of other things to add!
Anonymous
Building upon the list of things to check for daily, I have found success with the following.


1 - Ask psexec to list all executables on a Windows system and send the output to a file using the command:

@echo off
REM "dir" is a cmd.exe builtin, not an executable, so psexec must launch it via cmd /c;
REM /s /b walks the whole drive (C:\ assumed here) and prints one bare path per line.
psexec cmd /c dir /s /b C:\*.exe > %COMPUTERNAME%_ExeFound.txt

2 - Ask WMIC to tell you the patches that are installed using the command:

wmic qfe > patches.txt

NOTE - WMIC is extensively covered at blog.commandlinekungfu.com/

3 - Use the security log to search for Successful ( and unsuccessful ) logins for administrative and service accounts

4 - Review the daily log volume, perhaps looking at the last 7 days to show trends that indicate significantly more or less than expected log volume

5 - Count the number of Remote Desktop sessions in a "normal" day

6 - Look for the events generated when the Security log is cleared


Russell Eubanks
@russelleubanks
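The daily report the diary proposes and the six checks listed in the comment above can be produced by one scheduled script. The following PowerShell is an added example, not code from the diary, its comments, or SANS. It assumes it runs locally as an administrator on the monitored server under Windows PowerShell 5.1 (needed for Get-LocalGroupMember), that Security auditing for logon and account-management events is enabled, and that the baseline folder and the watched account names (placeholders here) are adjusted to the server in question. Each run saves a snapshot of running services and local administrators, and the first day an item shows up under "Added" is the detection date the "mean time to identify" metrics are measured from.

```powershell
# Daily server posture report. Added example, not code from the diary or its
# comments. Assumes: run locally as an administrator on the monitored server,
# Windows PowerShell 5.1 (for Get-LocalGroupMember), Security auditing enabled
# for logon and account-management events. The baseline path and the watched
# account names are placeholders.
param(
    [string]$BaselineDir = 'C:\PostureBaseline',                    # placeholder path
    [string[]]$WatchedAccounts = @('Administrator', 'svc_backup'),  # placeholder names
    [int]$Days = 1                                                  # reporting window
)

$Since = (Get-Date).AddDays(-$Days)
New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null

# Diff today's snapshot of a list against the copy saved on the previous run.
# The first report in which an item appears under "Added" fixes the detection
# date, which is what the "mean time to identify" metrics are measured from.
function Compare-WithBaseline {
    param([string]$Name, [string[]]$Current)
    $file = Join-Path $BaselineDir "$Name.txt"
    $previous = if (Test-Path $file) { @(Get-Content $file) } else { @() }
    $added   = @($Current  | Where-Object { $_ -notin $previous })
    $removed = @($previous | Where-Object { $_ -notin $Current })
    $Current | Sort-Object | Set-Content -Path $file
    [pscustomobject]@{ Check = $Name; Added = $added; Removed = $removed }
}

# Check 1: services that started or stopped running since the last run.
$services    = Get-Service | Where-Object Status -eq 'Running' | Select-Object -ExpandProperty Name
$serviceDiff = Compare-WithBaseline -Name 'RunningServices' -Current $services

# Check 2: new or removed members of the local Administrators group.
$admins    = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$adminDiff = Compare-WithBaseline -Name 'LocalAdmins' -Current $admins

# Check 3: successful (4624) and failed (4625) logons, parsed from the event XML
# so the target account name and logon type are available as fields.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fields = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $_.Id; User = $fields['TargetUserName']; LogonType = $fields['LogonType'] }
    }
$watched = @($logons | Where-Object { $_.User -in $WatchedAccounts })

# Check 4: Remote Desktop sessions are successful logons of type 10 (RemoteInteractive).
$rdpSessions = @($logons | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' }).Count

# Check 5: Security log volume per day over the last 7 days, for trend spotting.
$volume = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } | Sort-Object Name

# Check 6: the Security log being cleared (1102) and, additionally, new service
# installations recorded by the Service Control Manager (System log, 7045).
$cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $Since } -ErrorAction SilentlyContinue).Count
$newSvc  = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue).Count

$report = @(
    "Daily posture report for $env:COMPUTERNAME, generated $(Get-Date -Format s)",
    "Running services   added: [$($serviceDiff.Added -join ', ')]  removed: [$($serviceDiff.Removed -join ', ')]",
    "Local admins       added: [$($adminDiff.Added -join ', ')]  removed: [$($adminDiff.Removed -join ', ')]",
    "Watched accounts   $(@($watched | Where-Object Id -eq 4624).Count) successful / $(@($watched | Where-Object Id -eq 4625).Count) failed logons",
    "RDP sessions       $rdpSessions",
    "Security log cleared: $cleared   New services installed: $newSvc",
    "Security log volume, last 7 days:"
) + @($volume | ForEach-Object { "  $($_.Name)  $($_.Count)" })

# Keep a dated copy and emit the text; pipe it to Send-MailMessage or a ticket queue as needed.
$report | Set-Content -Path (Join-Path $BaselineDir "report_$(Get-Date -Format 'yyyyMMdd').txt")
$report
```

Run it once by hand to seed the baseline files, then register it as a daily scheduled task; the first run reports every service and administrator as "Added", and from the second run onward only real changes appear. A cleared-log count above zero or a day whose event volume is far off the previous six is the kind of line worth reading before anything else in the report.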
