Security Practices to Preach


A guide to better security posture and practices.

Defensive security is a critical and effective way of thinking. In this post I'll cover it from a domain perspective, i.e. the corporate network, going over each proposed layer of security and how to protect yourself and the people you work with while operating in these environments. The reason this is such a widespread topic is the sheer number of vulnerabilities that exist on any network, and attackers have become extremely sophisticated at mining information of every sort.

Password Management:

Think about how you store keys and access codes. Is it secure? Is it backed up? If it is backed up, where is the backup kept, and is the storage encrypted in both locations?

So when it comes to operations, it's generally recommended to randomly generate your passphrases and to think about who actually needs permission to any given resource or server. Below are some choices I consider ideal for systems you can easily set up.

For a locally encrypted vault, use Password Safe:

https://pwsafe.org/index.shtml

If you prefer cloud storage with ease of use, look into LastPass. Their premium tier is very cheap for the auto-fill functionality. Use 2FA software such as Google Authenticator and/or a hardware 2FA device such as a YubiKey with LastPass, and enable it before ever adding sensitive information to your account. Keep in mind that by exposing these resources externally you are adding risk that a local vault does not carry.

Here's a reference from Sophos on NIST's password guidance: how to create strong passwords and avoid the ones that show up in attackers' wordlists:

https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

Passwords should be randomly generated so that guessing and wordlist attacks get no foothold. You can generate passwords online using:

https://passwordsgenerator.net/ among numerous other sites, though a password manager's built-in generator or a local script keeps the value off someone else's server.
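As an added example (not from the original post), here is a local generator that does what those sites do without sending anything over the network. It draws from the OS cryptographic RNG rather than `Get-Random`, uses rejection sampling so the modulo step doesn't bias the output, and reports the entropy of what it produced. The wordlist path in the usage comment is hypothetical; any one-word-per-line file works.

```powershell
# Added example, not from the original post. Works on Windows PowerShell 5.1
# and PowerShell 7; RandomNumberGenerator.Create() is the OS CSPRNG on both.
$script:rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function Get-SecureRandomInt {
    # Uniform random integer in [0, $Max) from the CSPRNG.
    param([Parameter(Mandatory)][int]$Max)
    $bytes = New-Object byte[] 4
    # Largest multiple of $Max that fits in 32 bits; values at or above it are
    # thrown away so every residue is equally likely (no modulo bias).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $script:rng.GetBytes($bytes)
        $value = [System.BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % [uint32]$Max)
}

function New-RandomPassword {
    # Character password for systems that cannot take a long passphrase.
    param(
        [int]$Length = 20,
        [string]$Alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.<>?'
    )
    $chars = $Alphabet.ToCharArray()
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $Length; $i++) {
        [void]$sb.Append($chars[(Get-SecureRandomInt -Max $chars.Length)])
    }
    # Entropy = length * log2(alphabet size); 20 chars of 90 symbols is ~130 bits.
    $bits = $Length * [math]::Log($chars.Length, 2)
    [pscustomobject]@{ Password = $sb.ToString(); EntropyBits = [math]::Round($bits, 1) }
}

function New-RandomPassphrase {
    # Diceware-style passphrase: easier to type, same maths. Six words from a
    # 7776-word list is ~77 bits, which is fine for a master password.
    param(
        [int]$Words = 6,
        [Parameter(Mandatory)][string[]]$WordList,
        [string]$Separator = '-'
    )
    $picked = for ($i = 0; $i -lt $Words; $i++) {
        $WordList[(Get-SecureRandomInt -Max $WordList.Count)]
    }
    $bits = $Words * [math]::Log($WordList.Count, 2)
    [pscustomobject]@{ Passphrase = ($picked -join $Separator); EntropyBits = [math]::Round($bits, 1) }
}

# Usage. The wordlist path is a placeholder; the EFF large list has a dice
# roll before each word, which the split/-1 strips off.
# $words = Get-Content 'C:\Tools\eff_large_wordlist.txt' | ForEach-Object { ($_ -split '\s+')[-1] }
# New-RandomPassphrase -Words 6 -WordList $words
New-RandomPassword -Length 20
```

The EntropyBits figure is only honest if the alphabet or wordlist is what you actually fed in; trimming the symbol set to satisfy a legacy system's rules is the usual way people quietly lose a third of it.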

One last point: never store passwords in plain text on a Windows system (or anywhere else). If you do get compromised, plaintext credentials sitting in files, scripts and configs are the first thing an attacker will hunt for to expand their access.
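To find those files before an attacker does, here is an added example (not from the original post) that runs the same hunt an intruder would after landing on a host: config-style `password=` assignments in user profiles and web roots, the `cpassword` attribute in Group Policy Preference files under SYSVOL, the PowerShell command history, and whatever is saved in Credential Manager. The default paths are the usual suspects and are assumptions about your layout.

```powershell
# Added example, not from the original post. Run as a normal user first (that
# is the attacker's vantage point), then elevated to cover other profiles.

function Find-PlaintextCredentials {
    param(
        # Defaults assume a standard Windows layout; add your own shares here.
        [string[]]$Path = @("$env:USERPROFILE", 'C:\inetpub', 'C:\Windows\Panther', 'C:\Users\Public'),
        [string[]]$Include = @('*.txt', '*.ini', '*.xml', '*.config', '*.ps1', '*.bat',
                               '*.cmd', '*.json', '*.yml', '*.yaml', '*.conf', '*.rdp')
    )
    # Config assignments, connection strings, and the GPP cpassword attribute.
    $pattern = '(?i)\b(password|passwd|pwd|secret|api[_-]?key|cpassword)\b\s*[=:]\s*"?\S+'

    # SYSVOL is readable by every domain user; Groups.xml etc. with cpassword
    # is decryptable with a published key, so it is plaintext in practice.
    if ($env:USERDNSDOMAIN) { $Path += "\\$env:USERDNSDOMAIN\SYSVOL" }

    Get-ChildItem -Path $Path -Include $Include -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, @{ n = 'Match'; e = { $_.Matches[0].Value } }

    # Command history keeps anything typed with -Password or ConvertTo-SecureString.
    $history = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (Test-Path $history) {
        Select-String -Path $history -Pattern $pattern |
            Select-Object Path, LineNumber, @{ n = 'Match'; e = { $_.Matches[0].Value } }
    }
}

Find-PlaintextCredentials | Format-Table -AutoSize

# Saved Credential Manager entries: the names alone tell an attacker which
# hosts this user can reach without being asked for a password.
cmdkey /list
```

The classic one-liner for the same thing is `findstr /si password *.xml *.ini *.txt`; this version just covers more file types and the two Windows-specific stores people forget about. Anything it turns up belongs in a vault, not in the file.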

Inventory and Asset Tracking:

This is overlooked by far too many people working in information technology. Barcode systems are good in theory but are susceptible to tampering in almost every case. Something hosted on a network server is usually the most useful and effective way to track what comes and goes on your network, though scanning can be tricky; scanning multiple times per day tends to work best. The most effective thing I've found to date is Lansweeper, a self-hosted database and web application that lets you add scan ranges and domain credentials for gathering information about every device on your network. It collects over the standard management protocols, which makes tracking Linux systems via SSH a piece of cake.

Perhaps my favorite feature of Lansweeper is its custom SQL reporting. You can track nearly anything, as it has an enormous number of tables used to present data by default, including simple 1/0 flag columns you can filter on. It's also great for event log tracking and for resolving those pesky server errors you never paid close attention to. Lansweeper records first-seen and last-seen dates for devices based on your scans, and every page is fully configurable with useful widgets you can attach and edit to your liking.
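Those first-seen and last-seen dates are where the security value is, so here is an added example (not Lansweeper's own code) of two reports run from PowerShell against the Lansweeper SQL Server database: devices that appeared in the last day, and active devices no scan has touched in a month. The table and column names (tblAssets, tblAssetCustom, tsysAssetTypes, Firstseen, Lastseen, Assettype, State) are my recollection of the default Lansweeper schema and should be checked against your version; the server and database names are placeholders. The SQL bodies can also be pasted into the report builder as-is.

```powershell
# Added example, not Lansweeper's own code. Requires the SqlServer module
# (Install-Module SqlServer) and read access to the Lansweeper database.
$Server   = 'LANSWEEPER01\SQLEXPRESS'   # placeholder
$Database = 'lansweeperdb'              # placeholder

# Anything first seen in the last 24 hours: either something you just deployed
# or something that needs a visit.
$newAssets = @"
SELECT a.AssetName, a.IPAddress, a.Mac, t.AssetTypename, a.Firstseen
FROM   tblAssets a
JOIN   tsysAssetTypes t ON t.AssetTypeId = a.Assettype
WHERE  a.Firstseen >= DATEADD(day, -1, GETDATE())
ORDER  BY a.Firstseen DESC
"@

# Active assets (State = 1) not seen by any scan in 30 days: missing hardware,
# a scan range that stopped working, or a host that quietly left the domain.
$staleAssets = @"
SELECT a.AssetName, a.IPAddress, a.Lastseen,
       DATEDIFF(day, a.Lastseen, GETDATE()) AS DaysMissing
FROM   tblAssets a
JOIN   tblAssetCustom c ON c.AssetID = a.AssetID
WHERE  c.State = 1 AND a.Lastseen < DATEADD(day, -30, GETDATE())
ORDER  BY a.Lastseen
"@

$reports = @{ NewAssets = $newAssets; StaleAssets = $staleAssets }
foreach ($report in $reports.GetEnumerator()) {
    Write-Host "== $($report.Key) =="
    Invoke-Sqlcmd -ServerInstance $Server -Database $Database -Query $report.Value |
        Format-Table -AutoSize
}
```

Schedule this and mail the output, and "what is that?" becomes a question you ask the same day a device shows up rather than during an incident. Lansweeper's scan-range coverage is also the first thing to check when the stale list grows suddenly: a dead scan credential looks exactly like a hundred machines vanishing.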

If you'd like a free option, Microsoft recently released a tech preview of Project Honolulu (since renamed Windows Admin Center), which gives you access to certificates, files, processes, the registry and device information. It falls short on two major points: it doesn't list installed software on servers and workstations, and it only manages Windows.

Another piece that's often overlooked is patching, which has to happen at both the OS and the application level. WSUS keeps your corporate network's OS vulnerabilities to a minimum. For third-party applications, Ninite is extremely solid and doesn't interrupt users if you need to patch while they're working. The product was recently split from a local server tied to AD into an agent-based platform as well. What I like to do is run agents on my cloud instances and use the server client for patching anything on-site via AD. With NiniteOne (the desktop version) you can install, uninstall and patch popular third-party applications with ease; Ninite Pro lets you do the same from a public web login using agent communication (which can be a little iffy).
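Neither WSUS nor Ninite tells you much when a host silently stops checking in, so here is an added example (not from the original post or either vendor) that asks the host itself: which WSUS server it is pointed at, which applicable updates are still missing according to the Windows Update Agent, whether a reboot is holding a patch back, and when the last hotfix actually landed.

```powershell
# Added example, not from the original post. Uses the Windows Update Agent
# COM API and Get-HotFix, both built in; no modules required. Run elevated.

function Get-PatchStatus {
    # Where the host thinks its updates come from. Blank WUServer on a
    # domain machine usually means the WSUS GPO never applied.
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue

    # Ask the agent for applicable, not-yet-installed, not-hidden software updates.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    $missing  = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity
        }
    }

    # A pending reboot means "installed" in the console but still vulnerable.
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $lastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WsusServer     = $wu.WUServer
        MissingCount   = @($missing).Count
        Critical       = @($missing | Where-Object Severity -eq 'Critical').Count
        RebootPending  = $rebootPending
        LastHotfix     = $lastHotfix.HotFixID
        LastHotfixDate = $lastHotfix.InstalledOn
        Missing        = $missing
    }
}

$status = Get-PatchStatus
$status | Select-Object Computer, WsusServer, MissingCount, Critical, RebootPending, LastHotfix, LastHotfixDate
$status.Missing | Format-Table -AutoSize
```

Run it via `Invoke-Command -ComputerName (Get-ADComputer -Filter * ).Name` and sort by MissingCount, and the hosts WSUS forgot about float to the top. The reboot flag matters more than it looks: a month-old kernel patch waiting on a reboot is the same as no patch to anyone holding a local exploit.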

Group Policy Objects (GPOs):

These are rules created for domain control and optimization, typically scoped to Active Directory OUs or to users and groups within a network. Microsoft provides quite a few simple security functions that give you an upper hand in the security battle.

AppLocker lets you set allow and deny rules for which applications may run within your domain:
https://docs.microsoft.com/en-us/windows/device-security/applocker/applocker-overview
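As an added example (not Microsoft's documentation code or the post's own), here is the AppLocker workflow I'd actually run: generate an allow-list from the software that is really installed, test a binary in a user-writable path against it, and deploy in audit-only mode so you can read what would have been blocked before enforcing. Paths and the GPO distinguished name are placeholders.

```powershell
# Added example, not Microsoft's or the post's own code. Run elevated on a
# reference machine that has the standard software load installed.

# AppLocker evaluates nothing unless the Application Identity service runs;
# it is a protected service, so sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# 1. Publisher rules for signed binaries, hash rules for the unsigned rest.
$info = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe, Dll
$xml  = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Audit-only: nothing is blocked, but every would-be block is logged to
#    Applications and Services Logs > Microsoft > Windows > AppLocker (event 8003).
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Force 'C:\Policies' | Out-Null
$xml | Out-File -Encoding utf8 'C:\Policies\AppLocker-Audit.xml'

# 3. Would a binary dropped in a user-writable folder run? The path is
#    hypothetical; expect PolicyDecision = Denied unless a rule matches it.
Test-AppLockerPolicy -XmlPolicy 'C:\Policies\AppLocker-Audit.xml' `
    -Path 'C:\Users\Public\Downloads\tool.exe' -User Everyone

# 4. Apply locally (merged with whatever is there) to validate, then to the
#    GPO that targets the workstation OU. GPO GUID and domain are placeholders.
Set-AppLockerPolicy -XmlPolicy 'C:\Policies\AppLocker-Audit.xml' -Merge
# Set-AppLockerPolicy -XmlPolicy 'C:\Policies\AppLocker-Audit.xml' -Merge `
#     -Ldap 'LDAP://DC01.corp.example/CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example'

# 5. What this host actually enforces after GPO merge.
Get-AppLockerPolicy -Effective -Xml
```

Before switching the collections to `Enabled`, merge in the default rules (generated once from the Local Security Policy GUI), or Windows' own binaries under `C:\Windows` have no allow rule and the machine stops working at the next logon. Two weeks of 8003 events is usually enough to find the line-of-business app nobody told you about.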

BitLocker provides full-disk encryption keyed to the TPM (a hardware chip enabled in the BIOS/UEFI firmware), optionally with a PIN or hardware key as a second factor:
https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-overview
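Here is an added example (not Microsoft's or the post's own code) of enabling that two-factor configuration: check the TPM and current volume state, turn on XTS-AES-256 with TPM plus a pre-boot PIN, and escrow a recovery password to the computer object in AD so a forgotten PIN is a help-desk ticket rather than a lost laptop. It assumes the GPOs that permit a startup PIN and AD recovery-key backup are already in place; the PIN is read at the prompt.

```powershell
# Added example, not Microsoft's or the post's own code. Run elevated.

# TPM must be present and ready, or Enable-BitLocker with a TPM protector fails.
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled

# Current state: anything with ProtectionStatus Off on a laptop is a finding.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
    @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ',' } }

# TPM + PIN: the TPM unseals the key only on an unmodified boot chain, and the
# PIN stops an attacker who has the hardware from simply booting it.
# Requires GPO "Require additional authentication at startup" to allow a PIN.
$pin = Read-Host -AsSecureString 'Pre-boot PIN'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest

# Recovery password, backed up to AD (needs GPO "Store BitLocker recovery
# information in Active Directory Domain Services").
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

Get-BitLockerVolume -MountPoint 'C:' | Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage
```

TPM-only is convenient but a stolen machine still boots to the logon screen with the disk unlocked, which is exactly the condition DMA and cold-boot attacks need; the PIN is what makes it two-factor. Check `Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"'` afterwards to confirm the escrow actually landed.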

Vulnerability Tracking:

These products can be a burden, and without some poking around many are difficult to comprehend. Rapid7's vulnerability management product is by far the best piece of software I've come across for this use case. It's referred to as Nexpose (now sold as InsightVM) and its job is to perform full internal network scans while cross-checking devices against CVEs and known exploits that could be used to extend an attacker's reach within your corporate or personal network.

Securing Web Servers:

This gets a little tricky. Any publicly accessible web service should run over TLS with a properly protected private key, and that key should never leave the server. I'm going to go over this from a very broad perspective in order to get your brain juices flowing. Patch everything constantly, no matter what it does or is; if it contains any level of company information it's valuable, and data found or mined from a site can leave you wide open depending on the severity of what's gained. It's also advisable to have some know-how with response headers and injection. These can be tested using Burp Suite and OWASP ZAP, but I'm not going to head into detail within this post.
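The header part of that is quick to check without firing up Burp, so here is an added example (not from the original post) that grades a response header set: the protective headers a pentester looks for first (HSTS, CSP, nosniff, frame options), an HSTS max-age too short to matter, and the version-disclosure headers that hand an attacker the CVE list for free. The sample header set is constructed so the check runs offline; the commented line shows feeding it a live response, and the URL there is a placeholder.

```powershell
# Added example, not from the original post. The sample headers below are
# constructed data, not a captured response.

function Test-SecurityHeaders {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Headers)
    # Header names are case-insensitive; normalise once. PowerShell 7 returns
    # string[] values from Invoke-WebRequest, so cast to string.
    $h = @{}
    foreach ($k in $Headers.Keys) { $h[$k.ToLower()] = [string]$Headers[$k] }
    $findings = New-Object System.Collections.Generic.List[string]

    $required = @{
        'strict-transport-security' = 'missing HSTS: first request can be downgraded or stripped'
        'content-security-policy'   = 'missing CSP: injected script runs unrestricted'
        'x-content-type-options'    = 'missing X-Content-Type-Options: nosniff'
        'x-frame-options'           = 'missing X-Frame-Options: page can be framed (clickjacking)'
    }
    foreach ($name in $required.Keys) {
        if (-not $h.ContainsKey($name)) { $findings.Add($required[$name]) }
    }

    # HSTS below a year protects little and cannot be preloaded.
    if ($h.ContainsKey('strict-transport-security') -and
        $h['strict-transport-security'] -match 'max-age=(\d+)' -and
        [long]$Matches[1] -lt 31536000) {
        $findings.Add("HSTS max-age $($Matches[1]) is under one year")
    }

    # Version banners: the attacker's shortcut from fingerprint to exploit.
    foreach ($leak in 'server', 'x-powered-by', 'x-aspnet-version') {
        if ($h.ContainsKey($leak) -and $h[$leak] -match '\d') {
            $findings.Add("$leak header discloses '$($h[$leak])'")
        }
    }
    return $findings
}

# Constructed sample (not a real response): HSTS too short, CSP and
# X-Frame-Options absent, Apache version leaked.
$sample = @{
    'Server'                    = 'Apache/2.4.29 (Ubuntu)'
    'Content-Type'              = 'text/html; charset=utf-8'
    'Strict-Transport-Security' = 'max-age=3600'
    'X-Content-Type-Options'    = 'nosniff'
}
Test-SecurityHeaders -Headers $sample

# Live check (placeholder URL):
# $r = Invoke-WebRequest -Uri 'https://intranet.corp.example/' -UseBasicParsing
# Test-SecurityHeaders -Headers $r.Headers
```

Run against the sample, it reports the short HSTS, the two missing headers and the Apache banner. Missing headers are the cheap fixes; the injection testing the post mentions is where Burp and ZAP earn their keep, and no header check substitutes for it.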