In other news, this is the first time I’ve ever used a highlighter until it ran out of ink.
This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.
Unencrypted Credentials and Clear Text
The problem: sending credentials from one machine to another in cleartext. This means that the unencrypted information could be subject to eavesdropping for use in later attacks. Cleartext credentials could also show up in logs.
The solution: don’t send credentials in clear text ¯\_(ツ)_/¯
Logs and Event Anomalies
The problem: Logs are meant to show event anomalies. You don’t want to dump ALL events into logs unless that information has a potential security implication or will be used in some form, later.
The solution: be conscientious about what needs to go into your logs so that you have a better signal-to-noise ratio. Log events that matter for security, specific to your organization.
The problem: incorrect setting of user rights and permissions, such that people have more or fewer permissions than they should.
The solution: periodic reviews and audits of rights and permissions.
The problem: when someone tries to access a resource that they don’t have permission to access. This might be because they’re making a mistake or deliberately trying to get past security. It also might be that permissions are set inappropriately.
The solution: track access violations through a SIEM system to be aware of and act on violations.
The problem: (there are many, the only one that the book mentions is) when a user attempts to use a certificate that does not have a complete chain of trust back to a trusted root.
The solution: don’t let that happen, I guess? Manage trusted certificates well so that users are not “fixing” the issue by trusting the cert anyway.
The problem: an attacker tries to steal data and export it out of your system.
The solution: don’t store data that doesn’t need to be stored. Use data loss prevent (DLP) tools as described in earlier chapters. Use firewalls and network segmentation to make it more difficult to exfiltrate.
The problem: when a device needs to be setup the correct way and you, well, botched it. This is usually a human error issue. Maybe you selected “everyone” on an access control list by accident.
The solution: regular audits, and most importantly, test that things are working as desired.
The problem: firewalls depend on rulesets to allow or block packets. Incomplete, incorrect or sloppy rulesets cause issues.
The solution: regular audits, of course. Also avoid making “temporary” rules to test out new things, because you’ll forget and they’ll become permanent.
The problem: content filters limit what users can view on a network. If the rules are too broad, you might be blocking valid or important resources.
The solution: make sure that your content filters are specialized to your organization, and that you can act to address miscommunications.
The problem: access points can be configured with rules about which traffic to grant or deny access to a network. These rules and criteria can get unwieldy to manage.
The solution: same old answer… audits and security tools to manage things at scale.
Weak Security Configurations
The problem: weak security configurations are configuration parameter choices that result in greater security risks.
The solution: avoid alloying deprecated protocols or cipher suites. Don’t allow users to have weak passwords or unlimited password attempts, and so on.
The problem: poorly trained users can weaken the security posture of a company, even if all your hardware and software is configured well.
The solution: invest in regular training for your employees.
The problem: personnel don’t adhere to written policies of the organization.
The solution: if it’s a knowledge issue, invest in policy-specific training. If it’s an awareness issue, invest in awareness training. If it’s willful disobedience, make sure your HR policy has teeth.
The problem: users inside the system who have access to and permissions on a network abuse their trust for malicious means.
The solution: make sure HR is screening new hires. Make sure you’re monitoring employee activity. And make sure you’ve got separation of duties so no single person has too much power.
The problem: attackers use social engineering against your employees.
The solution: provide your employees with comprehensive awareness training so that they can recognize and combat social engineering attacks.
The problem: social media over-sharing can result in giving away confidential information. This might help attackers with their social engineering attacks. And, employees with extreme viewpoints that they share online might land the company in hot water.
The solution: have some kind of social-media policy that lets employees know what company information is acceptable to share. Work with HR on the “extreme viewpoints” thing.
Use of Personal E-Mail
The problem: use of personal email means it’s easier for data exfiltration to happen. It also means that it’s easier for malware to get in.
The solution: prohibit use of personal email.
The problem: installation and use of software that shouldn’t be allowed on a system.
The solution: use whitelisting to restrict what can run on a machine. Don’t give users permission to install programs. Regularly audit things.
The problem: not a problem so much as a means of monitoring progress (or lack thereof).
The solution: measure the system’s current state by use of tools (default passwords, permission issues, and so on). Regularly re-measure the system and track progress or issues.
License Compliance Violations
The problem: you need valid licenses to run commercial software. If the license is not valid, then some or all of the software functionality will be unusable.
The solution: have a system to regularly check licenses and update them in a timely manner.
The problem: understanding what hardware and software you have, where it is, and how it’s configured is difficult at scale.
The solution: use tools and processes to make this a regular and as-much-as-possible automated task.
The problem: any issues related to authentication. This could mean leaving default passwords, it could also mean repeated failed logins. You get the idea.
The solution: avoid leaving default passwords in place. Log when users log-in, log-out, or have a failed log-in attempt, as needed. Act on brute-force login attempts.