I'd like to thank everyone for the great advice! I have already reached the realization that my job encompasses far more than just security; however, this is still part of my job. I really don't spend more than 30 mins on a "weird" alert unless I see other indicators that confirm what I'm seeing. My personal goal for our organization is simple really! Educate the handful of users I have, operate with a consistent patch cycle (automating as much as possible), review my logs. I have started implementing the "20 Critical Controls" and have been able to automate most of them (still a work in progress).
Again, thank you! The advice has really put me at ease... Knowing that the job is never really done, I feel I'm on the right track.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Josh More
Sent: Friday, August 10, 2012 8:36 AM
To: PaulDotCom Security Weekly Mailing List; Shaun Curry
Subject: Re: [Pauldotcom] How do I fill the gap of knowing how important "good" security is and actually doing something about it?

Congratulations, you've graduated.

More seriously, our culture does us a disservice through the schooling process. Classes are great when the amount you have to learn is the majority of what can be taught in a classroom format (I suspect the magic number is 80%). However, once you've accumulated enough baseline knowledge, the mode fails dramatically. In this case, there is no class that will solve your problem, as your knowledge gaps are unique to you. At this point, the best way to learn is experimentation, sharing your thoughts with others and a willingness to be wrong (and have it pointed out to you in public forums).

I recognize, of course, that this is not directly helpful, so to address your current concern, consider the following workflow:

1) Is this truly the most critical issue on which you should focus?
   * I've found that I can do more good in an organization addressing patch management and workstation/server hardening than chasing packets down rabbit trails. This will depend, of course, on your specific environment and key skillset.

2) If it is the most critical, consider what the alert could be indicating. Decide if it truly is critical.
   * IP spoofing against your VOIP system could be part of a social engineering attack, a "free international call" attack, harvesting information from voicemails, etc... look for secondary indicators.
   * Port scan detection can include true port scans or can be an external app negotiating for a control or data channel. Do you need control/data channels to those sources? If not, kill the source and forget about it.

3) If you have to dig deeper (or just want to), review the actual packets. If you're weak on this, play with the free PCAPs at http://wiki.wireshark.org/SampleCaptures/ .
   * Packet reading is a high learning-curve activity. Whether it makes sense to build that skill depends on how easy it is for you and how interesting you find it. Personally, I'm stronger in other areas, so I focus there.

Remember, most organizations select "best" practices and then implement them as poorly as possible. If you are the one and only admin in your organization, it is very likely that you should not be spending your time on these sorts of activities. (I have an entire presentation on why this is the case, but this is not the forum for such a rant.) Go back to point 1 several times a day to decide if this is what truly matters. Odds are that you'd be better served by finding ways to automate your daily, weekly or monthly tasks, communicating your concerns to nontechnical people and focusing on centralizing data management.

Most smaller organizations have so many ways for malicious people (inside or outside) to interfere with operations or steal data that network-based attacks are lower on the attacker's priority list. Build defenses and indicator traps along the most likely threat vectors and monitor those. Once you have reasonable certainty that they are clean, expand your program. If you learn anything new as you do this, share it with others.

-Josh More

On Thu, Aug 9, 2012 at 9:26 PM, Shaun Curry <[email protected]> wrote:
> Hello everyone!
>
> I have a difficult issue... I am a sys admin and the one and only IT person
> for a small organization. I have attended SANS courses and have
> listened to pauldotcom for years now. I have been learning a lot in
> the area of network security, but I need to fill a crucial gap in my
> knowledge.
>
> Here's the scenario:
>
> I review my logs daily and started noticing some strange things. For
> example, an "IP Spoof" with an internal IP address talking to my VOIP
> server. I see port scans coming from facebook domain that are
> obviously apps.
>
> I see things that alarm me; however, I don't know how to verify the
> validity of what I'm seeing. I know that sometimes you can get false
> positives and sometimes an all-in-one IDS/IPS/Firewall can get it
> wrong. I'm feeling a bit lost! I know that I can expect port scanning and I
> tend to ignore it.
> But some of the other things I'm seeing just leave me very nervous...
>
> I'm doing my best and as far as I can tell it's been working well, but
> there has to be a good training course or two that I can take that
> will teach me how to identify this stuff quicker and more easily.
>
> Do you just learn this stuff as you go? Is experience the key?
>
> If anyone has advice I'd appreciate it! I can't be the first or only
> person to reach this point....
>
> Thanks!
>
> Shaun Curry
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
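As an added example for this thread (it is not code from any of the messages above), here is a small Python triage script for the "port scan" step of Josh's workflow: it walks a constructed firewall deny log, separates a source that sweeps many distinct ports in a short window (a real scan) from a source that keeps re-trying one or two services (an external app negotiating a control/data channel), and then applies the "do you need that channel? if not, kill the source" rule against a hypothetical allowlist. The log format, the addresses (RFC 5737 documentation ranges), the 60-second window, the threshold of 8 distinct targets and the NEEDED allowlist are all assumptions for the example; the "IP Spoof" alert on the VOIP server is not covered here.

```python
"""Triage a firewall "port scan" alert: is the source really sweeping ports,
or is an external app re-trying one or two services, and do we need them?
(Added example for this thread, not code from the original posts.)"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic deny-log format; not real alerts.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2012-08-09 21:00:00 DENY TCP 198.51.100.7:40001 -> 203.0.113.10:21
2012-08-09 21:00:01 DENY TCP 198.51.100.7:40002 -> 203.0.113.10:22
2012-08-09 21:00:01 DENY TCP 198.51.100.7:40003 -> 203.0.113.10:23
2012-08-09 21:00:02 DENY TCP 198.51.100.7:40004 -> 203.0.113.10:25
2012-08-09 21:00:02 DENY TCP 198.51.100.7:40005 -> 203.0.113.10:80
2012-08-09 21:00:03 DENY TCP 198.51.100.7:40006 -> 203.0.113.10:110
2012-08-09 21:00:03 DENY TCP 198.51.100.7:40007 -> 203.0.113.10:135
2012-08-09 21:00:04 DENY TCP 198.51.100.7:40008 -> 203.0.113.10:139
2012-08-09 21:00:04 DENY TCP 198.51.100.7:40009 -> 203.0.113.10:445
2012-08-09 21:00:05 DENY TCP 198.51.100.7:40010 -> 203.0.113.10:3389
2012-08-09 21:05:10 DENY TCP 192.0.2.44:55120 -> 203.0.113.20:443
2012-08-09 21:05:40 DENY TCP 192.0.2.44:55121 -> 203.0.113.20:443
2012-08-09 21:06:10 DENY TCP 192.0.2.44:55122 -> 203.0.113.20:8443
2012-08-09 21:06:40 DENY TCP 192.0.2.44:55123 -> 203.0.113.20:443
2012-08-09 21:10:00 DENY UDP 192.0.2.99:5060 -> 203.0.113.30:5060
2012-08-09 21:10:30 DENY UDP 192.0.2.99:5060 -> 203.0.113.30:5060
2012-08-09 21:11:00 DENY UDP 192.0.2.99:5060 -> 203.0.113.30:5060
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_log(text):
    """Turn matching lines into event dicts; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "src": m["src"],
                           "target": (m["dst"], m["proto"], int(m["dport"]))})
    return events


def classify_sources(events, scan_targets=8, window=timedelta(seconds=60)):
    """For each source, find the most distinct (dst, proto, port) targets it
    hit inside any sliding window. At or above scan_targets it is a real
    scan; below, it is a client re-trying a handful of services."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, start in enumerate(evs):
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add(e["target"])
            peak = max(peak, len(seen))
        verdicts[src] = {
            "verdict": "port scan" if peak >= scan_targets else "repeat connections",
            "peak_targets": peak,
            "targets": sorted({e["target"] for e in evs}),
        }
    return verdicts


def recommend(verdicts, needed_channels):
    """Apply the thread's rule: a scan gets blocked; repeat connections are
    kept only if at least one of the channels is on the needed list.
    needed_channels is a set of (dst, proto, port) and is hypothetical."""
    actions = []
    for src, v in sorted(verdicts.items()):
        needed = [t for t in v["targets"] if t in needed_channels]
        if v["verdict"] == "port scan":
            actions.append((src, "block", f"{v['peak_targets']} targets in one window"))
        elif needed:
            actions.append((src, "keep", f"needed channel(s) {needed}"))
        else:
            actions.append((src, "block", f"unneeded channel(s) {v['targets']}"))
    return actions


# Hypothetical allowlist: the only inbound channel this site wants to keep.
NEEDED = {("203.0.113.20", "TCP", 443)}

if __name__ == "__main__":
    for src, action, reason in recommend(classify_sources(parse_log(SAMPLE_LOG)), NEEDED):
        print(f"{src:15} {action:5} {reason}")
```

Run as-is it prints one line per source: 198.51.100.7 is blocked as a scan (10 distinct targets in one window), 192.0.2.44 is kept because it keeps retrying the one channel on the allowlist, and 192.0.2.99 is blocked because its SIP retries are not something this site needs. To use it on a real box, swap SAMPLE_LOG for your firewall's deny log (adjust LINE_RE to its format) and populate NEEDED with the channels you actually rely on; the distinction between "many ports, few seconds" and "few ports, many retries" is the same one Josh draws above.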
