OpenSecurity.global
Kevin Beaumont

Most undervalued security control?

Question

So in the age of ‘you must buy EVERYTHING EVER to be secure’, what are the most undervalued security controls or products, do we think?

The unsung heroes of InfoSec. 

14 answers to this question


Excel

I can't think of a tool in InfoSec that's used more (until you get to a level where you have an Excel minion and your most used tool then becomes PowerPoint).

As techies we always focus on the technical toys, but so much of what we do is conveying risk (one way or another) to end users, and people just understand a nice colourful, conditionally formatted Excel spreadsheet.

Explain the potential vulnerabilities that may arise from their crappy web app and we're ignored because we're doom and gloom merchants; give them a nice graph showing how they suck at something compared to others and they get it.

So, I'd love to say Metasploit, Nessus, Splunk or something big and shiny, but for me, the most undervalued security control is a security analyst with good communication skills and a copy of Excel!


Windows updates, host-based firewalls, AV, disabling macros, disabling shit like LLMNR/NetBIOS, using a jump box... all the boring, easy (ok, relatively easy) low-cost shit that most orgs don't do! 🙂


I'm going to focus on controls/stuff you can do without spending cash. 

  1. Patch your shit. Seriously. When I get some more time I'll write up a long form post on how you can "nudge" the server, app and network teams to think it's a really good idea to do this but this should be a key focus for anyone working in blue teams. 
  2. When you've finished patching the above, go around again and look for all the stuff you've missed. Then patch it. Then repeat the process on a regular basis.
  3. Lock down your admin creds (particularly in AD) and reject any app that "requires" Domain Admin/Local Admin or similar to run. Trust me, they don't - it's just lazy implementation guides from the vendor, start digging and there will be a method that allows the app to run via a standard user account.
  4. Close the easy gaps first. Attackers are lazy, and they'll use the minimum required to get in. Review your firewall rules for example: any permit tcp inbound 139/445 ones in there? bin them. 
  5. Look for/ask for security guides or hardening guides from your existing vendors. They should all have them, and the likes of Microsoft/Cisco/Apple/insert large IT provider here are generally very good at telling you how to secure their stuff if you go and look for it.
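A worked version of the firewall-rule check in step 4, added here as an example that is not from this thread or any of its authors: it reads a rule export (the CSV column names and the rules themselves are constructed for the example) and flags every inbound permit that reaches 139/tcp or 445/tcp from an untrusted source, including port ranges and "any" rules that a plain grep for "445" would miss.

```python
import csv
import io

# Constructed firewall rule export (CSV); not from any real device or vendor.
RULES_CSV = """\
name,action,direction,protocol,src,dst,dport
allow-web,permit,inbound,tcp,any,10.1.2.3,443
legacy-smb,permit,inbound,tcp,any,10.1.2.3,445
rpc-range,permit,inbound,tcp,0.0.0.0/0,10.1.0.0/16,135-139
lan-smb,permit,inbound,tcp,10.0.0.0/8,10.1.0.0/16,445
mgmt-any,permit,inbound,any,any,10.1.9.9,any
default-deny,deny,inbound,any,any,any,any
"""

# Ports the post says should never be permitted inbound from untrusted sources.
RISKY_TCP_PORTS = {139: "NetBIOS session", 445: "SMB"}
UNTRUSTED_SOURCES = {"any", "0.0.0.0/0", "::/0"}

def port_range(spec):
    """Turn '445', '135-139' or 'any' into an inclusive (low, high) tuple."""
    if spec.strip().lower() == "any":
        return (0, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))

def find_risky_rules(rules_csv):
    """Return [(rule name, port, label)] for permits of 139/445 from untrusted sources."""
    hits = []
    for r in csv.DictReader(io.StringIO(rules_csv)):
        if r["action"].lower() != "permit" or r["direction"].lower() != "inbound":
            continue
        if r["protocol"].lower() not in ("tcp", "any"):
            continue
        if r["src"].lower() not in UNTRUSTED_SOURCES:
            continue  # internal-only sources are a separate review, not a "bin it"
        low, high = port_range(r["dport"])
        for port, label in sorted(RISKY_TCP_PORTS.items()):
            if low <= port <= high:
                hits.append((r["name"], port, label))
    return hits

if __name__ == "__main__":
    for name, port, label in find_risky_rules(RULES_CSV):
        print(f"bin it: rule '{name}' permits {label} ({port}/tcp) inbound from anywhere")
```

Note that the "lan-smb" rule is deliberately not reported: SMB permitted only from an internal range is a different conversation than SMB open to the world.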

Another one to throw in for Windows environments is Windows Event Forwarding, and Sysmon. Lovely.


As others have mentioned, asset management/inventory is vastly underrated. Especially as we continue to develop perimeter-less architectures and expand into the cloud. Shadow IT was bad when people were just buying their own gear... Now anyone with an unchecked corporate expense card can spin up some cloud resources and you'll never know. Time to start building communication channels with the finance department.


Excel for sure, or these days, PowerBI, I guess.

Another candidate is a good hardware/software inventorying tool. I personally love LanSweeper for a great, flexible, easy-to-configure app with superb reporting. So to preface @John Kelly's post,

0. Know what shit you have 🙂

Edited by Ian Chisholm
10 minutes ago, Ian Chisholm said:

Another candidate is a good hardware/software inventorying tool. 🙂

Damn, as somebody who spent 14 years at an IT auditing vendor before coming into Security, that should have been my go-to answer 🙂

You can't protect what you don't know you have!


+1 for robust asset management. 

I often hear statements like "we don't even know how many servers we have".  Sadly, it's sometimes said with a 'badge of honour' tone, as in "we're so big and important, we can't possibly keep track of it all".

Beyond that, if we're talking product, honeypots and tokens usually represent good value.


Blocking Windows executables from running in data directories and temporary locations (e.g. %APPDATA%). Trivial to implement and potentially stops lots of email-borne malware dead in its tracks. Anything legit which requires this (IIRC TeamViewer does?) can be whitelisted individually.


Undervalued control? Using an OS patching product that is so easy and simple to use that no one gets behind month to month. People get fancy about this, especially when talking about expanding scope to cover some or all other software, and that's when admins start avoiding it, leave, and new ones never pick it up fully. Or solving the "patched OS" problem some other way (auto spin down and spin up new boxes at a regular cadence, for example).

Honorable control mentions to app execution controls (+1 to Alan Coo!), asset/software inventories, and especially attack surface/exposure inventory. Threat modeling.

 

Undervalued tool? I'm a fan of all tools that are more surgical in nature than big fancy suites/products that all have built-in blind spots and a lack of agility. ("You can do custom whatever using our proprietary markup/WYSIWYG" doesn't count; no one does that shit.) I'll go with nmap, but from an external source. Go home, nmap scan your entire enterprise IP address range. Know what's open and hanging out in the cyber wind. (Every year this gets a little less important as enterprises move to clouds, open ports consolidate down to web apps, and endpoints become the quicker way in.)

 

Bonus tool: It might not be undervalued around here, but having a percentage of your sysadmins/developers who have a security-centric mindset. A good sysadmin who wants to practice good security is worth several+ dedicated infosec people. Find those people who "get" security, and make them your best allies. They'll allow you to get things done that middle management usually hems and haws about.

 

Bonus: Overutilized? Most risk management practices. (Would make a good panel topic.)  And today's spate of "we'll prioritize your vulnerabilities for you" products and services. IMO, if a company has this need to fill, no additional tool/process is going to really help them much. They probably just need to patch and track patching better.

 

Honestly, there's so many things.... 🙂


+1, asset and inventory management. It is surprising how late in your organization's security journey you realize that it should have been one of your early investments in security controls.

 

Policies and procedures may not be the most undervalued security control, but could very well be the least invested-in security control.


On asset control,

It's not just about knowing what you have.  It's knowing who owns what you have.

Any pillock can run an nmap scan.  Going "well, who's responsible for that, then?" is what repeatedly bites us on the arse.  Though we're a lot better now than we were.

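One way to turn "know what you have", the external nmap scan, and "who owns what you have" from the posts above into a repeatable check, added here as an example that is not from this thread or any of its authors: it parses nmap grepable (-oG) output, reconciles each live host against an asset inventory that records an owner, and reports hosts nobody claims, hosts with no owner, and services on a watchlist that are reachable from outside. The scan lines, the inventory CSV columns and the 203.0.113.0/24 addresses are all constructed for the example.

```python
import csv
import io

# Constructed nmap -oG output for an external scan of a documentation range; not a real scan.
NMAP_GREPABLE = """\
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (998)
Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 203.0.113.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 80/closed/tcp//http///\tIgnored State: filtered (998)
"""

# Constructed asset inventory; the 'owner' column is the point of the exercise.
INVENTORY_CSV = """\
ip,hostname,owner
203.0.113.10,web01,Web Team
203.0.113.11,bastion01,
"""

# Services that should raise a question when reachable from the internet.
EXPOSURE_WATCHLIST = {139: "NetBIOS session", 445: "SMB", 3389: "RDP"}

def parse_grepable(text):
    """Return {ip: [open tcp ports]} from nmap grepable (-oG) output."""
    scan = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and 'Status: Up' lines carry no port data
        ip = line.split()[1]
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports = scan.setdefault(ip, [])
        for entry in fields["Ports"].split(", "):
            port, state, proto = entry.split("/")[:3]
            if state == "open" and proto == "tcp":
                ports.append(int(port))
    return scan

def reconcile(scan, inventory_csv):
    """Return [(ip, finding)] for hosts nobody owns and services nobody should expose."""
    inventory = {row["ip"]: row for row in csv.DictReader(io.StringIO(inventory_csv))}
    findings = []
    for ip, ports in sorted(scan.items()):
        record = inventory.get(ip)
        if record is None:
            findings.append((ip, "not in inventory: who is responsible for this?"))
        elif not record["owner"].strip():
            findings.append((ip, "in inventory but no owner recorded"))
        for port in ports:
            if port in EXPOSURE_WATCHLIST:
                findings.append((ip, f"{EXPOSURE_WATCHLIST[port]} ({port}/tcp) open to the internet"))
    return findings
```

Calling `reconcile(parse_grepable(NMAP_GREPABLE), INVENTORY_CSV)` on the sample yields four findings: an ownerless bastion, an unclaimed host with RDP exposed, and SMB open on the web server.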

Unsexy but true; it’s the security policy, stupid. Many orgs rely on inherited policies or, worse, just copy others found on the web.

A fit for purpose and maintained policy defines what needs protecting. If you do not define that you’re pissing controls into the wind.

 
