IT Security: Ways to Tell an Insider Has Gone Rogue


Malicious User- @SeniorDBA

When you are looking for ways to protect your network from attack, you should also consider how you will protect assets from users with authorized access. Employees and contractors with legitimate access to your business systems and data could be responsible for more data breaches than you might assume. Most insider data breaches are caused by accidental or negligent access, but you must consider how you would detect malicious access because the results can be disastrous to your business and even your career.

If you look at the caches of documents and data leaked to the public in recent years, they were provided by insiders with elevated access. These disgruntled employees collected all the data they could find and shared it with the public, which could disclose business intelligence or even customer data such as credit card or health records. A 2017 Verizon survey puts the number of insider-led data breaches at 77 percent.

Most security solutions focus on protecting enterprise assets from outsiders, with little guidance on how to block legitimate insiders from unauthorized access to critical data. The key to dealing with insider threats is to log all activity by personnel accessing your most sensitive data and to identify indicators of malicious intent. Once you have identified the personnel and their potentially malicious behavior (copying data, exfiltrating sensitive files, etc.), you can alert the proper people to cut off access and begin remediation, which could include legal action.
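One way to turn "log all activity on sensitive data" into an indicator of bulk copying: scan an access log for users who touch an unusual number of sensitive files, or an unusual volume of bytes, inside a short sliding window. This is an added example, not code from the original post; the log format, the sensitive-path prefixes and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Flag bulk access to sensitive files in a constructed audit log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not from a real system):
# timestamp user action path bytes
SAMPLE_LOG = """\
2018-06-01T09:01:10 alice READ /finance/q1_report.xlsx 20480
2018-06-01T09:03:42 alice READ /finance/q2_forecast.xlsx 18432
2018-06-01T09:05:00 bob READ /hr/payroll_2018.csv 512000
2018-06-01T09:05:20 bob COPY /hr/payroll_2018.csv 512000
2018-06-01T09:05:30 bob COPY /hr/benefits.csv 204800
2018-06-01T09:05:41 bob COPY /finance/q1_report.xlsx 20480
2018-06-01T09:06:02 bob COPY /finance/q2_forecast.xlsx 18432
2018-06-01T09:06:15 bob COPY /legal/contracts.zip 8388608
"""

SENSITIVE_PREFIXES = ("/finance/", "/hr/", "/legal/")  # assumed classification
WINDOW = timedelta(minutes=10)
MAX_FILES_PER_WINDOW = 4           # assumed thresholds; tune per role
MAX_BYTES_PER_WINDOW = 5_000_000   # about 5 MB

def parse(line):
    """Split one audit line into its typed fields."""
    ts, user, action, path, size = line.split()
    return datetime.fromisoformat(ts), user, action, path, int(size)

def find_suspicious_users(log_text):
    """Return {user: [reasons]} for users whose sensitive-file activity in any
    sliding WINDOW exceeds the distinct-file or byte-volume threshold."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, action, path, size = parse(line)
        if path.startswith(SENSITIVE_PREFIXES):   # READ and COPY both count
            per_user[user].append((ts, path, size))
    findings = defaultdict(set)
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:  # slide the window start forward
                start += 1
            window = events[start:end + 1]
            if len({p for _, p, _ in window}) > MAX_FILES_PER_WINDOW:
                findings[user].add("bulk_file_access")
            if sum(s for _, _, s in window) > MAX_BYTES_PER_WINDOW:
                findings[user].add("bulk_volume")
    return {u: sorted(r) for u, r in findings.items()}
```

In the sample, bob copies five distinct sensitive files totalling about 9.6 MB in just over a minute and is flagged on both counts, while alice's two reads stay below both thresholds.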


Building a Security Operations Center (SOC)

Cybersecurity - @SeniorDBA

Cybersecurity is an important part of your business and includes many aspects of security, from development to infrastructure systems, and everything from document and data retention to how you deal with data breaches.

Cybersecurity Overview

Cyberspace and its underlying infrastructure are vulnerable to a wide range of risks stemming from both physical and cyber threats and a wide range of hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal valuable information and even money. They are also developing capabilities to disrupt, destroy, or threaten the delivery of essential services. A range of traditional crimes are now being perpetrated through cyberspace. This includes the production and distribution of child pornography and child exploitation conspiracies, banking and financial fraud, intellectual property violations, and other crimes. All of these illegal activities have substantial human and economic consequences. These are some of the aspects of cybersecurity that you need to consider when building an environment around IT Security:

  • Rapid Detection – Build a system that allows your team to rapidly detect and prevent system compromise from an attack. This includes perimeter defenses that alert technicians to an active attack, the ability to respond to a breach as quickly as possible, and the ability to tell which systems are being actively attacked and which are not.
  • Incident Response – Your technicians must have the tools to deny access to an asset involved in a suspected incident, quarantine the data on those systems, and block additional access by suspicious users as quickly as possible. Some tools automate the response during an incident, which can help smaller teams respond quickly, but a poorly tuned system that generates multiple false positives turns that automation into a curse.
  • Alarm Events – Systems must send meaningful and actionable alerts to your security team. Alarms can tell you something is wrong before you can easily see the problem with your naked eye, but they can also be a source of false alarms, and alerts from redundant sources can make an issue seem worse than it really is by doubling or tripling the quantity of alerts.
  • Network Visibility – Tools that let your team identify new endpoints and visualize the entire network allow them to quickly identify problems and react to unauthorized endpoints.
  • Vulnerability Prevention – The ability to identify malware and known vulnerabilities is the key to a stronger and more secure network. Protecting each endpoint from suspicious software and unauthorized downloads, and generating vulnerability alerts, are essential to targeting corrective actions before an attacker finds these issues.
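The "Alarm Events" point above, that redundant sensors double or triple the alert count, is usually handled by correlating alerts on the same host and signature into one incident before they reach an analyst. This is an added example, not code from the original post; the alert fields, the sensor names and the five-minute window are assumptions, and the alerts are constructed.

```python
"""Collapse duplicate alerts from redundant sensors into single incidents."""
from datetime import datetime, timedelta

# Constructed alerts (not from a real SIEM): (time, source, host, signature)
ALERTS = [
    ("2018-06-01T10:00:00", "ids-edge", "web01", "SQL injection attempt"),
    ("2018-06-01T10:00:02", "waf", "web01", "SQL injection attempt"),
    ("2018-06-01T10:00:05", "ids-core", "web01", "SQL injection attempt"),
    ("2018-06-01T10:01:00", "av", "ws17", "Malware detected"),
    ("2018-06-01T10:20:00", "ids-edge", "web01", "SQL injection attempt"),
]
DEDUP_WINDOW = timedelta(minutes=5)   # assumed; tune per signature

def correlate(alerts, window=DEDUP_WINDOW):
    """Group alerts on the same (host, signature) that arrive within `window`
    of the incident's first alert; a later alert opens a new incident so a
    genuinely repeating problem is still surfaced."""
    incidents = []      # each: host, signature, first, last, sources, count
    open_by_key = {}    # (host, signature) -> most recent incident for that key
    for ts_text, source, host, sig in sorted(alerts):
        ts = datetime.fromisoformat(ts_text)
        key = (host, sig)
        inc = open_by_key.get(key)
        if inc is None or ts - inc["first"] > window:
            inc = {"host": host, "signature": sig, "first": ts, "last": ts,
                   "sources": set(), "count": 0}
            incidents.append(inc)
            open_by_key[key] = inc
        inc["last"] = ts
        inc["sources"].add(source)   # keep which sensors agreed, not N copies
        inc["count"] += 1
    return incidents
```

Five raw alerts become three incidents; the first carries the three sensors that all saw the same event, so the analyst sees one issue with corroboration rather than three separate alarms.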


VMware ESXi 6.7 Guest OS Compatibility Guide

VMware ESX - @SeniorDBA

VMware ESXi 6.7 supports a wide range of Windows guest operating systems:

Vendor      Bits   OS Release Name
Microsoft   64     Windows Server 2019
Microsoft   64     Windows Server 2016
Microsoft   32     Windows 10
Microsoft   64     Windows 10
Microsoft   64     Windows Server 2012 R2
Microsoft   64     Windows Server 2003 R2
Microsoft   32     Windows Server 2003 R2
Microsoft   64     Windows Server 2012
Microsoft   64     Windows 8.1
Microsoft   32     Windows 8.1
Microsoft   64     Windows 8
Microsoft   32     Windows 8
Microsoft   64     Windows 7
Microsoft   32     Windows 7
Microsoft   64     Windows Server 2008 R2
Microsoft   64     Windows Server 2008
Microsoft   32     Windows Server 2008
Microsoft   64     Windows Vista
Microsoft   32     Windows Vista
Microsoft   64     Windows Server 2003
Microsoft   32     Windows Server 2003
Microsoft   32     Windows XP
Microsoft   64     Windows XP
Microsoft   32     Windows 2000


What’s new in SQL Server 2017 – Database Engine

Database Engine - @SeniorDBA

This post describes the improvements made to the SQL Server Database Engine for SQL Server 2017 (14.x). SQL Server 2017 includes many new Database Engine features, enhancements, and performance improvements.

  • CLR assemblies can now be added to a whitelist, as a workaround for the clr strict security feature described in CTP 2.0. sp_add_trusted_assembly, sp_drop_trusted_assembly, and sys.trusted_assemblies were added to support the whitelist of trusted assemblies (RC1).
  • Resumable online index rebuild resumes an online index rebuild operation from where it stopped after a failure (such as a failover to a replica or insufficient disk space), or pauses and later resumes an online index rebuild operation.
  • The IDENTITY_CACHE option for ALTER DATABASE SCOPED CONFIGURATION allows you to avoid gaps in the values of identity columns if a server restarts unexpectedly or fails over to a secondary server.


OSI Network Model Described

Networking - @SeniorDBA

In the late 1970s, the International Organization for Standardization (ISO) created an abstract model of networking, called the Basic Reference Model, as standard X.200. This conceptual model describes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Their goal was to promote interoperability of diverse communication systems. The Open Systems Interconnection model (OSI model) partitions a communication system into seven abstraction layers.

In the OSI model, control is passed from one layer to the next, starting at the application layer (Layer 7) in one network device, proceeding down to the bottom layer, across the channel to the next network device, and back up the hierarchy. The OSI model takes the task of inter-networking and divides it into what is referred to as a vertical stack of seven layers.


PCI DSS – Centralized Log Management System

SIEM - @SeniorDBA

The collection of event logs is required under the PCI DSS; those logs would be used to reconstruct the scope and timeline of a data breach if the network of a company that accepts credit cards is compromised. This means more companies are using their security logs to detect and analyze malicious incidents. While some might say these companies are collecting too much log data (think billions of events per day), it is easier to exclude data from your analysis than to find the details of an attack without enough log data.

A centralized log management system can help you collect all the relevant logs into a standardized format, help prevent editing/deletion of valuable evidence, provide a simple interface to perform analysis, limit who has access to the logged events, and provide one location to schedule a backup of huge amounts of data.
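The "prevent editing/deletion of valuable evidence" requirement above is commonly met by storing log records as a hash chain, so that any edited or removed record breaks every hash after it and verification pinpoints where the chain was broken. This is an added example, not code from the original post or from any particular log management product; the record layout is an assumption and the sample events are constructed.

```python
"""Tamper-evident log store: each record is chained to the previous record's hash."""
import hashlib
import json

GENESIS = "0" * 64   # prev-hash of the first record

def make_record(prev_hash, source, message):
    """Build a record whose hash covers the previous hash and its own content."""
    body = {"prev": prev_hash, "source": source, "message": message}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "hash": digest}

def append(chain, source, message):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append(make_record(prev, source, message))
    return chain

def verify(chain):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = make_record(prev, rec["source"], rec["message"])["hash"]
        if rec["prev"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    return True, None

# Constructed sample events (not from a real system)
SAMPLE_EVENTS = [
    ("firewall", "DENY tcp 203.0.113.5:4444 -> 10.0.0.7:3389"),
    ("sqlserver", "LOGIN FAILED for user 'sa' from 10.0.0.22"),
    ("sqlserver", "LOGIN SUCCEEDED for user 'sa' from 10.0.0.22"),
]

def build_chain(events=SAMPLE_EVENTS):
    chain = []
    for source, message in events:
        append(chain, source, message)
    return chain

def tamper_demo():
    """Rewrite one record in place (a failed login made to look successful)
    and show that verification reports exactly that record."""
    chain = build_chain()
    chain[1]["message"] = "LOGIN SUCCEEDED for user 'sa' from 10.0.0.22"
    return verify(chain)
```

Deleting a record in the middle is caught the same way, because the next record's prev no longer matches; truncating the tail is not, so the newest hash must also be copied somewhere the log host cannot rewrite, which is exactly what shipping to a central system with restricted access gives you.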

Security event logging basics

The best guide to security logging is the National Institute of Standards and Technology (NIST) Guide to Computer Security Log Management (Special Publication 800-92). Although it was originally written in 2006, it still provides the basics of security log management, so it can be very helpful to anyone new to the process.


Microsoft Product Roadmap for 2018


There have been several recent announcements from Microsoft outlining its proposed product releases for 2018. There have been so many announcements that it might be difficult for you to keep track of them all, but the good news is there are people tracking the announcements for you. In this article from Gladys Rama, we get an easy-to-follow list of announcements from Microsoft.

  • Windows 10 (UPDATED: 5/29) – “Redstone 4”: released; “Redstone 5”: fall 2018
  • Teams and Skype for Business (UPDATED: 5/17) – Anticipated release: Teams updates throughout 2018, with Skype for Business Server 2019 coming in the second half of the year
  • Office 2019 (UPDATED: 4/27) – Anticipated release: preview in Q2 2018, with general availability in the second half of the year
  • SharePoint Server 2019 (UPDATED: 5/21) – Anticipated release: preview in June 2018, with general availability in the second half of the year
  • Exchange Server 2019 – Anticipated release: preview in Q2 2018, with general availability in the second half of the year
  • Dynamics 365 (UPDATED: 4/12) – Anticipated release: updates throughout 2018, with a model revamp being implemented in spring
  • Windows Server and “Project Honolulu” (UPDATED: 5/30) – Anticipated release: Windows Server “semiannual channel” releases on May 7, 2018 and in the fall, with Windows Server 2019 coming in the second half of 2018; Project Honolulu: released