Network Security Review

Hi,
I'm currently in the process of writing a network security review of our work network, to cover everything from user level stuff to physical security of servers. So everything basically. :p

I'm trying to come up with topic titles for each section, and just to check I haven't missed anything out, can people suggest sections that would need to go in please?

I have up to now:
  • User Security - Their passwords & assets
  • User Security - What they can access that's not theirs
  • Server Security - Who can access which server via RDP
  • Server Security - Who can physically access the servers
  • Server Security - Service Accounts
  • Server Security - Enterprise/Domain Admin accounts
  • General bad practices for users
  • AUP & what's missing
  • Overall Risk Analysis
  • What will change - role based permissions
  • What will change - permissions on computers that aren't your own
  • What will change - server access
  • What will change - Enterprise/Domain admin access.
Bear in mind that the above are just temp titles to make it easier to see what's what. lol.

Thanks in advance all. :)
 
I'd maybe put something in about configuration of equipment, eg. do you harden your servers after building and if so how are they audited to ensure so?

Do you run vulnerability scans against the infrastructure to highlight any potential vulnerabilities?
 
Harden/run scans? No, lol.
Whilst I'd like to, it's simply not possible to do.
Standard practice for servers is install, configure, test, do first backup, make live.
After that, the GPOs kick in and enable a few things here and there, but that's about as far as it goes 'hardening' wise.
 
Fair enough, guess it depends how far you want to go with the security stuff :)

Vuln scans pick up on a lot of stuff that you either just don't think about or forget (or just don't care about!), but it's all relative as to how secure you need things to be.
 

To be honest, it's mainly user-centric stuff I want to concentrate on.
Such as changing permissions so that only certain depts can access certain areas, so that people can't see more than they need, and locking down the enterprise & domain admin logins to almost nil.
Although server stuff is handy to implement at the same time, as there are 4-5 people who can access almost everything, yet have no need to.
 
There are a few things I would say you are missing that are very important. These would give you a gap analysis on what needs to be done to meet best practice/compliance, which would then be fed into your risk register.

- Audit capability. Being able to find out who did what from event logs, so in the case of something nefarious you can track it back and have sufficient evidence with forensic integrity. How will the auditing be done, what tools, by whom and how often? Has an impact on any compliance standards you need to meet.

- Security & AV updates. How are you doing them, what testing, what schedule.

- Policy review. A business network should have a full set of policies which go from the high level to the low level, with details of responsibilities and implications. Master policy down to SyOps or SWIs.

- Boundary review. What external connections are available and who is using them? Are they adequately protected with the right devices?

- Asset management. No company I've seen has ever gotten this right and I don't think it can be done. If you don't know what assets are out there (workstations/laptops/servers/mobile devices) and who is responsible for them, you won't know if anything has been stolen or if it is receiving security/AV updates.
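The OP's "who can access which server via RDP" section and the audit-capability point above both come down to the same question: can you answer "who logged on where" from the event logs? The script below is an added example, not something posted in the thread. It works over constructed records shaped like Windows Security log 4624 (successful logon) entries, where LogonType 10 is a remote interactive (RDP) session; the field names and the privileged-account list are assumptions for the example.

```python
"""Build a per-server RDP access matrix from logon events (added example)."""
from collections import defaultdict

# Constructed sample records, not real log data. Shape mimics event 4624 fields.
EVENTS = [
    {"EventID": 4624, "Computer": "SRV-FILE01", "TargetUserName": "jsmith", "LogonType": 10},
    {"EventID": 4624, "Computer": "SRV-FILE01", "TargetUserName": "svc_backup", "LogonType": 5},
    {"EventID": 4624, "Computer": "SRV-SQL01", "TargetUserName": "jsmith", "LogonType": 10},
    {"EventID": 4624, "Computer": "SRV-SQL01", "TargetUserName": "admin.bob", "LogonType": 10},
    {"EventID": 4625, "Computer": "SRV-SQL01", "TargetUserName": "admin.bob", "LogonType": 10},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "admin.bob", "LogonType": 10},
]

# Constructed: accounts the review treats as privileged (Domain/Enterprise Admins).
PRIVILEGED = {"admin.bob"}


def rdp_access_matrix(events):
    """Map server -> set of accounts that completed an RDP logon (4624, type 10).

    Failed logons (4625) and non-RDP logon types (service = 5, etc.) are ignored,
    so the matrix shows actual remote access, not attempts.
    """
    matrix = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 10:
            matrix[e["Computer"]].add(e["TargetUserName"])
    return dict(matrix)


def privileged_rdp_logons(events, privileged):
    """Count successful RDP logons by privileged accounts, per server."""
    counts = defaultdict(int)
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == 10 and e["TargetUserName"] in privileged:
            counts[e["Computer"]] += 1
    return dict(counts)


def broad_access_accounts(matrix, threshold=2):
    """Accounts that reached at least `threshold` servers: the 'can access almost everything' list."""
    seen = defaultdict(set)
    for server, users in matrix.items():
        for user in users:
            seen[user].add(server)
    return {u: sorted(s) for u, s in seen.items() if len(s) >= threshold}


if __name__ == "__main__":
    m = rdp_access_matrix(EVENTS)
    for server, users in sorted(m.items()):
        print(server, sorted(users))
    print("privileged RDP logons:", privileged_rdp_logons(EVENTS, PRIVILEGED))
    print("accounts with broad access:", broad_access_accounts(m))
```

The same three functions feed the review directly: the matrix is the RDP section, the privileged counts are the admin-account section, and the broad-access list is the set of people to question about whether they need that reach.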
 
Stuff that jumps out at me (YMMV):

Physical security of server room(s) and comms rooms (or wherever your switches and patch panels live)

Password security of all of your physical network components (switches, routers, firewalls)

Firewall security policy & ACLs, port security measures on your switches and routers

Network change policy (firewall / router / switches)

Site disaster recovery plan

Data security (backups on/off site) & data recovery plan (restoring those all important backups)
 
What about training of users against giving out their passwords over the phone etc. There's a term for it but I can't think of it off hand, social conditioning attacks maybe ...

Also, maybe an aspect of security is how the admins check up that another admin isn't up to no good.

Rgds
 
Social engineering to answer your question. :p
 
Remote laptops: encryption and their malware/VPN protection, USB sticks and general removable media (inc. things like digital cameras connected by USB - they're still autorun/.lnk carriers), client OS & Flash/Reader/other app updates, new starters/leavers & termination procedures.

Network monitoring & the required manpower or automation (inc. budget requirements): endpoints, security event logs, firewall logs, searching & reporting of them, intrusion alerting (no false positives!), data loss prevention tools. Perhaps also file access logs, disaster recovery procedures, what to do if a senior admin goes rogue and deletes data & its backups, off-site backups and their restore timeframe if they need to be used. IT acceptable use policy - requires HR backing.
 
Some good stuff here. :)
I don't think I'll be using all of it, as some aren't applicable and some might be OTT for my uses, but still all suggestions welcome and are good for seeding ideas. :)
 
As you've mentioned physical security, you might also want to consider the security and reliability of your power and cooling systems, i.e. access to switchrooms, process for isolations, etc.
 
The biggest vulnerability in corporate networks imo is social engineering and the fact that most corporate networks leave the local admin account active and every PC on the network will have the same local admin password due to it being an image. Ideally the local admin account should be disabled completely. It is very easy for someone to send a trojan through to a user that might get past spam filters and then set up a reverse TCP on port 80 that will bypass most commercial firewalls. Which will then give the person a shell on the PC and they can dump the hashes, including the local admin password, which then in some cases can give them access to every PC on the network.

No wireless access point should be available on the internal network imo. They are too easy to crack, even WPA. Plus users always want a quick and easy password for their Wi-Fi, so that makes it less secure as well.

But your list is quite good, I will steal it for my own uses, thanks ;)
 
Wireless is fine in the enterprise if set up correctly, using something like RADIUS for example.
 
Risk Analysis, Site disaster & data recovery plans have been mentioned, but what about the procedure if an incident/breach is suspected? Who gets notified first, what gets unplugged, etc. (And I've forgotten the proper name for it!)
 
A good starting point is to read the PCI DSS standards, which cover all areas of network security from data access to physical access. In my role I have implemented a lot of systems based around PCI DSS, as all my clients (major banks) require us to be PCI DSS compliant, and we get audited every 6 months to make sure we aren't slipping on this.
 
Definitely some good advice in here!

With regards to jfish's recommendation of reading the PCI-DSS (no offence intended s'ah), be wary when you read it, as it's meant as a guideline, not as a definitive ... some recommendations will drive you round in circles when really the solution is simple :( I've experienced this many times, as I'm a penetration tester by trade, so unfortunately come across this all too often.

Other things:
*Change control on all devices, not just limited to network devices;
*User Acceptance Policies (UAP) defining what can occur on the network (e.g. users plugging in their own personal laptops etc.) and also what is allowed within the systems provided (email, web access, streaming etc.);
*General network security policies: AV must be installed and automagically updated through whatever method is available, patching of systems to occur on a regular basis etc.;
*3rd party verification: use of external security companies who will test the infrastructure/applications using an appropriate scheme (CHECK/CREST/OSSTMM) etc. and then provide a report back to you on technical issues identified, but rating them also against your specific business activities;
*Overall physical security of the company's facilities: ID cards, access logs, asset management;
*Regular reviews of build techniques/hardening guides, adequately audited.

The list can be endless, but then you may end up with systems that aren't able to be used as the need for security has overridden the requirement to actually use them :P so it's a balancing act :)

One last one, some companies like to select several employees to form part of a review board that meet every 6-12 months and go through what policies are currently in place and do a simulated run of different scenarios to see how they stack up and whether improvements can be made. Yes this is more edging towards ISO27001 and ISO9001 however both of those are good frameworks to base policies around like what people have already mentioned :)

*apologies for the bible or if it is of no use* :)
 
I may be somewhat biased, but a proper pentest and vulnerability assessment from an external company is a valuable thing to have. Of course, depends on your budget.
 