The goal is to present some basic measures that operational security teams (a.k.a. the Blue Team) can use to make life harder for pen-testers.
Some numbers about security breaches:
- Source: Verizon's 2015 Data Breach Investigations Report (DBIR), which quantifies the impact of a data breach.
- top 3 industries under attack: public sector, IT sector, financial services.
- 70% of attacks involve a second victim; the first victim is a stepping stone used to reach the real target.
- 90% of incidents have people as their root cause (the weakest link).
Good security programs are built in, not bolted on.
External defense tips and tricks:
Don't talk to strangers:
- implement blocks from the emerging cyber-threat lists (IP and domain reputation feeds).
- reject requests carrying known-bad or unexpected user-agent strings.
- detect port scanning and ban the scanning source.
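Detection logic for the last item, as an added example that is not part of the original notes: a small Python detector run over constructed netfilter-style firewall log lines. It keeps a per-source sliding window and flags any source that touches a threshold of distinct (destination, port) pairs inside that window; the log format, the thresholds, and the RFC 5737 documentation addresses are assumptions for the example, and the returned iptables command is built as a string, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format: ISO timestamp, then netfilter-style
# SRC=/DST=/PROTO=/DPT= fields. Adjust LOG_RE to your own firewall's format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse(line):
    """Return a dict with ts/src/dst/proto/dpt, or None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_scanners(lines, threshold=10, window_s=60):
    """Flag a source that touches >= threshold distinct (dst, port) pairs within
    a window_s-second sliding window. Returns {src: time_first_flagged}.
    Lines are assumed to be in time order for each source."""
    recent = defaultdict(deque)   # src -> deque of (ts, (dst, dpt)) inside the window
    flagged = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], (ev["dst"], ev["dpt"])))
        # drop events older than the window (the just-appended event keeps q non-empty)
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = ev["ts"]
    return flagged


def block_rule(ip):
    """iptables command that drops the offender (returned as text, not executed)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


# ---- constructed sample log (addresses from the RFC 5737 documentation ranges) ----
def _line(ts, src, dst, dpt):
    return f"{ts.isoformat()} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO=TCP DPT={dpt} SYN"


_base = datetime(2015, 6, 1, 12, 0, 0)
SAMPLE_LOG = (
    # fast scanner: 20 different ports on one host in 20 seconds
    [_line(_base + timedelta(seconds=i), "203.0.113.5", "198.51.100.20", 21 + i) for i in range(20)]
    # legitimate client: many hits, but always the same service
    + [_line(_base + timedelta(seconds=i), "192.0.2.44", "198.51.100.20", 443) for i in range(30)]
    # slow scanner: one new port every two minutes, stays under the default 60 s window
    + [_line(_base + timedelta(seconds=120 * i), "203.0.113.77", "198.51.100.21", 1000 + i) for i in range(15)]
    + ["junk line the parser must skip"]
)

if __name__ == "__main__":
    for src, when in detect_scanners(SAMPLE_LOG).items():
        print(f"{when.isoformat()} scan from {src}: {block_rule(src)}")
```

With the defaults only the fast scanner is flagged; the slow scanner shows why the window and threshold are tuning knobs, since widening the window to ten minutes and lowering the threshold catches it too, at the cost of more false positives from chatty legitimate clients.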
If you are going to talk, be sure you know who you are talking to:
- disable SMTP VRFY/EXPN address verification, which lets outsiders enumerate valid accounts.
- analyze certificates and the age of (external) domains; newly registered domains and freshly issued certificates are typical of phishing and C2 infrastructure.
- use SPF to validate the sending domain of inbound email.
- use DNS analysis (look for newly seen, algorithmically generated or otherwise suspicious domains in the resolver logs).
- don't forward DNS for arbitrary clients (no open resolvers).
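SPF works by having the sending domain publish, in a DNS TXT record, the addresses allowed to send mail for it; the receiving MTA looks the record up and evaluates the connecting IP against it. As an added example (not from the original notes, and not a library the page recommends), the evaluator below implements the ip4, ip6, include and all mechanisms of RFC 7208 offline against a constructed table of TXT records; the domains, records and addresses are assumptions, and the mapping from SPF result to MTA action is one possible site policy, also an assumption. Mechanisms that need live DNS (a, mx, ptr, exists) are reported as permerror rather than guessed.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these domains and records are
# assumptions for the example, not real mail infrastructure.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip6:2001:db8:1::/48 ip4:198.51.100.7 -all",
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # self-include: must not recurse forever
    "nospf.example": None,                                # domain exists but publishes no SPF
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying mechanisms at 10 per check


def check_host(ip, domain, txt=FAKE_TXT, _depth=0):
    """Evaluate domain's SPF record for the connecting ip.
    Returns one of pass/fail/softfail/neutral/none/permerror. Supports ip4,
    ip6, include and all; a/mx/ptr/exists (which need live DNS) give permerror."""
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = txt.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"                      # mechanisms default to "+" (pass) when they match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"      # malformed network is a permanent error
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif name == "include":
            sub = check_host(ip, arg, txt, _depth + 1)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror"):
                return "permerror"      # RFC 7208 5.2: included domain without SPF is an error
        else:
            return "permerror"          # a, mx, ptr, exists, macros: not supported offline
    return "neutral"                    # record ended with no match and no "all" term


def mta_action(result):
    """Map an SPF result to an MTA decision (site policy, assumed for the example)."""
    return {"fail": "reject", "softfail": "quarantine", "permerror": "reject"}.get(result, "accept")


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"), ("198.51.100.7", "example.com"),
                    ("203.0.113.9", "example.com"), ("203.0.113.9", "soft.example"),
                    ("203.0.113.9", "loop.example"), ("203.0.113.9", "nospf.example")]:
        r = check_host(ip, dom)
        print(f"{ip:>14} for {dom:<22} -> {r:<9} ({mta_action(r)})")
```

In production use a maintained implementation (pyspf, or the SPF support built into the MTA) rather than this sketch: the real rules add macros, the a/mx/ptr/exists mechanisms, redirect modifiers and a global 10-lookup budget, and each of them is a place where a hand-rolled evaluator can be made to accept a forged sender.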
Internal defense tips and tricks:
Your internal network is a hostile environment; treat it as such:
- monitor the inside more than the outside.
- segment all servers from the user networks.
- never use VPN address pools; always tie a user to a specific IP address, so that an address in the logs identifies a person.
- remove the network default route, so hosts cannot reach the internet except through an explicit proxy.
- intercept and inspect all HTTP/S requests.
Users are allowed to use company resources, under the following controls:
- whitelist the approved and managed software; everything else does not run.
- do not grant local admin privileges.
- users should only be allowed to reach categorized sites; deny all other traffic.
- host-based firewalls, IDS and behavioral analysis.
- scan all hosts for vulnerabilities on a regular basis.
- randomize all local admin passwords (a unique password per host, so one compromised host cannot be used to log in to the others).
Servers have specific purposes:
- do not install workstation software on them.
- manage updates centrally.
- segment the servers from each other as well as from users.
- standard images should have no additional services installed.
- do not allow local accounts to log in remotely.