SANS ISC: Internet Storm Center

Back to Basics: Writing Change Requests in Natural Language

Published: 2017-09-25
Last Updated: 2017-09-25 15:02:49 UTC
by Richard Porter (Version: 1)

Back to Basics

Back to Basics is a new series focusing on the boring stuff: tweaking and tuning the things we already do. In these articles we will discuss things that have worked and tips to get them working. This diary will focus on change requests. (See? Boring …)

There are several great resources that outline the change request process and/or how to stand up a governing policy [1] [2]. Some ‘googleFu’ will get you started and on the way to a decent program. One thing that reminded me of my teaching days in Security Leadership (MGMT 512) [3] is how changes are written. Imagine some senior business executive calls and says “Hey, we have XYZ App launching tomorrow and the ABC team can’t seem to get to N,” and so begins the classic argument of ‘if we could just get those security folks out of our way, we could do our jobs.’ Yes, in 2017 that sentiment still exists.

Instead of telling the business executive “There is no way I’m putting that rule in the firewall!”, a better conversation to have would go something like “So you want all users to have any access to the server from anywhere at any time?”

Now, before we get excited and think that the conversation will go our way, hold on! Said executive may not have the full picture and may say “Yes, we need this up now.” According to Dark Reading, and probably many other sources, the number one of the top five firewall mistakes happens to be *ding ding ding!* broad firewall policies [4]. “Okay, Mr. ‘So in So’, this is outside of normal policy and change request procedures. I’ll need two executives to approve it and sign off on this. Can we remove this policy after some investigation?”

Referencing both the National Institute of Standards and Technology (NIST) and SysAdmin, Audit, Network, Security (SANS), both state that a change request should include as much information as possible [1] [2]. The goal here is to enhance that with some natural language.

Emergency Change Request Addendum:

Mr. So in So, Vice President of Such in Such, in concurrence with Ms. Such in So, Vice President of Something, have agreed that the new Widget Money Making Service firewall policy rule that follows is approved. ‘All users and all applications on any port at any time from anywhere can access the Widget Money Making Service.’ This firewall policy will remain in effect indefinitely.

The natural language idea may not be new, and that is why we are getting back to boring basics. Having seen the above scenario play out a short time ago, it needed to be brought back up. In the above case, using natural language gave one of the two executives a moment of pause, and it actually worked. Instead of giving in to the software developers, the business leader asked them “Do you really need all that access?” This author was not around for the answer, but noted the impact natural language had on the change.


Back to Basics Tips: Change Requests in Natural Language

  • Translate the request into natural human readable language
  • Ask probing questions about the need of the change
  • Establish if there is a time limit on the change
  • For unnatural or out-of-policy changes, attempt to get more than one exec to approve (note: this is something for the business to establish as policy beforehand; it is not wise to make it up on the fly)
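The four tips above can be made mechanical for the common case of a firewall rule. The script below is an added example for this diary, not a tool from SANS, NIST or the ISC: it takes a requested rule, renders it as the plain-English sentence an executive would be asked to sign, lists the dimensions left at "any" (the broad-policy mistake the diary warns about), generates the probing question for each, and checks whether a broad rule carries an expiry date and the two approvers the diary asks for. The field names (`src`, `dst`, `port`, `proto`, `schedule`, `expires`, `approvers`) and the two-approver threshold are this example's own assumptions; the sample Widget request is constructed from the diary's wording.

```python
"""Render a firewall change request in natural language and flag broad policies.

Added example, not code from the ISC diary or from any SANS/NIST publication.
Field names, the finding codes and the two-approver threshold are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ANY = "any"  # the value that makes a rule "broad" along that dimension
BROAD_DIMENSIONS = ("src", "dst", "port", "proto", "schedule")

# One probing question per dimension, to ask whenever that dimension is "any".
PROBING_QUESTIONS = {
    "src": "Which networks or user groups actually need to reach the service?",
    "dst": "Which hosts actually run the service, and can the rule name only them?",
    "port": "Which ports does the application listen on?",
    "proto": "Is the service TCP, UDP or both?",
    "schedule": "Is the access needed around the clock, or only in a maintenance window?",
}


@dataclass
class FirewallChange:
    """One requested firewall rule (field names are this example's own)."""
    service: str                    # what the business calls the thing being exposed
    src: str = ANY                  # source address or range
    dst: str = ANY                  # destination address or range
    port: str = ANY                 # destination port
    proto: str = ANY                # tcp, udp, ...
    schedule: str = ANY             # time window during which the rule applies
    expires: Optional[str] = None   # removal date; None means "indefinitely"
    approvers: List[str] = field(default_factory=list)


def broad_dimensions(change: FirewallChange) -> List[str]:
    """Return the rule dimensions that were left at 'any'."""
    return [d for d in BROAD_DIMENSIONS if getattr(change, d).lower() == ANY]


def probing_questions(change: FirewallChange) -> Dict[str, str]:
    """Tip 2: the question to ask for every dimension that is still 'any'."""
    return {d: PROBING_QUESTIONS[d] for d in broad_dimensions(change)}


def to_natural_language(change: FirewallChange) -> str:
    """Tip 1: the rule as the sentence an executive would be asked to sign."""
    c = change
    who = ("All users and all applications, from anywhere," if c.src.lower() == ANY
           else f"Hosts in {c.src}")
    what = (f"any server hosting the {c.service}" if c.dst.lower() == ANY
            else f"the {c.service} at {c.dst}")
    port = "on any port" if c.port.lower() == ANY else f"on port {c.port}"
    proto = "over any protocol" if c.proto.lower() == ANY else f"over {c.proto.upper()}"
    when = "at any time" if c.schedule.lower() == ANY else f"during {c.schedule}"
    rule = f"{who} can access {what} {port} {proto} {when}."
    # Tip 3: say out loud whether the rule ever goes away.
    expiry = ("This rule will remain in effect indefinitely." if c.expires is None
              else f"This rule will be removed on {c.expires}.")
    # Tip 4: name the people who own the decision.
    if not c.approvers:
        approval = "No one has approved this rule."
    else:
        verb = "has" if len(c.approvers) == 1 else "have"
        approval = f"{' and '.join(c.approvers)} {verb} approved this rule."
    return " ".join([approval, rule, expiry])


def review(change: FirewallChange, required_approvers: int = 2) -> List[str]:
    """Apply the diary's tips to a request; returns finding codes, empty = within policy."""
    findings = [f"broad:{d}" for d in broad_dimensions(change)]
    if findings:  # the extra controls only apply to out-of-policy (broad) rules
        if change.expires is None:
            findings.append("no-expiry")
        if len(set(change.approvers)) < required_approvers:
            findings.append("insufficient-approvers")
    return findings


# Constructed sample requests: the diary's Widget rule and a tightly scoped one.
WIDGET_REQUEST = FirewallChange(
    service="Widget Money Making Service",
    approvers=["Mr. So in So, Vice President of Such in Such",
               "Ms. Such in So, Vice President of Something"],
)
NARROW_REQUEST = FirewallChange(
    service="Widget Money Making Service", src="10.20.0.0/24", dst="10.30.1.5",
    port="443", proto="tcp", schedule="business hours", expires="2017-10-02",
    approvers=["Ms. Such in So, Vice President of Something"],
)

if __name__ == "__main__":
    for req in (WIDGET_REQUEST, NARROW_REQUEST):
        print(to_natural_language(req))
        print("  findings:", review(req) or "none")
        for dim, question in probing_questions(req).items():
            print(f"  ask about {dim}: {question}")
```

Run as a script it prints the signable sentence for each request, the findings, and the questions to take back to the requester; for the Widget rule every dimension is broad and the only thing the two executives have supplied is the approvals, so the missing expiry is the finding that prompts "can we remove this policy after some investigation?".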


Let us know if you attempt this, and what the results are.

References:

[1] https://www.sans.org/summit-archives/file/summit-archive-1493830822.pdf

[2] https://www.nist.gov/publications/guide-security-focused-configuration-management-information-systems

[3] https://www.sans.org/course/security-leadership-essentials-managers-knowledge-compression

[4] https://www.darkreading.com/operations/5-most-common-firewall-configuration-mistakes-/a/d-id/1322225?
