This is a guest diary submitted by Tomasz Miklas. Interested in providing a guest diary yourself? Please send a proposal (title/outline) using our contact form. Interested in becoming a handler and regular contributor? See our Handler Roadmap.
Some time ago I was asked to help with incident response for a small company. While the incident itself was not very exciting, the lessons learned were more than a bit of a surprise. The victim was shocked at how spectacularly they had failed, even though they considered themselves to follow good security practices, or at least to be above the “low-hanging fruit” category. This is a classic example of a false sense of security.
Key lessons learned:
--
Tomasz Miklas
Twitter: @tomaszmiklas
Handlers 76 Posts Jan 6th 2014
I'm not sure "they considered themselves to follow good security practices" can be followed by "all of the IT systems and components used the same administrator password [which] could be found in a publicly readable backup script", without a facepalm or two during or after that statement.
oleksiy 34 Posts
Jan 6th 2014 8 years ago
RE: DST
That is why everything should be on UTC/GMT/ZULU time. It will never matter what state DST is in under these circumstances. In addition, any central logging / SIEM worth its salt will support localization of time zones during log indexing. Finally, using the same time servers across an environment is critical. Even if that time is wrong, every device will be collectively wrong together. This goes a long way to stitching an event together using logs across many different systems and devices. It is also a requirement in PCI DSS 3.0 and ISO 27001:2013, if you need something more than "best practice" to make your case ;)
oleksiy 14 Posts
Jan 6th 2014 8 years ago
Yes, time mis-synchronization is my principal pet peeve. You know how they say that ex-smokers are the most intolerant of smokers? In a former scientific career I actually caused a loss of days of research and tens of thousands of dollars because of a time synch problem for which I was responsible. It literally can add a sizable chunk to the cost of an incident response engagement in terms of analytic hours, and contribute to mass uncertainty. It is amazing that large commercial enterprises can spend tens of millions on IT and pointedly neglect something that is trivial in terms of deployment cost, and zero hardware cost.
Anonymous
Jan 6th 2014 8 years ago
@oleksiy: this is the difference between rather optimistic self-assessment by the organization and the hard reality check. False sense of security, often failing at total basics.
Tomasz 3 Posts
Jan 6th 2014 8 years ago
"Different countries observe DST on different dates - for example in US, Mexico and most of Canada DST begins about two weeks earlier than European countries."
Yes... some countries go forward instead of backwards. Some countries occasionally cancel or reschedule DST. Timezones are a real pain: http://www.youtube.com/watch?v=-5wpm-gesOY
Mysid 146 Posts
Jan 6th 2014 8 years ago
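As an added example of what the "everything on UTC" advice in the RE: DST comment and the "US DST begins about two weeks earlier than Europe" point above mean for log correlation (this is not code from the diary or from any commenter): the script below hard-codes the 2014 DST transition instants for two zones as an assumption so it runs offline, converts constructed local-time log lines to UTC, shows the event ordering flip caused by the gap between the US and European DST starts, and flags timestamps that fall in the nonexistent spring-forward hour or the ambiguous fall-back hour.

```python
from datetime import datetime, timedelta

# Assumption: 2014 transition instants for two zones, hard-coded (in UTC) so the
# script runs offline; a production tool would load them from the tz database.
ZONES = {
    # zone: (standard offset h, daylight offset h, DST start UTC, DST end UTC)
    "America/New_York": (-5, -4, datetime(2014, 3, 9, 7), datetime(2014, 11, 2, 6)),
    "Europe/Berlin": (1, 2, datetime(2014, 3, 30, 1), datetime(2014, 10, 26, 1)),
}

SAMPLE_LOG = [  # constructed sample lines: zone|local wall-clock time|message
    "Europe/Berlin|2014-03-20 17:30|vpn: admin login from remote",
    "America/New_York|2014-03-20 12:00|fileserver: backup script modified",
    "Europe/Berlin|2014-10-26 02:30|firewall: rule change",
    "America/New_York|2014-03-09 02:30|workstation: reboot",
]

def utc_offset(zone, utc_naive):
    """Offset (hours) in effect in `zone` at a naive UTC instant."""
    std, dst, start, end = ZONES[zone]
    return dst if start <= utc_naive < end else std

def local_to_utc(zone, local_naive):
    """Every UTC instant a local wall-clock time can denote: 1 normally,
    0 in the spring-forward gap, 2 in the fall-back overlap."""
    std, dst, _, _ = ZONES[zone]
    found = []
    for off in (std, dst):  # try each offset and keep the self-consistent ones
        candidate = local_naive - timedelta(hours=off)
        if utc_offset(zone, candidate) == off:
            found.append(candidate)
    return sorted(found)

def normalise(lines):
    """Convert each line to UTC, flag unresolvable stamps, and return rows of
    (utc_iso, zone, message, status) sorted by UTC time."""
    rows = []
    for line in lines:
        zone, stamp, msg = line.split("|", 2)
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        utcs = local_to_utc(zone, local)
        if not utcs:  # never existed on that clock: keep the raw stamp, flag it
            rows.append((local, zone, msg, "nonexistent"))
        for utc in utcs:
            rows.append((utc, zone, msg, "ok" if len(utcs) == 1 else "ambiguous"))
    rows.sort()
    return [(u.isoformat(), z, m, s) for u, z, m, s in rows]
```

With a naive "Berlin is six hours ahead" rule the VPN login (17:30 Berlin) would sort before the file server change (12:00 New York); in UTC it is the other way round, because on 20 March New York is already on daylight time and Berlin is not.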
IMHO Homeland Security should request that Congress abolish DST.
PhilBAR 24 Posts
Jan 7th 2014 8 years ago
IMO, the U.S. should not only abolish DST but also our timezones (following China's example). We shouldn't be messing with time but instead, adjusting our human schedules to where we geographically live. Using one timezone, if you live on the east coast, your workday runs from 8am to 5pm. If you live on the west coast, your workday runs from 11am to 8pm. If you live in Europe, your workday runs from 2pm to 11pm. Why we, as humans, decided to modify time to fit our needs is baffling. I would vote for a world-wide standardization on Zulu time if I had the chance. Timezones and DST are outdated concepts based on outdated reasons and cause nothing but confusion. In today's modern world, we should all be on the same time. Want to have a conference call between your office in Denver and your supplier in Copenhagen tomorrow at 6:00pm? No problem, 6:00pm in Denver is 6:00pm in Copenhagen and 6:00pm everywhere.
I remember once I had a red-eye flight during a DST change and I thought I had 1hr and 30mins for my connection when I really only had 30mins. Timezones and DST are terrible concepts in real life and even worse in cyber life.
da1212 69 Posts
Jan 9th 2014 8 years ago