jesterson 5 years ago

Maybe someone will disagree, but I believe there are no shortcuts or one-size-fits-all solutions when it comes to security. The structure of modern information systems is extremely diverse, making a single-path approach unworkable in the vast majority of cases.

My answer would be quite boring I guess but it does the job to improve resilience:

- Analyse your system and identify potential vulnerabilities;
- Analyse your vulnerabilities against your risk model (identify the most crucial ones);
- Mitigate risks from the most important to the least;
- Rinse, repeat regularly.

  • badrabbit 5 years ago

    What you said improves your known attack surface for sure. But what do you mean by vulnerabilities? CVEs? If so, that's inadequate.

    What I mean is, system and network architecture on its own often creates vulnerabilities for that risk model. Let's say you have product X; it is well patched and well configured. Except! Anyone can access it from the intranet and internet. Is this a vulnerability? Can a random attacker password spray product X, gain access and leverage that access for $profit? It's not exactly a CVE, but it can be a vulnerability.

    I say invest in good security/IT architects.

badrabbit 5 years ago

1) Implement a good EDR solution. By far, I can't think of any other change or investment that has had better ROI. So much visibility! And you can quickly implement detections and controls based on attacker TTPs, which has a greater ROI than playing whack-a-mole with CVEs or relying on updated firewall rules, AV rules, SELinux rules, etc...

2) Log as much as possible and do something with the logs. Log everything and continue to improve your SIEM or security stack based on new threat intel.

3) Low-effort, high-ROI low-hanging fruit. 2FA everything. Mutual certificate auth where I can. Turn on BitLocker. Make people use password managers, SSH pubkey auth. If you have a typical corporate firewall/proxy: block any domain that isn't categorized or is newly registered.

4) This is what I think will be good; haven't done it IRL: segment the network well. Remote management can only happen from jump boxes. Be hostile against removable drives.

5) Taking the first step of NIST's incident response lifecycle seriously, preparation: playbooks (online and offline), checklists, emergency communication channels. Document important assets and related contacts for when SHTF. And actually have routine tabletop exercises and penetration tests (as the corporate wallet allows).

6) I hate that I put this last, but: good security tooling. Typical stuff like an in-house sandbox, dedicated DFIR platform.

This should go without saying: you need people to do this and it really does start from the top (leadership).
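Point 3 above proposes a proxy rule that blocks any domain that is uncategorized or newly registered. The following is an added example, not code from the thread or from any vendor's proxy, showing what that decision logic looks like when written out. It assumes the proxy's categorization feed and a registration-date feed are available as plain dictionaries (both constructed here), and it uses a deliberately tiny public-suffix fragment so that a hostname such as `cdn.example.co.uk` is judged by its registrable domain rather than by the full hostname. Unknown suffixes and missing registration dates fail closed.

```python
from datetime import date, timedelta

# Constructed public-suffix fragment (assumption: a real deployment loads the
# full list from publicsuffix.org). Needed so subdomains inherit their parent's
# category instead of each looking "uncategorized".
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "io"}

# Constructed category feed keyed by registrable domain (assumption: this is how
# the proxy exposes its categorization data).
CATEGORIES = {
    "example.com": "business",
    "example.co.uk": "business",
    "brandnew-login.io": "business",   # categorized, but see its registration date
}

# Constructed registration dates (assumption: populated from a WHOIS/RDAP feed).
REGISTRATION_DATES = {
    "example.com": date(2005, 6, 1),
    "example.co.uk": date(2012, 3, 15),
    "brandnew-login.io": date(2024, 3, 10),
    "oldblog.net": date(2009, 1, 20),
}


def registrable_domain(hostname):
    """Return the registrable domain (one label above the public suffix), or
    None when the suffix is unknown or the hostname is itself a suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None          # e.g. a bare "com"
            return ".".join(labels[i - 1:])
    return None                      # unknown TLD: cannot be trusted


def decide(hostname, today, max_age_days=30):
    """Apply the rule from the post: block uncategorized domains and block
    domains registered less than max_age_days ago; allow the rest.
    Returns (action, reason)."""
    domain = registrable_domain(hostname)
    if domain is None:
        return ("block", "unrecognised suffix")
    category = CATEGORIES.get(domain)
    if category is None:
        return ("block", "uncategorised")
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        return ("block", "registration date unknown")   # fail closed
    age = (today - registered).days
    if age < max_age_days:
        return ("block", f"newly registered ({age} days)")
    return ("allow", category)


if __name__ == "__main__":
    today = date(2024, 3, 14)   # constructed "current" date for the demo
    for host in ("www.example.com", "cdn.example.co.uk", "oldblog.net",
                 "login.brandnew-login.io", "foo.bar.xyz"):
        print(host, "->", decide(host, today))
```

The ordering matters: the age check runs even for a categorized domain, so a freshly registered domain that a feed has already labelled "business" is still blocked until it ages past the threshold.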

  • phaus 5 years ago

    2) Log as much as possible and do something with the logs. Log everything and continue to improve your SIEM or security stack based on new threat intel.

    This is a good one. If you have a SIEM + Log Aggregation setup and you don't have robust logging and/or aren't feeding those logs into it, you should have saved yourself some time and burned the money you spent on it.

moviuro 5 years ago

- Keep up with the latest trends (supply chain, credential leaks, etc.) and published CVEs (a CERT can help)

- Risk analysis with business stakeholders (maybe they care nothing for confidentiality, but tons for integrity, or there are market regulations a security expert has no knowledge of)

As said by jesterson, there's no silver bullet in security, only adequate counter-measure given a threat model.

  • badrabbit 5 years ago

    Keep up with it and do what? Threat intel is nice but quite a waste of time if you can't adapt to new threats by implementing or adapting security controls fast.

netsectoday 5 years ago

Practice some red team exercises against your apps and infrastructure, or do it against a site in the wild and responsibly disclose what you found to them - then harden your systems against your tactics.

  • badrabbit 5 years ago

    Assuming you have staff that can do red teaming and more staff that can review the results and implement changes. Purple teaming is also nice and works better (my opinion) than red vs blue teaming for smaller teams.

dieFledermaus 5 years ago

Title is lacking the "Ask HN:" preface which probably explains the low response/activity.

Spooky23 5 years ago

The key is basic competence in configuration management, SIEM and, most importantly, segmentation.

Patch and have configuration standards.

Segmentation is harder. Keep systems separated and minimize admin privilege.

runjake 5 years ago

Continuous, ongoing end user education, by far.

It must be a regular thing. Threats change, people forget, people lower their guard.

  • chelmzy 5 years ago

    I agree, but it can be almost impossible to scale efficiently. My organization has ~20,000 employees and at least another 5000 contractors that use our email system.

rblack0814 5 years ago

Well, I don't know, seeing how someone sent a link with all your members' contacts and hidden links to multiple codes. If there's an admin or anyone who would like to see the "live" spreadsheet, let me know. You can reach me at rblack0814@gmail or blackr6770@gmail. There are live email addresses of most of the people on herrle and I have not a clue who any of you are. I've been maliciously hacked by developers now for two years, and not just me but my kids also.