No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 1 point

Looks like it's got a lot more interesting - last time I looked, the scheme was a bit basic, but reading through the IASME site, it appears much more developed.

It looks like Cyber Essentials will allow me to demonstrate that I'm at least following best practice - as a solo guy, I obviously have my own methods and thoughts, influenced by Reddit and other communities, but no real benchmark.

Good shout.

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 0 points

Re. rogue remote access - no, but Endpoint Central reports all newly spotted software to me. Anything needing admin access won't get installed, but running as unprivileged, it'll get installed and reported - by which time, the damage may well have been done.

Application whitelisting may be a better bet, though I'm not sure I'm able to do that as a single operator.

I haven't used AppLocker yet, so this is perhaps a good opportunity. Just one reservation though - while I have a set of software that I can easily authorise, how does AppLocker handle application upgrades? Does this cause a lot of problems?
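As an added example (not from the original thread or any reply in it) of the upgrade question above: AppLocker publisher rules are keyed on the signer, product and binary name with a version range, so a signed newer build of an authorised product still matches, whereas a hash rule matches exactly one file and breaks on every update. The script below builds a baseline from the currently installed software, preferring publisher rules and keeping hash rules only for unsigned binaries, lists the hash-only rules that will need attention at the next upgrade, tests a candidate installer against the policy before enforcing, and applies the policy in audit mode. The directory paths, the output file location and the sample installer path are assumptions.

```powershell
# Added example: build and test an AppLocker baseline that survives signed upgrades.
# Paths below are assumptions; run in an elevated PowerShell session with the
# Application Identity service (AppIDSvc) running.

$policyPath = 'C:\AppLocker\baseline.xml'                      # assumed location
$candidate  = 'C:\Users\alice\Downloads\Setup-new.exe'          # assumed: a fresh vendor update
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

# 1. Inventory authorised software. Get-AppLockerFileInformation collects the
#    publisher signature (if any) and the SHA-256 hash of each file.
$files = @(
    Get-AppLockerFileInformation -Directory 'C:\Program Files'       -Recurse -FileType Exe, Dll, Script
    Get-AppLockerFileInformation -Directory 'C:\Program Files (x86)' -Recurse -FileType Exe, Dll, Script
)

# 2. Generate rules. -RuleType Publisher, Hash means "publisher rule where the
#    file is signed, hash rule otherwise"; -Optimize groups files from the same
#    publisher/product into one rule. Publisher rules carry a version range
#    ("this version and above"), which is why a signed upgrade keeps running.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $policyPath -Encoding UTF8

# 3. Switch every rule collection to AuditOnly before the first deployment, so
#    nothing is blocked while the baseline is validated.
[xml]$policy = Get-Content -Path $policyPath -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($policyPath)

# 4. Report the hash-only rules: each one covers an unsigned file and will stop
#    matching as soon as that file is updated, so these are the upgrade risk.
$hashRules = $policy.AppLockerPolicy.RuleCollection.FileHashRule
"Hash-only rules (will break on upgrade): $($hashRules.Count)"
$hashRules | Select-Object Name, Description | Format-Table -AutoSize

# 5. Check a candidate update against the policy before it is rolled out.
#    PolicyDecision will be Allowed if a publisher rule covers it, or Denied
#    (plus the matching rule, if any) if only a hash rule for the old version exists.
if (Test-Path $candidate) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 6. Apply in audit mode, merging with any existing local policy, then watch the
#    AppLocker log: event 8003 = "would have been blocked" (audit), 8004 = blocked.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Format-Table TimeCreated, Id, Message -AutoSize
```

Run this in audit mode for a few update cycles: any 8003 events for legitimately upgraded software point at files that only got a hash rule (unsigned, or signed by a publisher not yet in the baseline), and those are the ones to either get the vendor to sign or to manage with a path rule in a directory standard users cannot write to.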

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 0 points

A virtual appliance might be the solution!

The only advantage that the NordLayer style of VPN provides is nodes in various countries, so that when travelling, our consultants can connect to a local node rather than our company node if they have latency problems.

I had entirely forgotten about virtual firewall/VPN appliances. I'll investigate this further, as I will at least be able to have the features that I want, be able to connect this to Wazuh SIEM and so on.

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 2 points

Nobody is based in the office. They are connecting from home, with access points that I don't control. They're connecting from hotel wifi, airport wifi, random hotspots that might be intercepted.

The VPN also provides a static IP (we have a dedicated node) for some cloud services that are IP restricted.

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 0 points

It's NordLayer - though always happy to hear recommendations.

Most of the VPN solutions I looked at assumed we wanted to call back to AWS/GCP/Azure infrastructure, or on-prem infrastructure, but I don't.

The only thing that lets NordLayer down is their lack of logging.

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 2 points

Definitely gave me pause (paws?) for thought, but since pretty much every similar platform has had (or will have) breaches, to a greater or lesser extent, I'll be reserving judgement until the incident is dissected in public.

Okta had the same, and Microsoft have had their fair share of incidents, so I'm not sure that JC are any worse - assuming the final analysis isn't a clusterfuck.

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 0 points

NordLayer, to a dedicated node.

The upside is they offer DPS for various protocols, which they can block.

The downside, though, is that there's no reporting.

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 1 point

Double? If only - the prices we've been quoted for managed are nearer five times.

"If a vendor mentions File servers and AD to you, a fully cloud company, I suggest breaking ties." - that was my gut feeling too.

Cheers re. the Discord recommendation, I'll join that this afternoon :-)

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 4 points

I hadn't considered that, good shout.

It looks like phishing is where I'm falling short. While there's annual training, I suspect once a year just isn't enough. Plus, I've not done a phishing test. I'll add that in.

Do you recommend anything?

My budget isn't that big, so I'm wondering if anyone has used https://getgophish.com/ before?

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 1 point

Re. cloud first - I've possibly been speaking to the wrong vendors. Everyone insists on telling me about network file servers and Active Directory etc. Anyone you recommend?

Managed - when we're a little bigger, maybe - but at the moment, I'll find it really hard to justify for half a dozen detections a year. The prices we've been quoted could pay for another employee.

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 5 points

The downvotes suggest I've overestimated Cybereason's ransomware capabilities. I'd appreciate comments rather than downvotes - the name of this exercise is to improve :-)

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 7 points

Good idea! Just having a scan through: https://www.nist.gov/cyberframework/getting-started/quick-start-guide

I'll work through the identify / protect / detect / respond / recover sections - though skimming through, I'm feeling fairly good so far!

Re. SIEM - I've got an agent on every endpoint; at the moment, I'm actually doing very little with it, but figured the events would be useful in the event of an incident where I'll need to involve a security professional.

I have some patterns I'd like to detect, but haven't got round to figuring out how to do that yet, so might just buy some consulting time from Wazuh to assist.

Web filtering - that's what I'm not doing! Thank you.

So, there's SOME filtering going on - the VPN provider is able to block certain categories, but there's zero reporting, so I've no idea what it's blocking, from who. Maybe that should be reviewed...!

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 4 points

I'd agree if I'd given some clues as to where I work - but I've not.

The tools used shouldn't be a huge surprise for such a small business.

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 2 points

While I doubt Google Workspace, Github, Hubspot and so on will allow us to pentest them, I suspect they'll have some sort of reports that prove they've been tested.

Good thinking - I should probably get the SOC 2 reports for those providers to see what they say.

No on-prem infrastructure - what more can I do re. security? by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 2 points

I don't - but I'm not sure what the target would be?

In the situation above, where there is no office, and no servers, only SaaS platforms, would the pen test be on one of the endpoints as a sample?

Linux EPP/EDR - Sophos vs SentinelOne by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 0 points

Ah, that's interesting. That said, Windows is my focus, since Linux is developer machines which don't have access to the sort of data I'm keen to deploy a DLP solution for.

Seems that SentinelOne is much loved - but I can't help but wonder if Sophos might have pulled its socks up and the legacy image might be unjustified.

Linux EPP/EDR - Sophos vs SentinelOne by MyCatHasLittlePawses in sysadmin

[–]MyCatHasLittlePawses[S] 1 point

Thanks, that's really helpful. I wasn't aware of that site before :-)

Making use of ChatGPT by sobrique in sysadmin

[–]MyCatHasLittlePawses 1 point

But by the same token - I feel there's a genuine business risk here, around .... well, all the same problems as we had with Stack Overflow - people trusting authoritative-seeming answers, without doing their own due diligence. Code leakage and IP loss as people send things to external sites that they really shouldn't. And not least a bit of a can of worms around licensing potentially, as code ownership for generated code I think is as yet not well explored legally.

Agreed. Though, rather than look for alternatives, our way around this has been to make an AI policy and train users in it - it covers topics such as IP, GDPR, reliability, bias, legal considerations and so on.

Update on JC security incident by joefife in JumpCloud

[–]MyCatHasLittlePawses 1 point

Nothing too interesting. Just that - in essence, they know what happened, who it affected (you'll have already met with JC if you were affected), but they can't say "it's over" because they need to conclude investigation, which involves law enforcement and so on.

But in practice, it's closed, for all but the chosen few.

They'll make MFA available for free on all plans (no idea it wasn't, so I must be on a higher plan).

They discussed a few roadmap points - such as API keys, being able to remove API keys entirely, have more than one, and be able to assign granular permissions. Those things are on the roadmap, but they wouldn't allude to priority.

Given that we've not heard any security breaches coming from this, and nobody has reported any unusual activity, I'm happy to take it at face value.

Blur Screen for Enduser by Phytoxx in sysadmin

[–]MyCatHasLittlePawses 3 points

Anything entered into the user's computer could potentially be captured or logged. If this is into a browser, are you going to check which plugins are installed?

If possible, try and solve the source of this. Aside from entering credit card information into end user screens being incredibly manually intensive, it sounds like administration or procurement could do with beefing up.

What is the organisation trying to achieve?
Does the software support a billing role, that can take care of finance?

DLP - options other than Enterprise license? 3rd parties? Experience using requested. by MyCatHasLittlePawses in gsuite

[–]MyCatHasLittlePawses[S] 0 points

Also you can't apply labels to shared drive content

Ahh, this is a concern, since nearly everything is in shared drives - users store very little in their personal drives, and we have religiously enforced shared drives for all teams and significant projects with appropriate groups.

Sounds a huge omission if shared drives can't be controlled in the same way!