Terminal Security Survival Guide (4)-- Security configuration Management

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Security configuration management

Default configurations are tuned for maximum availability and minimum security.

Hardening the default configuration prevents many endpoint security incidents, and every compliance policy begins with out-of-the-box guidance, so this is a reasonable starting point.

Security configuration management guidelines:

A. The correct configuration changes over time: there are millions of ways to configure a system, and the right combination of security, availability and performance usually requires judgment that keeps pace with the times, unless your standard is legally mandated and immutable. Don't laugh; it is a viable choice.

B. The endpoint security policy needs periodic re-evaluation: even if countless meetings produced the best possible configuration, it goes stale when the business and its tasks change, when software is updated, or when a new exposure is detected, and the policy must then be updated accordingly. This is usually tied to the annual audit, but when an important business change occurs it needs to happen in real time.

C. Unnecessary services and ports are dangerous: use application and service discovery to start removing anything unrelated to the business. Unwanted web servers, unauthorized file-sharing software, media players and unused programs all need to be found and shut down.

D. Users and their access: user credentials have become the new target in today's threat storm. Attackers frequently track accounts and credentials that are available but neither closely monitored nor actively used. Once these accounts and credentials look legitimate, they easily evade detection because their activity blends in with normal business. Attackers use a variety of techniques to steal employees' credentials so they can reach the company's systems and networks. Sophisticated phishing campaigns can trick even the most suspicious users into entering their credentials on fraudulent websites, and advanced malware lets cybercriminals capture employees' credentials as they are typed on infected endpoints. What's more, cybercriminals do not even need to go through the company's employees to obtain company credentials: reusing company credentials on third-party sites is common, so some criminals focus on stealing login credentials from those sites through social engineering, which gives them a ready path into the company's systems.

Another worry is that when employees leave, accounts that are not removed in time will be abused by insiders or external actors; for example, a disgruntled employee whose contract was terminated may still be able to access the company's systems remotely. There are many potential problems.

BOOT CAMP

1. Standard operating procedures: harden your software platforms and software through standard procedures. The goal is to provide an enumerated set of settings that every system administrator can implement. Validating the procedure against security best practices, such as the CIS benchmarks, also makes standardization easier. Every organization has exceptions: the CEO may insist on using a Mac, or the marketing department may require new editing software. Make sure every exception has a standard configuration, a named owner and an expiration date, and is re-evaluated and reviewed when it expires.

2. Use a secure golden image: new systems should be built from a standard, managed image. If a system is compromised, the most common, fast and easy remedy is to rebuild it from the secure image instead of spending a lot of time manually repairing the endpoint. Make sure deployments of these system upgrades are authorized, so that the changes are tied to documentation naming the owners and responders.

3. Old software: one of the most important considerations for your security posture is choosing good tools and applications that can run in your environment. Many attacks exploit old vulnerabilities in the OS or in deployed software. It is very important to check the vendor's updates and patches and all security advisories for old software, and to make sure every potential vulnerability is flagged, noting what must be mitigated by means other than patching. Choosing a standard set of applications also lets your routine software audits detect anomalies and unauthorized installations.

4. Monitor who has "come in": administrator and endpoint accounts need careful monitoring, and can be used to audit and create relevant rules. Set up automatic alerts that flag the activity of those authorized accounts, set policies that require users to change their credentials regularly, and train users through periodic security awareness training.

5. Use secure communications: unencrypted communications and credentials can be intercepted and replayed by others, so make sure remote protocols use strong encryption. If strong encryption is not available for an application, you may need to seriously consider removing it from the authorized list or taking other measures to harden the asset, including the associated networks and endpoints and mandatory access control on the server.

ADVANCED TRAINING (monitoring everything)

6. Monitor all changes: now that you have clearly defined the security baseline for system configuration, look at each asset type and monitor all system changes against that baseline (for example with Tripwire Enterprise), so that routine business changes are promoted automatically and authorized non-routine business changes are permitted.

7. Monitoring everything, including OT and IIoT devices, is a challenge because OT hardware often uses proprietary protocols; your SCM tooling has to understand these to learn the devices' capabilities and state, and OT, IIoT and IoT device monitoring must be covered as well.

8. Alerts for administrator accounts: monitor network events and raise an alert when a spoofed or blocklisted IP is detected. Combine network and system events to track activity that may be unauthorized or that indicates a compromised system.
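The following is an added example (not code from the original article or from Tripwire) that ties step 1 and step 6 together: a host's observed settings are compared against a baseline, and deviations are excused only by an exception that names an owner and has not passed its expiry date. The setting names, values and dates are constructed for illustration.

```python
"""Baseline drift check with an exceptions register (added example, not
from the original article or Tripwire; all names and values constructed)."""
from datetime import date

# Constructed security baseline: setting -> expected value.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "smb.server.enabled": "false",
    "firewall.inbound.default": "deny",
}

# Constructed exceptions register. As the guideline requires, every
# exception records the approved value, an owner and an expiry date.
EXCEPTIONS = {
    "smb.server.enabled": {
        "value": "true", "owner": "marketing-it", "expires": "2025-06-30"},
}

def check_drift(observed, today, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Compare one host's settings with the baseline; today is an ISO date.
    Returns {'drift': [(key, expected, actual)],       # no valid exception
             'expired': [(key, owner, expiry)],        # exception overdue
             'missing': [key]}                         # not reported"""
    today = date.fromisoformat(today)
    result = {"drift": [], "expired": [], "missing": []}
    for key, expected in baseline.items():
        if key not in observed:
            result["missing"].append(key)
            continue
        actual = observed[key]
        if actual == expected:
            continue
        exc = exceptions.get(key)
        if exc and exc["value"] == actual:
            if date.fromisoformat(exc["expires"]) >= today:
                continue  # approved, owned and not yet overdue
            result["expired"].append((key, exc["owner"], exc["expires"]))
        else:
            result["drift"].append((key, expected, actual))
    return result

# Constructed snapshot collected from one host.
HOST = {
    "ssh.PasswordAuthentication": "yes",
    "ssh.PermitRootLogin": "no",
    "smb.server.enabled": "true",
}
```

Run the check on a schedule with the current date; an entry under `expired` is the trigger for the re-evaluation step 1 calls for.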
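As an added example of the alerting described in steps 4 and 8 (not code from the original article or from Tripwire), this runs three checks over constructed logon records: a blocklisted source IP, a successful administrator logon from outside the expected admin network, and repeated administrator logon failures. The log format, account names, networks and addresses are all constructed assumptions.

```python
"""Alerting on administrator logons (added example; not from the original
article or Tripwire). Log format, accounts and addresses are constructed."""
import ipaddress
from collections import defaultdict

ADMIN_ACCOUNTS = {"administrator", "svc-backup"}
# Constructed: the only network administrator logons are expected from.
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]
# Constructed blocklist, e.g. fed from threat intel or firewall denies.
BLOCKLIST = {"203.0.113.77"}
FAIL_THRESHOLD = 3

def parse(line):
    """Constructed format: '<ISO time> <user> <source ip> <SUCCESS|FAIL>'."""
    ts, user, ip, outcome = line.split()
    return {"ts": ts, "user": user.lower(), "ip": ip, "ok": outcome == "SUCCESS"}

def analyse(lines):
    """Return a list of (severity, reason, event) alerts for the given log."""
    alerts, failures = [], defaultdict(int)
    for line in lines:
        ev = parse(line)
        addr = ipaddress.ip_address(ev["ip"])
        if ev["ip"] in BLOCKLIST:
            alerts.append(("high", "logon attempt from blocklisted IP", ev))
        if ev["user"] in ADMIN_ACCOUNTS:
            if ev["ok"] and not any(addr in n for n in ADMIN_NETWORKS):
                alerts.append(("high", "admin logon from unexpected network", ev))
            if not ev["ok"]:
                key = (ev["user"], ev["ip"])
                failures[key] += 1
                if failures[key] == FAIL_THRESHOLD:
                    alerts.append(("medium", "repeated admin logon failures", ev))
    return alerts

# Constructed sample log lines.
SAMPLE_LOG = [
    "2025-01-19T08:01:00 Administrator 10.10.5.12 SUCCESS",
    "2025-01-19T08:02:10 jsmith 10.10.7.40 SUCCESS",
    "2025-01-19T08:05:31 svc-backup 198.51.100.9 FAIL",
    "2025-01-19T08:05:33 svc-backup 198.51.100.9 FAIL",
    "2025-01-19T08:05:36 svc-backup 198.51.100.9 FAIL",
    "2025-01-19T08:07:02 Administrator 203.0.113.77 SUCCESS",
]
```

In production the alerts list would be forwarded to the SIEM as events, which is where step 9 correlates them with change alerts.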

COMBAT READY

9. Comprehensive analysis: unauthorized system change alerts are sent as events to the SIEM for security event management and correlation, and automatic port and service discovery is also applied to new users.

Complex, conflicting policies can apply to specific combinations of users and endpoints, and you can also monitor the Resultant Set of Policy (RSoP) to calculate the cumulative effect of multiple settings on a Windows endpoint. RSoP is the set of policy settings that actually takes effect for a specific user, whatever the possible combinations. Reconcile these changes automatically: Tripwire Log Center can merge logs and alerts from all exit points, even where these would otherwise require agents and go undetected.

Tripwire Log Center can act as the receiving SIEM, log analysis system and event correlator, which can save money compared with forwarding large volumes of data to SIEM products.
