Security is on everyone's brain these days after the high profile breaches at Target, Sony and Home Depot -- recent news indicates the latter company had to spend north of $43 million in just one calendar quarter as it cleans up the mess the breach left. You might be asking yourself what you can do to make sure your network is as safe as possible from what happened to these victims.
Keep in mind of course that security is a process, not a destination. You will never reach a point at which you are totally secure. You can't check a box and say you are safe from all vulnerabilities and exploitations. Rather, you engage on a never-ending journey to be one, two, three steps ahead of the nefarious underbelly of the Internet and hope that by closing loopholes and patching security holes, you will become more of a nuisance to a hacker than is worth his time, and he will move on to easier, less time intensive targets.
Penetration testing with Metasploit
Metasploit is an exploitation framework used for penetration testing: attacking your own systems, with authorization, to find the weak spots an adversary would use. It ships with a large library of exploit modules for publicly known vulnerabilities in operating systems, line-of-business applications, utilities and more, so you can test your network and servers against the same confirmed holes an attacker would try.
Once an exploit has "opened a hole," so to speak, Metasploit delivers a payload: the code that actually runs on the compromised host. The best-known payload is Meterpreter, an in-memory agent that amounts to a remote administration console for the attacker. It can take screenshots, upload and download files, edit the registry, dump the local password hashes, switch on an attached webcam and more. You can also supply your own payload to run a custom test against your systems.
The Metasploit Framework is free and open source, and Rapid7 sells a Pro edition with additional functionality. Netcat is another tool that professional penetration testers lean on, but it is a general-purpose TCP/UDP utility (port checks, banner grabbing, simple listeners and reverse shells) rather than an exploitation framework, so it complements Metasploit rather than replacing it. In either case, start learning to run penetration tests against your own network; I suspect you will discover that your current security posture is far less resilient than you assumed.
Security hardening tactics
Aside from penetration testing, here are some of the dials and knobs to twist when hardening Windows servers in particular.
- Is an audit policy enabled and configured, so that logon, account management and object access events are recorded for both success and failure?
- Is a password policy in place, including minimum length and complexity requirements?
- Is Remote Desktop Protocol encryption set to High (or FIPS), with TLS as the security layer and Network Level Authentication required?
- Have you removed the ability for anyone outside your security boundary to connect directly to internal machines, both by fronting them with a proxy and by closing inbound port access to them at the edge?
- Has the Microsoft Baseline Security Analyzer been run on this server, and have its findings and action items been recorded and applied? MBSA is no longer maintained, so pair it with a current baseline such as the Microsoft Security Compliance Toolkit.
- Have you blocked members of the local Guests group from reading the Application, Security and System logs?
- Have you increased the maximum size of the Security log to at least 100 MB?
- Do you retain Security events for at least two weeks, to give you a chance to reconstruct an attack before its evidence is overwritten? A circular log simply overwrites the oldest events once it is full, so size it accordingly, or better, forward events to a central collector that keeps them longer.
- Have you installed and configured host-based intrusion detection or file integrity monitoring such as Tripwire?
- Do your servers encrypt their system and data drives with BitLocker or another full-disk encryption product, so their contents cannot be read by unauthorized people if a disk is removed or a machine is stolen?
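The checklist above can be turned into a repeatable, read-only audit. The script below is an added example written for this page; it is not part of the original article and is not a Microsoft tool. It assumes Windows Server 2012 R2 or later, an elevated PowerShell session, and that the BitLocker and NetSecurity modules are present (the BitLocker check reports rather than fails if the module is missing). The thresholds it applies (14-character minimum password length, 100 MB Security log, 14 days of retained events) are assumptions chosen to match the checklist; adjust them to your own policy.

```powershell
# Added example (not from the original article): read-only audit of several checklist
# items on the local Windows server. Run elevated. Thresholds are assumptions noted inline.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# 1. Audit policy: flag any subcategory in these categories still at "No Auditing".
foreach ($cat in 'Logon/Logoff', 'Account Logon', 'Account Management', 'Object Access') {
    $out = auditpol /get /category:"$cat" 2>&1 | Out-String
    $unaudited = @(($out -split "`r?`n") -match 'No Auditing')
    $ok = ($LASTEXITCODE -eq 0) -and ($unaudited.Count -eq 0)
    Add-Finding "Audit policy: $cat" $ok "$($unaudited.Count) subcategories not audited (auditpol exit $LASTEXITCODE)"
}

# 2. Password policy: export the local security policy and read the [System Access] values.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$pol = @{}
Get-Content $cfg | ForEach-Object { if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $pol[$Matches[1]] = $Matches[2] } }
Remove-Item $cfg -ErrorAction SilentlyContinue
$minLen = [int]$pol['MinimumPasswordLength']
Add-Finding 'Password minimum length >= 14 (assumed baseline)' ($minLen -ge 14) "MinimumPasswordLength=$minLen"
Add-Finding 'Password complexity enabled' ($pol['PasswordComplexity'] -eq '1') "PasswordComplexity=$($pol['PasswordComplexity'])"

# 3. RDP: encryption level High (3) or FIPS (4), TLS security layer (2), NLA required (1).
try {
    $ts = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Add-Finding 'RDP encryption level High or FIPS' ($ts.MinEncryptionLevel -ge 3) "MinEncryptionLevel=$($ts.MinEncryptionLevel)"
    Add-Finding 'RDP security layer is TLS' ($ts.SecurityLayer -eq 2) "SecurityLayer=$($ts.SecurityLayer)"
    Add-Finding 'RDP requires NLA' ($ts.UserAuthenticationRequired -eq 1) "UserAuthenticationRequired=$($ts.UserAuthenticationRequired)"
} catch { Add-Finding 'RDP settings' $false "Win32_TSGeneralSetting unavailable: $($_.Exception.Message)" }

# 4. Event logs: Guests blocked from the three classic logs; Security log at least 100 MB.
foreach ($log in 'Application', 'Security', 'System') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    $rga = (Get-ItemProperty -Path $key -Name RestrictGuestAccess -ErrorAction SilentlyContinue).RestrictGuestAccess
    Add-Finding "Guests blocked from $log log" ($rga -eq 1) "RestrictGuestAccess=$rga"
}
$sec = Get-WinEvent -ListLog Security
Add-Finding 'Security log max size >= 100 MB' ($sec.MaximumSizeInBytes -ge 100MB) ("MaximumSizeInBytes={0}; LogMode={1}" -f $sec.MaximumSizeInBytes, $sec.LogMode)

# 5. Retention: measure how far back the oldest Security event actually reaches.
#    (A freshly built server will fail this until it has been running for two weeks.)
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
$span = if ($oldest) { (Get-Date) - $oldest.TimeCreated } else { [TimeSpan]::Zero }
Add-Finding 'Security log holds >= 14 days of events' ($span.TotalDays -ge 14) ("Oldest event is {0:N1} days old" -f $span.TotalDays)

# 6. BitLocker on every volume the module reports (system and data drives).
try {
    foreach ($vol in Get-BitLockerVolume) {
        $encrypted = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
        Add-Finding "BitLocker on $($vol.MountPoint)" $encrypted "VolumeStatus=$($vol.VolumeStatus); ProtectionStatus=$($vol.ProtectionStatus)"
    }
} catch { Add-Finding 'BitLocker' $false "Get-BitLockerVolume unavailable: $($_.Exception.Message)" }

# 7. Host firewall enabled in every profile, with inbound traffic not allowed by default.
foreach ($p in Get-NetFirewallProfile) {
    $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
    Add-Finding "Firewall profile $($p.Name)" $ok "Enabled=$($p.Enabled); DefaultInboundAction=$($p.DefaultInboundAction)"
}

# Failed checks first, so the list reads as a to-do list.
$findings | Sort-Object Pass | Format-Table -AutoSize
```

Nothing in the script changes configuration; it only reads policy and reports. Items it cannot cover (running MBSA, the proxy and edge-firewall question, deploying Tripwire) still need to be checked by hand, and the audit-policy check is deliberately coarse: it flags any subcategory at "No Auditing" rather than enforcing a specific success/failure matrix, which belongs in your own baseline.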
Think beyond the machines
There is more to cybersecurity and resiliency than patching and firewalls. A security mindset is required of every department and every employee that touches the network.
Resiliency requires your organization to:
- Have a considered security policy that is frequently updated in order to account for new applications, new businesses, a change in your environments, and more. This security policy should always speak to the primary objective of protecting your five to ten most important business assets.
- Continually perform testing, both from a security point of view and also from a disaster recovery perspective.
- Manage breach expectations and response, acknowledging that you probably will be hacked at some point. How will you respond to such a breach and manage its fallout? Have these discussions ahead of time.