Blog

Archive for May 4th, 2020

Cloud Security Features Don't Replace the Need for Personnel Security Capabilities, (Tue, May 5th)

We received excellent comments and a question regarding cloud security features from an ISC reader today that we thought was important to share broadly. We’d certainly like to open this up to reader comments, insights, and feedback. 

“With Azure adding to their security offerings, is the trend for more companies to start offloading their security needs to Microsoft?  With Microsoft security & compliance, companies would rely more on Microsoft recommendations and alerting. Why even go through security learning when Microsoft would be handling the entire stack?”

My response to this follows, please note that I work at Microsoft, and that our replies are not exclusive to the Azure cloud:

“The continued growth of security features in Azure are intended to be of increased benefit to customers and their protection, but not supplant or replace their ongoing need to understand and apply security practices and learning. Organizations utilizing Azure are able to leverage these tools to greater affect but can’t do so in the absence of understanding the same security principles that apply to on-premises computing. Yes, the technology and landscape are evolving but the core tenets of asset management, vulnerability management, secure configuration, security assessment, monitoring, analysis, and incident response all remain valid and true. Just because the likes of Microsoft Defender Advanced Threat Protection or Azure Sentinel exist for Azure resources and Microsoft customers doesn’t mean you don’t have to know how to utilize them effectively. Different tech, different landscape, same principles.”

Another handler replied as well:

“My organisation does a lot of work within the various Microsoft stacks and unfortunately the assumption is often that Microsoft is taking care of it all, which unfortunately is not the case.  The tools that people are being provided with are improving. What is available at your particular license level is different to what it was a few years ago, even a few months ago. However the same security principles people were applying previously still apply. If you had an on-prem SIEM that nobody looked at, having Sentinel and nobody looking at it will have the same end result. The tools are available, but they can still be implemented insecurely.”

Key Takeaways

  1. Yes, cloud security features are constantly being added and improved.
  2. No, they do not replace your need for understanding and continued learning of security best practices, configuration, implementation, and analysis.
  3. Yes, these insights apply to all cloud providers with security features offered as part of their platforms.
  4. No, you should not assume that your cloud provider is “taking care of it for you.”

Again, cloud security features !=≠ personnel security capabilities, those are still up to you and your teams.

Cheers…until next time.

Russ McRee | @holisticinfosec

 

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Sysmon and File Deletion, (Mon, May 4th)

A new version of Sysmon was released, with a new major feature: detection of file deletion (with deleted file preservation).

Mark Russinovich explains this in detail in the following video:

So a new event is recorded (ID 23: FileDelete) whenever a file is deleted, and a copy of the deleted file can be preserved inside an archive directory (per volume).

Sysmon will also detect file shredding. I wanted to test this, and of course, I used Sysinternals’ own sdelete.

I used the following basic configuration (don’t use this on production systems, this will archive all deleted files):

 
   
   
 

With this command: Sysmon.exe -i config.xml -a sysmondelete

Here is the event for the deletion of file.txt (a copy of notepad.exe):

So the file shredding and deletion was detected and reported, but unfortunately, Sysmon did not detect the shredding early enough to be able to preserve the original file. The shredded file contains only 0x00 bytes, and was therefor not archived.

As Mark mentioned in his video, there might be circumstances where deleted files can not be archived. He used a custom tool to show this, so I also made my custom tool do reproduce his examples.

When my custom tool shredded a file byte per byte, Sysmon could not preserve the file prior to shredding. But when my tool shredded file.txt (e.g. notepad.exe) in blocks of 1MB (or smaller if the file itself is smaller than 1MB), then it worked:

The file shredding was detected, and a copy of the intact file was made:

The file deletion was also detected, but since this is now a file filled solely with 0x00 bytes, an archival copy was not made:

 

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) →

Cyber Security Tips for Working Remotely

One of the primary methods for reducing the spread of the novel Coronavirus, COVID-19, is social distancing.  For many people that means working from home instead of going into the office.  As the Nevada stay-at-home order extends into May, it’s important to continue to keep cybersecurity in mind.  Malicious actors are still trying to take advantage of the fear and uncertainty surrounding this pandemic.  Here are a few tips to help you stay cybersafe while working from home:

  • First and foremost, ensure your operating system (Windows, MacOS, Linux, etc.) is up to date
  • Make sure your anti-virus/anti-malware application is installed and up to date.
  • Ensure your Wi-Fi connection is secure.  For tips on how to do that, check out this article from Wired magazine: https://www.wired.com/story/secure-your-wi-fi-router/.
  • As always, remember to stop and think before you click a link, or provide confidential data over the phone.  Malicious actors are building websites about COVID-19 to manipulate people into clicking on malicious links or giving up personal information.

For more on staying #CyberSafe when working remotely, check out the Internet Security When You Work From Home course from KnowBe4.com.  Be #CyberSafeNV and we’ll get through this together!

Posted in: Individuals, Securing the Human

Leave a Comment (0) →