Hello and welcome to another Community Wisdom !
We took our community’s questions and asked our most experienced readers to offer up their pearls of wisom. SecPro Community Wisdom will arrive in your inbox every first and third Thursday to help our community grow, share ideas, and help everyone step up their cybersec game. When we do that as a community, we can stop the adversary in their tracks.
We had 43 experienced security professionals sharing their experiences this week, so SecPro wants to offer a huge thank you to all our readers for helping out our newer readers.
Top Questions This Week
Q: Can you really prepare for zero-day vulnerabilities?
I think so, by having in place an Information Security Management System (ISMS) in which the organization’s information assets have been reliably identified and the relevant security controls for such incidents have been implemented.
Remember that, at all times, we must address the mitigation of vulnerabilities of this type of incident.
– Antonio, Operations Manager
It’s very hard to to prevent for zero day vulnerabilities but preparing to reduce the attack surface might lead you readiness to zero-day vulnerabilities. If is not discover, does not mean it is not vulnerable.
However, we can use threat hunting to proactively improve security defenses.
– Maher, First Responder in an MSS
Yes, you prepare for anything by knowing everything. If you know what components are required by your architecture, and if your architecture is properly designed, you can turn off minimal functions while waiting for the permanent fix.
– John, CTO
I don’t think you really can but that’s one of the things I look to the newsletters for! I keep things as patched as I can and work to keep unused ports inaccessible but what do you do if a software flaw uses a commonly used port? I think you can only try and minimize what risks you can and monitor news of patches. I try to keep our products as patched as possible.
– Meir, Network Administrator
Q: How can system administrators reduce the risk of an attack? What is the best way for them to support the cybersecurity team?
System administrators can help the cybersecurity team applying the hardening guidelines that we have provided to them and correctly configure any device in order to not generate error events that can mess-up our incident detection system (other than reduce the possible attack surface). The system administrators must follow our patch procedure applying and checking all the patches provided by vendors.
– Danilo, CISO
Tighten your current security system. Your system and all the software your organization uses offer guidelines for maximizing security controls that you should follow. Some are as simple as turning off unnecessary services or using the lowest privileges settings. Use patches. All it takes is a tiny hole in your system for hackers to poke their way in.
It’s critical to run regular scans of your security system and all software to keep them updated with patches. Protect outbound data. Just as you protect your system from incoming malware and bots with a firewall, you need to make sure certain data never leaves your system. It’s important to focus on egress filtering to prevent rogue employees or employees making honest mistakes from releasing sensitive data or malicious software from your network.
– Alain, Cloud Architect
What can a systems administrator do to protect against them? Defending systems against unauthorized access. Performing vulnerability and penetration tests. Monitoring traffic for suspicious activity. Configuring and supporting security tools like firewalls, antivirus, and IDS/IPS software.
For reducing the risk, a Sys Admin can also assess and manage risks, establish extensive cyber security policies, set strict password management rules, secure access to critical systems, separate duties, secure hardware & deploy reliable monitoring solution. However, the best way depends on a case to case basis.
– Avishek, Data Science
System administrator can help cyber security team by working as team during pre/post deployment. I believe the new concept of purple teaming whereby each department sit down together as one to discuss, elaborate, and share experience regarding the impact of having infrastructure without cybersecurity in their mind – not to blame them because they were not cybersecurity aware!
– Maher, First Responder at MSS
Q: Is machine learning a truly applicable solution to modern cybersecurity issues?
Not sure. The term ‘machine learning’ covers many activities. It may detect anomalous activity, but it most likely will not detect heuristic anomalies well. It could be a valuable tool, but only when used alongside capable system administrators and well-trained and well-motivated colleagues.
– Lars, Director
Yes, but within a specific context. The data gathering and data combing (i.e., search through logs for exceptions and anomalies) is best done by a machine that doesn’t get tired. However, that means the organization must first define what parameters must be watched, and what decisions are to be supported. Buying an appliance with ML included doesn’t accomplish what the organization has to do for itself in advance of buying the technology.
– John, Chief Scientist for Cybersecurity
I think it definitely will be as time goes on. Machine learning can run 24/7 and after it truly nails down the patterns of attack can be set to hunt for and install patches and run playbook-like protection measures. It would need the guidance of cybersecurity professionals but would make a great asset.
– Meir, Network Administrator
We are currently levering manual check or chain the findings to different scanner for cross validation. In the future, we can consider feinged the false positive or false negative findings to machine learning models to filter out low risk ones and reduce the load of manual checking or different scanner cross validation.
– Alex Wang, Security Operations
In my experience, that will depend on the maturity level of the organization. The more training you have, the easier it is to identify false positives. It requires the team to be constantly learning and as much as possible with access to state-of-the-art tools for this purpose.
– Antonio, Operations Manager
The business data was covered by another device, and this was attacked (an OpenBSD server) with no success, it was a just a proxy. However since that day everything is logged and if an anomaly is found is considered a possible attack.
My answer is surely incomplete, however, we are a small team, since is a local consultant group, but I am trying to step up my game since there is little to no interest on my state (Mexico) to do something to keep data safe, passwords hashed, software updated, etc.
– Francisco, Business Consultant and Software Developer