Enterprise Technology Generalisations

I’ve waked around one of two organisations, across a load of verticals and well I see people post things online about common technology generalisations and frankly it sometimes leaves me wondering what networks they have been in, but also am I just on another planet? So, I thought I would jot down some notes on common tech I see in orgs during my business travels but also on in the ciberz! It’s not a list of everything I see, it’s just what appears in my head as quite bloody common.

Active Directory Domain Services (ADDS)
Azure AD Connect
Azure Active Directory

I rarely see orgs without an active directory environment (usually they have multiple forests and multiple domains)

Firewalls & VPNs

CISCO ASA
Palo Altos
Sophos UTMs
Checkpoint Firewalls
Juniper
Fortinet Firewalls
Pulse VPN
Windows Server RRAS
SONICWALL
Unifi
Draytek
Watchguard

Switches

CISCO
HP
DELL
NETGEAR

Out of Band Management

HP ILO
DELL DRAC
Intel VPRO

Servers

Web Services

Apache
NGINX
IIS

Database Services

MSSQL
MYSQL/MARIADB

Back Office Applications

SharePoint
.NET apps on IIS
Java apps on Apache/Tomcat

Internet Facing Remote Desktop

Citrix
Remote Desktop Services Web Services
VMware View (VDI)

PC Devices

Mainly Windows PCs
Linux PCs in Development Departments
Some MAC OSX

Mobile Devices

IOS
Android

Cloud Services

Azure
AWS
Office 365
Salesforce
Service Now
Various SMTP Mail Tools

Public Facing Web Services

WordPress
UMRACO

Reverse Proxies and Load Balancers

F5 BIG IP
KEMP
Netscaler
NGINX
Imperva

Backup

ArcSight
Veeam
Datto
Acronis

SAN

DELL EMC
NETAPP
HP

Hypervisors

VMWare vSphere/ESXi
Hyper-V/SCVMM
Nutanix

Instant Messaging and Video Conference

Teams
Slack
Zoom
Webex

AV/EDR

Defender
Defender for Endpoint (MDE)
Sentinel One
Sophos
McAfee
WebRoot
Crowdstrike
CISCO AMP

Telephony

MITEL
AVIA

WAF / CDN

Cloudflare
Amazon Cloudfront
Azure Front Door
Akamai
Imperva
netscaler
F5
KEMP

Proxies

Zedscaler
Squid

Config Management

SCCM/SYSTEMCENTER
WSUS
GPO
Intune

Monitoring

SolarWinds
SCOM/Operations Manager
PRTG

Logging

SPLUNK
Azure Seninel
ARCSIGHT
Event Viewer

Protective DNS

NCSC PDNS
CISCO Umbrella

WIFI

HP Aruba
CISCO Meraki
Unifi Wifi

MDM

Airwatch
Mobile Iron
Intune

Service Management

SYSAID
WhatsUpGold
Manage Engine
Service Now
Remedy
JIRA

Document Management

File Servers
SharePoint
Confluence
WIKI

Business Applications

Sage
Oracle
SAP
Microsoft Dynamics

CCTV

HKVISION
Dahua

FTP

PureFTP
ProFTPD
Filezilla
Solarwinds Serv-U

NAS Storage

QNAP
NetAppFiler
Windows Storage Server

Summary

There we go, a long old list of “common stuff” I see in the networks I’ve been in. will this be the same as your experience? maybe, maybe not. But hopefully it will give people an idea of what is in the world from my perspective (100-10K+ staff orgs largely UK based/global)

Leadership

How to not lose your job as a CISO

A mRr3b00t Adventure

Join me on an adventure of rambling and exploring the idea that you can in fact not lose the security leadership game! This blog is WIP, it’s just my brain wondering around the question of: can we win the in the face of a seemingly insurmountable force? What do we do as a security leader to protect ourselves and the organisation? How do we start?

What did the last person do? (WDTLPD)
Where are all the bodies? (ICDP)
Cover your ass (CYA)
1. Find the really bad gaps, advise the business in writing ensure if they accept the risk this is in a signed document
Understand the constraints
Understand the GAPS
Realise you can’t win everywhere
Don’t f*ck about, your job isn’t to be liked it’s to protect the organisation
The devil is in the detail
Focus on actual likely cyber threats before weird nerd edge cases
There are never only 10 steps (but the NCSC 10 steps aren’t a bad starting point!)
See point 10
If someone is doing an audit/assessment (especially if its regulated) do not obstruct them (thanks @cybersyrupblog for the nudge!)

Getting Started (The first 100 days)

Identify key stakeholders
Understand the business
Understand the money
Understand the current state
Understand the requirements (that’s all of this but it’s important to keep focus)
Work out how to demonstrate and communicate value
Get working on discovery ASAP – you can’t defend what you don’t know about, and you can’t make choices if you don’t know what the options are
Understand the risk appetite and tolerances
Understand the key assets and revenue streams
Understand the laws
Do something useful/valuable
- That means probably both doing lots of discovery and reducing risk somewhere
- No one likes just bad news, find some good news, even if you have to create the good news scenario (you will need friends in the org to achieve this)
Don’t forget to tell people

Initial Discovery

Read all the docs you can
Business Annual Report
Audit reports
Previous pentests (remember the scope was probably gamed!)
Get discovery wheels running
- Technical Discovery
- Maturity Assessments
- Don’t worry if you can’t find everything all at once, look at Zachman and how artists paint pictures, start with a sketch, don’t let perfect be the enemy of better
- Keep adding layers
Talk to people, make friends. HUMINT is key
SIGINT – all orgs have signals they might just not be leveraging them well
Gain access to intel
- Threat intel
- HUMINT
- OSINT
Talk to your team
Talk to your colleagues
Use your network

How you do these types of activities will vary between org and with your own style. You might have a large team, you might not. You might have lots of budget available, you might not. Don’t try and decide there is only one way to lead, this is not true. You need to work the way you need to achieve the mission. This isn’t a textbook, some shit will work in some orgs and won’t in others. Adapt, improvise, and overcome.

Painting a Picture

Where do I start? What model do I use? Is NIST CSF better than CMMC? What about CIS TOP 18/20? What about NCSC CAF? What about one of the other options?

Calm down, it doesn’t really matter which one you pick, they are all a much of a muchness. What matters is that you learn, understand, and communicate.

Some of the key areas to consider

Requirements
Strategy & Architecture
Governance
Portfolio
Operating Model
People and Skills
Finance
Resources
Projects and Change
Communications
Risk Management
Asset & Configuration Management
Vulnerability Management
Patching and Remediation Management
Network Defence
Security Operations
Security Monitoring
Detection
Incident Response
Backup and Recovery
Continual Improvement

Preparing for a really bad day

Your job is to defend against threats and help the organisation manage risk. That means you need to be planning for a really bad day, and helping the organisation realise that with cyber, even the best laid defences can sometimes be pwn3d! So, I’m not going to go into every area of technology and cybersecurity but perhaps consider these areas as a priority!

Backup and Recovery

Are all my business-critical services backed up?
Can the backups be affected if someone r00ts my entire network?
In the event of total loss of network how long will it take me to recover?
Have we implemented the 3-2-1 rule?
Have we tested this?
Have we conducted security assurance?

Incident Response

Have I setup an incident response team?
Have I retained incident response expertise?
- Have I made sure this will be effective?
Have I prepared for major incidents?
Have I prepared for minor incidents?
Have we established “safe” out of band comms? E.g., signal group with key personnel?
Have we prepared an operating base for when a day that is bad?
Do I know what the orgs legal reporting requirements are?
Do I know what the orgs contractual reporting requirements are?

How do orgs usually get pwn3d?

Use threat intelligence and incident knowledge to identify, protect, detect and respond to cyber threats. Make sure you are using intelligence based decisions. You do not want to invest a ton of money on a “magic box” and then have your pants pulled down because RDP was exposed or someone was phished and in an hour someone has gone from initial access to domain admin and has encrypted your backups and your network!

The trial never ends

Today this ends the story… It’s Sunday I’m going to put the keyboard down, but hopefully this helps people think, it’s not a step by step guide (the don’t exist/work) as all things depend, but hopefully it gets people thinking a little.

Other ramblings of mine

mRr3b00t’s little blog about the Cyberz and getting into them! – PwnDefend

Board Level Security Metrics – PwnDefend

Cyber Leadership – PwnDefend

Cyber Security Assesments for Normal People – PwnDefend

Leadership

UK laws and cyber security considerations for business

I am not a legal export! Haha get used to saying that a lot if you work in cyber and are not in fact a legal expert! I wanted to put together a list of common laws that people should be aware of when doing business in the UK, it’s just a starter for 10 and there are likely others, but this should get people started for their security awareness and security policy documentation:

Data Protection Act 2018
Freedom of Information Act
Communications Act
Computer Misuse Act 1990
Investigatory Power Act 2016 (IPA)
Theft Act 1990
Terrorism Act 2000
The General Data Protection Regulation (GDPR)
The Privacy and Electronic Communications Regulations 2003 (PECR)
The Regulation of Investigatory privacy Act 2000 (RIPA)
Official Secrets Act 1989 (OSA)
Companies Act 2006
Copyright and Design patents Act 198
Trademarks Act 1994
The Malicious Communication Act 1988
Forgery and Counterfeiting Act 1981
Police and Criminal Evidence Act 1984
Contracts (Rights of Third Parties) Act 1999
Fraud Act 2006
Network and Information Systems Regulations 2018 (NIS)
Telecommunications (Security) Act 2021
The Bribery Act 2010
Freedom of Information Act 2000
Defence of the Realm Act 1914

can you think of any others that I should add?

Thanks Gary and Kevin and the other AVIS I can’t name for inputting!

Education

Information Security Risk Management

I wrote this in 2018 and don’t believe it ever made it to the interwebs, so I’m basically posting as is with an extra section for some useful links! Hopefully it still stands the test of time!

Risk Management doesn’t have to be risky!

Risk assessments are complex, they require cross domain knowledge and generally do not deal in absolutes. Threats, vulnerabilities and asset intelligence is combined, weighed and assessed, leading to the construct of a risk assessment document. It can be easy to overcomplicate this process, which in turn (in my experience) often leads to far wider reaching consequences (the business starts to bypass security management or take short cuts), so I thought I would write a short post to clarify what I’ve seen work out in the field. So, to start with let’s try and align on what exactly a risk is.

Defense

Broadband Routers

When it comes to digital technology, we have to consider many things.

Availability, Confidentiality, and Integrity are good building blocks for considerations. We can probably split this into two major views to start with:

What does a typical consumer care about?
What security and privacy considerations could be made?

A typical consumer may be about:

Availability
Cost
WIFI Coverage
Performance
Ease of Use
Ease of Support/Troubleshooting
Style/Looks
What happens if it breaks?
Can I stop my kids messing with it? (Probably not so why bother)

Leadership

Organisational Approach to Technology and Security

How an organization approaches the challenge of technology and security management, well that’s the difference between leveraging technology to deliver value efficiently and effectively vs technical debt and inefficient deployment of technology which may hinder the organisation in its pursuit of its mission.

When we consider how technology is managed, we need to look at it from multiple viewpoints with different views:

Read more Organisational Approach to Technology and Security” →

Vulnerabilities

Exchange Emergency Mitigation (EM) service

Yesterday I created a honeypot running Exchange 2019 in the lab. I configured very little and setup a test rule as per the MS blog to stop the SSRF from the “Autodiscover” endpoint to the Powershell function call. I put a custom response with some humour (coz why not!) but I disabled the rule:

This rule was placed in the Autodiscover virtual directory which in Exchange by default is here:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config

My custom rule:

<rules>

</conditions>

</rule>

</rules>

</rewrite>

This morning I checked the Honeypot, and I found the following:

Graphical user interface, text, application, email

Description automatically generated

This rule is hosted in:

C:\inetpub\wwwroot\web.config

<rules>

</conditions>

</rule>

</rules>

</rewrite>

As you can see this was modified at 03:21 01/10/2022

Graphical user interface, text, application

Description automatically generated

This comes from:

Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn

“Exchange Emergency Mitigation (EM) service”

Text

Description automatically generated

You can check if this is enabled by running the following PowerShell:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; 

Get-OrganizationConfig | Select-Object MitigationsEnabled

So here we can see that with this enabled, the Exchange server will download and deploy the HTTP re-write rules automatically (if the server has the required version/config etc.)

You can enable or disable it with the following:

Set-OrganizationConfig -MitigationsEnabled $true
Set-OrganizationConfig -MitigationsEnabled $false

You can check this feature works using the following (modify path as required for relevent exchange version)

. "C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Test-MitigationServiceConnectivity.ps1"

Check the MS docs and check your Exchange Server version to see if you have this feature etc.

GCM exsetup |%{$_.Fileversioninfo}

You learn something new everyday!

Leadership

mRr3b00t’s little blog about the Cyberz and getting into…

Where to start!

Everyone loves talking about how to get into Cyber! It’s like the cliché thing to talk about! Hell, there’s people who have been in jobs for minutes writing guides, It’s odd… my advice, gardening! Seriously you will see the outside, will learn skills that are useful and keep physically fit! Wait you still want to cyber? You sure? Ok there’s some super awesome fun parts of cyber, not going to lie, it sounds super cool! What do you do? I’m a CYBER! See cool AF!

Breach

NHS 111 Supply Chain Cyber Attack Summary – events…

NHS Supplier Cyber Incident 4^th August 2022

Cyber incidents are never nice, I wasn’t exactly overcome with joy when I say there was a cyber attack on an NHS supplier on the 4^{th of} August 2022. There’s still lots of unknowns with the scenario, it’s impacts and how this will play out. I’m always cautious to speculate too much however cyber incidents aren’t magic, they are usually bound to certain patterns. A week ago this was reported as likely being restored by Tueday, since then there’s been another press release and now even more articles in the maintream media. I am however not convinced with the press release contents, I’m also unsure as to why there isn’t a more concise view… something doesn’t seem to add up, my spider sense is tingling. So, here’s my star gazing (experienced based) view so far.

Guides

Enable Number Matching in Azure MFA

Introduction

MFA was the “silver bullet” but friction and security kind of go hand in hand, the idea of a push notification and simple “authorise” is great in theory, but in practise it is vulnerable to brute force and human error. In this post we are going to check out enabling number matching authentication in Azure.

This is just one configuration option, as you can see there are loads of options for methods and specific configurations. Bear in mind the pros and cons for each one, for example SMS based 2FA can be vulnerability to SIM swapping attacks. I’m going to focus on Number Matching in Authenticator for this post: Read more “Enable Number Matching in Azure MFA” →

Identity management

Firewalls & VPNs

Switches

Out of Band Management

Servers

Web Services

Database Services

Back Office Applications

Internet Facing Remote Desktop

PC Devices

Mobile Devices

Cloud Services

Public Facing Web Services

Reverse Proxies and Load Balancers

Backup

SAN

Hypervisors

Instant Messaging and Video Conference

AV/EDR

Telephony

WAF / CDN

Proxies

Config Management

Monitoring

Logging

Protective DNS

WIFI

MDM

Service Management

Document Management

Business Applications

CCTV

FTP

NAS Storage

Summary

The 10 Steps (why ten? Who knows)

Getting Started (The first 100 days)

Initial Discovery

Painting a Picture

Some of the key areas to consider

Preparing for a really bad day

Backup and Recovery

Incident Response

How do orgs usually get pwn3d?

The trial never ends

Other ramblings of mine

Risk Management doesn’t have to be risky!

When it comes to digital technology, we have to consider many things.

Where to start!

NHS Supplier Cyber Incident 4th August 2022

Introduction

NHS Supplier Cyber Incident 4^th August 2022