What upcoming changes to the security landscape should be taken into account?
With the current global crisis spreading into many areas of information technology, it is crucial to understand how security-related areas are affected and what that means for the entire IT industry.
Remote access to network resources increases the load on both new and existing tools that allow most activity to be performed remotely (to grasp the possible scale of impact, read, for example, about the recent Zoom service controversies).
Below are some pieces of advice on what security challenges to expect and what they could mean for network monitoring.
Follow CVE registry entries
The Common Vulnerabilities and Exposures database (CVE) is a good place to check for notices on the software you use. Try entering any term in the search field (e.g., “miner”) to see how it works.
By using HTTP(S) or Web Transaction monitors, one can watch the CVE search output for possible indications of a vulnerability. If a more detailed report is necessary, the “Script or Program” monitor can be used to detect an increase in the number of reported issues related to a piece of software.
Detect weak ciphers from the pre-TLS v1.3 era
TLS v1.2 (the transport security protocol in use for more than 10 years, encrypting data in transit for HTTPS and other protocols) has certain inefficiencies and possible vulnerabilities that are addressed in TLS v1.3, a faster and more secure version of the protocol.
Read the blog post describing how to detect the TLS version for a given site. The same approach can be used for any other TLS-based protocol, such as mail-related ones (SMTP, POP3, IMAP4). By analyzing the TLS version and the ciphers and related technologies in use, you can detect possible vulnerabilities in advance. Contact us if you need assistance in building a monitor that detects weak ciphers.
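As an added illustration of such a monitor (example code, not from the original post or the monitoring product it describes), the script below attempts one handshake per TLS version against a host and flags legacy versions and weak cipher names; the version cut-off and the cipher-name markers are assumptions you may tune to your policy.

```python
"""Probe which TLS versions a server accepts and flag legacy versions / weak ciphers.
Assumes Python 3.7+ with an OpenSSL build that exposes ssl.TLSVersion."""
import socket
import ssl
import sys

# Version names as reported by SSLSocket.version(), paired with the enum used
# to pin a handshake to exactly that version.
VERSIONS = [("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
            ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3)]
LEGACY_VERSIONS = {"TLSv1", "TLSv1.1"}  # assumption: anything older than 1.2 is flagged
# OpenSSL cipher-name fragments that indicate a weak or deprecated suite (assumption).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def classify(version, cipher):
    """Findings for one negotiated (version, cipher) pair; an empty list means acceptable."""
    findings = []
    if version in LEGACY_VERSIONS:
        findings.append("legacy protocol %s accepted" % version)
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher %s negotiated under %s" % (cipher, version))
    return findings


def supported_versions(host, port=443, timeout=5.0):
    """One handshake per TLS version; maps version name -> cipher name, or None if refused."""
    results = {}
    for name, ver in VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # we test the handshake, not the certificate chain
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0]
        except (ValueError, OSError):  # version unsupported locally, refused, or unreachable
            results[name] = None
    return results


def findings_for(results):
    """Apply classify() to every accepted version; an empty list means nothing to alert on."""
    out = []
    for version, cipher in results.items():
        if cipher is not None:
            out.extend(classify(version, cipher))
    return out


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tls_probe.py HOST")
    res = supported_versions(sys.argv[1])
    print(res)
    print(findings_for(res) or ["no legacy versions or weak ciphers detected"])
```

The cipher reported for each version is the one this client's default cipher list negotiated, not the full server list, so a clean result means "no weak suite preferred", not "no weak suite offered"; a non-empty findings list is what a Script or Program monitor would turn into an alert.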
Automate IDS report analysis
Watching for possible security issues manually is no longer feasible; the situation requires both quick detection of and quick reaction to emerging threats.
Thus, if either traditional (such as logwatch, AIDE) or advanced (such as Snort) intrusion detection systems (IDS) are in use, the Syslog monitor can be used to generate an alert as soon as the IDS detects a threat.
Note that the same approach can be applied to any security-related software used to proactively prevent attacks (such as fail2ban and related scripts).
If you need assistance setting up anything mentioned above, feel free to contact us and/or post in the comment form below.