Pratum Blog

I started my career in the network engineering and network administration field.  I held lots of those technical certifications from the likes of Microsoft, Novell and Cisco.  I thought I was pretty smart.  And in truth, I was.  I knew how to build a stable and reliable network that could support thousands of users across large geographic regions.  I could implement access control lists on firewalls, routers and switches.  I could provide access to resources with Active Directory or Novell Directory Services and restrict access like nobody’s business.

Problem was, I was too close to it.  I missed some of the security details because I had the same view every day.  Once I started to focus on security, I quickly realized that I was missing some design principles that could enhance the security of the system.  That’s when I decided to focus on just security.

While the infrastructure side was my specialty, I couldn’t even play an application developer on TV.  Well, ok…maybe I could.  But still, I wasn’t going to win any awards for my application development skills.  The thing is, though, I could still review code and test applications for security.  Because I was looking at it from a different perspective, I could see things that developers couldn’t.

If you’re an application developer or network admin, don’t look at the security team with contempt.  They may not have your skills with C#, Java, BGP, VLANs or other specialized technology. (Although many of them do, so don’t underestimate them.) They do, however, commonly have a perspective that you do not.  I’ve found that if pride can be put aside for a moment and people can understand that unique perspectives can help, we solve a lot of problems.  IT professionals are typically a prideful bunch.  And they should be.  They are some of the smartest, hardest working professionals you’ll come across.  We can’t let this pride get in the way of progress in security though.  Oh…and for you security nuts who think you’re all that and a bag of chips…tone it down…everybody has something they’re good at.  Recognize the strengths of individuals on the team and work with them to find solutions that allow your business to keep the lights on.

Over the past several weeks, the team at Pratum has been called upon to investigate multiple data breaches.  During our investigations at the hacked organizations, we found that these data breaches had one item in common.  Each had firewall rules that were far too liberal and allowed attackers to easily access systems.  Each organization was hacked because a basic information security best practice was not followed.

If you have the responsibility for firewall administration, follow these simple rules:

  1. Never allow a connection from an untrusted network like the internet into your protected LAN.  I know there are lots of reasons people do this.  None of them are good enough reasons to take that level of risk.  I guarantee this is a data breach waiting to happen.

  2. Implement egress filtering.  I’ve talked about this before.  If you get malware on your internal network, egress filtering can prevent a lot of the bad activity.  You also get alerts on your firewall about denied outbound traffic, which is a key indicator that you’ve been hacked and should begin a data breach investigation.

  3. Actually turn on firewall logging and save the logs somewhere.  Don’t rely on some monthly report about highest utilization ports, services or hosts.  That will not tell you anything about the data breach or how you were hacked.  Turn on sufficient logging and then send the logs to a SIEM device to monitor and alert.

These simple rules will help prevent you from getting hacked. If you do however still get hacked from one of the many other methods the bad guys have, at least you’ll be able to slow it down and detect it.
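As an added example (not Pratum’s code, and not tied to any particular firewall product), the following Python audits a constructed rule set against the three rules above and then scans constructed syslog-style log lines for the indicator rule 2 describes: one internal host whose outbound connections keep getting denied. The rule fields, the log line format and the 10.0.0.0/8 and 192.168.0.0/16 LAN ranges are assumptions made for this example; adapt the two parsers to your firewall’s policy export and log format.

```python
"""Audit a firewall policy and its logs against the three rules in the post.

Added example, not Pratum's code.  The Rule fields, the log line layout and the
protected LAN ranges are constructed for this example.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed: the internal networks this firewall is supposed to protect.
PROTECTED_LAN = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    direction: str   # "in" = untrusted -> us, "out" = us -> untrusted
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    port: str        # port number or "any"
    log: bool = False


def _is_untrusted(cidr):
    """'any' or a globally routable range counts as the internet."""
    return cidr == "any" or ipaddress.ip_network(cidr).is_global


def _touches_lan(cidr):
    if cidr == "any":
        return True
    net = ipaddress.ip_network(cidr)
    return any(net.overlaps(lan) for lan in PROTECTED_LAN)


def audit_policy(rules):
    """Return a list of findings; an empty list means the policy follows all three rules."""
    findings = []
    # Rule 1: nothing from an untrusted source may be allowed into the protected LAN.
    for r in rules:
        if (r.direction == "in" and r.action == "allow"
                and _is_untrusted(r.src) and _touches_lan(r.dst)):
            findings.append(f"{r.name}: allows untrusted {r.src} into LAN {r.dst} port {r.port}")
    # Rule 2: egress filtering means the outbound chain ends in a default deny.
    outbound = [r for r in rules if r.direction == "out"]
    last = outbound[-1] if outbound else None
    if last is None or (last.action, last.src, last.dst, last.port) != ("deny", "any", "any", "any"):
        findings.append("no default-deny outbound rule: egress filtering is not in place")
    # Rule 3: an unlogged deny produces no alert, so the indicator is never seen.
    for r in rules:
        if r.action == "deny" and not r.log:
            findings.append(f"{r.name}: deny rule without logging")
    return findings


# Constructed key=value log layout; real firewalls each have their own.
LOG_RE = re.compile(r"action=(?P<action>\w+) dir=(?P<dir>\w+) src=(?P<src>[\d.]+) "
                    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def denied_egress_hosts(log_lines, threshold=3):
    """Internal hosts with at least `threshold` denied outbound connections.

    Repeated outbound denies from one LAN host is the indicator rule 2 gives you;
    one or two may be misconfiguration, a steady stream deserves an investigation.
    """
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["action"] == "deny" and m["dir"] == "out" and _touches_lan(m["src"] + "/32"):
            hits[m["src"]] += 1
    return {host: n for host, n in hits.items() if n >= threshold}


# Constructed policy that breaks rules 1 and 3 (RDP open from anywhere, unlogged deny).
LIBERAL_RULES = [
    Rule("rdp-from-internet", "allow", "in", "any", "10.0.5.20/32", "3389"),
    Rule("web-dmz", "allow", "in", "any", "203.0.113.10/32", "443"),   # DMZ host, not LAN
    Rule("lan-dns-out", "allow", "out", "10.0.0.0/8", "any", "53"),
    Rule("lan-web-out", "allow", "out", "10.0.0.0/8", "any", "443"),
    Rule("deny-all-out", "deny", "out", "any", "any", "any"),
]
# Same policy with the inbound hole closed and the default deny logged.
HARDENED_RULES = [r for r in LIBERAL_RULES[1:-1]] + [
    Rule("deny-all-out", "deny", "out", "any", "any", "any", log=True),
]

# Constructed log lines: one LAN host hammering a denied port, one host denied once.
SAMPLE_LOGS = [
    "Sep 20 10:01:02 fw1 action=deny dir=out src=10.0.5.20 dst=198.51.100.7 dport=6667",
    "Sep 20 10:01:05 fw1 action=deny dir=out src=10.0.5.20 dst=198.51.100.8 dport=6667",
    "Sep 20 10:01:09 fw1 action=deny dir=out src=10.0.5.20 dst=198.51.100.9 dport=4444",
    "Sep 20 10:02:00 fw1 action=deny dir=out src=10.0.7.9 dst=198.51.100.9 dport=25",
    "Sep 20 10:02:10 fw1 action=allow dir=out src=10.0.7.9 dst=198.51.100.9 dport=443",
    "Sep 20 10:03:00 fw1 action=deny dir=in src=198.51.100.50 dst=10.0.5.20 dport=3389",
]

if __name__ == "__main__":
    for f in audit_policy(LIBERAL_RULES):
        print("FINDING:", f)
    print("hardened policy findings:", audit_policy(HARDENED_RULES))
    print("hosts to investigate:", denied_egress_hosts(SAMPLE_LOGS))
```

The audit is deliberately strict: a DMZ host with a public address is allowed to accept inbound traffic, but anything that lands inside the protected ranges from an untrusted source is a finding regardless of port, and every deny must be logged or the alerts in rule 2 never reach the SIEM in rule 3.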

By this time you all know that Home Depot was hacked. Many of you may be asking why I didn’t cover this in an earlier post. The primary reason is that I didn’t want to add a bunch of fuel to a fire that was already burning hot. I’ve read some posts from people hitting Home Depot for not giving any real details and not confirming there was a breach right away. How could they leave us hanging?

I give them credit for how they handled the data breach notification, and I actually liked their approach. When they knew something was wrong, they came out and said so. They said they needed more time to determine what happened and who was affected. When you’re hacked, it’s not always obvious how deep and wide the data breach is. It takes time. As a result, they were able to narrow it to stores in the U.S. and Canada and eliminate HomeDepot.com and stores in Mexico.

Taking your time during a data breach investigation is the prudent move. I know it upsets those who want immediate results, but I’d rather get it right than get it fast. But that’s just me.
