Infosec work at a small school: Vuln scanning - Risk Management - Detection

jamesleecoleman Member Posts: 1,899
Hey there,

So I'm the only IT Specialist at the school that I'm working at. They also call me the "IT Manager" but I wouldn't call myself that.

I've been wanting to get Nessus to do vulnerability scans along with implementing an IDS. I would also like to do some Risk Management work as well. We don't have these types of options (I guess???) right now and we don't really have an anti-virus solution but what came with Windows. So I'm looking at AVG at the moment.

We have webfilters and firewalls at both the Elementary school and Middle school.

Does anyone here have any advice on where to start? I don't want to just start doing things and then get lost. I need a place to start so I can form a plan since I don't really have anyone to help me at my job and I'm busy doing other things. I know that we have NIST documents out there and I'm looking at them to try to help me out with what I want to do.


*Really wanna get into InfoSec*
Booya!!
WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
*****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****

Comments

  • dmoore44 Member Posts: 646
    [Edit]
    Wow, it only took me a week to get back around to editing this post.

    So, to start from the top...

    Start thinking of every log or event generating device on your network as a sensor. Windows or *nix server logs, firewall logs, A/V logs, IIS/Apache logs, etc... they're all sensors, which is to say that they all produce messages that will help alert you to some adverse condition.

    1. Identify and catalog all of your current sensors, and what sort of visibility they provide. Sensors will provide different data regarding the same event - it's up to you to piece the event back together. In essence, you have three broad categories of sensors - network based sensors, host based sensors, and service based sensors. Network based sensors will obviously provide information regarding network traffic and will include firewall logs, netflow data, VPN logs, NIDS/NIPS logs, etc... Host based sensors will provide information about a host and will include A/V logs, local authentication logs, object access logs, and whatever other information the sysadmin has set to log. Service based logs will provide logs from services (i.e. applications) offered by a node and will include mail logs, web logs, database logs, etc...

    2. Stand up a log aggregation platform (Splunk, ELK, GrayLog) or a SIEM (ArcSight, QRadar, SumoLogic) and start sending those logs to the platform.

    3. Do you have any visibility gaps? Missing an endpoint defense solution? Get it. Missing proxies? Get them. Missing NIDS/NIPS? Get those too. Start working at plugging your gaps.

    4. If you don't already have any, adopt a set of standard security configurations. Check out the CIS website for security configuration guides. Also, make sure to get the person that writes the IT policies to get the mandatory use of the CIS Benchmarks written into policy. For the Windows side of things, the MS Security Compliance Manager tool is awesome. You can create a set of Group Policies based on the CIS Benchmarks and hand them over to your domain admin for immediate implementation.

    5. Once you get the CIS Benchmarks implemented, you'll need to find some way of assessing and enforcing those configurations... You can do that via a custom written script, or you can purchase a tool. If you're going to purchase a tool, and you're working in a MS environment, I'd recommend SCCM - not only because it fulfills this recommendation, but also the next one, as well as enables you to do this.

    6. Make sure you've got a good patch management tool.

    7. Make sure you've got a good vulnerability detection/management tool.

    8. Make sure all of your tools are properly tuned for your environment. There's nothing worse than having a million alerts for some Novell technology pop up when there isn't any Novell stuff in the environment!

    9. Make sure you've got a good ticketing system. You might consider requesting one specifically used for the InfoSec team (such that it is) - you don't really want to cross pollinate security incidents with standard IT tickets.

    10. Document everything. A wiki usually helps with this. Or you can use OneNote. Or something else that allows you to capture, store, and search lots of data.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance
    Currently Reading Books on TensorFlow
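Steps 1 through 3 above (catalogue your sensors, aggregate what they send, find the gaps) are easier to see in working code. The script below is an added example, not part of the post or of any product it names: the sensor names, log formats and log lines are all constructed. It normalises messages from three sensor categories into one event schema, pieces one incident back together across sensors by the host they each describe, and reports a catalogued sensor that has gone silent, which is a visibility gap rather than a quiet network.

```python
"""Added example (not from the forum post): treat each log source as a sensor,
normalise its messages into one event schema, and piece an incident back together
across sensor categories. All sensor names and log lines are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Step 1: the sensor catalogue - what each source is and what visibility it gives.
SENSORS = {
    "edge-fw":   ("network", "permit/deny decisions at the border"),
    "win-dc01":  ("host",    "Windows logon events from the domain controller"),
    "av-server": ("host",    "anti-virus detections reported by endpoints"),
    "mail-gw":   ("service", "inbound SMTP accept/reject log"),
}

@dataclass
class Event:
    ts: datetime
    sensor: str
    category: str
    src: str      # host/IP the event is about (the join key across sensors)
    action: str   # normalised verb: deny, auth_fail, malware, smtp_reject
    detail: str

# One pattern per sensor format; every sensor describes the same host differently.
PATTERNS = {
    "edge-fw":   re.compile(r"^(?P<ts>\S+) fw (?P<verdict>DENY|PERMIT) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"),
    "win-dc01":  re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"),
    "av-server": re.compile(r"^(?P<ts>\S+) av host=(?P<src>\S+) threat=(?P<threat>\S+) action=(?P<act>\S+)$"),
    "mail-gw":   re.compile(r"^(?P<ts>\S+) smtp from=(?P<from>\S+) client=(?P<src>\S+) status=(?P<status>\S+)$"),
}

def parse_line(sensor: str, line: str) -> Event | None:
    """Return a normalised adverse Event, or None for benign or unparseable lines."""
    m = PATTERNS[sensor].match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    cat = SENSORS[sensor][0]
    if sensor == "edge-fw" and m["verdict"] == "DENY":
        return Event(ts, sensor, cat, m["src"], "deny", f"to {m['dst']}:{m['dport']}")
    if sensor == "win-dc01" and m["eid"] == "4625":      # Windows event 4625 = failed logon
        return Event(ts, sensor, cat, m["src"], "auth_fail", f"user {m['user']}")
    if sensor == "av-server":
        return Event(ts, sensor, cat, m["src"], "malware", f"{m['threat']} {m['act']}")
    if sensor == "mail-gw" and m["status"] == "rejected":
        return Event(ts, sensor, cat, m["src"], "smtp_reject", f"from {m['from']}")
    return None

def normalize(feed: list[tuple[str, str]]) -> list[Event]:
    """Step 2 in miniature: every sensor's output lands in one schema."""
    return [e for sensor, line in feed if (e := parse_line(sensor, line)) is not None]

def correlate(events: list[Event], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Group adverse events by host; an incident is a host that more than one
    sensor category reported on inside the window (a simple span check)."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        cats = sorted({e.category for e in evs})
        if len(cats) > 1 and evs[-1].ts - evs[0].ts <= window:
            incidents.append({"src": src, "categories": cats, "events": len(evs),
                              "timeline": [(e.ts.isoformat(), e.sensor, e.action, e.detail) for e in evs]})
    return incidents

def silent_sensors(feed: list[tuple[str, str]]) -> list[str]:
    """Step 3: a catalogued sensor that sends nothing is a visibility gap."""
    seen = {sensor for sensor, _ in feed}
    return sorted(s for s in SENSORS if s not in seen)

# Constructed sample feed: three sensors describe the same host, one sensor is silent.
FEED = [
    ("edge-fw",   "2024-03-01T08:00:05 fw DENY src=10.1.5.23 dst=203.0.113.9 dport=4444"),
    ("edge-fw",   "2024-03-01T08:00:06 fw PERMIT src=10.1.5.40 dst=198.51.100.2 dport=443"),
    ("win-dc01",  "2024-03-01T08:01:10 EventID=4625 user=jdoe src=10.1.5.23"),
    ("win-dc01",  "2024-03-01T08:01:12 EventID=4625 user=jdoe src=10.1.5.23"),
    ("win-dc01",  "2024-03-01T08:02:00 EventID=4624 user=admin src=10.1.5.40"),
    ("av-server", "2024-03-01T08:03:30 av host=10.1.5.23 threat=Trojan.Generic action=quarantined"),
]

if __name__ == "__main__":
    for inc in correlate(normalize(FEED)):
        print(inc["src"], inc["categories"], inc["events"])
        for row in inc["timeline"]:
            print("   ", *row)
    print("silent sensors:", silent_sensors(FEED))
```

Run as-is it prints one incident for 10.1.5.23 (a firewall deny, two failed logons and an A/V quarantine, each reported by a different sensor) and flags mail-gw as silent. The join key is whatever field each sensor uses to name the host, which is exactly the piecing-together work the post describes; in a real deployment that field would come from the aggregation platform's parsers rather than hand-written regexes.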
  • 636-555-3226 Member Posts: 975
    If you need a roadmap, do the Center for Internet Security Top 20 Critical Security Controls. The first five controls are integral - work on those.

    Nessus is a great tool and, last I checked, free for schools. Tenable's manual for it is actually half decent, too, last I looked.
  • SoCalGuy858 Member Posts: 150
    I definitely second the recommendation of the 20 CSCs. These are a great starting point for most organizations because they are vendor and platform neutral. Resources such as the SANS Institute have roadmaps you can follow and suggestions for implementing each step based on your budget requirements.
    LinkedIn - Just mention you're from TE!
  • kiki162 Member Posts: 635
    There's plenty of webfilters and firewall programs that are open source. Take a look at Snort and Squid.
  • Th3Ph3n0m Member Posts: 6
    Hi guys... I am a new member... joined now... gimme a hell... a... ya.....
  • LonerVamp Member Posts: 518
    I applaud the IDS/IPS idea, but I think you have bigger and easier things to tackle first. Keep IDS in mind for a future project or if you find you've got some time. If you do put one in, stick to watching on either side of your firewall to start, and tone things down from there. It's easy to drown in the firehose of an IDS watching too much at the beginning, and the worst thing to do is half implement something overwhelming and not give it the attention it needs.

    For now, make sure you have an inventory of all the hardware and software that is to be expected, and somehow manage it.
    Get AVG running. Bonus: Find a way to pull logs from AVG into a central place that you can monitor for issues.
    Nessus is a good start, and be ready to follow that up with a patching and tracking solution. I.e., what are you doing to remediate the findings from Nessus?
    Review those firewall rules and try to make a comment for each one, or keep a separate spreadsheet with reasons why each rule is in place.
    Review and change passwords as needed from defaults or after a period of time. Review accounts like a hawk.
    And get backups of anything you'd miss if it were corrupted tomorrow, including firewall and web filter configs if possible.

    As another IDS-like project, you could look into pulling and aggregating logs for your systems into a log management system.

    All of this sounds exciting and a good start!

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
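Two of the items above, reviewing firewall rules with a reason recorded for each one and reviewing accounts and passwords, can be scripted once the inventory exists. The block below is an added example, not code from the post or from any firewall vendor: the rule base, the CIDRs, the device accounts and the 90-day password age are all constructed. It flags rules with no recorded reason, permit-any-any rules, and rules that an earlier rule makes unreachable (first-match semantics), then flags accounts that are still on a default credential or whose password change date is unknown or too old.

```python
"""Added example (not from the post): a review pass over a constructed firewall
rule base and device account list, flagging what the post says to look for:
rules with no recorded reason, over-broad or unreachable rules, and accounts
still on default or long-unchanged passwords. All rules and accounts are made up."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network

@dataclass
class Rule:
    rid: int
    action: str        # "permit" or "deny"
    src: str           # "any", a host address, or a CIDR
    dst: str
    port: str          # "any" or a port number
    reason: str = ""   # the per-rule justification the post asks you to keep

@dataclass
class Account:
    name: str
    device: str
    pw_changed: date | None     # None: nobody knows when (or if) it was changed
    is_default: bool = False    # still the vendor/default credential

def covers(outer: str, inner: str) -> bool:
    """True if rule field `outer` matches everything that `inner` matches."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    if outer.isdigit() or inner.isdigit():      # port fields: exact match only
        return outer == inner
    try:
        return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))
    except (ValueError, TypeError):             # unparsable or mixed v4/v6: not a cover
        return False

def review_rules(rules: list[Rule]) -> dict[int, list[str]]:
    """Return {rule id: issues} for rules that need attention, in rule order."""
    findings: dict[int, list[str]] = {}
    for i, rule in enumerate(rules):
        issues = []
        if not rule.reason.strip():
            issues.append("undocumented")
        if rule.action == "permit" and (rule.src, rule.dst, rule.port) == ("any", "any", "any"):
            issues.append("permit-any-any")
        for earlier in rules[:i]:   # first match wins: an earlier rule can hide this one
            if (covers(earlier.src, rule.src) and covers(earlier.dst, rule.dst)
                    and covers(earlier.port, rule.port)):
                issues.append(f"shadowed-by-rule-{earlier.rid}")
                break
        if issues:
            findings[rule.rid] = issues
    return findings

REVIEW_DATE = date(2024, 3, 1)   # "today" for the constructed review

def review_accounts(accounts: list[Account], today: date = REVIEW_DATE,
                    max_age_days: int = 90) -> dict[str, list[str]]:
    """Return {"user@device": issues} for accounts the post says to review like a hawk."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues = []
        if acct.is_default:
            issues.append("default-credential")
        if acct.pw_changed is None:
            issues.append("password-change-date-unknown")
        elif (today - acct.pw_changed).days > max_age_days:
            issues.append(f"password-older-than-{max_age_days}-days")
        if issues:
            findings[f"{acct.name}@{acct.device}"] = issues
    return findings

# Constructed rule base (first match wins) and device accounts.
RULES = [
    Rule(1, "permit", "10.1.0.0/16", "any", "53", "internal resolvers to upstream DNS"),
    Rule(2, "permit", "any", "10.1.2.10", "443", ""),
    Rule(3, "permit", "any", "any", "any", "temporary - vendor install, never removed"),
    Rule(4, "permit", "10.1.3.0/24", "10.1.2.10", "443", "lab VLAN to student portal"),
    Rule(5, "deny", "any", "any", "any", "default deny"),
]
ACCOUNTS = [
    Account("admin", "asa-office", None),
    Account("admin", "sw-core-1", date(2023, 11, 1), is_default=True),
    Account("netops", "sw-core-1", date(2024, 2, 15)),
    Account("backup", "nas-01", date(2023, 1, 10)),
]

if __name__ == "__main__":
    for rid, issues in review_rules(RULES).items():
        print(f"rule {rid}: {', '.join(issues)}")
    for who, issues in review_accounts(ACCOUNTS).items():
        print(f"{who}: {', '.join(issues)}")
```

The shadowing check is the part worth keeping: a "temporary" permit-any-any left in place (rule 3) silently makes the default deny (rule 5) unreachable, which is the kind of thing a per-rule reason column surfaces during review. The account check treats an unknown change date as a finding, matching the situation in the thread where nobody knows the passwords to some of the network devices.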
  • BerkshireHerd Member Posts: 185
    My advice is document everything you do, not only will you have documentation for the next guy, you'll have a mini portfolio to show your next employer when you move to a bigger school dept.
    Identity & Access Manager // B.A - Marshall University 2005
  • the_Grinch Member Posts: 4,165
    I think the first thing you should do is inform your management of what your plans are. Mainly due to the fact that if issues arise from the work you will be doing you want them to be aware. With management approval, I would then move forward with log collection. Being a school (I've worked for small districts and a university) you could use some old equipment to load the ELK stack and collect the logs. Only being a one man shop you are going to have your work cut out for you and ELK can definitely ease your load quite a bit.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • jamesleecoleman Member Posts: 1,899
    Thanks everyone for the input! I really appreciate it.

    I have told management and some other staff members what I'm planning on doing. I'm still for sure going to try and get Nessus.
    This week was the week where I found out that I have more networking equipment in different places. So I have to try and figure out how all of that stuff works. On top of that, people don't know the passwords to certain network devices that are ours. We have Cisco switches and I have an ASA in my office that works but no one knows the password to.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • alias454 Member Posts: 648
    I agree with those who said start with the top 20 security controls. You can download the latest list here https://www.cisecurity.org/critical-controls/. You have to realize, as a one man show you aren't going to have time to do it all, so start with the first couple. @LonerVamp is right, having an inventory is pretty important and will help you when working on other pieces of your puzzle. You have to know what you have to know what to protect.

    I'm not hawking their product since I have not used it, but AlienVault has a nice blog series discussing some tools that can be used when implementing the controls. https://www.alienvault.com/blogs/security-essentials/free-and-commercial-tools-to-implement-the-sans-top-20-security-controls-part-1. I have some differences of opinion on what should be added to their list but overall, it is a good start.
    “I do not seek answers, but rather to understand the question.”
  • Moldygr33nb3an Member Posts: 241
    Based on the limited resources, I would recommend looking into a UTM solution.
    Current: OSCP

    Next: CCNP (R&S and Sec)

    Follow my OSCP Thread!
  • alias454 Member Posts: 648
    I don't know about your budget but this looks interesting https://opnsense.org/about/about-opnsense/. It is a fork of pfSense. You can run something like that using some basic server hardware. I have seen good options on eBay for some 1U Gen 6/7 HPs, you can buy new hardware from Newegg for less than $700 bucks, or you can build it on hardware you have laying around. Options!
    “I do not seek answers, but rather to understand the question.”
  • UnixGuy Mod Posts: 4,570
    First things first... how's your network looking? Who looks after the border routers/switches?

    Do you have a firewall? Start looking there!

    Palo Alto next-gen firewalls have a lot of the functionality that you need (IPS/IDS, URL filtering, etc.).

    For anti-malware... I like MalwareBytes, and it's free and very effective. I think for an enterprise-wide solution you can pay.

    Document your network and start from there.

    Deploy Nessus and then create an enterprise-wide vulnerability management process where you periodically patch servers. Do you have SCCM for Windows desktops? Use it to patch.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 
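The "deploy Nessus, then patch periodically" step only works if findings are tracked from one scan to the next, which is also LonerVamp's question above about what happens to the findings. The block below is an added example, not code from the post or from Tenable: the CSV columns are a simplified stand-in (not the scanner's real export format), and the plugin IDs, hosts, scan dates and per-severity deadlines are all constructed. It replays two scan exports in date order, records when each finding first appeared and when it stopped appearing, and lists the open findings that have exceeded their remediation deadline.

```python
"""Added example (not from the post): follow scanner findings across periodic
scan exports so the patch cycle can be measured. The CSV layout, plugin IDs,
hosts and SLA values are all constructed for this example, not Nessus's format."""
from __future__ import annotations

import csv
import io
from datetime import date

# Assumed remediation deadlines per severity (a local policy choice, not a standard).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Constructed exports from two monthly scans (columns are simplified).
SCAN_FEB = """\
host,plugin_id,risk,name
10.1.2.10,900001,Critical,Example remote code execution in web server
10.1.2.10,900002,Medium,TLS 1.0 enabled
10.1.2.11,900003,High,Unsupported operating system version
10.1.5.23,900004,Low,ICMP timestamp disclosure
"""
SCAN_MAR = """\
host,plugin_id,risk,name
10.1.2.10,900002,Medium,TLS 1.0 enabled
10.1.2.11,900003,High,Unsupported operating system version
10.1.2.11,900005,Critical,Example outdated service with known exploit
10.1.5.23,900004,Low,ICMP timestamp disclosure
"""
SCANS = [(date(2024, 2, 1), SCAN_FEB), (date(2024, 3, 1), SCAN_MAR)]
TODAY = date(2024, 3, 15)   # "today" for the constructed report

def load_scan(text: str) -> dict:
    """Parse one export into {(host, plugin_id): row}; that pair identifies one finding."""
    return {(r["host"], r["plugin_id"]): r for r in csv.DictReader(io.StringIO(text))}

def track(scans) -> dict:
    """Replay scans in date order, recording when each finding first appeared and
    when it stopped appearing (fixed_on stays None while the finding is still open)."""
    state: dict = {}
    for scan_date, text in sorted(scans):
        present = load_scan(text)
        for key, row in present.items():
            rec = state.setdefault(key, {"risk": row["risk"], "name": row["name"],
                                         "first_seen": scan_date, "fixed_on": None})
            rec["fixed_on"] = None            # still present, or came back after a "fix"
        for key, rec in state.items():
            if key not in present and rec["fixed_on"] is None:
                rec["fixed_on"] = scan_date   # absent from this scan: treat as remediated
    return state

def overdue(state: dict, today: date = TODAY) -> list:
    """Open findings that have exceeded the deadline for their severity."""
    out = []
    for (host, plugin), rec in sorted(state.items()):
        if rec["fixed_on"] is None:
            days_open = (today - rec["first_seen"]).days
            if days_open > SLA_DAYS[rec["risk"]]:
                out.append((host, plugin, rec["risk"], days_open))
    return out

def summary(state: dict) -> dict:
    """Counts that answer 'are we actually closing what the scanner finds?'"""
    still_open = sum(1 for r in state.values() if r["fixed_on"] is None)
    return {"open": still_open, "fixed": len(state) - still_open}

if __name__ == "__main__":
    state = track(SCANS)
    print(summary(state))
    for host, plugin, risk, days in overdue(state):
        print(f"OVERDUE {risk:8} {host} plugin {plugin}: open {days} days")
```

Run as-is, the February critical on 10.1.2.10 shows as fixed in March, while the High on 10.1.2.11 (43 days open against a 30-day deadline) and the new Critical on the same host (14 days against 7) come out as overdue. A finding that disappears and then reappears is reopened rather than counted as fixed, so a rollback or a re-imaged host does not hide in the "fixed" column.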

  • mbarrett Member Posts: 397
    Start with a good basic overall policy for the area you are trying to cover. Make sure your management has 100% buy-in and blessing, because you are going to need it. Also make sure your users understand what you're trying to do and accept it. Security is generally a human-intensive activity, and it sounds like you are focusing on the technology, which is fine, and it will help you develop technical skills but the first time you need to change something or fix something you are going to run into problems unless you have the people you work with buying into your plan.
    Once you have that part covered, get a complete inventory of all the assets you want to protect - document everything if you can! (diagrams, hardware, logical topology, physical floor layouts, etc.) It will save headaches later on, and is the basis for a good Infosec program. If you're lucky you already have some of this, so you have less to create from scratch. Lastly, what are other schools/school districts doing? Is there some security framework you can model yourself after? If you search high enough (District, local/state government) you may find out more about what you should be doing...