Infosec work at a small school: Vuln scanning - Risk Management - Detection

jamesleecoleman

Hey there,

So I'm the only IT Specialist at the school that I'm working at. They also call me the "IT Manager" but I wouldn't call myself that.

I've been wanting to get Nessus to do vulnerability scans along with implementing an IDS. I would also like to do some Risk Management work as well. We don't have these types of options (I guess???) right now and we don't really have an anti-virus solution but what came with Windows. So I'm looking at AVG at the moment.

We have webfilters and firewalls at both the Elementary school and Middle school.

Does anyone here have any advice on where to start? I don't want to just start doing things and then get lost. I need a place to start so I can form a plan since I don't really have anyone to help me at my job and I'm busy doing other things. I know that we have NIST documents out there and I'm looking at them to try to help me out with what I want to do.


*Really wanna get into InfoSec*

dmoore44

[Edit]
Wow, it only took me a week to get back around to editing this post.

So, to start from the top...

Start thinking of every log or event generating device on your network as a sensor. Windows or *nix server logs, firewall logs, A/V logs, IIS/Apache logs, etc... they're all sensors, which is to say that they all produce messages that will help alert you to some adverse condition.

1. Identify and catalog all of your current sensors, and what sort of visibility they provide. Sensors will provide different data regarding the same event - it's up to you to piece the event back together. In essence, you have three broad categories of sensors - network based sensors, host based sensors, and service based sensors. Network based sensors will obviously provide information regarding network traffic and will include firewall logs, netflow data, VPN logs, NIDS/NIPS logs, etc... Host based sensors will provide information about a host and will include A/V logs, local authentication logs, object access logs, and whatever other information the sysadmin has set to log. Service based logs will provide logs from services (i.e. applications) offered by a node and will include mail logs, web logs, database logs, etc...

2. Stand up a log aggregation platform (Splunk, ELK, GrayLog) or a SIEM (ArcSight, QRadar, SumoLogic) and start sending those logs to the platform.

3. Do you have any visibility gaps? Missing an endpoint defense solution? Get it. Missing proxies? Get them. Missing NIDS/NIPS? Get those too. Start working at plugging your gaps.

4. If you don't already have any, adopt a set of standard security configurations. Check out the CIS website for security configuration guides. Also, make sure to get the person that writes the IT policies to get the mandatory use of the CIS Benchmarks written in to policy. For the Windows side of things, the MS Security Compliance Manager tool is awesome. You can create a set of Group Policies based on the CIS Benchmarks and hand them over to your domain admin for immediate implementation.

5. Once you get the CIS Benchmarks implemented, you'll need to find some way of assessing and enforcing those configurations... You can do that via a custom written script, or you can purchase a tool. If you're going to purchase a tool, and you're working in a MS environment, I'd recommend SCCM - not only because it fulfills this recommendation, but also the next one, as well as enables you to do this.

6. Make sure you've got a good patch management tool.

7. Make sure you've got a good vulnerability detection/management tool.

8. Make sure all of your tools are properly tuned for your environment. There's nothing worse than have a million alerts for some Novell technology pop up, and there not be any Novell stuff in the environment!

9. Make sure you've got a good ticketing system. You might consider requesting one specifically used for the InfoSec team (such that it is) - you don't really want to cross pollinate security incidents with standard IT tickets.

10. Document everything. A wiki usually helps with this. Or you can use OneNote. Or something else that allows you to capture, store, and search lots of data.

636-555-3226

If you need a roadmap, do the Center for Internet Security Top 20 Critical Security Controls. The first five controls are integral - work on those.

Nessus is a great tool and, last I checked, free for schools. Tenable's manual for it is actually half decent, too, last I looked.

SoCalGuy858

I definitely second the recommendation of the 20 CSCs. These are a great starting point for most organizations because they are vendor and platform neutral. Resources such an SANS Institute have roadmaps you can follow and suggestions for implementing each step based on your budget requirements.

kiki162

There's plenty of webfilters and firewall programs that are open source. Take a look at snort and squid.

Th3Ph3n0m

Hi guys...i am new member...joined now....gimme a hell...a... ya.....

LonerVamp

I applaud the IDS/IPS idea, but I think you have bigger and easier things to tackle first. Keep IDS in mind for a future project or if you find you've got some time. If you do put one in, stick to watching on either side of your firewall to start, and tone things down from there. It's easy to drown in the firehose of an IDS watching too much at the beginning, and the worst thing to do is half implement something overwhelming and not give it the attention it needs.

For now, make sure you have an inventory of all the hardware and software that is to be expected, and somehow manage it.
Get AVG running. Bonus: Find a way to pull logs from AVG into a central place that you can monitor for issues.
Nessus is a good start, and be ready to follow that up with a patching and tracking solution. I.e. What are you doing to remediate the findings from Nessus?
Review those firewall rules and try to make a comment for each one, or keep a separate spreadsheet with reasons why each rule is in place.
Review and change passwords as needed from defaults or after a period of time. Review accounts like a hawk.
And get backups of anything you'd miss if it were corrupted tomorrow, including firewall and web filter configs if possible.

As another IDS-like project, you could look into pulling and aggregating logs for your systems into a log management system.

All of this sounds exciting and a good start!

BerkshireHerd

My advice is document everything you do, not only will you have documentation for the next guy, you'll have a mini portfolio to show your next employer when you move to a bigger school dept.

the_Grinch

I think the first thing you should do is inform your management of what your plans are. Mainly due to the fact that if issues arise from the work you will be doing you want them to be aware. With management approval, I would then move forward with log collection. Being a school (I've worked for small districts and a university) you could use some old equipment to load the ELK stack and collect the logs. Only being a one man shop you are going to have your work cut out for you and ELK can definitely ease your load quite a bit.

jamesleecoleman

Thanks everyone for the input! I really appreciate it.

I have told management and some other staff members what I'm planning on doing. I'm still for sure going to try and get Nessus.
This week was the week where I found out that I have more networking equipment in different places. So I have to try and figure out how all of that stuff works. On top of that, people don't know the passwords to certain network devices that are ours. We have Cisco switches and I have an ASA in my office that works but no one knows the password to.

alias454

I agree with those who said start with the top 20 security controls. You can download the latest list here https://www.cisecurity.org/critical-controls/. You have to realize, as a one man show you aren't going to have time to do it all, so start with the first couple. @LonerVamp is right, having an inventory is pretty important and will help you when working on other pieces of your puzzle. You have to know what you have to know what to protect.

I'm not hawking their product since I have not used it, but alien vault has a nice blog series discussing some tools that can be used when implementing the controls. https://www.alienvault.com/blogs/security-essentials/free-and-commercial-tools-to-implement-the-sans-top-20-security-controls-part-1. I have some differences of opinion on what should be added to their list but overall, it is a good start.

Moldygr33nb3an

Based on the limited resources, I would recommend looking into a UTM solution.

alias454

I don't know about your budget but this looks interesting https://opnsense.org/about/about-opnsense/. It is a fork of pfsense. You can run something like that using some basic server hardware. I have seen good options on ebay for some 1U Gen 6/7 HP's, you can buy new hardware from newegg for less than $700 bucks, or you can build it on hardware you have laying around. Options!

UnixGuy

First things first...how's your network looking? who looks after the border routers/switches?

Do you have a firewall? Start looking there!

Palo Alto next gen firewall have a lot of the functionality that you need (IPS/IDS, URL filtering, ..etc).

For anti malware... I like MalwareBytes, and it's free and very effective. I think for enterprise wide solution you can pay.

Document your network and start from there.

Deploy nessus and then create an enterprise wide vulnerability management where you periodically patch servers. Do you have SCCM for windows desktops? use it to patch.

mbarrett

Start with a good basic overall policy for the area you are trying to cover. Make sure your management has 100% buy-in and blessing, because you are going to need it. Also make sure your users understand what you're trying to do and accept it. Security is generally a human-intensive activity, and it sounds like you are focusing on the technology, which is fine, and it will help you develop technical skills but the first time you need to change something or fix something you are going to run into problems unless you have the people you work with buying into your plan.
Once you have that part covered, get a complete inventory of all the assets you want to protect - document everything if you can! (diagrams, hardware, logical topology, physical floor layouts, etc.) It will save headaches later on, and is the basis for a good Infosec program. If you're lucky you already have some of this, so you have less to create from scratch. Lastly, what are other schools/school districts doing? Is there some security framework you can model yourself after? If you search high enough (District, local/state government) you may find out more about what you should be doing...