issue143:mon_opinion
Differences
Below are the differences between two revisions of the page.
issue143:mon_opinion [2019/04/15 11:52] – d52fr | issue143:mon_opinion [2019/04/17 13:39] (current version) – andre_domenech | ||
---|---|---|---|
Line 3: | Line 3: | ||
GDPR is supposed to be about consumer trust. How can your customers - and I use the word customers in a very broad sense - trust you, if you can not even secure your network? The company behind knuddels.de, | GDPR is supposed to be about consumer trust. How can your customers - and I use the word customers in a very broad sense - trust you, if you can not even secure your network? The company behind knuddels.de, | ||
- | Bon. La dernière fois, j' | + | Bon. La dernière fois, j' |
- | Le RGPD est supposé donner confiance aux clients. Comment vos clients - et j' | + | Le RGPD est supposé donner confiance aux clients. Comment vos clients - et j' |
**Network services are usually running all the time, so you do not see anything really, but you do have logs to refer to. Check your logs, be proactive rather than reactive. Knuddels.de did not even know until all their data showed up on pastebin! When discussing networks and network services, I include both outward facing servers and internal networks. It is a good idea to treat them both as insecure, even if your internal network does not connect anywhere outside the company. Check it regularly. Internet capable and internet connected devices are more prolific than you think. | **Network services are usually running all the time, so you do not see anything really, but you do have logs to refer to. Check your logs, be proactive rather than reactive. Knuddels.de did not even know until all their data showed up on pastebin! When discussing networks and network services, I include both outward facing servers and internal networks. It is a good idea to treat them both as insecure, even if your internal network does not connect anywhere outside the company. Check it regularly. Internet capable and internet connected devices are more prolific than you think. | ||
It is a good idea to have a user for each of your network services. The reasoning behind this is that if that particular service gets exploited, it does not open your entire network. One has but to look on services such as metasploit to see the number of exploits for things such as SQL databases. Thus, if your database uses a root password, you will be owned. This is why you do not want your services or applications advertising themselves.** | It is a good idea to have a user for each of your network services. The reasoning behind this is that if that particular service gets exploited, it does not open your entire network. One has but to look on services such as metasploit to see the number of exploits for things such as SQL databases. Thus, if your database uses a root password, you will be owned. This is why you do not want your services or applications advertising themselves.** | ||
+ | |||
+ | Les services de réseau tournent en général en permanence ; aussi, vous ne voyez pas grand chose, mais vous pouvez vous référer à des logs (enregistrements d' | ||
+ | |||
+ | C'est une bonne idée d' | ||
**Software versions are the best giveaway to an attacker to now go look up exploits against your servers. I want to say, the same applies to networks as user accounts, least privilege. If you do not need a service, uninstall it, and if it only gets used sometimes, stop it when not in use. These days, systemd is replacing the old scripts, so if you are not familiar with it, now is the time to read up on how to use systemctl. Systemctl makes it easy to stop or disable a service, with just those words as commands. | **Software versions are the best giveaway to an attacker to now go look up exploits against your servers. I want to say, the same applies to networks as user accounts, least privilege. If you do not need a service, uninstall it, and if it only gets used sometimes, stop it when not in use. These days, systemd is replacing the old scripts, so if you are not familiar with it, now is the time to read up on how to use systemctl. Systemctl makes it easy to stop or disable a service, with just those words as commands. | ||
For any business, you do not want any unsecured services. This goes for manually installed services too. Any service you install manually, *you* are responsible for the updates and patches. As always, you want the smallest attack surface, should your server get targeted. By that statement, I mean bind your services to only the needed interfaces and addresses. Should your service not need external communication, | For any business, you do not want any unsecured services. This goes for manually installed services too. Any service you install manually, *you* are responsible for the updates and patches. As always, you want the smallest attack surface, should your server get targeted. By that statement, I mean bind your services to only the needed interfaces and addresses. Should your service not need external communication, | ||
+ | |||
+ | Les versions des logiciels sont le meilleur vecteur pour qu'un attaquant puissent chercher des exploits à l' | ||
+ | |||
+ | Quelle que soit l' | ||
**Also, if you have a standalone firewall, do not rely on it exclusively. Still use local firewall rules, even if they are a pain to set up. This will add another layer of protection. We cannot say we will not get hacked, but you want to be the most difficult target to start with, and be able to prove that you did everything in your power to prevent getting hacked. I do not only include servers here, but your local offices too. Your server may be in the cloud, but it takes only one person to copy the database or make a spreadsheet with passwords, and the game is lost. Also let's be realistic; the production database may be on a secured server, but an old copy is probably floating about which the web developers play with that may have real data, and accounting prints out customer lists / payments to spreadsheets for control purposes. | **Also, if you have a standalone firewall, do not rely on it exclusively. Still use local firewall rules, even if they are a pain to set up. This will add another layer of protection. We cannot say we will not get hacked, but you want to be the most difficult target to start with, and be able to prove that you did everything in your power to prevent getting hacked. I do not only include servers here, but your local offices too. Your server may be in the cloud, but it takes only one person to copy the database or make a spreadsheet with passwords, and the game is lost. Also let's be realistic; the production database may be on a secured server, but an old copy is probably floating about which the web developers play with that may have real data, and accounting prints out customer lists / payments to spreadsheets for control purposes. | ||
Best practice suggests having your network 'pen tested' | Best practice suggests having your network 'pen tested' | ||
+ | |||
+ | Et aussi, si vous avez pare-feu autonome, ne comptez pas exclusivement dessus. Là encore, utilisez des règles de pare-feu locales, même si elle sont pénibles à paramétrer. Ça ajoutera une autre couche de protection. Nous ne pouvons pas dire que nous ne serons pas piratés, mais vous voulez être une cible bien trop difficile pour commencer par elle, et être capable de prouver que vous avez tout fait qui était en votre pouvoir pour éviter d' | ||
+ | |||
+ | Les bonnes pratiques suggèrent de tester en vrai votre réseau régulièrement. C'est peut-être une option coûteuse, mais un mal nécessaire. Les testeurs de pénétration fournissent en général un compte rendu papier après le test ; stockez-le aussi longtemps que vous pouvez risquer un audit au cas où vous devriez prouver votre engagement dans la sécurité de votre réseau. Quand vous regardez quelqu' | ||
**Network security is not only about external networks. Make sure your office network is not only secured, but that your routers, switches and wireless access points are patched up-to-date with the latest firmware. (This goes for printers and other network attached devices too). Be aware of what is connected to your network. I cannot stress this enough. Rogue access points can be an ' | **Network security is not only about external networks. Make sure your office network is not only secured, but that your routers, switches and wireless access points are patched up-to-date with the latest firmware. (This goes for printers and other network attached devices too). Be aware of what is connected to your network. I cannot stress this enough. Rogue access points can be an ' | ||
I had a client who had SIP telephony installed, and, although the SIP router had no internet access via their connection, it was connected to the switch, and with an open WiFi. It took many calls to the supplier, who would not do anything about it as, according to them, nobody can get internet access via their equipment. Routers route, so anyone connecting to their WiFi would be routed directly to the next router, and, as it was internal, it got routed to the internet. The WiFi was not used and should have been turned off. When someone comes to work on your network, make sure they comply to *your* rules. This is why I am also not a big fan of bundling jobs together to save on salaries. When your systems administrator is also your network administrator is also your programmer, is also your project manager, is also your web developer, the important checks and balances get left in the dust. Even in very small organisations, | I had a client who had SIP telephony installed, and, although the SIP router had no internet access via their connection, it was connected to the switch, and with an open WiFi. It took many calls to the supplier, who would not do anything about it as, according to them, nobody can get internet access via their equipment. Routers route, so anyone connecting to their WiFi would be routed directly to the next router, and, as it was internal, it got routed to the internet. The WiFi was not used and should have been turned off. When someone comes to work on your network, make sure they comply to *your* rules. This is why I am also not a big fan of bundling jobs together to save on salaries. When your systems administrator is also your network administrator is also your programmer, is also your project manager, is also your web developer, the important checks and balances get left in the dust. Even in very small organisations, | ||
+ | |||
+ | La sécurité du réseau ne concerne pas que les réseaux externes. Assurez-vous que votre réseau d' | ||
+ | |||
+ | J' | ||
**The most successful hacks are those where the target is unaware that their networks have been compromised. | **The most successful hacks are those where the target is unaware that their networks have been compromised. | ||
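Review bot: grammar and wording slips in the added French lines of this hunk. In "pour qu'un attaquant puissent chercher des exploits" the subjunctive should agree with the singular subject ("puisse"), and "vecteur" renders "giveaway" (a telltale clue) as "vector", which changes the sense of the English "Software versions are the best giveaway to an attacker"; "indice" or "indication" is closer. In "si vous avez pare-feu autonome" the article is missing ("un pare-feu autonome"), and "même si elle sont pénibles" should read "elles sont". In "de tester en vrai votre réseau", the term "pen tested" is lost; "faire réaliser un test d'intrusion" keeps it and matches "testeurs de pénétration" used later in the same paragraph.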
Line 30: | Line 46: | ||
Lastly, if you do not do business with certain countries, block them, again reducing your attack surface. It's no use allowing say, Vietnam access if you are a local delivery fish-n-chips shop with info on all your customers for your local delivery routes in Lisbon. This is an example, and I am not picking on Vietnam in any way. I am purely trying to illustrate that local businesses – if you have a web server or not – that do not do business outside of their town or country, should reduce their risk level. This goes for emails too, drop emails from country prefixes you do not deal with, and the emails from Nigerian Princes should decrease accordingly. We may joke here, but phishing scams are still one of - if not the - most successful attacks today.** | Lastly, if you do not do business with certain countries, block them, again reducing your attack surface. It's no use allowing say, Vietnam access if you are a local delivery fish-n-chips shop with info on all your customers for your local delivery routes in Lisbon. This is an example, and I am not picking on Vietnam in any way. I am purely trying to illustrate that local businesses – if you have a web server or not – that do not do business outside of their town or country, should reduce their risk level. This goes for emails too, drop emails from country prefixes you do not deal with, and the emails from Nigerian Princes should decrease accordingly. We may joke here, but phishing scams are still one of - if not the - most successful attacks today.** | ||
+ | |||
+ | Les piratages les plus réussis sont ceux où la cible ne s' | ||
+ | |||
+ | Si vous avez des clients, vous avez des données personnelles et vous devez les protéger au mieux de vos possibilités. | ||
+ | |||
+ | Une dernière chose que je veux aborder à propos des services de réseau sont les « TCP wrappers » (emballeurs TCP). Le bon côté des TCP wrappers, c'est qu'ils fournissent un contrôle centralisé. Vous pouvez vérifier vos services pour voir s'ils sont « wrappés » avec la commande « ldd ». Cela vous listera leurs dépendances sur les objets partagés. Si au milieu de tout ça, vous voyez libwrap, vous savez que c'est un service « wrappé ». Les services wrappés n'ont pas besoin de redémarrage ; ils peuvent être modifiés à la volée. Gardez un œil sur les fichiers d' | ||
+ | |||
+ | Enfin, si vous ne faites pas d' | ||
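Review bot: style point in the added TCP wrappers paragraph: "wrappés" is set in guillemets in its first two occurrences (« wrappés », « wrappé ») and bare in the third ("Les services wrappés"); pick one form and use it throughout. The description of checking a service's shared-object dependencies with ldd and looking for libwrap is accurate as written.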
issue143/mon_opinion.1555321973.txt.gz · Last modified: 2019/04/15 11:52 by d52fr