
<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset='utf-8'>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<link rel="stylesheet" href="/assets/css/style.css?v=96e407dbfef5e6ab83daa6dca716c304bdc64c14">
<link rel="stylesheet" type="text/css" href="/assets/css/print.css" media="print">
<link rel='shortcut icon' type='image/x-icon' href='favicon.ico' />
<!--[if lt IE 9]>
<script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
<!-- Begin Jekyll SEO tag v2.5.0 -->
<title>tvm at a new company | josiah ledbetter</title>
<meta name="generator" content="Jekyll v3.7.4" />
<meta property="og:title" content="tvm at a new company" />
<meta property="og:locale" content="en_US" />
<meta name="description" content="no new problems i recently started a new job and am faced with the usual: “please set up our scanners and Make Us Secure”, “What Do These Alerts Mean”, etc etc. i keep thinking about the scanning / threat and vulnerability management (TVM) aspect, so i want to write about that. here are a list of questions that ive been asking myself, along with some possible answers." />
<meta property="og:description" content="no new problems i recently started a new job and am faced with the usual: “please set up our scanners and Make Us Secure”, “What Do These Alerts Mean”, etc etc. i keep thinking about the scanning / threat and vulnerability management (TVM) aspect, so i want to write about that. here are a list of questions that ive been asking myself, along with some possible answers." />
<link rel="canonical" href="http://localhost:4000/security/2019/06/24/new_company_tvm.html" />
<meta property="og:url" content="http://localhost:4000/security/2019/06/24/new_company_tvm.html" />
<meta property="og:site_name" content="josiah ledbetter" />
<meta property="og:type" content="article" />
<meta property="article:published_time" content="2019-06-24T00:00:00-05:00" />
<script type="application/ld+json">
{"description":"no new problems i recently started a new job and am faced with the usual: “please set up our scanners and Make Us Secure”, “What Do These Alerts Mean”, etc etc. i keep thinking about the scanning / threat and vulnerability management (TVM) aspect, so i want to write about that. here are a list of questions that ive been asking myself, along with some possible answers.","@type":"BlogPosting","url":"http://localhost:4000/security/2019/06/24/new_company_tvm.html","headline":"tvm at a new company","dateModified":"2019-06-24T00:00:00-05:00","datePublished":"2019-06-24T00:00:00-05:00","mainEntityOfPage":{"@type":"WebPage","@id":"http://localhost:4000/security/2019/06/24/new_company_tvm.html"},"@context":"http://schema.org"}</script>
<!-- End Jekyll SEO tag -->
</head>
<body>
<div id="container">
<div class="inner">
<header>
<h1>josiah ledbetter</h1>
</header>
<section id="downloads" class="clearfix">
</section>
<hr>
<section id="main_content">
<h1 id="no-new-problems">no new problems</h1>
<p>i recently started a new job and am faced with the usual: “please set up our scanners and Make Us Secure”, “What Do These Alerts Mean”, etc. i keep thinking about the scanning / threat and vulnerability management (TVM) side of that, so i want to write about it. here is a list of questions i've been asking myself, along with some possible answers.</p>
<h2 id="using-an-existing-scanning-install-or-starting-over">using an existing scanning install or starting over</h2>
<p>it may be reasonable to nuke an install if:</p>
<ul>
<li>the data in it is massively out of date, or bad enough for some other reason that nobody can trust it</li>
<li>the data in it doesn't tell you anything useful; “these ips are alive” isn't useful on its own</li>
</ul>
<p>times when you definitely should not nuke an install:</p>
<ul>
<li>if the install is tied to existing agents. the agents are enrolled against that install, and losing those connections means re-enrolling every endpoint, which would be a mistake</li>
</ul>
<p>those are really the only hard constraints i can think of. everything else seems pretty grey.</p>
<h2 id="are-naming-schemes-important-enough-to-spend-time-on">are naming schemes important enough to spend time on</h2>
<p>hard yes. some of the names in use at my new place are frankly /hilarious/. and bad. “aaah, a scan template called corp users, what do you suppo - oh, it's for scanning production? of course.”</p>
<p>i picked a rough naming scheme template for all objects, and then tweaked it on a per-object-type basis, i.e.:</p>
<p>ProductName - Environment - Geolocation - Data</p>
<p>“search - prod - aus” is pretty straightforward, and the data field is where you express the differences between object classes (a scan template might carry the scan type, an asset group the address range it covers). if that field ends up looking a bit different between object classes, that's ok. the most important thing in a naming scheme is consistency with the rules you set. everything else, while still important, is secondary.</p>
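<p>consistency with the rules is only checkable if the rules are written down somewhere a script can read them. the following is an added example (not code from the post or from any scanner product) of a name checker for the “ProductName - Environment - Geolocation - Data” template above: it parses a name into its four fields, validates the environment and geolocation against allowed lists, applies a per-object-class pattern to the data field, and audits a constructed inventory. the allowed environments, geos, object classes and data patterns are assumptions for the example; swap in your own.</p>

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical convention following the post's template
# "ProductName - Environment - Geolocation - Data".
# The allowed values below are assumptions for this example, not the author's real lists.
ENVIRONMENTS = {"prod", "stage", "dev", "corp"}
GEOS = {"aus", "use1", "usw2", "euw1"}
SEP = " - "

# The trailing "data" field is where object classes are allowed to differ;
# each class gets its own pattern for that last segment.
DATA_PATTERNS = {
    "scan_template": re.compile(r"^(discovery|full|auth|web)$"),
    "asset_group":   re.compile(r"^(\d{1,3}(\.\d{1,3}){3}/\d{1,2}|all)$"),
    "credential":    re.compile(r"^(ssh|winrm|snmp)-[a-z0-9]+$"),
}

@dataclass
class ParsedName:
    product: str
    environment: str
    geo: str
    data: Optional[str]

def parse_name(name: str) -> Optional[ParsedName]:
    """Split a name on the separator; the data field is optional."""
    parts = [p.strip() for p in name.split(SEP)]
    if len(parts) not in (3, 4):
        return None
    product, env, geo = parts[:3]
    data = parts[3] if len(parts) == 4 else None
    return ParsedName(product, env, geo, data)

def check_name(obj_class: str, name: str) -> list:
    """Return a list of violations; an empty list means the name is compliant."""
    parsed = parse_name(name)
    if parsed is None:
        return [f"expected 3 or 4 '{SEP.strip()}'-separated fields, got {name!r}"]
    problems = []
    if not re.fullmatch(r"[a-z0-9]+(-[a-z0-9]+)*", parsed.product):
        problems.append(f"product {parsed.product!r} must be lowercase alphanumerics")
    if parsed.environment not in ENVIRONMENTS:
        problems.append(f"environment {parsed.environment!r} not in {sorted(ENVIRONMENTS)}")
    if parsed.geo not in GEOS:
        problems.append(f"geo {parsed.geo!r} not in {sorted(GEOS)}")
    pat = DATA_PATTERNS.get(obj_class)
    if pat is None:
        problems.append(f"unknown object class {obj_class!r}")
    elif parsed.data is not None and not pat.fullmatch(parsed.data):
        problems.append(f"data field {parsed.data!r} does not fit {obj_class} pattern {pat.pattern}")
    return problems

def build_name(product, environment, geo, data=None):
    """Construct a compliant name from its fields."""
    fields = [product, environment, geo] + ([data] if data else [])
    return SEP.join(fields)

def audit(objects):
    """objects: iterable of (obj_class, name). Returns {name: [violations]} for bad names only."""
    report = {}
    for obj_class, name in objects:
        violations = check_name(obj_class, name)
        if violations:
            report[name] = violations
    return report

# Constructed sample inventory, including the kind of misleading name the post describes.
SAMPLE_OBJECTS = [
    ("scan_template", "search - prod - aus - full"),
    ("scan_template", "corp users"),                       # no fields at all
    ("asset_group",   "search - prod - aus - 10.20.0.0/16"),
    ("credential",    "billing - Prod - use1 - ssh-svc"),  # wrong case on environment
    ("credential",    "billing - prod - use1 - ssh_svc"),  # data field breaks the class pattern
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_OBJECTS).items():
        print(name)
        for p in problems:
            print("  -", p)
```

<p>run it against an export of every object class from the scanner; the report is the list of things to rename, and the same function can gate new objects before they are created.</p>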
<h2 id="a-note-on-scan-schedules">a note on scan schedules</h2>
<p>think about what a particular scan is trying to accomplish. if the goal of a scan is to get data from /corporate servers/ then a typical overnight maintenance window makes sense: the hosts are up, and the load from the scan lands when nobody is using them.</p>
<p>if the goal is to get data from /the entire corporate netblock/ then scanning overnight is probably really stupid, unless the entire company works during that time. after all, most companies are deploying large laptop fleets that all get taken home at the end of the day, so an overnight scan of the corporate range simply never sees them. instead, you can tackle this by doing one of these:</p>
<ul>
<li>scan midday, during the work hours, at several different times to catch differently shifted people</li>
<li>install agents on all laptop / movable devices</li>
</ul>
<p>ok, apparently the title should be “two notes on scans”. if your goal is to scan sensitive production servers, make sure you reach out to the ops team that manages those servers first. they should know what is coming and when, and you should have a paper trail proving you at least made a best effort to communicate, so that if a scan ever gets blamed for an outage you can show you warned them.</p>
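<p>“scan midday at several different times” raises the question of which times. the following is an added example (not code from the post) of picking scan start hours from observed presence data: for each host it records the hours of the day it was seen on the network, then greedily chooses the k start hours that together reach the most hosts, and reports what an overnight window would miss. the host names and the online hours are constructed for the example; in practice they would come from dhcp lease logs, agent check-ins, or switch arp tables.</p>

```python
# Constructed sample: for each host, the local-time hours (0-23) during which it was
# seen on the network over an observation period. Servers are up around the clock;
# laptops only appear during their owner's working hours, and the shifts differ.
OBSERVED_ONLINE_HOURS = {
    "db-prod-01":  set(range(0, 24)),
    "web-prod-01": set(range(0, 24)),
    "lt-alice":    set(range(8, 17)),   # 08:00-16:59
    "lt-bob":      set(range(7, 16)),
    "lt-carol":    set(range(10, 19)),
    "lt-dave":     set(range(15, 23)),  # late shift
    "lt-erin":     set(range(5, 13)),   # early shift
}

def hosts_reachable_at(hour, observed=OBSERVED_ONLINE_HOURS):
    """Hosts that were online during the given start hour."""
    return {host for host, hours in observed.items() if hour in hours}

def coverage(windows, observed=OBSERVED_ONLINE_HOURS):
    """Fraction of hosts reachable in at least one of the given scan start hours."""
    covered = set()
    for w in windows:
        covered |= hosts_reachable_at(w, observed)
    return len(covered) / len(observed)

def pick_scan_windows(k, observed=OBSERVED_ONLINE_HOURS, candidate_hours=range(24)):
    """Greedy set cover: choose up to k start hours that together reach the most hosts.
    Returns (chosen_hours, hosts_still_unreachable)."""
    uncovered = set(observed)
    chosen = []
    for _ in range(k):
        best_hour, best_gain = None, set()
        for hour in candidate_hours:
            gain = hosts_reachable_at(hour, observed) & uncovered
            if len(gain) > len(best_gain):
                best_hour, best_gain = hour, gain
        if best_hour is None:          # nothing left that any hour can add
            break
        chosen.append(best_hour)
        uncovered -= best_gain
    return chosen, sorted(uncovered)

if __name__ == "__main__":
    print("overnight (02:00) coverage: %.0f%%" % (100 * coverage([2])))
    for k in (1, 2):
        hours, missed = pick_scan_windows(k)
        print(f"{k} window(s) at {hours}: {100 * coverage(hours):.0f}% covered, missed {missed}")
```

<p>with this data a single 02:00 scan reaches only the two servers, one midday window reaches everything but the late shift, and two windows (one late morning, one mid afternoon) reach every host. the greedy choice is not guaranteed optimal in general, but for a handful of windows against presence data it is good enough to pick a schedule from, and it gives you a list of hosts that no scan window will ever catch, which is exactly the list that needs an agent.</p>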
<h2 id="what-other-things-should-i-check-on">what other things should I check on</h2>
<ul>
<li>is the OS backing the scanning app still getting updates? a lot of people fire and forget scan setups, so make sure you're not running the thing off some idiot's ubuntu 12 install that went out of support years ago.</li>
<li>how much of the infrastructure are we actually scanning? do we have blind spots?
<ul>
<li>if there isn't an ipam this will be really hard to figure out, but it's very important: compare whatever address inventory you can find (ipam, dhcp scopes, cloud account ranges) against the scanner's target list.</li>
</ul>
</li>
<li>is your license sufficient, or will you have to get more approved before you can actually achieve good coverage?</li>
<li>are there any non-expiring exceptions?
<ul>
<li>if so, i recommend nuking them and rebuilding them with at most a 1 year expiration date; force the company to re-evaluate once a year whether it really wants to keep carrying these risks.</li>
</ul>
</li>
</ul>
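<p>three of the checks above (blind spots, license sizing, non-expiring exceptions) reduce to set arithmetic that is easy to get wrong by hand. the following is an added example (not code from the post or from any scanner vendor) that does them with the standard library: it subtracts the scanner's target ranges from the ipam allocations to list unscanned address space, counts how many addresses would need licensing if everything were in scope, and clamps every exception to at most a one-year expiry. the allocation names, cidr ranges, license cap and exception records are constructed for the example; the license count is in addresses, which is an upper bound on assets.</p>

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample data. In practice the allocations come from an IPAM export and
# the targets from the scanner's site / asset-group definitions.
IPAM_ALLOCATIONS = {
    "corp-users-aus":   "10.10.0.0/16",
    "search-prod-aus":  "10.20.0.0/22",
    "search-prod-use1": "10.30.0.0/22",
    "dmz-use1":         "203.0.113.0/24",
}
SCAN_TARGETS = [
    "10.10.0.0/17",      # only half of the corp-users range is actually targeted
    "10.20.0.0/22",
    "203.0.113.0/25",
]
LICENSED_ASSETS = 8192             # assumed license cap, counted in addresses here
MAX_EXCEPTION_AGE = timedelta(days=365)

def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def blind_spots(allocations, targets):
    """Ranges present in the IPAM that no scan target covers, keyed by allocation name."""
    target_nets = _nets(targets)
    gaps = {}
    for name, cidr in allocations.items():
        remaining = [ipaddress.ip_network(cidr, strict=False)]
        for t in target_nets:
            nxt = []
            for r in remaining:
                if r.subnet_of(t):
                    continue                          # fully covered by this target
                if t.subnet_of(r):
                    nxt.extend(r.address_exclude(t))  # carve the target out, keep the rest
                else:
                    nxt.append(r)                     # CIDR blocks either nest or are disjoint
            remaining = nxt
        if remaining:
            gaps[name] = sorted(str(n) for n in ipaddress.collapse_addresses(remaining))
    return gaps

def addresses_in_scope(allocations):
    """Upper bound on what would need licensing if every allocation were scanned."""
    nets = ipaddress.collapse_addresses(_nets(allocations.values()))
    return sum(n.num_addresses for n in nets)

def license_shortfall(allocations, licensed):
    """How many more licensed assets full coverage could require (0 if the cap suffices)."""
    return max(0, addresses_in_scope(allocations) - licensed)

def normalize_exceptions(exceptions, today):
    """Return a copy where no exception lives more than MAX_EXCEPTION_AGE past today.
    Entries with no expiry, or one further out, are reset and flagged for re-review."""
    cap = today + MAX_EXCEPTION_AGE
    fixed = []
    for e in exceptions:
        exp = e.get("expires")
        if exp is None or exp > cap:
            e = {**e, "expires": cap, "needs_rereview": True}
        fixed.append(e)
    return fixed

# Constructed exceptions: one never expires, one is effectively permanent, one is fine.
SAMPLE_EXCEPTIONS = [
    {"id": "EXC-1", "expires": None},
    {"id": "EXC-2", "expires": date(2030, 1, 1)},
    {"id": "EXC-3", "expires": date(2019, 9, 30)},
]

if __name__ == "__main__":
    for name, ranges in blind_spots(IPAM_ALLOCATIONS, SCAN_TARGETS).items():
        print(f"unscanned in {name}: {', '.join(ranges)}")
    print("addresses in scope:", addresses_in_scope(IPAM_ALLOCATIONS))
    print("license shortfall:", license_shortfall(IPAM_ALLOCATIONS, LICENSED_ASSETS))
    for e in normalize_exceptions(SAMPLE_EXCEPTIONS, date(2019, 6, 24)):
        print(e)
```

<p>the blind-spot output is the list to take to whoever owns the scanner targets; the shortfall number is the one to take to whoever owns the budget, before anyone promises “full coverage”; and the flagged exceptions are the ones to rebuild with an owner and a date.</p>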
</section>
<footer>
</footer>
</div>
</div>
</body>
</html>