Chapter 8: Troubleshooting Common Security Issues
Unencrypted Credentials
FTP (20, 21) –> FTPS (FTP over TLS: explicit on 21, implicit on 990) or SFTP (file transfer over SSH, 22)
HTTP (80) –> HTTPS (443). The older S-HTTP (per-message encryption) is obsolete and not supported by browsers; use HTTPS.
Telnet (23) –> SSH (22)
SNMPv1 / SNMPv2c –> SNMPv3. v1 and v2c send the community string in cleartext; v3 adds per-user authentication and encryption (authPriv).
SNMP Proxy Agents:
https://www.dpstele.com/snmp/8things-you-need-to-know.php
Logs / Event Anomalies
Events that should not be occurring on a healthy system: logins at odd hours or from unexpected sources, bursts of failures, services restarting, logs cleared or gaps in the timeline.
Permission Issues
Failed logins: a handful is normal, a burst from one source is a brute-force attempt, and a success right after the burst is the real alarm.
Access Violations: a subject reaching a resource it should not be able to (check the ACLs, not just the login).
Certificate Issues
Broken Chain of Trust: an intermediate certificate missing from the server bundle, an issuer not in the client's trust store, or an expired or name-mismatched certificate.
Data Exfiltration: unusual outbound volume, destinations, or protocols (DNS and HTTPS to unfamiliar hosts).
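The failed-login case above is the one most easily checked from a log. The script below is an added example, not material from the original notes: it parses sshd-style auth log lines, flags any source that produces five or more failures inside a sixty-second window, and then reports any accepted login from a flagged source, which is the event that should not be happening. The log lines, host name, user names and addresses are constructed for the example; the regular expression and thresholds are assumptions a real deployment would tune.

```python
"""Added example: detect brute-force bursts and success-after-failure in auth logs.
The SAMPLE_LOG below is constructed, not captured from a real host."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style lines (syslog format, no year). 203.0.113.7 hammers
# root/admin, then gets in; 198.51.100.4 is a user who mistyped once.
SAMPLE_LOG = """\
Mar 10 09:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 09:00:03 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 10 09:00:04 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 09:00:05 web1 sshd[1204]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 09:00:06 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 09:00:20 web1 sshd[1206]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar 10 09:15:00 web1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 10 09:15:30 web1 sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Assumed line shape: "<timestamp> <host> sshd[<pid>]: Failed|Accepted <method> for [invalid user] <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+\S+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<ip>\S+)"
)


def parse(log: str, year: int = 2024) -> list[tuple[datetime, str, str, str]]:
    """Turn matching lines into (timestamp, result, user, ip); syslog omits the year, so it is supplied."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter is skipped, not treated as an error
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def brute_force_sources(events, threshold: int = 5, window_s: int = 60) -> set[str]:
    """Return IPs with at least `threshold` failures inside any `window_s`-second window.

    A sliding window over the sorted failure times per IP, so a slow trickle of
    failures spread over hours does not trigger, but a burst does.
    """
    by_ip: dict[str, list[datetime]] = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def success_after_failures(events, flagged: set[str]) -> list[tuple[str, str]]:
    """Accepted logins from a flagged source: the event that should not be happening."""
    return sorted(
        {(user, ip) for _ts, result, user, ip in events if result == "Accepted" and ip in flagged}
    )


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    bad = brute_force_sources(evs)
    print("brute-force sources:", bad)
    print("successful logins from them:", success_after_failures(evs, bad))
```

The threshold and window are the knobs to tune: too low and every fat-fingered password pages someone, too high and a patient attacker stays under it. Whatever the numbers, the success-after-burst report is the line worth alerting on.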
Misconfigured Devices
Weak Security Configs
Consider web servers, which have many configuration settings scattered across many files. One critical item is SSL/TLS negotiation. Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 and offer only TLS 1.2 and TLS 1.3. SSL 3.0 is the version broken by POODLE (CVE-2014-3566), a padding-oracle attack on its CBC cipher suites: a server that still accepts SSL 3.0 lets an attacker who can tamper with the connection force a downgrade and recover plaintext such as session cookies. TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and should be off as well. Check what the server actually negotiates, not just what the config file says, since settings in a later file or a default include can override yours.
Here is a lab in a Docker container that runs a POODLE-style downgrade attack against web servers you are authorized to test. Read the page before running it:
KBID XXX – TLS Downgrade: https://github.com/blabla1337/skf-labs/blob/master/kbid-xxx-tls-downgrade.md
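To make the "check the config, then check the context" point concrete, the following is an added example and not code from the notes or from the linked lab. It audits the protocol directives in nginx (ssl_protocols) and Apache httpd (SSLProtocol) config text, showing a weak setting beside its hardened form, and then builds a Python ssl.SSLContext that refuses anything below TLS 1.2. The config snippets are constructed; the parsing of Apache's +/- tokens is a simplification (bare names are treated as additions) and is an assumption of this example rather than a reimplementation of mod_ssl.

```python
"""Added example: audit TLS protocol settings in web-server configs and build a
hardened ssl.SSLContext. Config snippets are constructed for illustration."""
from __future__ import annotations

import re
import ssl

# Protocol versions a server should no longer negotiate.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed nginx server block with the weak setting (SSLv3 still offered).
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""

# The same block after hardening: only TLS 1.2 and 1.3 are offered.
HARDENED_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
}
"""

# Apache httpd expresses the same thing as an allow/deny list (constructed lines).
WEAK_APACHE = "SSLProtocol all -SSLv2\n"
HARDENED_APACHE = "SSLProtocol -all +TLSv1.2 +TLSv1.3\n"

# Assumed expansion of the "all" keyword for this example.
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def nginx_protocols(config: str) -> set[str]:
    """Protocol versions enabled by every 'ssl_protocols' directive in the text."""
    enabled: set[str] = set()
    for m in re.finditer(r"^\s*ssl_protocols\s+([^;]+);", config, re.M):
        enabled.update(m.group(1).split())
    return enabled


def apache_protocols(config: str) -> set[str]:
    """Evaluate 'SSLProtocol' tokens left to right: +name adds, -name removes,
    'all' expands to APACHE_ALL. Bare names are treated as additions here
    (a simplification, not mod_ssl's exact semantics)."""
    enabled: set[str] = set()
    for m in re.finditer(r"^\s*SSLProtocol\s+(.+)$", config, re.M):
        for tok in m.group(1).split():
            op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = APACHE_ALL if name.lower() == "all" else {name}
            if op == "+":
                enabled |= names
            else:
                enabled -= names
    return enabled


def weak_protocols(enabled: set[str]) -> set[str]:
    """The subset of enabled versions that must be turned off."""
    return enabled & WEAK_PROTOCOLS


def hardened_context() -> ssl.SSLContext:
    """Server-side context that will not negotiate below TLS 1.2, regardless of
    what the peer offers; this is the runtime counterpart of the config check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_minimum_name() -> str:
    """Name of the negotiated floor, e.g. 'TLSv1_2', for checking without importing ssl."""
    return hardened_context().minimum_version.name


if __name__ == "__main__":
    for label, found in (
        ("nginx weak", weak_protocols(nginx_protocols(WEAK_NGINX))),
        ("nginx hardened", weak_protocols(nginx_protocols(HARDENED_NGINX))),
        ("apache weak", weak_protocols(apache_protocols(WEAK_APACHE))),
        ("apache hardened", weak_protocols(apache_protocols(HARDENED_APACHE))),
    ):
        print(f"{label}: {'OK' if not found else 'REMOVE ' + ', '.join(sorted(found))}")
    print("context floor:", hardened_minimum_name())
```

The config audit catches what is written down; the context check is what the process will actually do. Run both, because an include file loaded later or a vendor default can silently re-enable a version the main config appears to disable.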
Personnel
Acceptable Use Policy
Policy violations
Insider Threat
Social Engineering
Social Media
Only designated users post on behalf of the company
Accounts and content are property of the company
Personal Email
MDM (mobile device management)
Unauthorized Software / License Compliance
Asset Management
Authentication Issues