I recently joined a startup as part of their InfoSec team. It occurred to me that I should document the work I have been doing, and how things change when you go from being an independent security researcher to working for an organisation.
Here it goes…
I used to be the guy who was solely focused on attack vectors, and defence was one of those parts I rarely focused on as an independent security researcher. Things turned around completely when I joined the startup: my work now focuses entirely on the defence side of things and how I can contribute to it. Enhancing the security of the company, understanding which policies need to be implemented, working out how to roll those security policies out, documenting steps for handling insider threats, and many more things like that.
Work work work!
So, to deploy all these security policies, I first had to develop my skills in the field of cyber security defence. I devoted my entire first week to researching these subjects, trying to gather as much information on them as possible. Documenting is extremely important, as you might come across really good ideas, for example on how you can improve your chances of spotting an insider threat, or how a simple policy change in your web application firewall can prevent 70% - 80% of generic attacks. I kept making notes on each and every topic I researched, and saved the URLs next to those notes so that I could refer back to them later if I needed to.
Once I had a list of policies that we could deploy, the next problem was how to go ahead with the deployment. The one thing we usually underestimate while working alone is how drastically we have to scale up when working for a company. Working alone, we end up manually editing .config files, and automation never gets the attention it deserves. Instead of making the whole thing a single-step process, we think it is totally fine to leave it as a several-step process. This hits you hard when you start working for a company, because the policies we prepared are worthless if we can't deploy them with a single click or in a similar fashion.
After the policies were ready, we started looking into whitelisting the applications installed on employees' systems, and which of them could be used to break or bypass the security policies we had in place. We then had to look at each application and run tests to see whether it complied with the policies. We found various apps that let a user bypass the security measures, and a few that were not necessary in the first place and just consumed space.
Having written down the list of applications and dependencies the other employees required, and the configuration files that had to be modified so we could enforce these rules, we needed a way to deploy them. I decided to write a bash script to carry out the whole deal in one click. We had nearly 25 - 30 dependencies and a few configuration files that needed to be changed. I then set up a virtual machine where I installed each of the dependencies one by one, to figure out what problems popped up, so that they would not cause trouble when I wrote the full bash script.
Having installed all the dependencies and made the other required changes in the virtual machine, I went on to write a script that automates the entire process: all the person needs to do is press the Enter key, and every single file that is required gets installed, updated and upgraded.
This seemed like a win for me, carrying out this whole thing in the first two weeks of my internship, but then the next hurdle arose. This still isn't a corporate-level solution, as the security admin still has to manually run the script on each and every machine. It might be a single-click solution, but when you need to carry that out on 50 - 60 machines or even more, that becomes a hard task as well.
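A script of the kind described above, as an added example rather than the author's own: it reports which required tools are missing and enforces key=value settings in a config file, changing only what differs, so the same script can be re-run safely on every machine without duplicating lines or clobbering settings that are already correct. The tool names, config keys and file contents are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the author's script: an idempotent helper for a
# "one keypress" rollout. Missing tools are reported, and key=value
# settings are enforced in a config file, touching only what differs.
# Package and key names below are constructed placeholders.
set -euo pipefail

# Constructed sample: tools the policy requires to be present.
REQUIRED_PKGS="curl git auditctl"

# Print the names from $1 (space-separated) that are not found on PATH.
# `command -v` stands in for a distro-specific package query.
missing_pkgs() {
  local missing=""
  for pkg in $1; do
    command -v "$pkg" >/dev/null 2>&1 || missing="${missing:+$missing }$pkg"
  done
  printf '%s' "$missing"
}

# Ensure "key=value" is set in file $1. Prints "unchanged" when already set,
# "updated" when an existing key line was rewritten (a .bak copy is kept),
# or "added" when the line was appended. Creates the file if absent.
enforce_setting() {
  local file=$1 key=$2 value=$3
  [ -f "$file" ] || : > "$file"
  if grep -qxF "${key}=${value}" "$file"; then
    echo unchanged
  elif grep -q "^${key}=" "$file"; then
    cp -p "$file" "$file.bak"
    sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    echo updated
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
    echo added
  fi
}

# Demo run against a constructed temp file, so nothing on the host is changed.
main() {
  local cfg; cfg=$(mktemp)
  printf 'password_min_len=6\nlock_after_failures=10\n' > "$cfg"
  local miss; miss=$(missing_pkgs "$REQUIRED_PKGS")
  [ -z "$miss" ] || echo "missing tools: $miss"
  for kv in password_min_len=12 lock_after_failures=5 screen_lock_minutes=5; do
    echo "${kv%%=*}: $(enforce_setting "$cfg" "${kv%%=*}" "${kv#*=}")"
  done
  rm -f "$cfg" "$cfg.bak"
}
main
```

Running it twice in a row is the check that matters: the second run should print "unchanged" for every key, which is what makes it safe to push to 50 - 60 machines unattended.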
If you enjoyed it, please do clap and let's collaborate. Get, Set, Hack!
Telegram : https://t.me/aditya12anand
Twitter : twitter.com/aditya12anand
LinkedIn : linkedin.com/in/aditya12anand/
E-mail : email@example.com
P.S. In my next article I will explain how we dealt with the above problem as well, in more than one way actually.