Blue Teaming
Kim Crawley, Aug 16, 2021
I’m very active in the #infosec community on Twitter. I am connected to some cybersecurity and hacker friends through Signal and LinkedIn. But Twitter is where I live when I’m not doing work for Hack The Box or having fun learning with our Hacking Labs, Pro Labs, and HTB Academy. (A lot of us who now work for Hack The Box got started as hackers in the HTB Community!)
One of my Twitter #infosec friends was really excited when they learned that I manage HTB’s new blog. I mentioned that I’m always open to blog post ideas from anyone. My vision for this blog is to celebrate what we’re doing at HTB and be a fun and informative online magazine for all hackers and cybersecurity professionals everywhere. I told my manager, “my dream is for people to bookmark our blog in their web browser.”
Some of the best content we’ve published on our blog so far has been written by people who do the everyday work in making sure Hack The Box remains the ultimate educational destination for hackers, by hackers. Also a few of the posts I’ve written are based on great ideas my coworkers have shared with me. But today I’m writing a post based on a great idea one of my Twitter friends shared with me. I really wanted to credit them, but they asked to remain anonymous. My friend is a sysadmin and they wanted endpoint security tips which are useful in that role. I aim to please! So here it is, anonymous friend!
Sysadmins, or systems administrators, operate and administrate information technology for the companies they work for. Sometimes these people are called network administrators, especially when administering the company’s network is the primary focus. In smaller companies, sysadmins and network administrators may be responsible for all of their company’s cybersecurity!
Hack The Box is now world famous for teaching people the skills they need to be effective pentesters, people who simulate cyber attacks in order to find vulnerabilities (with full legal consent). What you may not know is that some of our Academy content is also very useful for cyber defense. HTB Academy has been teaching people both offensive and defensive knowledge since we launched it in November 2020. And now we also have HTB Academy for Business, which offers great gamified training for your employees.
In my career, I have researched a wide range of cybersecurity topics. The everyday work of keeping a company’s network secure is one of my major interests. So in that spirit, here are my endpoint security tips.
Network administrators need to keep both servers and endpoints secure. But a sysadmin might be working in a company that only has endpoints on their premises. In 2021, an endpoint can be anything from a traditional PC to a smart refrigerator in the employee cafeteria. But for the purposes of being concise, I will focus on PCs, phones, and tablets.
Think carefully about whether or not your company needs to permit “Bring Your Own Device.” And if you do decide to permit it, what your BYOD policies should be. In a smaller company, the sysadmin may be the main decision maker about this. Your company doesn’t have to have a network larger than a LAN in order for this to be an issue. An employee’s own phone connected to a company-owned PC via USB or Bluetooth could introduce malware to it. And that malware could be ransomware or breach sensitive company data. How should your company mitigate that risk if you permit BYOD? Maybe all employee-owned devices should be scanned for malware before they’re allowed to be mounted to a company-owned computer. Or better yet, buy an antivirus software license from your vendor that also has client applications for employee-owned devices. And integrate your antivirus completely, company-owned devices and employee-owned devices alike. BYOD policies cover a lot more than that. But that’s an example of a way to address BYOD.
On that note, if you don’t have a Data Loss Prevention (DLP) solution in your company already, buy one! When configured properly, DLP can prevent sensitive company data from being breached through BYOD and through other means as well.
All user accounts on company-owned computers should have the minimum privileges required for people to do their jobs. Yes, the principle of least privilege has been taught to IT professionals for decades. But sometimes people forget the basics. Limited privileges limit what cybercriminals can do if they take control of a user account in your company. If they want root, they’d better damn well fight to the death to escalate privileges! But they won’t succeed, because people trained through HTB know all about privilege escalation techniques.
As a related point, you will probably want to make sure only administrators have the right to install applications. Applications are very important, but they shouldn’t be introduced to your computers without examination and permission. Also, cyber attackers exploit application installation privileges in order to install malicious software. Limiting installation to administrators reduces the attack surface for that sort of exploit.
Implement 2FA anywhere and everywhere you can within the technologies your company uses. We must use passwords, but we know they’re a very flawed method of authentication. Even the most complex passwords are often exposed in data breaches and sold on Dark Web markets. A second factor of authentication means that a cyber attacker has to work harder to infiltrate a user account. Many online services have the option to implement 2FA. Often, you can also implement 2FA within the applications your company uses internally. The most secure ways to implement 2FA are through dedicated apps such as Google Authenticator or through dedicated devices such as those produced by Yubikey and Duo. It’s easier for cyber attackers to perform man-in-the-middle attacks on 2FA via SMS and email. But 2FA via SMS and email is better than no 2FA at all.
Be mindful of patch management! All software has vulnerabilities, some of which haven’t yet been discovered. But proper patch management ensures that when an application developer deploys a security patch or update, your endpoints get it ASAP. This is also important for your operating systems and firmware. Patching known vulnerabilities will still improve the security of your endpoint devices, even in a world where new zero days appear every day. Sometimes improper application configuration, poor network connectivity, a lack of necessary application dependencies, or other problems can interfere with patch management. Stay on top of things!
Prevent “Shadow IT” as much as possible. What’s Shadow IT? Shadow IT happens when employees use alternative applications and technologies to do their work. Yes, a lot of the alternatives to the applications your company provides may work very well from a functionality standpoint. The problem is that you, as the sysadmin, can’t control them. And you can’t secure what you can’t control. Shadow IT usually happens because employees are frustrated with the applications your company provides. Shadow IT can be prevented by listening to your employees and addressing their needs. “You’re using this email client because our email client isn’t very user friendly? Let’s consider using the other email client instead, but this time under the administration of our IT department.”
If possible, your company should look into deploying your own VPN. If your company is relatively small, this can be done pretty easily and inexpensively. If you have remote workers in your company, a VPN is really a must. But even if all of your workers are on your premises, an added level of network encryption can prevent man-in-the-middle attacks which can threaten your company’s sensitive data.
Firewalls are an absolute must when it comes to controlling network traffic within your company, and to your endpoints. You can have multiple firewalls, and even multiple types of firewalls. Some are software, some are dedicated hardware. Some block and filter TCP/IP ports, others block and filter specific applications and services, others block and filter according to network behavior patterns or other metrics. Set up firewalls wherever you can and make sure they’re carefully configured!
Teach your employees (and yourself!) how to avoid social engineering attacks. The primary means of social engineering in the workplace are phishing emails, phishing websites, phishing texts, phishing social media messages, and vishing over the phone. Quite often, really expensive cyber attacks have entered company networks through phishing! Sometimes these attacks have cost small and large businesses millions of dollars in a single attack. On the Dark Web, phishing kits can be easily purchased that can perfectly replicate the emails and webpages of major banks, telecommunications companies, government agencies, you-name-it. And punycode (homograph) attacks use Unicode characters in place of ASCII characters to make domain names look exactly like the domain names used by legitimate companies and utilities. Cybersecurity professionals are often the target of spear phishing campaigns these days. We’re lucrative targets because we often have a lot of network access and we foolishly think we’re too clever to be fooled. Only fools think they’re immune from being fooled.
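The punycode trick described above is something a sysadmin can check for mechanically, for instance in a mail gateway or proxy log. The following is an added example, not code from this post or from Hack The Box, that takes a hostname as it appears on the wire (`xn--` form), recovers the Unicode the user would see, and raises two findings: a label that mixes writing systems, and a label whose look-alike characters collapse onto a watch-listed domain. The watch list, the confusable table and the `analyse_hostname` function are my own constructions; a production check would use the full Unicode confusables data rather than this short table.

```python
import unicodedata

# Constructed watch list: your own domains and the brands your staff are most likely to see.
WATCHLIST = {"apple.com", "paypal.com", "example-corp.test"}

# Constructed confusable table: Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l", "\u03bf": "o", "\u03b1": "a", "\u03c1": "p",
}


def to_unicode(hostname: str) -> str:
    """Turn an ASCII xn-- hostname into the Unicode a browser would display."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        # Already Unicode, or punycode the stdlib (IDNA 2003) codec rejects: analyse as given.
        return hostname


def script_of(ch: str) -> str:
    """Writing system of a letter, taken from the first word of its Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]   # e.g. CYRILLIC, GREEK, LATIN


def skeleton(label: str) -> str:
    """Replace confusable letters with the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyse_hostname(hostname: str) -> dict:
    """Return the displayed form of a hostname and any homograph findings."""
    shown = to_unicode(hostname.lower())
    findings = []
    labels = shown.split(".")
    for label in labels:
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:                      # e.g. Cyrillic "а" inside Latin "pple"
            findings.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
    skel = ".".join(skeleton(lbl) for lbl in labels)
    if skel != shown and skel in WATCHLIST:       # looks like a brand but is not that brand
        findings.append(f"homograph of watch-listed domain {skel}")
    return {"hostname": hostname, "displayed_as": shown,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed samples: a Cyrillic-a "apple", a legitimate German IDN, a plain domain.
    for sample in ("\u0430pple.com".encode("idna").decode("ascii"),
                   "m\u00fcnchen.de".encode("idna").decode("ascii"),
                   "example.com"):
        print(analyse_hostname(sample))
```

A legitimate internationalised name such as `münchen.de` stays in one script and is left alone, which is why the check keys on script mixing and on collisions with your own watch list rather than on the mere presence of `xn--`. Note that the standard-library codec implements IDNA 2003, so characters assigned after Unicode 3.2 will not decode with it; the `to_unicode` fallback keeps such input analysable, and a gateway that needs full coverage should use an IDNA 2008 library.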
Since we launched HTB Academy for Business in June, companies in a variety of industries have benefited from our interactive courses that teach employees about a wide variety of cybersecurity topics, for all skill levels.
Some of my favorite HTB Academy for Business courses for beginners include Introduction to Bash Scripting, Introduction to Web Applications, and Login Brute Forcing. And we’re always adding new courses to address the cybersecurity needs of businesses of all kinds!