Now, to start with, NIST, the National Institute of Standards and Technology, has several documents online on disaster planning and checklists, and that's one way to get started. So if you don't have your own checklist, start here. Also, the SANS organization has a disaster recovery plan policy, along with many other policy resources you can check out on its website. Now, for years the standard operating procedure for handling devices, especially ones you thought were being attacked or taken over, was that you shut the device down and isolated it to make sure you preserved the log files and evidence. Well, now the standard can be... it depends on where the device is located and exactly what it is. Rather than disconnecting the device, you flip that device over to an isolated network for future investigation. So don't just knee-jerk and shut the device down. Think about what it is and how you have to access it. When you're investigating workstations and servers, you want to make sure your process includes backups. Image the device; make sure you have the system in its impacted state. Before you restore something and before you put something back online, make sure you have a capture of it in its impacted state. You want those actual log files. You want that evidence. And especially in case there's some sort of FBI investigation, you'll need it later on. Often in recovery, in the zeal of trying to get back online, you don't think of maintaining evidence and you forget what to do. So relax. I know that's hard, but slow down. Make sure you have a checklist and do the processes.

Now, even before an incident occurs, there are certain things you may want to have in your toolkit. For example, for servers in high-risk areas, you may want to install, or really you do want to install, Sysmon from Sysinternals. Once installed on a system, it stays resident across system reboots to monitor and log system activity to the Windows event logs. Swift on Security's GitHub site has a Sysmon configuration that you'll want to check out. Of course, since attackers these days want to do lateral movement inside an organization, you want to install and use the Local Administrator Password Solution toolkit. Attackers gain network access by using targeted phishing attacks. From there, they'll use various means to harvest hashes. Their goal is to get the local administrator password. Now, in the old days, we picked one local administrator password and used it across the entire network. These days, that's not a good idea, because once an attacker pops one password, they can't get access to the entire network. So again, look to the Local Administrator Password Solution toolkit to solve that issue. The next tool you want to bookmark but not download is something called the Microsoft Safety Scanner. It's a tool that scans, is triggered manually, and is only available for use 10 days after being downloaded, because obviously you want the latest signature files included. You'll download it, you'll accept the terms, and you'll install it on your system in order to do a scan to see what's up.


The next thing you want to make sure you have is what's called a jump bag. It can hold personal items, and it can also hold tools. For example, if you're going to travel somewhere or go into certain locations, you may need a bag of personal items: toothbrush, toothpaste, clothes. These days, with cloud computing, you'll want to make sure you have bookmarked your Azure portal links, licensing, and operating system ISOs. Being able to access the operating systems you need, and being able to boot from and restore from backups, is key to quick recovery. So, online documentation, and also offline in various paper formats. Yes, old-fashioned paper. And make sure you have the means to access such items as your company's Azure portal, volume licensing portal, or other access to ISOs and products. You may want access to a company credit card or some other purchasing authorization in order to buy resources and access services. Think about alternatives to your normal communication channels. Remember, in a disaster, e-mail or other means you normally use to contact each other may be unavailable. So having that jump bag, contact information, and alternative ways to reach key players is key, and you should review this information regularly.

So here are some things you might want in a jump bag for an on-premises situation: network cables, USB cables, hard drives, SSDs, external USB drives, flash drives, device interface adapters, a handheld label printer in order to label drives and things that you're taking out for incident handling, hub devices, digital cameras, cable ties and cable snips, screws, notebooks, chain of custody forms so you document and have a witness of how items were obtained, incident handling procedures, and finally business cards for all members of the team, so that when you go into a situation, you can hand out authoritative information about who's on that team.

As we go to the cloud, we move to a different set of proper steps in order to deal with compromised accounts. For example, in Office 365, you'll want to follow the Microsoft recommendations on how to secure and restore e-mail function. You want to reset passwords. You want to make sure you have multi-factor enabled. You want to block the user account from signing in again; follow the steps here. Then you'll want to go and review the Microsoft Secure Score and what to do, if you haven't already. Take a look at the security roadmap. Look at the 30-day-out steps, the 90-day-out steps, and the beyond steps, constantly reviewing what threats and risks are coming to cloud security. And finally, you want to review the Microsoft Secure Score. Here in my sample tenant, I have a lousy score. You want to get that total score higher. You want to be where the attackers go to somebody else who's easier to attack, not you.
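The evidence points above (capture a device in its impacted state before restoring it, and use chain of custody forms so there is a record and a witness of how each item was obtained) as an added Python example, not code from the original course: it hashes each captured artifact and appends a hash-chained custody entry, so tampering with either the evidence or the record is detectable. The field names, the JSON-lines log layout and the sample evidence file are assumptions for illustration.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first entry in a fresh log


def sha256_file(path):
    """SHA-256 of a captured artifact (image, log export) in its impacted state."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _last_entry_hash(log_path):
    # Hash of the newest log line, or GENESIS when the log does not exist yet.
    if not os.path.exists(log_path):
        return GENESIS
    with open(log_path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    return hashlib.sha256(lines[-1].encode()).hexdigest() if lines else GENESIS


def record_custody(log_path, item_path, handler, witness, note):
    """Append one entry: who collected the item, who witnessed it, the item's
    hash, and the hash of the previous entry (assumed JSON-lines layout)."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "item": os.path.basename(item_path),
        "item_sha256": sha256_file(item_path),
        "handler": handler,
        "witness": witness,
        "note": note,
        "prev_entry_sha256": _last_entry_hash(log_path),
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log(log_path, evidence_dir):
    """True only if every entry links to its predecessor and every item still
    hashes to the value recorded at collection time."""
    prev = GENESIS
    with open(log_path, encoding="utf-8") as f:
        for line in f.read().splitlines():
            e = json.loads(line)
            if e["prev_entry_sha256"] != prev:
                return False  # entry inserted, removed or reordered
            if sha256_file(os.path.join(evidence_dir, e["item"])) != e["item_sha256"]:
                return False  # evidence file modified after collection
            prev = hashlib.sha256(line.encode()).hexdigest()
    return True
```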
So take the time now when you're not in the middle of a disaster to plan on having one. Make sure you're ready. Ready for when the event occurs. Not if.