Sunday, February 18, 2018

Infosec quotes - office as admin

You're flirting with disaster if you allow your users to check email and open Office attachments with a local admin account.

“... Unfortunately a very high proportion of users do run office as an admin user...”


https://twitter.com/dvk01uk/status/965441413814145029 

Infosec quotes - ir playbook

“... Your IR playbook needs to be more than rebuilding machines ...”


https://twitter.com/vysecurity/status/965376791249604608 

Infosec quotes - re-image doesn’t solve

Re-image doesn't always solve your problems.

Incident responder: "The machine was infected with crimeware. We just had IT rebuild the system. End of story." Nation-state attacker: "We got our foothold and only lost a single host in the process."


https://twitter.com/mattifestation/status/965248744810676224 

Infosec quotes - HTA files are a risk

“... HTA's continue to be a vector for entry. 
Consider these mitigations.
1. Blocking application/hta at Proxy
2. Default file handler for .hta == notepad.exe 
...”


https://twitter.com/subtee/status/963529741834727424 
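Mitigation 2 above, as an added PowerShell example that is not from the tweet or this blog: it reads the current htafile handler, backs the value up, and points it at notepad.exe so a double-clicked .hta opens as text rather than running under mshta.exe. It assumes the stock Windows ProgID mapping (.hta to htafile under HKLM\SOFTWARE\Classes) and an elevated session.

```powershell
# Added example: repoint the .hta shell handler at notepad.exe.
# Assumed (not from the page): stock mapping .hta -> htafile under HKLM\SOFTWARE\Classes.
$htaExt     = 'HKLM:\SOFTWARE\Classes\.hta'
$htaCmd     = 'HKLM:\SOFTWARE\Classes\htafile\shell\open\command'
$notepadCmd = '"{0}\System32\notepad.exe" "%1"' -f $env:SystemRoot

function Get-HtaHandler {
    # Returns the command currently run for htafile (mshta.exe on a default install).
    if (-not (Test-Path $htaCmd)) { return $null }
    (Get-ItemProperty -Path $htaCmd -Name '(default)').'(default)'
}

function Set-HtaHandlerToNotepad {
    # Record the current value, then replace it; returns before/after for the change log.
    $current = Get-HtaHandler
    if ($null -eq $current) { throw 'htafile ProgID not present; nothing to change' }
    $ext = (Get-ItemProperty -Path $htaExt -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    if ($ext -ne 'htafile') { Write-Warning ".hta maps to '$ext', not htafile; check that ProgID too" }
    Set-ItemProperty -Path $htaCmd -Name '(default)' -Value $notepadCmd
    [pscustomobject]@{ Before = $current; After = (Get-HtaHandler) }
}

Set-HtaHandlerToNotepad
```

This only changes what the shell launches for a .hta file; mshta.exe itself still runs when called by name, which is why the tweet pairs it with blocking application/hta at the proxy.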

Saturday, February 17, 2018

Infosec quotes - antivirus alerts do not mean problem solved

Realize that antivirus alerts don't mean the problem is solved. The antivirus usually just detects a single remnant of a bigger problem.

@jepayneMSFT says “... WMI persistence often needs a post detection remediation step ... like rebuilding the WMI database. For attackers this is a great advantage, especially in less informed IT organizations who might think an AV pop up means 'problem solved.' ...”


https://twitter.com/jepaynemsft/status/964572908973572096 

Infosec quotes - SAN traffic

“... Run iSCSI on an entirely segregated network ... This is best practice for any form of SAN traffic .... Segregate management and non-essentials services from end-user desktop networks ...”


https://www.pentestpartners.com/security-blog/an-interesting-route-to-domain-admin-iscsi/ 

Infosec quotes - container credentials

“... The private data was stored in containers provided by cloud provider Rackspace. The hacker found the key and credentials to those containers inside the Android app ... stored in plaintext, meaning the hacker could take them and gain access to the server...”