
Overwhelmed

#1

sd2000

Hello @Steve and Everyone,

I have been a listener of Security Now since EP.1, and the thing is I am not clueless on security. Recently I have been feeling overwhelmed with all of the security problems like PrintNightmare: turn off spooler, turn on spooler, and so on and on. I just need to find a solution to secure all of my devices with at least a small level of automation. Does anyone have some ideas?


#2

SeanBZA

Other than suggest using firewalls on the connections, both for the Internet side and for the user side, preferably using another machine on each side, with 2 NICs in the unit, so you can have full control of traffic going through. That way you can run some transparent proxy on them, and filter out all connections that are not needed, and even filter on the ones going through to handle known issues.

Does mean you now have to have 2 extra, not so powerful machines, which you also have to keep updated, but if you run CentOS on both, and set it to auto update, you will have relatively little extra maintenance overhead. Also have the passwords to the other machines be really long, really random, and have fail2ban enabled as well, on all connections.


#3

PHolder

A networked device is a bit like adopting a pet. There is a commitment attached... you need to feed and care for it. In the case of network devices and IoT devices, that means segmenting your network so the IoT devices have no access to your primary devices (or maybe more generally that no device has access to any other unless necessary... the least privilege principle.) It also means making sure you do your updates so that hopefully any problems that could have affected you get patched before any risk develops. Additionally, as already suggested, a good firewall is a great suggestion, and the cheapest ones, like the ERX that @Steve has recommended in the past, can be helpful, as they allow for network segmentation. The downside of all of this is that it's tedious and not really fun unless you are the nerdy type who really wants to dig into all the details.


#4

rfrazier

That's not a small request. And, you're right, it is overwhelming. And depressing. Here are some random thoughts.

* Automation across devices outside of a corporate environment is hard.
* List all your devices that you're willing to spend time updating. That can get out of hand quickly.
* Turn on auto updates IF the device supports it and IF you trust the source of the updates. You can set auto updates at an app level too. Do I trust MS to update Windows? I did with Windows 7, which I still have. Would I with Windows 10? I'm not so sure. They keep breaking people's systems. Do I trust Google to update my Android tablet? Well, no. At this point, I think Google is one of the MOST evil companies. So, I have Android set to not auto update apps. I manually update the ones that I think might relate to a security risk, including the AV, various web browsers, VPN, email sometimes, etc. Most other apps, I don't update unless they stop working. The other reason I don't always auto update is updates break things and change user interfaces that I'm used to. Do I allow the tablet to auto update the system itself? Again, usually no. If I do, I have to spend hours going through all the settings and checking them to make sure something wasn't changed that wasn't in my best interest. In terms of my Windows PC's apps, browsers are set to auto update, email is, I update the VPN as needed, AV is on auto update. Most other things, I don't update unless I need to. Everybody will have different answers to these things.
* Do I auto update IoT things? NO, I don't own IoT things. If I did, my answer would depend on how much I trust the company not to snoop on me, lose my data, or break my device.
* Do I auto update routers? NO. But, I'm running DD-WRT and I have ALL external features turned off. If you update a router, at least in the past, you have to reset all your settings. So I leave it be and let it run.
* Having said all that, routinely patch or autopatch all the things you're comfortable with.
* Don't expose ANYTHING you don't need outside your firewall.
* Segment your LAN to separate your IoT if you have IoT.
* Reduce or eliminate things that use firmware AND are connected to the internet.
* Listen to Steve and Leo every week.
* Evaluate your risk exposure to new threats and determine if they need action AND, if you're willing to spend the time on it based on your analysis, KEEPING in mind the philosophy of not exposing anything outside the firewall.
* Periodically run @Steve's Shields Up against your external IP address.
* Be aware that things like cable modems / routers can be remotely reset and programmed by the cable company and can change their settings. I recommend running your own router that you control behind theirs toward the inside of your network.
* Explaining this to your parents or grandparents or even probably your kids is difficult or impossible.
A networked device is a bit like adopting a pet.
@PHolder is right. There's a lot involved. At this point, your eyes may be crossed and you may be throwing your PC across the room. That usually doesn't help. This may help psychologically. I don't think anyone who isn't willing to spend many hours per month on device maintenance can keep up on all this, especially if you have a few PC's, a few tablets, and a few phones.
* Try to pick and choose the most dangerous threats and evaluate your attack surface. Focus your time on the few critical things. Some things you can ignore for a while before they get to be a problem.
* Separate topic, but don't drive an internet connected car. If you do, try to disconnect it.
* Take some time away from worrying about all of it periodically and let off some mental steam, peacefully.

Sorry, but I don't think there is a simple easy cheap fast automated solution. But, then again, you probably don't spend too much time worrying if an asteroid will hit your house. It's catastrophic but unlikely, and you can't control it. So, pick your battles. Most people don't worry about any of it. They just use their devices and defaults and hope nothing happens. I don't advocate that. I don't think most here would. But, you still have to strike a balance that doesn't drive you insane. Also, understand that you can only do what you can do, and you can only control what you can control. Try not to fret too much about the impossible or improbable. And, I have to take my own advice.

See, I was able to ignore at least 10 other things while typing this. :cool:

Hope this helps.

May your bits be stable and your interfaces be fast. :cool: Ron


#5

Dave

(image attachment: 1631647809588.png)


#6

rfrazier

Or as C3PO on Star Wars would say ... DOOOOMED ... with very sad vocal inflection.

Ron


#7

Lob

Consider this; you're with a group of people and suddenly you're being chased by a zombie. You only need to outrun the slowest person.....

That said, disable UPnP on your perimeter, enable client isolation on your network wherever possible, and update whatever you can as soon as you can. Always change default settings such as username (if possible) and password. Have a separate network where you have IoT devices, especially cheap ones. If you don't know how they will be updated, or if they will, segregate them and plan for a failure in that network.

There might be more than one zombie, of course, but if you're blocking the zombie from getting to you, it will move to an easier target.

You also want to have a zombie apocalypse like The Walking Dead and not one like the ones in Black Summer, World War Z or 28 Days Later......


#8

rfrazier

AND make sure that remote administration from the WAN side is disabled on all routers.

May your bits be stable and your interfaces be fast. :cool: Ron


#9

sd2000

Hi Everyone, thank you all for your replies! Well, I am sort of doing most of those things, mainly looking out for the big threats with Steve's help on Security Now. Thank you Steve! I guess it's really that PrintNightmare vulnerability: every time I turn around somebody says "I can't print, why can't I print?", then I explain it again and they roll their eyes. I turn the print spooler on, then I turn it off, then start over. So all of that has made me question my entire security profile and the length and breadth of my attack surface and how I can monitor everything security-wise, and then I come to the conclusion I can't. I often think of switching to Linux, but I support a lot of friends and family and they would never be able to switch.
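Post #1 asks for at least a small level of automation, and post #9 describes the manual Print Spooler on/off cycle that PrintNightmare forced on people. The PowerShell script below is an added example, not code posted by anyone in this thread: it turns that cycle into a repeatable audit-and-enforce step across a list of Windows PCs. It assumes PowerShell Remoting (WinRM) is enabled on the targets and that the account running it is a local administrator on each one; every host name is a placeholder, and the script file name used in the usage note is hypothetical.

```powershell
# Added example for this thread (not any poster's code).
# Inventory the Print Spooler service on a set of Windows PCs and, in Enforce mode,
# stop and disable it on every host that is not on the keep-printing list, while
# re-enabling it on hosts that do need to print but were left disabled last time.
# Assumes WinRM is enabled and you are a local admin on each target. Host names are placeholders.
param(
    [string[]]$Computers    = @('PC-PLACEHOLDER-1', 'PC-PLACEHOLDER-2', 'PC-PLACEHOLDER-3'),
    [string[]]$KeepPrinting = @('PC-PLACEHOLDER-1'),   # hosts that genuinely need to print
    [ValidateSet('Audit', 'Enforce')]
    [string]$Mode = 'Audit'                            # Audit only reports; Enforce changes the service
)

$results = Invoke-Command -ComputerName $Computers -ErrorAction Continue `
    -ArgumentList $KeepPrinting, $Mode -ScriptBlock {
    param([string[]]$KeepPrinting, [string]$Mode)

    $svc = Get-Service -Name Spooler
    # Installed printer names, so the report shows what disabling the spooler would break.
    # Get-Printer needs a running spooler, so a stopped host simply reports no printers.
    $printers  = @(Get-Printer -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
    $mustPrint = $KeepPrinting -contains $env:COMPUTERNAME   # case-insensitive match
    $action    = 'none'

    if ($Mode -eq 'Enforce' -and -not $mustPrint -and $svc.StartType -ne 'Disabled') {
        # Host does not need to print: stop the service and keep it from starting at boot.
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $action = 'disabled'
    }
    elseif ($Mode -eq 'Enforce' -and $mustPrint -and $svc.StartType -eq 'Disabled') {
        # Host needs printing but was left disabled during an earlier on/off cycle.
        Set-Service  -Name Spooler -StartupType Automatic
        Start-Service -Name Spooler
        $action = 're-enabled'
    }

    $svc = Get-Service -Name Spooler   # re-read so the report shows the final state
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status
        StartType = $svc.StartType
        MustPrint = $mustPrint
        Action    = $action
        Printers  = ($printers -join '; ')
    }
}

# One row per reachable host; hosts that failed to connect show up as errors above the table.
$results | Sort-Object Computer |
    Format-Table Computer, Status, StartType, MustPrint, Action, Printers -AutoSize
```

Run it first as `.\Spooler-Check.ps1` (Audit mode) to see which machines have the spooler running and what printers they have, then `.\Spooler-Check.ps1 -Mode Enforce -KeepPrinting 'PC-A','PC-B'` to disable the service everywhere except the named hosts. Keeping the allow-list explicit, rather than guessing from installed printers, is deliberate: the family PC that must print stays working, every other machine loses the spooler as an attack surface, and re-running the script after someone toggles the service by hand restores the intended state.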


#10

MichaelRSorg

For routers and networks see RouterSecurity.org. There are two lists of config changes on the home page, a short list for non techies and a long list for us computer nerds.

For defense in general, see DefensiveComputingChecklist.com.

If you care about security, stop using Windows. Really. Leo has.


#11

MichaelRSorg

* Do I auto update routers? NO. But, I'm running DD-WRT and I have ALL external features turned off. If you update a router, at least in the past, you have to reset all your settings. So I leave it be and let it run.

Auto updating is fine for non-techies. Us techies prefer to choose the time when we update. As for resetting all settings, that is not true, in general. If it's true for DD-WRT, that is a reason to avoid DD-WRT. That is a miserable design. Any good router will let you back up all the current configuration settings.

Still, the concept is correct, updating a router means taking a risk that something will go wrong and knock you off-line. This is a big reason why I prefer Peplink/Pepwave routers. Like ChromeOS on a Chromebook, their routers have two copies of the firmware. You update the non-running copy and then reboot into it. If the new release causes a problem, just reboot back to the prior known-good firmware. No risk.


#12

sd2000

Auto updating is fine for non-techies. Us techies prefer to choose the time when we update. As for resetting all settings, that is not true, in general. If it's true for DD-WRT, that is a reason to avoid DD-WRT. That is a miserable design. Any good router will let you back up all the current configuration settings.

Still, the concept is correct, updating a router means taking a risk that something will go wrong and knock you off-line. This is a big reason why I prefer Peplink/Pepwave routers. Like ChromeOS on a Chromebook, their routers have two copies of the firmware. You update the non-running copy and then reboot into it. If the new release causes a problem, just reboot back to the prior known-good firmware. No risk.

Well, your sites are what I was looking for. You are bringing together most if not all of the important actions that Steve has espoused over the years, as far as I have read. Thank you! I have heard a lot of these things but was unable to keep track of them.