I have been thinking about the PaulDotCom argument that good security is hard. Obviously it is. Application Whitelisting is way harder than AntiVirus from a deployment perspective. I’m going to try some compromises that are medium difficulty. My goal is for these to be a stepping stone towards the hard changes.
My first change is implementing honey IP ranges and honey DNS entries as a stepping stone towards full honeypots. I’ve already got the easy monitors for network scanning. They are pretty worthless. I entered requests to get a couple blocks of IP ranges reserved across the network. I asked for ranges mixed in to various user environments, server environments, etc. I’ve also got DNS entries reserved. Some are straight from the dnsrecon list, others are custom based on the business as well as key employees. I don’t have honeypots yet, but this seems like a decent start.
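The alerting side of the honey ranges and honey DNS names is the part that makes them useful: nothing legitimate should ever touch them, so a single hit is worth more than a hundred generic scan alerts. This is an added example, not the author's code; the ranges, hostnames and both log formats are constructed for illustration.

```python
import ipaddress
import re

# Constructed example: reserved "honey" ranges and DNS names. Nothing here is real.
HONEY_NETS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "10.7.200.0/26")]
HONEY_NAMES = {"vpn-old.example.corp", "payroll2.example.corp", "jsmith-laptop.example.corp"}

# Constructed log formats (not any specific product's): one for firewall connections, one for DNS queries.
CONN_RE = re.compile(r"^CONN src=(\S+) dst=(\S+) dport=(\d+)$")
DNS_RE = re.compile(r"^DNS client=(\S+) qname=(\S+)$")


def check_line(line):
    """Return an alert string if the line touches a honey range or honey name, else None."""
    m = CONN_RE.match(line)
    if m:
        src, dst, dport = m.groups()
        if any(ipaddress.ip_address(dst) in net for net in HONEY_NETS):
            return f"honey-ip: {src} -> {dst}:{dport}"
        return None
    m = DNS_RE.match(line)
    if m:
        client, qname = m.groups()
        # Normalise: resolver logs often carry a trailing dot and mixed case.
        if qname.rstrip(".").lower() in HONEY_NAMES:
            return f"honey-dns: {client} looked up {qname}"
    return None


def scan(lines):
    """Run every line through check_line and group alerts by source host, so one scanner
    sweeping a whole honey block shows up as one entry with many hits rather than N tickets."""
    alerts = {}
    for line in lines:
        hit = check_line(line)
        if hit:
            src = hit.split()[1]  # second token is always the source/client address
            alerts.setdefault(src, []).append(hit)
    return alerts


# Constructed sample log: one host doing normal work, then sweeping a honey range and
# resolving a honey name; a second host doing only ordinary lookups.
SAMPLE_LOG = [
    "CONN src=10.1.1.15 dst=10.1.1.20 dport=445",
    "CONN src=10.1.1.15 dst=10.20.30.7 dport=445",
    "CONN src=10.1.1.15 dst=10.20.30.8 dport=445",
    "DNS client=10.1.1.15 qname=payroll2.example.corp.",
    "DNS client=10.1.1.40 qname=www.example.corp",
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG).items():
        print(f"{src}: {len(hits)} honey hits")
        for h in hits:
            print("  ", h)
```

Feeding the real firewall and resolver logs into `scan` in place of `SAMPLE_LOG` (with the regexes adjusted to their actual formats) gives a list that is short enough to act on, which is the whole point of the honey ranges.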
My second change is that I’m investigating web filter whitelisting for non-standard domains. I’ve already got the dynamic DNS services (No-IP, DynDNS) blocked with a few exceptions. My next step is going to be to do the same for the under-used TLDs. If it isn’t com, net, edu, gov, or mil, I am considering a whitelisting approach. So for instance, we have no business in Libya. The .ly TLD will be blocked with the exception of bit.ly.