Holistic Enterprise Security

I participated in a brief discussion on Twitter regarding the Podesta email breach. I blame the DNC for the breach.

Clinton and Podesta were functionally using shadow IT. There really isn’t any excuse for not detecting it. So then what? Do you declare it unsupported or assess the risk and implement compensating controls?

How expensive is monitoring for a few dozen extra email addresses on HaveIBeenPwned?
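To put a number on that cost, here is a small monitor, added as an example and not part of the original post, that checks a list of addresses against the HaveIBeenPwned v3 API and reports only breaches not seen on a previous run. It assumes the documented v3 behaviour (breachedaccount endpoint, an `hibp-api-key` header, a required `user-agent`, HTTP 404 meaning "not found"); the addresses and replies in the sample are constructed.

```python
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Assumed from the HIBP v3 docs; the truncated default reply carries just breach names.
HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{}"


def parse_response(status, body):
    """Turn one HIBP reply into a set of breach names; 404 means the address is clean."""
    if status == 404:
        return set()
    if status != 200:
        raise RuntimeError(f"unexpected HIBP status {status}")
    return {breach["Name"] for breach in json.loads(body)}


def query_hibp(address, api_key):
    """Live lookup over the network; the monitor below accepts any lookup function."""
    req = urllib.request.Request(
        HIBP_URL.format(urllib.parse.quote(address)),
        headers={"hibp-api-key": api_key, "user-agent": "vip-breach-monitor"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return parse_response(resp.status, resp.read())
    except HTTPError as err:
        return parse_response(err.code, b"")


def new_breaches(addresses, known, lookup):
    """Diff current results against the last run's state; return {address: [new names]}."""
    alerts = {}
    for addr in addresses:
        seen = lookup(addr)
        fresh = seen - known.get(addr, set())
        if fresh:
            alerts[addr] = sorted(fresh)
        known[addr] = seen  # persist this between runs (a JSON file is enough)
    return alerts


# Constructed sample replies standing in for two HIBP answers (not real data).
SAMPLE_REPLIES = {
    "vip1@example.org": (200, b'[{"Name": "ExampleBreachA"}, {"Name": "ExampleBreachB"}]'),
    "vip2@example.org": (404, b""),
}


def offline_lookup(address):
    status, body = SAMPLE_REPLIES[address]
    return parse_response(status, body)


if __name__ == "__main__":
    state = {"vip1@example.org": {"ExampleBreachA"}}  # already known from a prior run
    print(new_breaches(list(SAMPLE_REPLIES), state, offline_lookup))
```

For a real run, pass `lambda a: query_hibp(a, API_KEY)` as the lookup and keep the rate limit of your key in mind when sizing the list.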

These folks already have administrative assistants and likely physical security details. If your organization is willing to spend those resources, why can’t you spend some resources assisting with the secure configuration of personal devices?

To take it a step further, give them a SOHO router IT remotely manages. You can decide how comfortable the VIP and the organization is with the relationship. Are you just doing secure configuration? You can throw OpenDNS on it for ‘blind’ basic security.

In a Cisco environment, you can hand out 881 devices that automatically VPN back. The VIP can take home a hardware VoIP phone. You can provision dedicated wireless for the VIP devices. The person won’t even have to worry about VPN in their home office.

Updated Home Network

I’ve updated my home network security posture. I’m pleased with it. Prior to the update, I was monitoring my traffic using a span from my internal router to Security Onion. My home network is an external router (from my ISP), my DMZ equipment (Set Top Box), an internal router (DD-WRT), and then my internal network.

The span was giving me performance issues on my router. I disabled it. I’m back to using a physical tap on the external interface of the DD-WRT router. I’m losing visibility due to the NAT, but my environment is limited enough that I should be able to infer who is doing what.

My sensor is now a CentOS box with Bro, Splunk, and Nessus. Bro is monitoring the tap. I’m in the process of configuring Nessus to scan my hosts. Splunk is Splunk’ing all the data. I decided to leave Security Onion since I found the full packet capture to be unnecessary for my environment and I strongly prefer Splunk over Elsa.