Category: Best Practices

Creating a Report for Senior Managers
Introduction

Any employee could be called upon to write a report for senior staff. Senior managers are focused on profit and want a very brief overview of systems, people, projects under their responsibility. I recommend the report should be no more than two pages long and contain items of interest that can be shown as a percent or objects that are actionable.

Suggested Items to Report

For an enterprise security report, here is a list of potential or suggested items.
- Vulnerability data
  - Discovered vulnerabilities by scanning. (critical or exploitable).
  - Total company vulnerability risk score.
  - Company risk score trends chart.
  - Company external third-party vulnerability risk score. (BitSight or UpSight Score).
- Threat Intelligence
  - Third Party data breach disclosures. Any venders that you use on a regular basis were hit?
  - Emerging vulnerability threats from threat intel sources.
  - Vendor external third-party vulnerability risk score. (BitSight or UpSight Score).
- SIEM data
  - Count of events, alerts, or incidents. List types and severity.
  - Avg time to close an event.
  - Count of total number of assets.
- Firewall Stats
  - Count of foreign country blocks.
  - Count of weekly VPN connections (are WFH employees able to make successful connections?)
  - Count of number of files that were Ftp’d to the company.
- Email stats
  - Count of Inbound blocks from email filters. (block by sender, domain, body, subject, etc).
  - Count of Outbound mail flow stats, how many were sent, etc.
  - Count of phishing emails were reported and that were blocked, allowed or spam, clean, threat.
  - Phishing trends chart.
- User Behavior
  - Who are the risky users (clicked on a URL link, downloaded software, etc.)
  - List any discovered passwords.
  - Vulnerable service accounts, (outdated passwords, etc).
  - PIM activations ? Sensitive group changes?
- Future Initiatives
  - Hardening initiatives
    
    How many hosts have local admin rights still?
    
    Workstation / server hardening scan results. Percent of assets that meet PCI CIS Cisco DISA FDCC HIPPA standards.
    
    How many Firewall rules are not being used. Have a 0-hit count.
  - BYOD devices.
    
    Count of users accessing company resources using BYOD (i.e. email, teams, or SharePoint)
    
    Are there BYOD assets patched, meet a minimum OS version?
April 25, 2024
Generic Outline for Writing a Policy or Procedure
Initial Thoughts

Polices are global in nature. All company employee’s are expect to follow the guidelines. Examples of polices include: the Acceptable Use Policy (AUP), Memorandum of Understanding (MOU), or Bring Your Own Device (BYOD) to work. These a often generic guidelines that all employees must adhere to. On the other hand, procedures are typically at the department or team level. They are a step-by-step guide book. Many departments will have multiple Standard Operating Procedure (SOP) for a wide variety of topics.

When writing either, they follow a general outline. Here is some generic language to get you started.

General Outline

1. Purpose – Define the purpose of the policy.

“The purpose of this procedure is to set forth the process for investigating, evaluating, and recovery from a security Breach to comp[any information assets, data, or other resources.”

2. Requirements – Why is this required? What standards are to be followed? PCI data security standard (PCI DSS)? What other Legal or regulatory rules apply?

“Payment Card Industry Data Security Standards (PCI DSS) were developed specifically to provide a baseline of technical and operational requirements designed to protect account data, to protect against threats, and secure elements in the payment ecosystem. The company adheres to all PCI DSS standards.”

“Standards & Organizational Controls (SOC 2) was developed to audit internal controls. Compliance helps provide information and assurances to customers of how you process users’ data and keep it private. The company will conduct a SOC2 audit bi-annually based on the published schedule.

“The company adheres to all PCI DSS standards. HIPPA standards, CISA hardening requirements, and SOC2 audit requirements. Specifically, this procedure is mandated by PCI Standard 12.10.1, 10.10.3, 12.10.5, 12.10.06. See the PCI standards listed in the Appendix.”

3. Definitions – Define any terms or definitions used in the document.

4. Process & Procedure – Typically a flow chart. Also, what data is to be evaluated (input), what results are expected (output). Are any records created ? Any reports generated?

5. Role Responsibilities – Who is to do what? Who is to use this procedure?
- Computer end user will notify security in the event of a suspected event.
- Security analyst will gather the PC and any data necessary for an analyst.
- Forensic analysts will analyze the collected data and conduct the investigation.
- Any communication to the executive committee will be conducted by the CISO.
- A member of the executive committee will be responsible for speaking on the company’s behalf to law enforcement, legal, and the public.
7. Communication, Exceptions, & Sanctions – Who is this procedure to be communicated to? All employees? Who is exempt from following the policy? Who should they contact to get an exemption? What is the penalty if it is not followed?

“Any training about this procedure will be provided by the security team. Any modifications to this procedure is the responsibility of the oversight committee. If a user needs to request an exemption to this policy, or the policy needs to be updated, please contact the HR department.”

“Any employee, contractor, or user who willfully violates this procedure is subject to disciplinary action up to and including termination. Company reserves the right to pursue legally permissible action it deems necessary to protect its interest and the interests of its customers. Further information, see Employee Handbook”.

8. Document Control – Who is the owner of the document, how often is it reviewed (annually?), Revision history chart is needed.

“This document is maintained by the Human Resources Department. Content owner is responsibly for identifying circumstances that might warrant out-of-cycle reviews (such as process changes, regulatory changes, etc.). A review should be initiated no more than 12 months after the last review.

“This document is maintained by the Human Resources Department. This document is available online in the SharePoint Library and it published for viewing by all employees. Version 1.6 is the current approved version of this document.”

Create a Bordered Table with the following columns: Revision date, description, approved by, version #

9. Appendix – A written copy of the PCI standards that the document references. A URL or other notes or documents.
April 21, 2024

Test your DNS Proxy using a PowerShell Script

Introduction

Most company’s have a policy to block dangerous websites for employees. Pornography, hate, gambling, social media are all categories that should be blocked. Either, they are big time wasters, or may be required by law to be blocked.

Although you may have your proxy turned on correctly, that does not mean the bill got paid. Usually, a proxy will default to open for all users. You may be asked by outside 3rd party auditor’s or a senior manager to provide proof that the DNS proxy is actually working and blocking non-approved content.

The script

This PowerShell script will run as the current logged on user and send an email with the results. It will print the email in HTML format and each URL that it tests will be color coded. Red means site was blocked, green for site was successfully accessed, and gray for error.

You will need to provide a list of websites in text document with one URL per line. I have included one below, as an example.

# test-web-proxy.ps1
# Set location of the URL text file
$URLListFile = "C:\users\user1\Desktop\websitelist.txt"
$URLList = Get-Content $URLListFile -ErrorAction SilentlyContinue
$Result = @()
$LocalProxy = "Web Proxy: WebSense"
$date = Get-Date -Format "yyyy-MM-dd"
$user = $env:USERNAME

# Loop through each URL and gather needed info
foreach ($Uri in $URLList) {
    try {
        # Setting TLS version for compatibility
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls
        $request = Invoke-WebRequest -Uri $Uri -UseDefaultCredentials
        $time = (Measure-Command { $request }).TotalMilliseconds
    }
    catch {
        $request = $_.Exception.Response
        $time = -1
    }

    # Create Results
    $Result += [PSCustomObject] @{
        Time = Get-Date
        Uri = $Uri
        StatusCode = [int]$request.StatusCode
        StatusDescription = $request.StatusDescription
        TimeTakenMilliseconds = $time
    }
}
# Create Report
if ($null -ne $Result) {
    $Outputreport = @"
    <HTML>
    <TITLE>Web Access Audit</TITLE>
    <BODY style="background-color:peachpuff;">
    <font color ="#0000ff" face="Microsoft Tai le">
    <H2>Web Access DNS Policy Audit</H2></font>
    <ul>
    <li><font color = black><B>Date: $date</B></li>
    <li><font color = black><B>$LocalProxy</B></li>
    <li><font color = black><B>Access Policy: General user.  Access to the identified sites is restricted.</B></li>
	<li><font color = black><B>Account Tested: <font color="red">$user</font></B></li>
    </ul>
    <ul>
    <li><font color = green><B>Green = Blocked!</B></li>
    <li><font color = red><B>Red = NOT Blocked!</B></li>
    <li><font color = gray><B>Gray = Header or NOT Found!</B></li>
    </ul>
    <Table border=1 cellpadding=0 cellspacing=0>
    <TR bgcolor="#787878" align=center><TD><B>URL</B></TD><TD><B>StatusCode</B></TD><TD><B>StatusDescription</B></TD></TR>
"@
    foreach ($Entry in $Result) {
        $bgColor = switch ($Entry.StatusCode) {
            200 { "#F68B8B" }
            403 { "#93F072" }
            default { "#787878" }
        }
        $Outputreport += "<TR bgcolor='$bgColor'><TD>$($Entry.Uri)</TD><TD align=center>$($Entry.StatusCode)</TD><TD align=center>$($Entry.StatusDescription)</TD></TR>"
    }
    $Outputreport += "</Table>"
    $Outputreport += "</BODY>"
    $Outputreport += "</HTML>"
}

# send email with results
$smtpServer = "exchange.company.com"
$smtpFrom = "hostname@company.com"
$smtpTo = "user@company.com"
$subject = "Web-Access-Audit - $date"
$body = $Outputreport

Send-MailMessage -SmtpServer $smtpServer -From $smtpFrom -To $smtpTo -Subject $subject -Body $body -BodyAsHtml

Save this file as a ‘websitelist.txt’ file.

*Chat & Instant Messaging*
https://messenger.yahoo.com/
https://www.aim.com/
https://web.whatsapp.com
*Web-Based Email*
https://gmail.com/
https://hotmail.com/
https://mail.yahoo.com/
*Gambling*
https://onlinegambling.com/
https://www.draftkings.com/
https://www.fanduel.com/
*Photo Search & Images*
https://www.shutterfly.com/
https://photoshack.com/
https://www.smugmug.com/
*Peer File Transfer (P2P)*
https://utorrent.com/
https://www.vuze.com/
*Online Storage and Backup*
https://carbonite.com/
https://drive.google.com/
https://www.dropbox.com/login
*Filter Avoidance (Proxy Avoidance)*
https://torproject.org/
https://xroxy.com/
https://ultrasurf.us/
*Personal VPN*
https://surfshark.com/
https://www.hotspotshield.com/
https://expressvpn.com
*Social Networking*
https://www.facebook.com/
https://tiktok.com/
https://www.instagram.com/
*Illegal Activities*
http://www.ekran.no
http://pyrobin.com
*Illegal Downloads*
http://www.keygenninja.com
http://www.rootscrack.com
*On-Line Document Sharing*
https://pastebin.com 
https://docs.google.com
*DNS over HTTPS* 
https://cloudflare-dns.com
https://dns.google.com
*File Transfer Services*
https://filetransfer.io
https://www.sharefile.com
http://www.wetransfer.com

April 17, 2024

Category: Best Practices

Creating a Report for Senior Managers

Introduction

Suggested Items to Report

Generic Outline for Writing a Policy or Procedure

Initial Thoughts

General Outline

Test your DNS Proxy using a PowerShell Script

Introduction

The script