One last favor, I've dropped a couple of files on the dump under the CIO- June2015 folder, these will be used during the presentation to the CIOs on Friday. If you have a moment, please take a look and fact and sanity check me.
Thanks, Andrew
On 06/23/2015 09:23 AM, Jon Barclay wrote:
I second everything that's been said. Doing an assessment in August sounds great, and I'm up for a couple of tooling/prep days.
I like the idea of being able to do recon work prior to being on campus. If we are allowed to begin things like phishing and recon earlier it would be important to have a scope then as well.
The things we all seem to be weak at are detection of abuse of privileged accounts. We are not quiet on these assessments, but most of the time the scans are what get detected, not user accounts logging into hundreds of systems. Alerting on abnormal use of accounts would go a long way. It seems like PowerShell is the next frontier for attackers, and we've started to use it as well. Being able to detect abnormal PowerShell activity would also be a huge win.
Thanks,
Jon
-----Original Message----- From: ushe-assess-bounces@lists.dixie.edu [mailto:ushe-assess-bounces@lists.dixie.edu] On Behalf Of Jake Johansen Sent: Tuesday, June 23, 2015 9:06 AM To: Andrew Goble; Chuck Kimber; ushe-assess@lists.dixie.edu Subject: Re: [USHE-assess] CIO Presentation
Sounds good to me, on both suggestions
Thanks Jake
On 6/22/15, 4:57 PM, "Andrew Goble" goble@dixie.edu wrote:
Also, this will come up Friday as well... scheduling:
First off, how does everyone feel about a 1.5 - 2 day team meeting in July somewhere centralish (UofU or UVU)? Be an opportunity to distribute new hardware and work on tools without the distraction of actually being on an assessment.
Second, I'd like to stick as best as possible to the order we established this last round:
FY 2016 Weber - Dixie - SLCC - Utah State
FY 2017 UofU - Snow - UVU - SUU
I'd like to see if we can get to Weber in early August, with mid-to-late September as a backup. That would put Dixie October / Novemberish (with the contingency of a new arrival in my family due in late November that might influence timing for me/Dixie.) Worst case scenario we'd be looking at Weber in the fall sometime and Dixie in January. I just want to avoid a situation where we go 5 or 6 months with no assessment. We get rusty and have to cram them into the Spring.
Thoughts?
Thanks, Andrew
On 06/22/2015 12:07 PM, Chuck Kimber wrote:
On Mon, Jun 22, 2015 at 11:45 AM, Andrew Goble <goble@dixie.edu mailto:goble@dixie.edu> wrote:
From your point of view, what are the pervasively good, and pervasively bad things we've found across the institutions? (wifi evil twin, etc) What could we be spending money or effort on as a system to help fix some of these issues (system-license of Duo, Cloudpath, etcThings I think everyone is struggling to do or affording where USHE bulk purchasing may help.
IPS, IDS Logging Alerting, where logs do exist Detecting out of norm behaviours. Softwares like Rapid7 UserInsight. The Responder, broadcast stuff Jon has alerted us to and that we've massively exploited already and I can see is going to be trouble for everyone. This is a config and mentality change, not necessarily something to spend money on as a body.
Will also bring up the idea of increasing the time we have available to poke at stuff before we come on-siteI still like this idea, if we can devote any time to it, as APT is such an issue these days. It helps us give a sense of how an APT might play out, albeit on a shorter time period.
USHE-assess mailing list USHE-assess@lists.dixie.edu http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-assess
USHE-assess mailing list USHE-assess@lists.dixie.edu http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-assess _______________________________________________ USHE-assess mailing list USHE-assess@lists.dixie.edu http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-assess