Firstly, I want to revisit my recent post on the issues with SSL and the trust model currently in use.
The ‘ComodoHacker’ has struck again this week, compromising DigiNotar and possibly GlobalSign. The Certificate Authority trust model is beyond broken and something has to change.
ThreatPost has a great summary of the problems.
Completely separate topic, but I want to talk about the importance of baselining systems.
When you have your production system running exactly the way you want it to, take a quick baseline.
In Windows, run “tasklist /svc” from the command line. This will give you all running processes and any services that are associated under them. To be useful as a baseline this should be output into a file. For example, from the C:\baseline folder:
C:\baseline> tasklist /svc /fo csv > baseline.csv
Now we have the list as a CSV file in the C:\baseline folder. This can simply be opened in Excel or imported into a database.
Weeks or months down the line, when your system starts acting strangely, run “tasklist /svc” again, and compare to your baseline.
Are there any new processes or services running? What are they, and why are they on there now?
A good baseline will help identify when your system has been compromised (either by malicious attackers, or an internal user who didn’t mean to cause any issues).
In order to maintain the integrity of your original baseline, it would ideally be stored on a flash drive and kept in a locked drawer. If someone had gained access to your system and noticed your baseline file, they might try to change it to mask their presence. Storing a hash of the baseline file will allow you to verify that it hasn’t been altered.
Alternatively, the baseline could be kept in a database as mentioned above. There are a number of benefits to this, including versioning (to keep records of all approved changes to the baseline) and better security (provided you secure the database properly). However, if your systems have been breached, the possibility exists that the database could also be altered.
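As an added example (not from the original post), here is a small Python script that parses two “tasklist /svc /fo csv” captures, reports what is running now that the baseline lacks, and verifies a stored baseline file against the SHA-256 hash you recorded when it was taken. The CSV samples and the service names in them are constructed for illustration.

```python
import csv
import hashlib
import hmac
import io

# Constructed samples of `tasklist /svc /fo csv` output: a known-good baseline
# and a later capture from the same host (names are illustrative only).
BASELINE_CSV = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","812","RpcEptMapper,RpcSs"
"svchost.exe","904","Dnscache,NlaSvc"
"spoolsv.exe","1480","Spooler"
'''
CURRENT_CSV = '''"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","820","RpcEptMapper,RpcSs"
"svchost.exe","916","Dnscache,NlaSvc,SuspectSvc"
"updater.exe","2312","N/A"
'''

def parse_tasklist(text):
    """Map image name -> set of hosted services; PIDs are dropped on purpose."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        services = row["Services"].strip()
        names = set() if services == "N/A" else {s.strip() for s in services.split(",")}
        procs.setdefault(row["Image Name"], set()).update(names)
    return procs

def compare(baseline, current):
    """List images/services present now but not in the baseline, and vice versa."""
    new_services = {}
    for image, svcs in current.items():
        added = svcs - baseline.get(image, set())
        if added:
            new_services[image] = sorted(added)
    return {
        "new_images": sorted(set(current) - set(baseline)),
        "missing_images": sorted(set(baseline) - set(current)),
        "new_services": new_services,
    }

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def baseline_intact(data, expected_hex):
    """True if the stored baseline still matches the digest written down when taken."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)
```

Run compare() over the parsed baseline and current captures; any entry in new_images or new_services is the “what is it, and why is it there now?” question from above, and a False from baseline_intact() means the baseline file itself has been touched.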
- To get a Linux baseline the most basic command that should work for all distros is “ps -aux”.
- This is about getting a very quick and easy baseline. For very important systems, you would want to do a more in-depth look at the system.