SSL revisited. (Bonus item: Baselining)

Firstly, I want to revisit my recent post on the issues with SSL and the trust model currently in use.

The ‘ComodoHacker’ has struck again this week, compromising DigiNotar and possibly GlobalSign.  The Certificate Authority trust model is beyond broken and something has to change.

ThreatPost has a great summary of the problems.

Completely separate topic, but I want to talk about the importance of baselining systems.

When you have your production system running exactly the way you want it to, take a quick baseline.

In Windows, run “tasklist /svc” from the command line.  This will give you all running processes and any services hosted by each of them.  To be useful as a baseline, this output should be written to a file.  For example:

C:\baseline> tasklist /svc /fo csv > baseline.csv

Now we have the list as a csv file in the C:\baseline folder.  This can be simply opened in Excel or imported into a database.

Weeks or months down the line, when your system starts acting strangely, run “tasklist /svc” again, and compare to your baseline.

Are there any new processes or services running?  What are they, and why are they on there now?

A good baseline will help identify when your system has been compromised (either by malicious attackers, or an internal user who didn’t mean to cause any issues).

In order to maintain the integrity of your original baseline, it would ideally be stored on a flash drive and kept in a locked drawer.  If someone had gained access to your system and noticed your baseline file, they might try to change it to mask their presence.   Storing a hash of the baseline file will allow you to verify that it hasn’t been altered.

Alternatively, the baseline could be kept in a database as mentioned above.  There are a number of benefits to this, including versioning (to keep records of all approved changes to the baseline) and better security (provided you secure the database properly).  However, if your systems have been breached, the possibility exists that the database could also be altered.

Notes:

  • To get a Linux baseline, the most basic command that should work on all distros is “ps aux”.
  • This is about getting a very quick and easy baseline.  For very important systems, you would want to do a more in-depth look at the system.
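As an added example (not the post's own code, which only shows the tasklist command), the script below reads two “tasklist /svc /fo csv” captures, reports the processes and services that were not in the baseline, and checks a stored baseline against a hash kept elsewhere; the CSV content is constructed sample data, not output from a real host.

```python
import csv
import hashlib
import io

# Constructed sample of "tasklist /svc /fo csv" output, as saved to baseline.csv.
BASELINE_CSV = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","812","Dhcp,EventLog"
"spoolsv.exe","1304","Spooler"
'''

# Constructed sample of the same command run weeks later: one extra service
# has appeared inside svchost.exe and one unknown process is running.
CURRENT_CSV = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","812","Dhcp,EventLog,RemoteRegistry"
"spoolsv.exe","1304","Spooler"
"updater.exe","2212","N/A"
'''


def parse_tasklist(text):
    """Map image name -> set of hosted services. PIDs change across reboots,
    so they are deliberately ignored for the comparison."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        services = set() if row["Services"] == "N/A" else set(row["Services"].split(","))
        result.setdefault(row["Image Name"], set()).update(services)
    return result


def compare(baseline_text, current_text):
    """Return (new processes, new (image, service) pairs) present now but not in the baseline."""
    base = parse_tasklist(baseline_text)
    now = parse_tasklist(current_text)
    new_processes = sorted(set(now) - set(base))
    new_services = sorted((img, svc) for img, svcs in now.items()
                          for svc in svcs - base.get(img, set()))
    return new_processes, new_services


def sha256_hex(text):
    """Hash to record alongside the baseline (kept off the system, e.g. on the flash drive)."""
    return hashlib.sha256(text.encode()).hexdigest()


def verify_baseline(text, expected_hash):
    """True only if the stored baseline still matches the separately kept hash."""
    return sha256_hex(text) == expected_hash


if __name__ == "__main__":
    procs, svcs = compare(BASELINE_CSV, CURRENT_CSV)
    print("new processes:", procs)
    print("new services:", svcs)
```

On a real host, replace the two constants with the contents of baseline.csv and a fresh capture, and the new-process and new-service lists are what the weekly email would carry.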

3 responses

    • I’m sure there are some pretty full-featured tools out there, but the great thing about using the command line operations is that they can be pretty easily scripted and automated however you need. I’m planning on implementing a script that will compare the current running processes to the last baseline on a weekly basis and email any differences to me.

  1. Pingback: Baseline comparison code | Arboreal Security
