7MS #397: OPSEC Tips for Security Consultants
This podcast is sponsored by Arctic Wolf, whose Concierge Security teams Monitor, Detect and Respond to Cyber threats 24/7 for thousands of customers around the world. Arctic Wolf. Redefining cybersecurity. Visit Arcticwolf.com/7MS to learn more.
I'm working on a new security song called Don't Let the Internet Get You Down, and the chorus will go something like this:
Don't let the Internet get you down
It's full of trolls and 10 year olds and adolescent clowns
So let their words roll off of you, like water off a duck
To prove to them that you don't give a darn
On a more serious note, here are some opsec tips that hopefully will help you as a security consultant:
- Good contracts - make sure your SOWs have plenty of CYA verbiage to protect you in case something breaks, your assessment schedule needs to be adjusted, etc. Also consider language stating that you'll only retain client testing artifacts (hashes, vuln scans, etc.) for a finite amount of time.
- Scope - talk about scope, both in written and verbal form, often! Also, a Nessus scanning tip: use the nessusd.rules file to reject any IPs the client doesn't want touched. Nessus enforces those rules at the scanner level, so those IPs won't be scanned even if they end up in a scan's target list.
- Send information to/from clients safely - consider forcing MFA on your file-sharing portals, as well as a retention policy so that files "self destruct" after X days.
- Secure hardware config - this includes things like encrypted drives, unique passwords for each and every service you use, turning on MFA wherever available, etc. For Macs, consider enabling your firmware password even though some sites think you shouldn't.
- Housekeeping - regularly clean out all the places you may store sensitive client artifacts (e.g. OneNote, OneDrive, Evernote, Google Docs).
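To make the nessusd.rules scope tip concrete, here is an added example (not from the episode or from Tenable) showing what a rules file with client exclusions looks like, plus a small Python pre-flight check that applies the same accept/reject/default logic to a proposed target list before you ever hand it to the scanner. The rules file format (`accept <ip|cidr>`, `reject <ip|cidr>`, `default accept|reject`, `#` comments) is Nessus's; the sample addresses, the first-matching-rule-wins evaluation, and the accept-by-default fallback when no `default` line is present are assumptions made for this example. On a Linux scanner the file normally lives at /opt/nessus/etc/nessus/nessusd.rules and nessusd must be restarted for edits to take effect.

```python
import ipaddress

# Constructed sample rules file, shaped like nessusd.rules: the client's
# out-of-scope SCADA segment and domain controller are rejected, the agreed
# /16 is accepted, and anything else falls through to "default reject".
SAMPLE_RULES = """\
# Out of scope per the SOW: production SCADA segment and the domain controller
reject 10.10.50.0/24
reject 10.10.1.5
# Everything else in the agreed range is fair game
accept 10.10.0.0/16
default reject
"""


def parse_rules(text):
    """Parse accept/reject/default lines into (rules, default_action).

    Each rule is (action, ip_network). Netmask notation such as
    10.0.0.0/255.255.255.0 is accepted because ipaddress understands it.
    """
    rules = []
    default = "accept"  # assumption: accept-by-default if no 'default' line is present
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<accept|reject|default> <target>'")
        action, target = parts[0].lower(), parts[1].lower()
        if action == "default":
            if target not in ("accept", "reject"):
                raise ValueError(f"line {lineno}: default must be accept or reject")
            default = target
        elif action in ("accept", "reject"):
            rules.append((action, ipaddress.ip_network(target, strict=False)))
        else:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
    return rules, default


def decide(rules, default, host):
    """Return 'accept' or 'reject' for one host. First matching rule wins (assumption)."""
    addr = ipaddress.ip_address(host)
    for action, net in rules:
        if addr in net:
            return action
    return default


def filter_targets(rules_text, targets):
    """Split a proposed target list into (allowed, blocked) per the rules file."""
    rules, default = parse_rules(rules_text)
    allowed, blocked = [], []
    for host in targets:
        (allowed if decide(rules, default, host) == "accept" else blocked).append(host)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed target list: mixes in-scope hosts, both excluded hosts,
    # and an address outside the client range entirely.
    proposed = ["10.10.1.4", "10.10.1.5", "10.10.50.7", "10.10.2.1", "192.168.1.1"]
    ok, blocked = filter_targets(SAMPLE_RULES, proposed)
    print("would scan:   ", ok)
    print("rules reject: ", blocked)
```

Running this against your own target file before the scan is a cheap way to catch a typo in the client's exclusion list while it still costs nothing; the scanner-side rules file remains the actual enforcement point.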
Has 7MS helped you in your IT and security career? Please consider buying me a coffee!