Ricardo,
These may be in your 'ideas' list somewhere, but how about:
Monitor account password changes (from Domain Controller Active Directory or
local computer)
Monitor installed Windows patches and provide a listing
Regards,
Tony Stankiewicz
-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx <foxboro-bounce@xxxxxxxxxxxxx> On Behalf Of
Ricardo Abech
Sent: Tuesday, November 24, 2020 4:28 PM
To: foxboro@xxxxxxxxxxxxx
Subject: [foxboro] Cybersecurity Tools
Hi Folks,
It has been a while since I posted here. Not sure if this is the best place for
this, but Duc will let me know pretty soon, I am sure ;-)
I am looking for some feedback on a new idea for an application for the DCS
environment (not limited to Foxboro). Many of you know me from Limeware/Foxray
times when I created the Foxray/System Advisor tool, many many years ago. After
working with Schneider for the past 5 years, I decided to move on and I am on a
quest for the next challenge.
Some clients reached me with some great ideas, but one in particular has been
my focus for the past couple of months: Cybersecurity.
Most of the solutions in the market that provide Cybersecurity Information and
Event Management (ex: Solarwinds Orion, Splunk, etc) are either too expensive
(when you add all the modules), too complex to maintain and setup, or not very
OT friendly (requiring installing SNMP on DCS machines, being on the domain or
open remote access ports to allow the system to work properly).
So the idea would be to provide a user-friendly tool, which would be able to
function on the OT/DCS side (a few minutes to set up) with no changes or incoming
ports to be opened, and that would provide all the tracing and cybersecurity analysis
and reporting for compliance needs (focused on the OT and not on the IT side).
I compiled a few ideas below:
- Monitoring Computer Logins, Failed Logins (Multiple Attempts), Logouts,
Currently Logged-in Users (and how long they have been logged in), Disabled/Locked Users, etc.
- New user creation, modification (changed user roles) and deletion as well. It
will monitor both Local Machines as well as Active Directory
- Check (offline) which Windows Security Updates are available and
what Vulnerabilities the machines are susceptible to
- Monitor CPU Load and Frequency, Memory (Virtual/Swap), Internal Temperatures,
Power (voltages), Hard Disk space and IO utilization
- Antivirus Definition and Updates Monitoring
- Monitor file changes in real time, especially executables, DLLs, scripts and
sensitive DCS files (creation, deletion and modification).
- Monitor USB devices connected and disconnected in real time from the
computers monitored
- Check all open ports (Listening and Established Connections), Close Waits,
Time Waits (detect insecure opened (listening and established) connections like
SMB, FTP, Telnet, etc)
- All Services and processes running and their status (as well as under which user
the services are running and whether they get changed to run under different
credentials)
- Monitor GPO configuration, changes and policies alterations to specific
machines and users. Make sure the policies are applied to all machines
correctly.
- Monitor Hardware Changes - including DCS (Part Numbers, Serial Numbers,
Models, etc) and Windows configurations (Timezones, Product Keys, Licenses,
Boot times, etc)
- Firewall Monitoring and Tracking (Status and Rules)
- Shared Folders Tracking (Status, Location, Added/ Removed)
- Monitor Windows Services and Scheduled Tasks for changes/additions and
deletions.
- Monitor Installed Apps and check if they are running or not (last time they
ran and how often they are used). Look for specific OT apps (like Foxview, FCS,
SQL server, etc) to detect correct DCS operation
- Monitor Network traffic and status of switch ports
- Alert System to create intrusion detection rules (ex: Specific files changed,
USB inserted, New users created with special permission)
- Reporting and Dashboard capabilities
In the end the application should be able to answer a simple
question (by compiling all the features above): Are my Systems under or prone to a
cyber attack?
So at this point, I would like to know from the users here whether such a tool would
be of interest, or whether most of you do not need/require such a tool for your everyday
needs. Or if you feel there are other functionalities that are missing. Trying
to find out what level of interest a tool like this would have, to see if this
is worth spending time to pursue further and make into a product.
Feel free to provide me any feedback (on or off list).
Thank you
Ricardo Abech
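As an added illustration (not code from the original thread or from any product mentioned in it), the alert-rule idea above and Tony's password-change suggestion can be sketched as a small detection pass over Windows Security event records. The event IDs are the standard Security log IDs; the records, account names and thresholds are constructed samples.

```python
"""Detection pass over constructed Windows Security events for a few of the
rules discussed in the thread: repeated failed logons, new accounts,
privileged group membership changes and password resets."""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Security log event IDs used by the rules below.
FAILED_LOGON, USER_CREATED, PASSWORD_RESET = 4625, 4720, 4724
ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP = 4728, 4732
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}

# Constructed sample records: (ISO timestamp, event id, target account, detail).
SAMPLE_EVENTS = [
    ("2020-11-24T16:00:00", 4625, "opr1", "bad password"),
    ("2020-11-24T16:00:20", 4625, "opr1", "bad password"),
    ("2020-11-24T16:00:45", 4625, "opr1", "bad password"),
    ("2020-11-24T16:01:10", 4625, "opr1", "bad password"),
    ("2020-11-24T16:05:00", 4720, "svc_new", "created by admin1"),
    ("2020-11-24T16:05:30", 4732, "svc_new", "Administrators"),
    ("2020-11-24T17:00:00", 4724, "opr2", "reset by admin1"),
    ("2020-11-24T18:00:00", 4625, "opr3", "bad password"),
]


def detect(events, threshold=3, window=timedelta(minutes=5)):
    """Return a list of (rule, account) alerts in event order.

    The failed-logon rule fires once per burst, when exactly `threshold`
    failures for one account fall inside the sliding `window`.
    """
    alerts, failures = [], defaultdict(list)
    for ts, eid, account, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if eid == FAILED_LOGON:
            # Keep only failures still inside the window, then add this one.
            recent = [x for x in failures[account] if t - x <= window] + [t]
            failures[account] = recent
            if len(recent) == threshold:
                alerts.append(("repeated_failed_logon", account))
        elif eid == USER_CREATED:
            alerts.append(("new_user_created", account))
        elif eid in (ADDED_TO_GLOBAL_GROUP, ADDED_TO_LOCAL_GROUP) \
                and detail in PRIVILEGED_GROUPS:
            alerts.append(("added_to_privileged_group", account))
        elif eid == PASSWORD_RESET:
            alerts.append(("password_reset", account))
    return alerts


if __name__ == "__main__":
    for rule, account in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {account}")
```

On a real host the records would come from the Security log (for example via PowerShell's Get-WinEvent) rather than the inline list, but the rule logic is the same.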
_________________________________________________________________________
This mailing list is neither sponsored nor endorsed by Schneider Electric
(formerly The Foxboro Company). Use the info you obtain here at your own
risks. See the disclaimer at www.thecassandraproject.org/disclaimer.html
foxboro mailing list: //www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave