*** one more try:
Hi Tony,
Yes those 2 are already part of it. Thanks for the suggestion.
We can monitor password changes as well as expired, about to expire, locked
accounts, etc.
For patches we can list installed as well as pending updates. We can do
this all offline (which avoid issues as the recent Solarwinds Orion trojan
attack).
I started doing some demos for clients, so anyone interested in seeing a
demo, please contact me offlist
Thanks and happy holidays!
On Fri, Dec 18, 2020 at 10:54 AM Stankiewicz, Anthony P. <
X2STANKI@xxxxxxxxxxxxxx> wrote:
Ricardo,
These may be in your 'ideas' list somewhere, but how about:
Monitor Account passwords changes (from Domain Controller Active Directory
or local computer)
Monitor installed windows patches and provide a listing
Regards,
Tony Stankiewicz
-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx <foxboro-bounce@xxxxxxxxxxxxx> On
Behalf Of Ricardo Abech
Sent: Tuesday, November 24, 2020 4:28 PM
To: foxboro@xxxxxxxxxxxxx
Subject: [foxboro] Cybersecurity Tools
EXTERNAL MAIL: Caution Opening Links or Files
________________________________
Hi Folks,
Has been a while since I posted here. Not sure if this is the best place
for this, but Duc will let me know pretty soon I am sure ;-)
I am looking for some feedback on a new idea for an application for the
DCS environment (not limited to Foxboro). Many of you know me from
Limeware/Foxray times when I created the Foxray/System Advisor tool, many
many years ago. After working with Schneider for the past 5 years, I
decided to move on and I am on a quest for the next challenge.
Some clients reached me with some great ideas, but one in particular has
been my focus for the past couple of months: Cybersecurity.
Most of the solutions in the market that provide Cybersecurity Information
and Event Management (ex: Solarwinds Orion, Splunk, etc) are either too
expensive (when you add all the modules), too complex to maintain and
setup, or not very OT friendly (requiring installing SNMP on DCS machines,
being on the domain or open remote access ports to allow the system to work
properly).
So the idea would be to provide an user friendly tool, which would be able
to function in the OT/DCS side (few minutes to set up) with no changes or
incoming ports to be open that would provide all the tracing and
cybersecurity analysis and reporting for compliance needs (Focused on the
OT and not on the IT seide). I compiled few ideas below:
- Monitoring Computer Logins, Failed Logins (Multiple Attempts), Logouts,
Current Logged users (and how long they were logged), Disable/Locked Users,
etc
- New user creation, Modification (changed user roles) and deletion as
well. It will monitor both Local Machines as well as Active Directory
- Check (offline) what Available Windows Security Updates are available
and what Vulnerabilities they are susceptible to
- Monitor CPU Load and Frequency, Memory (Virtual/Swap), Internal
Temperatures, Power (voltages), Hard Disk space and IO utilization
- Antivirus Definition and Updates Monitoring
- Monitor files changes in real time, specially executables, DLLs, scripts
and sensible DCS files (creation deletion and modifications).
- Monitor USB devices connected and disconnected in real time from the
computers monitored
- Check all open ports (Listening and Established Connections), Close
Waits, Time Waits (detect insecure opened (listening and established)
connections like SMB, FTP, Telnet, etc)
- All Services and processes running and their status (as well under what
user the services are running and if they get changed to run on different
credentials)
- Monitor GPO configuration, changes and policies alterations to specific
machines and users. Make sure the policies are applied to all machines
correctly.
- Monitor Hardware Changes - including DCS (Part Numbers, Serial Numbers,
Models, etc) and Windows configurations (Timezones, Product Keys, Licenses,
Boot times, etc)
- Firewall Monitoring and Tracking (Status and Rules)
- Shared Folders Tracking (Status, Location, Added/ Removed)
- Monitor Windows Services and Scheduled Tasks for changes/additions and
deletions.
- Monitor Installed Apps and check if they are running or not (last time
they ran and how often they are used). Look for specific OT apps (like
Foxview, FCS, SQL server, etc) to detect correct DCS operation
- Monitor Network traffic and status of switch ports
- Alert System to create intrusion detection rules (ex: Specific files
changed, USB inserted, New users created with special permission)
- Reporting and Dashboard capabilities
In the end the application should be such that it should answer a simple
question (by compiling all features above): Are my Systems under or prone
to a cyber attack?
So at this point, I would like to know from the users here if such a tool
would be of interest or most of you do not need/require such a tool for
your everyday need. Or if you feel there are other functionalities that are
missing. Trying to find out what level of interest a tool like this would
have to see if this is worth spending time to pursue further and make into
a product.
Feel free to provide me any feedback (on or off list).
Thank you
Ricardo Abech
_________________________________________________________________________
This mailing list is neither sponsored nor endorsed by Schneider Electric
(formerly The Foxboro Company). Use the info you obtain here at your own
risks. See the disclaimer at
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.thecassandraproject.org_disclaimer.html&d=DwIDAg&c=AgWC6Nl7Slwpc9jE7UoQH1_Cvyci3SsTNfdLP4V1RCg&r=JLvVFUtR2GVf4nldLBjwX6He_7ZkRP-esYv50YY3HqA&m=Mpps9L2liiCwAamjgdNIxn2MHe7UV-rEs5u-Ftdcwc4&s=bqmcjvYRudDyChKtF_ioIBvuyhg2z4pOATxeIMDVl2o&e>
foxboro mailing list:
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.freelists.org_list_foxboro&d=DwIDAg&c=AgWC6Nl7Slwpc9jE7UoQH1_Cvyci3SsTNfdLP4V1RCg&r=JLvVFUtR2GVf4nldLBjwX6He_7ZkRP-esYv50YY3HqA&m=Mpps9L2liiCwAamjgdNIxn2MHe7UV-rEs5u-Ftdcwc4&s=o-Xs6KX2S_fJcHGKr2WtDbHfKhVx5dDI6hTcKx_uyMQ&e>
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
_________________________________________________________________________
This mailing list is neither sponsored nor endorsed by Schneider Electric
(formerly The Foxboro Company). Use the info you obtain here at your own
risks. See the disclaimer at www.thecassandraproject.org/disclaimer.html
foxboro mailing list: //www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
