Re: [fw-wiz] Security Audit and Priorities

lists_at_notatla.org.uk
Date: 07/13/03

  • Next message: Yannick Van Osselaer: "Re: [fw-wiz] Security Audit and Priorities"
    To: firewall-wizards@honor.icsalabs.com
    Date: Sun, 13 Jul 2003 09:21:19 +0100 (BST)
    
    

    From: Paul Robertson <proberts@patriot.net>

    > Obscurity won't help you much, keep your servers up to date,
    > especially if they're facing the real world, turn off all
    > the stuff that's not strictly necessary, and then you won't

    And organise routine ongoing monitoring with record-keeping.
    Get yourself on the list of the people notified when new boxes are
    built and old ones are retired. Make yourself helpful enough that
    people come to you rather than avoid you.

    Managers may leave various jobs unassigned - perhaps because they don't
    realise they need doing - and then they get done badly at last minute.
    That's when you get to hear about them and poeple whinge that they
    can't be reworked correctly because it's due right now. I haven't
    yet mastered this problem in my workplace. I've a suspicion some
    of these rush jobs may be deliberately so - but I border on paranoia.

    People need training - not everybody is a natural learner and those that
    are need time for that. I'm constantly amazed by the inability of staff
    to apply sensible filemodes on their work (typically with 1000 accounts
    per host). Some people seem to have a "I'm not a techy - I can't be
    bothered to do any of that" attitude that covers literally everything to
    do with computers. (I say that if this attitude persists they should get
    other jobs - but who listens to me ?) Proactive password checking has a
    high ROI.

    > > 2. The company has acknowledged they are lacking in security. What
    > > is the best method for doing a security audit?

    > Figure out what's exposed, make sure it's not anything that
    > shouldn't be, and make sure it's up to date, then ensure
    > that the security policy matches the needs and wishes of
    > the organization and make sure that it's being correctly
    > implemented.

    What's he going to do in the second week there ?
    Depending on size and culture most of the above steps could take
    forever. Keeping up to date is certain to remain unfinished.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Yannick Van Osselaer: "Re: [fw-wiz] Security Audit and Priorities"