Re: [fw-wiz] Security Audit and Priorities
To: firstname.lastname@example.org Date: Sun, 13 Jul 2003 09:21:19 +0100 (BST)
From: Paul Robertson <email@example.com>
> Obscurity won't help you much, keep your servers up to date,
> especially if they're facing the real world, turn off all
> the stuff that's not strictly necessary, and then you won't
And organise routine ongoing monitoring with record-keeping.
Get yourself on the list of the people notified when new boxes are
built and old ones are retired. Make yourself helpful enough that
people come to you rather than avoid you.
Managers may leave various jobs unassigned - perhaps because they don't
realise they need doing - and then they get done badly at last minute.
That's when you get to hear about them and people whinge that they
can't be reworked correctly because it's due right now. I haven't
yet mastered this problem in my workplace. I've a suspicion some
of these rush jobs may be deliberately so - but I border on paranoia.
People need training - not everybody is a natural learner and those that
are need time for that. I'm constantly amazed by the inability of staff
to apply sensible filemodes on their work (typically with 1000 accounts
per host). Some people seem to have a "I'm not a techy - I can't be
bothered to do any of that" attitude that covers literally everything to
do with computers. (I say that if this attitude persists they should get
other jobs - but who listens to me?) Proactive password checking has a
> > 2. The company has acknowledged they are lacking in security. What
> > is the best method for doing a security audit?
> Figure out what's exposed, make sure it's not anything that
> shouldn't be, and make sure it's up to date, then ensure
> that the security policy matches the needs and wishes of
> the organization and make sure that it's being correctly
What's he going to do in the second week there?
Depending on size and culture most of the above steps could take
forever. Keeping up to date is certain to remain unfinished.
firewall-wizards mailing list
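The complaint above about staff not applying sensible file modes on a host with many accounts is the kind of thing routine monitoring can catch mechanically. The script below is an added example, not part of the original post or anything the list recommended: it walks a tree of per-account directories, reports every file or directory with the group-write or other-write bit set, and can strip those bits. It needs GNU find (for -perm /MODE and -printf). The sample tree is constructed inside the script so it runs offline, and the policy it enforces (no g+w or o+w anywhere under a home directory) is an assumption standing in for whatever the site actually requires.

```sh
#!/bin/sh
# Added example (not from the original post): audit per-account home
# directories for group- or world-writable files and directories.
# Requires GNU find. The no-g+w/o+w policy and the sample tree are
# assumptions made for illustration, not site rules.

# find_lax_modes DIR: print "<octal mode> <path>" for every file or
# directory under DIR with the group-write (020) or other-write (002)
# bit set. Symlinks are not matched (only -type f / -type d).
find_lax_modes() {
    find "$1" -mindepth 1 \( -type f -o -type d \) -perm /022 \
        -printf '%m %p\n' | sort
}

# count_lax_modes DIR: number of offending entries (prints 0 when clean).
count_lax_modes() {
    find_lax_modes "$1" | grep -c . || true
}

# fix_lax_modes DIR: remove the group/other write bits from every
# offender found by the same predicate find_lax_modes uses.
fix_lax_modes() {
    find "$1" -mindepth 1 \( -type f -o -type d \) -perm /022 \
        -exec chmod go-w {} +
}

# make_sample_tree DIR: constructed fixture standing in for a host with
# several accounts; three entries deliberately violate the policy.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/alice" "$base/bob" "$base/carol/docs"
    echo notes  > "$base/alice/notes.txt"
    echo report > "$base/bob/report.txt"
    echo plan   > "$base/carol/docs/plan.txt"
    chmod 755 "$base/alice" "$base/carol"
    chmod 700 "$base/bob"
    chmod 644 "$base/alice/notes.txt"        # fine
    chmod 666 "$base/bob/report.txt"         # world-writable file: offender
    chmod 777 "$base/carol/docs"             # world-writable dir: offender
    chmod 664 "$base/carol/docs/plan.txt"    # group-writable file: offender
}

# Demonstration run on the constructed tree: report, fix, report again.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "Before: $(count_lax_modes "$demo_dir") lax entries"
find_lax_modes "$demo_dir"
fix_lax_modes "$demo_dir"
echo "After: $(count_lax_modes "$demo_dir") lax entries"
rm -rf "$demo_dir"
```

Run against a real /home the report step is the useful part for the record-keeping the post asks for: pipe find_lax_modes into a dated file and diff it against last week's. The fix step is deliberately a separate function, because blanket chmod on other people's files is exactly the sort of rush job that gets done badly; group-writable shared directories may be intended, so look at the report before applying it.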