Re: [fw-wiz] Security Audit and Priorities

From: Paul Ammann (pammann_at_execomm.net)
Date: 07/14/03

  • Next message: Frank Knobbe: "Re: [fw-wiz] Security Audit and Priorities"
    To: <firewall-wizards@honor.icsalabs.com>, <lists@notatla.org.uk>
    Date: Sun, 13 Jul 2003 17:29:07 -0700
    
    

    > Get yourself on the list of the people notified when new boxes are
    > built and old ones are retired. Make yourself helpful enough that
    > people come to you rather than avoid you.

    That's the blessing and curse of the company. The IT dept is 15 people. I
    would be reporting to the Director and CIO. They both know security is needed,
    but they aren't sure where. For example, I know that the company doesn't
    collect logs from its UNIX servers, routers, or firewalls. Servers need to
    be hardened, but they lack knowledge and skills. Doing a traceroute to their
    web site, I can see the firewall and router.

    ----- Original Message -----
    From: <lists@notatla.org.uk>
    To: <firewall-wizards@honor.icsalabs.com>
    Sent: Sunday, July 13, 2003 1:21 AM
    Subject: Re: [fw-wiz] Security Audit and Priorities

    > From: Paul Robertson <proberts@patriot.net>
    >
    > > Obscurity won't help you much, keep your servers up to date,
    > > especially if they're facing the real world, turn off all
    > > the stuff that's not strictly necessary, and then you won't
    >
    > And organise routine ongoing monitoring with record-keeping.
    > Get yourself on the list of the people notified when new boxes are
    > built and old ones are retired. Make yourself helpful enough that
    > people come to you rather than avoid you.
    >
    > Managers may leave various jobs unassigned - perhaps because they don't
    > realise they need doing - and then they get done badly at last minute.
    > That's when you get to hear about them and people whinge that they
    > can't be reworked correctly because it's due right now. I haven't
    > yet mastered this problem in my workplace. I've a suspicion some
    > of these rush jobs may be deliberately so - but I border on paranoia.
    >
    > People need training - not everybody is a natural learner and those that
    > are need time for that. I'm constantly amazed by the inability of staff
    > to apply sensible filemodes on their work (typically with 1000 accounts
    > per host). Some people seem to have a "I'm not a techy - I can't be
    > bothered to do any of that" attitude that covers literally everything to
    > do with computers. (I say that if this attitude persists they should get
    > other jobs - but who listens to me?) Proactive password checking has a
    > high ROI.
    >
    > > > 2. The company has acknowledged they are lacking in security. What
    > > > is the best method for doing a security audit?
    >
    > > Figure out what's exposed, make sure it's not anything that
    > > shouldn't be, and make sure it's up to date, then ensure
    > > that the security policy matches the needs and wishes of
    > > the organization and make sure that it's being correctly
    > > implemented.
    >
    > What's he going to do in the second week there?
    > Depending on size and culture most of the above steps could take
    > forever. Keeping up to date is certain to remain unfinished.
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

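The "figure out what's exposed, make sure it's not anything that shouldn't be" step from the thread, as an added example that is not part of the original messages: it parses `ss -lntu`-style socket listings (a constructed sample is embedded so it runs offline), compares non-loopback listeners against an assumed approved baseline (`ALLOWED`), and reports the gaps so they can be recorded.

```python
"""Added example (not from the thread): flag listening sockets that are
reachable beyond loopback and are not in an approved-exposure baseline."""

# Constructed sample of `ss -lntu` output; not captured from any real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
"""

# Assumed baseline: (proto, port) pairs permitted to listen on non-loopback
# addresses. In practice this comes from the security policy, not from a guess.
ALLOWED = {("tcp", 22), ("tcp", 80)}

LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")


def parse_listeners(ss_output):
    """Return (proto, addr, port) for each socket row, skipping the header."""
    rows = []
    for line in ss_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5:
            continue
        proto, local = cols[0], cols[4]
        addr, _, port = local.rpartition(":")   # works for "[::]:22" too
        if port.isdigit():
            rows.append((proto, addr, int(port)))
    return rows


def unexpected_exposures(listeners, allowed=ALLOWED):
    """Sockets bound beyond loopback whose (proto, port) is not in the baseline."""
    return sorted(
        (proto, addr, port)
        for proto, addr, port in listeners
        if not addr.startswith(LOOPBACK_PREFIXES) and (proto, port) not in allowed
    )


if __name__ == "__main__":
    for proto, addr, port in unexpected_exposures(parse_listeners(SAMPLE_SS)):
        print(f"UNEXPECTED {proto}/{port} listening on {addr}")
```

Run it against real output (`ss -lntu` piped in, or a file kept per host) and keep the reports: the diff between runs is the record-keeping the thread asks for.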

