Re: Oh Dear, Where to start?!

From: jon rodman (vul_list_at_yahoo.com)
Date: 06/27/03

  • Next message: AKaasjager_at_enertel.nl: "RE: Oh Dear, Where to start?!"
    Date: Fri, 27 Jun 2003 07:45:59 -0700 (PDT)
    To: Steve Frank <stevefrankrit@yahoo.com>, security-basics@securityfocus.com
    
    

    I would have to bring up the point that depending on
    what type of Government office you're working for they
    are probably governed by the Department of Commerce. The
    Department of Commerce created NIST, for the purpose
    of dealing with IT and IT security, as well as other
    matters. You will find approved software as well as
    FAM's, FIPS, and OMB's, which are requirements for IT
    systems, things like minimum password lengths, how
    often you have to change passwords, the sharing of
    accounts, and many other things. That way you can
    create a policy based upon the already written and
    approved requirements that this Government office HAS
    to follow, which will stand a better chance of being
    approved by the upper management when you mention the
    fact that they are required by law to follow them.

    http://csrc.nist.gov/
    http://www.nist.gov/

    --- Steve Frank <stevefrankrit@yahoo.com> wrote:
    > Hey everyone,
    >
    > Ok... I am in a bit of a jam here and I was hoping to
    > get some feedback from some of you with appropriate
    > experience in the field of network security and policy
    > development.
    >
    > I am a senior at RIT studying (essentially) systems
    > administration. My main focus and priority has been
    > computer security and policy development. I recently
    > took an internship with a small government office
    > helping out with computer administration tasks. Upon
    > arrival, I decided it would be fun to do a windows
    > update to see what sort of things would come up for my
    > PC. Lo and behold, there were over 40 critical
    > updates, driver updates, and recommended updates.
    >
    > Right off the bat this triggered the feeling that
    > there was absolutely no security or update plans in
    > place at this particular organization. I quickly
    > addressed the issue, and have been working to draft a
    > comprehensive security policy and implement technical
    > controls.
    >
    > What I need advice on is the following: If you were
    > introduced to a mixed network (literally all versions
    > of windows since 3.1 and mac systems) that have no
    > updates, backups, or patches installed... connected to
    > a network with only a basic NAT table and no other
    > security... with not even anti-virus software
    > enabled... with no user policies or disaster plans in
    > place... with unprotected netbios shares everywhere...
    > where would you start the process of building some
    > sort of security solution?
    >
    > I mean, I've seen passwords on monitors, shared
    > accounts, open public ports (even the wiring cabinet
    > was unlocked in plain view of passersby to the
    > building). I've been tasked with creating the security
    > policies relating to internet use, network and phone
    > use, passwords, physical security, backup/disaster
    > plans, antivirus, incident response, email
    > use/protection, and whatever else needs done. This
    > wouldn't be so bad normally I guess, but there is
    > virtually no budget allocated to help for this project
    > and I have approximately 3 months to do it. To make
    > matters worse, I am also responsible for systems
    > admin, network admin, tech support, programming, and
    > whatever other tasks may need to be done in the
    > meantime.
    >
    > So basically, if you had to start from nothing, where
    > would you start first? What would you consider to be
    > the most important things to be implemented? I am
    > literally working from ground zero here... heh!
    >
    > Thanks so much in advance ;-)
    >
    > Steve Frank
    >
    > ----------------
    > President SPARSA
    > Security Practices and Research Student Association
    > Rochester Institute of Technology
    >


