Re: Secure host newbie - fun

From: Alvin Oga (alvin.sec_at_Virtual.Linux-Consulting.com)
Date: 04/01/04

    To: sjackson@horizonusa.com (Shawn Jackson)
    Date: Wed, 31 Mar 2004 20:38:14 -0800 (PST)

    hi ya shawn

    > There are some extremely educated guys on this list, even though it is a
    > "security basics" list. I'm not one of them, but they are here. If you

    ditto

    > do have any security questions I'm sure someone on the list can help you
    > out no problem, but I wouldn't count on becoming an expert by reading or
    > studying which is about 1/4 of a security-pro's diet. I'd say another
    > 2/4'ths are experience and another 1/4'th is skill.

    i'd venture to say ... 95% of security is just people management ...
    and 5% is implementing a techie solution

    reading is good ..but should be 5% of your time ...
    and even better, go to informal security meetings ( user group meetings )

    - you cannot make it so strict that it restricts productivity
    - you cannot leave it wide open so tom-***-n-harry can break into
      hr's salary PC and repost everybody's salary and benefits

    - who is gonna get fired when a security breach occurs ???

    - 90% of all security issues are internal ... not from outside the internet

    .. on and on .. fun stuff

    knowing what is important and what is NOT is something that will be different
    for each environment you're trying to secure

    - i start from ..
            i assume a [cr/h]acker has root access in your firewall ... now protect your
            network and machines or whatever your "job" is

            - if you're comfortable .. then you're reasonably confident of what you're
            doing and what the [cr/h]acker can do to your other boxes and data

            i disallow laptops, i disallow dhcp, i disallow wireless, ...
            in addition to disallowing ftp/telnet/ppp/vpn/...

            - and others disallow cell phones ( with or without pic sending capabilities )

            - and at a minimum... have 3 different backup servers of your important data

    c ya
    alvin
