RE: Security Basics Exercise - How do you know?



Whitelisting (I have fallen for SE46 (www.se46.se)) your server program park can always be a good way of getting your CTO off your back.

Sorry for the late reply.

Mattias Baecklund
Software Security Engineer | R&D | Foundation1
IFS World Operations AB
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ryan Greenier
Sent: den 11 september 2008 20:15
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Security Basics Exercise - How do you know?

Here's the what-if scenario:

Your CTO calls your various IT groups together and poses the following
question:

"Do we know, as of right now, whether or not one of our public-facing
systems has been compromised?"

The fact is that there is no way to answer this question with 100%
certainty (at least I don't believe so). However, we should be able to
answer this way:

"We have as high a confidence-level as we can that no system has been
breached because when we look at the various systems, we:

- do not see any unauthorized user IDs (or, no unauthorized IDs have
been created within the last x hours/days/weeks)
- do not see any unexpected services running
- show the systems are fully patched
- show the systems are 100% compliant with our standard build
- show that there are no known vulnerabilities presently unaddressed
- have not seen any unauthorized root user activity
- do not see any unusual activity in our host-based IPS
- have not received any alerts from the network-based IPS
- see that disk space usage has not changed significantly
- do not see any unusual traffic on the firewall (such as denies,
numerous abnormal connection-types, etc.)
- checked the system with AV and anti-spyware and it came back clean

....."


From a high-level, what else would you have in place to prove that
your public systems are/were not breached?

- Ryan
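Several of the checks in Ryan's list (unauthorized user IDs, unexpected services, disk usage drift) come down to comparing a host against its approved baseline. The script below is an added illustration, not code from either poster; the snapshots are constructed inline, and in practice the "current" side would be collected from each host (account list, listening sockets, filesystem usage).

```python
from dataclasses import dataclass


@dataclass
class Snapshot:
    users: set            # local account names
    listeners: set        # (proto, port) pairs with a listening service
    disk_used_pct: dict   # mount point -> percent used


# Constructed sample data: the standard build (baseline) and what the host shows now.
BASELINE = Snapshot(
    users={"root", "www-data", "deploy"},
    listeners={("tcp", 22), ("tcp", 443)},
    disk_used_pct={"/": 41, "/var": 55},
)
CURRENT = Snapshot(
    users={"root", "www-data", "deploy", "svc_backup"},   # svc_backup is not in the baseline
    listeners={("tcp", 22), ("tcp", 443), ("tcp", 8081)},  # tcp/8081 is not in the baseline
    disk_used_pct={"/": 43, "/var": 88},                    # /var grew by 33 points
)


def check_drift(baseline, current, disk_threshold=10):
    """Return a list of (check, detail) findings; an empty list means no deviation seen."""
    findings = []
    for user in sorted(current.users - baseline.users):
        findings.append(("unauthorized user ID", user))
    for proto, port in sorted(current.listeners - baseline.listeners):
        findings.append(("unexpected service", f"{proto}/{port}"))
    for mount, used in current.disk_used_pct.items():
        # A mount missing from the baseline is treated as unchanged rather than guessed.
        delta = used - baseline.disk_used_pct.get(mount, used)
        if abs(delta) >= disk_threshold:
            findings.append(("disk usage change", f"{mount}: {delta:+d} pct points"))
    return findings


def confidence_statement(findings):
    """The one-line answer for the CTO: clean only if every check came back empty."""
    if not findings:
        return "No deviation from baseline observed."
    return "Deviations found: " + "; ".join(f"{c} ({d})" for c, d in findings)


if __name__ == "__main__":
    results = check_drift(BASELINE, CURRENT)
    for check, detail in results:
        print(f"[{check}] {detail}")
    print(confidence_statement(results))
```

The baseline itself must come from a trusted, separately stored copy of the standard build; a baseline recorded from an already compromised host would simply bless the compromise.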