Security Basics mailing list archives

RE: Oh Dear, Where to start?!


From: "Mitchell Rowton" <mitchell () attackprevention com>
Date: Thu, 26 Jun 2003 10:05:22 -0600

Most organizations have many security policies (User ID and Password, 
Extranet, Firewall), but there should be one high-level policy that 
basically states that information security is important to the company 
and assigns responsibility for security to certain group(s).  This high-
level policy may mention basic ideas like "Principle of Least Access" 
or "Separation of Roles and Responsibilities" but nothing more 
particular than those types of ideas.  This policy may even assign 
responsibility to a group for developing more detailed security 
policies.

While I agree that a risk assessment is always the first step in 
securing anything, you should also begin this high-level policy 
discussion as early as possible with management.  It's easier to do a 
risk assessment (and hopefully suggest mitigation) if you have policy 
to back you up that says you are responsible for doing this.  You could 
then take the information from the risk assessment and use it as a 
roadmap for developing more detailed policy in addition to mitigating 
the risk.

For example, you may find in this assessment that having no patching 
documentation or commitment is the largest risk.  So your first 
detailed policy may cover "who is responsible for applying 
patches", "how often they should be applied" and, most importantly, "what happens 
if they don't do it".

You could go down the different risks and associate each one with a 
policy as you address the issues.

Mitchell

Why not start with a risk analysis and find out what are business critical
devices, applications and servers. Assign each identified device a priority
number. This should become your roadmap. This is obviously a very high level
approach. But it's a start in the right direction.


-Sanjay

-----Original Message-----
From: Steve Frank [mailto:stevefrankrit () yahoo com] 
Sent: Wednesday, June 25, 2003 7:56 AM
To: security-basics () securityfocus com
Subject: Oh Dear, Where to start?!


Hey everyone,

Ok... I am in a bit of a jam here and I was hoping to
get some feedback from some of you with appropriate
experience in the field of network security and policy
development.

I am a senior at RIT studying (essentially) systems
administration. My main focus and priority has been
computer security and policy development. I recently
took an internship with a small government office
helping out with computer administration tasks. Upon
arrival, I decided it would be fun to do a Windows
Update to see what sort of things would come up for my
PC. Lo and behold, there were over 40 critical
updates, driver updates, and recommended updates. 

Right off the bat this triggered the feeling that
there was absolutely no security or update plans in
place at this particular organization. I quickly
addressed the issue, and have been working to draft a
comprehensive security policy and implement technical
controls.

What I need advice on is the following: If you were
introduced to a mixed network (literally all versions
of Windows since 3.1 and Mac systems) that have no
updates, backups, or patches installed... connected to
a network with only a basic NAT table and no other
security... with not even anti-virus software
enabled... with no user policies or disaster plans in
place... with unprotected NetBIOS shares everywhere...
where would you start the process of building some
sort of security solution?

I mean, I've seen passwords on monitors, shared
accounts, open public ports (even the wiring cabinet
was unlocked in plain view of passers-by to the
building). I've been tasked with creating the security
policies relating to internet use, network and phone
use, passwords, physical security, backup/disaster
plans, antivirus, incident response, email
use/protection, and whatever else needs done. This
wouldn't be so bad normally I guess, but there is
virtually no budget allocated to help for this project
and I have approximately 3 months to do it. To make
matters worse, I am also responsible for systems
admin, network admin, tech support, programming, and
whatever other tasks may need to be done in the
meantime.

So basically, if you had to start from nothing, where
would you start first? What would you consider to be
the most important things to be implemented? I am
literally working from ground zero here... heh!

Thanks so much in advance ;-)

Steve Frank

----------------
President SPARSA
Security Practices and Research Student Association
Rochester Institute of Technology


----------------------------------------------------------------------
-----
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top 
analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote 
access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------
------