Security Basics mailing list archives

Re: NASA Security Audit


From: "Roger A. Grimes" <rogerg () cox net>
Date: Wed, 8 Oct 2003 19:36:01 -0400

Gregory,

Assume the worst and prepare for the worst.  Assume he will get to your MS
boxes, past your firewalls and past your IDS.

I'm not sure what type of testing he will be doing, but if you're worried
about your MS boxes, go back to the basics.  Get the NSA and Microsoft
security configuration guides, learn about security templates, MBSA, etc.
Are you fully patched, have you applied basic security recommendations?  How
is your AV coverage?  Are people trained against social engineering attacks?

It's usually the basics that will fail you, not the odd reg hack that stops
some strange attack.  People are so busy preparing for the really new
hi-tech attack, that the pen tester sneaks in on a poorly password protected
share.  Turn off anonymous enumeration while you're at it (after testing
consequences, of course).

Good luck.

Remember, unless your employer hates you, it should be a learning experience
that benefits everyone.  But don't let the basics (weak passwords,
unprotected shares, poor security permissions, etc.) make you look new.

Roger

********************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
*********************************************************************************

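Roger's two concrete pointers (turn off anonymous enumeration, find the poorly protected share) are easy to check before an auditor does. The following is an added PowerShell audit script, not code from either poster; it reads the LSA registry values that govern null-session enumeration and lists non-administrative SMB shares that grant Allow access to broad principals. The "expected" values are an assumption drawn from common Windows hardening guidance, not from the thread; the script changes nothing and only reports, so it is safe to run before any change is made.

```powershell
# Added example (not part of the original thread): read-only audit of
# anonymous-enumeration settings and broadly shared folders on a Windows host.
# Run in an elevated PowerShell session on the machine being reviewed.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Assumed hardening targets (common guidance, not values from the thread):
$expected = [ordered]@{
    RestrictAnonymous         = 1   # block anonymous enumeration of shares
    RestrictAnonymousSAM      = 1   # block anonymous enumeration of SAM accounts
    EveryoneIncludesAnonymous = 0   # do not let "Everyone" ACEs cover null sessions
}

function Get-AnonymousEnumerationStatus {
    # Compare each LSA value against the assumed target; a missing value falls
    # back to the OS default, so it is reported as 'unset' and flagged.
    $lsa = Get-ItemProperty -Path $lsaPath -ErrorAction Stop
    foreach ($name in $expected.Keys) {
        $actual = if ($null -ne $lsa.$name) { $lsa.$name } else { 'unset' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual
            Status   = if ($actual -eq $expected[$name]) { 'OK' } else { 'REVIEW' }
        }
    }
}

function Get-BroadShareAccess {
    # Skip the built-in administrative shares (ADMIN$, C$, IPC$); the findings
    # that matter are user-created shares whose ACL allows Everyone, anonymous
    # logons, or all authenticated users.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $_.AccountName -match 'Everyone|ANONYMOUS LOGON|Authenticated Users' -and
            $_.AccessControlType -eq 'Allow'
        } | Select-Object Name, AccountName, AccessRight
    }
}

Write-Host "== Anonymous enumeration settings ($lsaPath) =="
Get-AnonymousEnumerationStatus | Format-Table -AutoSize

Write-Host "== Non-admin shares granting Allow access to broad principals =="
$broad = Get-BroadShareAccess
if ($broad) { $broad | Format-Table -AutoSize } else { Write-Host 'None found.' }
```

Anything marked REVIEW or listed in the share table is exactly the kind of basic Roger warns about; fix it in a test environment first, since restricting anonymous access can break older trusts and applications that rely on null sessions.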
----- Original Message ----- 
From: "Gregory M. Brown" <gbrown () alvalearning com>
To: <SECURITY-BASICS () SECURITYFOCUS COM>
Sent: Wednesday, October 08, 2003 12:48 PM
Subject: NASA Security Audit


Well it looks as though I am finally going to be tested by the Feds.
According to my CTO, a guy named Jay Diceman will be the point man.
Anyone ever hear of him?  I hear he is a well known security expert
(ex-hacker?) for the federal government.  I have downloaded the Evaluated
Security Configuration document created for Microsoft by Science
Applications International Corporation.  There are actually 2 of these.
I think those .pdf's cover the Microsoft component.  I don't even want
him to get as far as any MS box.  I am fairly new to security (2 years)
and my final exam is going to be a "Black Box" test and a "Crystal" test
from some heinously gifted hacker from NASA...

1.  What exactly will these 2 forms of intrusion concentrate on?

2.  Is my hardware up to the task?  I currently have a Fortigate
Fortinet 50 configured for intrusion detection and prevention.  I am
currently blocking 1300+ known attacks.  My FW is a CheckPoint Celestix
with a physical DMZ path.  The only questionable services allowed
through are FTP (requirement) and Terminal Services (requirement).

3.  What can I expect?  Any input is GREATLY appreciated.

Thanks.  Man I hope I still have a job in 2 weeks!
gb
