Security Basics mailing list archives
Re: NASA Security Audit
From: "Roger A. Grimes" <rogerg () cox net>
Date: Wed, 8 Oct 2003 19:36:01 -0400
Gregory,

Assume the worst and prepare for the worst. Assume he will get to your MS boxes, past your firewalls and past your IDS. I'm not sure what type of testing he will be doing, but if you're worried about your MS boxes, go back to the basics. Get the NSA and Microsoft security configuration guides, learn about security templates, MBSA, etc. Are you fully patched? Have you applied basic security recommendations? How is your AV coverage? Are people trained against social engineering attacks?

It's usually the basics that will fail you, not the odd reg hack that stops some strange attack. People are so busy preparing for the really new hi-tech attack that the pen tester sneaks in on a poorly password-protected share. Turn off anonymous enumeration while you're at it (after testing consequences, of course).

Good luck. Remember, unless your employer hates you, it should be a learning experience that benefits everyone. But don't let the basics (weak passwords, unprotected shares, poor security permissions, etc.) make you look new.

Roger

********************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
********************************************************************************

----- Original Message -----
From: "Gregory M. Brown" <gbrown () alvalearning com>
To: <SECURITY-BASICS () SECURITYFOCUS COM>
Sent: Wednesday, October 08, 2003 12:48 PM
Subject: NASA Security Audit

Well it looks as though I am finally going to be tested by the Feds. According to my CTO, a guy named Jay Diceman will be the point man. Anyone ever hear of him? I hear he is a well known security expert (ex-hacker?) for the federal government.

I have downloaded the Evaluated Security Configuration document created for Microsoft by Science Applications International Corporation. There are actually 2 of these. I think those .pdf's cover the Microsoft component. I don't even want him to get as far as any MS box. I am fairly new to security (2 years) and my final exam is going to be a "Black Box" test and a "Crystal" test from some heinously gifted hacker from NASA...

1. What exactly will these 2 forms of intrusion concentrate on?
2. Is my hardware up to the task? I currently have a Fortigate Fortinet 50 configured for intrusion detection and prevention. I am currently blocking 1300+ known attacks. My FW is a CheckPoint Celestix with a physical DMZ path. The only questionable services allowed through are FTP (requirement) and Terminal Services (requirement).
3. What can I expect?

Any input is GREATLY appreciated. Thanks. Man I hope I still have a job in 2 weeks!

gb