Security Basics mailing list archives
RE: Information Security
From: "Sheldon Malm" <smalm () ncircle com>
Date: Fri, 14 Dec 2007 09:20:24 -0800
Totally agree with Matt on this one - configuration and change management is an important part of the overall security toolkit. I would suggest that 3 important "controls" are: - host configuration and change management - vulnerability and exposure management, with risk-based prioritization - identity and/or access management A good place to start is to go to mitre's "making security measurable" information online. There you will find information about various standards, including: - CPE: enumeration of "platforms" (operating systems, applications, services) with common, unique identification, syntax, and organization - CVE: enumeration of vulnerabilities (you're probably aware of this one) - CCE: similar to CVE's, but for configuration settings - CWE: common weaknesses - CVSS: vulnerability risk scoring methodology - OVAL: methodology for presenting detection - XCCDF: interoperability standards in representing these various standards Also, there is an emerging standard from the US Gov't called "SCAP" (as in: 'es_cap') that ties these together under a formal program. CIS Benchmarks (from the Center for Internet Security) are another good source of hardening guides, and are somewhat parallel to mitre's CCE's. DISA's STIG series is another good source of hardening guides, combining prescriptive text and configuration best practice checklists. Of course, nCircle has solutions available for vulnerability management (IP360) and configuration & change management (nCircle CCM). As for Identity Management, this can be as simple as tightening AD for Windows systems or as complex as a combination of provisioning, password management, authentication, and authorization tools from large vendors like Oracle, IBM, and Sun or from small vendors like M-Tech, Passlogix, etc. There is also an interesting small company that offers On Demand Identity services called sxip if you prefer to have things hosted for you. I hope this helps. Good luck with it. Sheldon Malm Director Security Research & Development nCircle Network Security Check out the VERT daily post http://blog.ncircle.com/vert -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Matthew Webster Sent: Thursday, December 13, 2007 10:49 PM To: security-basics () securityfocus com Cc: pen-test () securityfocus com; wifisec () securityfocus com Subject: Re: Information Security CHarles, Change Management is very important. The big news for hardening servers / workstations and soon network devices, databases etc. is the Federal Desktop Core Configuration (FDCC) being designed from NIST. Read up on that, but that is going to be the top dog for securing systems. There are a few products that offer configuration management out there for the FDCC. Good luck! Matt -----Original Message-----
From: Charles Hardin <fonestorm () gmail com> Sent: Dec 13, 2007 8:03 PM To: security-basics () securityfocus com Cc: pen-test () securityfocus com, wifisec () securityfocus com Subject: Information Security A few months ago I joined a medium sized company as a systems admin. The company's prior IT team did little in the forms of maintenance and nothing in the form of security. I come from an administration background but only common sense when it comes to decent security. There are shared domain admin passwords, shared user logons and many users have local admin on their pcs. I know best practice is to separate the admins from the security team but this company views IT as
a necessary evil, ie theres 4 IT techs for 7 sites and around 500 pc users spread across the sites, all techs being at corporate. These issues are being addressed but what I would like to know from the community is the following: Id like to assemble a toolkit both for gaining security control and then maintaining it. Also pointers as to best practices and the like would be most appreciated. ----------------------------------------------------------------------- - This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ----------------------------------------------------------------------- -
Current thread:
- Information Security Charles Hardin (Dec 14)
- Re: Information Security Jamie Riden (Dec 14)
- <Possible follow-ups>
- Re: Information Security Matthew Webster (Dec 14)
- RE: Information Security Sheldon Malm (Dec 14)
- Policy enforcement- Admin accounts WALI (Dec 17)
- Re: Policy enforcement- Admin accounts Charles Hardin (Dec 17)
- RE: Policy enforcement- Admin accounts Ricky Kerby (Dec 17)
- Re: Policy enforcement- Admin accounts Paul J. Brickett (Dec 17)
- Message not available
- Re: Policy enforcement- Admin accounts Can DEGER (Dec 17)
- Re: Policy enforcement- Admin accounts Paul J. Brickett (Dec 17)
- Re: Policy enforcement- Admin accounts mgk.mailing (Dec 18)
- Re: Policy enforcement- Admin accounts Raoul Armfield (Dec 18)
- Re: Policy enforcement- Admin accounts MaddHatter (Dec 18)
- Re: Policy enforcement- Admin accounts Micheal Espinola Jr (Dec 18)