Security Basics mailing list archives
RE: Security Basics Exercise - How do you know?
From: Mattias Baecklund <mattias.baecklund () ifsworld com>
Date: Fri, 24 Oct 2008 11:18:59 +0200
White listing (I have fallen for SE46 (www.se46.se)) your server program park can always be a good way of getting your CTO of your back. Sorry for the late reply. Mattias Baecklund Software Security Engineer | R&D | Foundation1 IFS World Operations AB
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ryan Greenier Sent: den 11 september 2008 20:15 To: security-basics () securityfocus com Subject: Security Basics Exercise - How do you know? Here's the what-if scenario: Your CTO calls your various IT groups together and poses the following question: "Do we know, as of right now, whether or not one of our public-facing systems has been compromised?" The fact is, and there is no way to answer this question with 100% certainty (at least I don't believe so). However, we should be able to answer this way: "We have as high a confidence-level as we can that no system has been breached because when we look at the various systems, we: - do not see any unauthorized user IDs (or, no unauthorized ID's have been created within the last x hours/days/weeks) - do not see any unexpected services running - show the systems are fully patched - show the systems are 100% compliant with our standard build - show that there are no known vulnerabilities presently unaddressed - have not seen any unauthorized root user activity - do not see any unusual activity in our host-based IPS - have not received any alerts from the network-based IPS - see that disk space usage has not changed significantly - so not see any unusual traffic on the firewall (such as denies, numerous abnormal connection-types, etc) - checked the system with AV and anti-spyware and it came back clean ....." From a high-level, what else would you have in place to prove that your public systems are/were not breached? - Ryan
------------------------------------------------------------------------------ CONFIDENTIALITY AND DISCLAIMER NOTICE This e-mail, including any attachments, is confidential and intended only for the addressee. If you are not the intended recipient, please notify us immediately and delete this e-mail from your system. Any use or disclosure of the information contained herein is strictly prohibited.
Current thread:
- RE: Security Basics Exercise - How do you know? Mattias Baecklund (Oct 24)