Security Basics mailing list archives

Security Basics Exercise - How do you know?


From: "Ryan Greenier" <rgreenier () gmail com>
Date: Thu, 11 Sep 2008 14:14:49 -0400

Here's the what-if scenario:

Your CTO calls your various IT groups together and poses the following question:

"Do we know, as of right now, whether or not one of our public-facing
systems has been compromised?"

The fact is, there is no way to answer this question with 100%
certainty (at least I don't believe so). However, we should be able to
answer this way:

"We have as high a confidence-level as we can that no system has been
breached because when we look at the various systems, we:

        - do not see any unauthorized user IDs (or, no unauthorized IDs have
been created within the last x hours/days/weeks)
        - do not see any unexpected services running
        - show the systems are fully patched
        - show the systems are 100% compliant with our standard build
        - show that there are no known vulnerabilities presently unaddressed
        - have not seen any unauthorized root user activity
        - do not see any unusual activity in our host-based IPS
        - have not received any alerts from the network-based IPS
        - see that disk space usage has not changed significantly
        - do not see any unusual traffic on the firewall (such as denies,
numerous abnormal connection-types, etc)
        - checked the system with AV and anti-spyware and it came back clean

....."


From a high level, what else would you have in place to prove that
your public systems are/were not breached?

- Ryan
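As an added example (not part of Ryan's post), here is one way to turn the host-side items of the checklist above into a repeatable comparison against the standard build, written in Python; the snapshot layout, the field names and every value below are constructed assumptions, not data from any real system.

```python
from datetime import datetime

BASELINE = {  # approved state of one public-facing host (constructed values)
    "users": {"root", "www", "deploy"},
    "services": {"sshd", "nginx", "ntpd"},
    "patch_level": "2008-09-01",   # date of the last approved patch set
    "disk_used_pct": 41,           # usage recorded at the last audit
}

def _days_between(later, earlier, fmt="%Y-%m-%d"):
    return (datetime.strptime(later, fmt) - datetime.strptime(earlier, fmt)).days

def assess(snapshot, now, baseline=BASELINE, account_window_days=7, disk_delta_pct=10):
    """Compare a host snapshot with its baseline and return a list of findings.
    snapshot: {"users": {name: "YYYY-MM-DD" created}, "services": set,
               "patch_level": "YYYY-MM-DD", "disk_used_pct": int}
    """
    findings = []
    # Unauthorized user IDs; note when one appeared inside the review window.
    for name, created in sorted(snapshot["users"].items()):
        if name not in baseline["users"]:
            age = _days_between(now, created)
            recent = " (created %d days ago)" % age if age <= account_window_days else ""
            findings.append("unauthorized account: %s%s" % (name, recent))
    # Services the standard build does not include.
    for svc in sorted(snapshot["services"] - baseline["services"]):
        findings.append("unexpected service: %s" % svc)
    # Patch level older than the approved set (ISO dates compare as strings).
    if snapshot["patch_level"] < baseline["patch_level"]:
        findings.append("patch level behind baseline: %s" % snapshot["patch_level"])
    # Disk usage moved more than tolerated since the last audit.
    delta = snapshot["disk_used_pct"] - baseline["disk_used_pct"]
    if abs(delta) >= disk_delta_pct:
        findings.append("disk usage changed by %+d%%" % delta)
    return findings

def confidence_statement(findings):
    """Phrase the result the way the CTO's question needs it answered."""
    if not findings:
        return "no indicators found across the checked controls"
    return "%d indicator(s) need investigation: %s" % (len(findings), "; ".join(findings))

if __name__ == "__main__":
    suspect = {  # constructed snapshot with one deviation per check
        "users": {"root": "2007-01-01", "www": "2007-01-01",
                  "deploy": "2007-01-01", "backup2": "2008-09-09"},
        "services": {"sshd", "nginx", "ntpd", "vsftpd"},
        "patch_level": "2008-08-15", "disk_used_pct": 63,
    }
    print(confidence_statement(assess(suspect, now="2008-09-11")))
```

An empty findings list backs the "high confidence" wording in the post but, as Ryan says, is not proof; the network-side items (IPS alerts, firewall denies) need a second, independently collected source because a host-side check cannot see them.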
