Firewall Wizards mailing list archives

Re: I wonder, how to test..


From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 30 Jul 2004 12:30:45 -0400 (EDT)

On Thu, 29 Jul 2004, Meindert Uitman wrote:

> Hi list,
> As a regular reader of this list, and (amongst many other tasks)
> responsible for security at our company, I wonder. I've taken most
> measures to make our business secure. It's all on a small scale,
> everything runs well, but every now and then the tiny hairs on the back
> of my head make me wonder how secure it all is. Yes, webservers are
> locked down, are in DMZ, only http permitted, SQL on inside via data
> layers, only necessary ports between DMZ and inside; this production
> environment is colocated, office is connected via PIX to PIX vpn,
> restricted access to this vpn, etc.

Sounds pretty reasonable so far...


> Are there any low cost means / tools out there to verify that what I
> have done so far is reasonable proof?

"Proof" is a bad word, as it tends to draw absolute lines, and
unfortunately, security is really about probability.  You can do a lot,
but you could get one thing wrong, and it could sink you; the real
question is, have you done all that's reasonably prudent?  Have you
mitigated the biggest risks you face in the most cost-effective manner?
For that, it takes a good understanding of threat rates, vulnerability
prevalence, and costs.  A "tool" can tell you how well you've implemented
your controls, and perhaps indicate where controls haven't been
implemented, so it can take the vulnerability portion of the equation, but
it really can't do the other two.

Testing with vulnerability scanners, port mappers, etc. will, as others
have pointed out, give you an idea of the common exposures, which
generally equate to the highest potential risks, but they certainly can't
tell you the entire picture.  That takes knowledge and information, and
will change over time.

Test what you can, monitor what you can, and validate/verify by looking at
common patterns and seeing how you've fared historically.  That won't give
you the huge relief gap you're looking for, but what you're looking for
really isn't cheap to do right.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
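Paul's point that a tool can only tell you "how well you've implemented your controls" is easiest to act on when the intended controls are written down and compared against what an authorized scan of your own hosts actually reports. The script below is an added example, not code from the thread or from either poster: it holds an intended exposure policy for the zone pairs Meindert describes (Internet to DMZ, DMZ to inside) and diffs it against scan output in nmap's grepable (`-oG`) layout. The IP addresses, policy entries and "observed" scan lines are constructed sample data; the zone names and the idea of checking both unexpected open ports and expected ports that are not reachable are assumptions made for the illustration.

```python
"""Diff an intended firewall exposure policy against observed scan results.

Added example, not part of the original thread. POLICY and OBSERVED are
constructed sample data; in practice OBSERVED would be the grepable (-oG)
output of an authorized scan run from each source zone against your own hosts.
"""
import re
from dataclasses import dataclass

# Intended exposure: for each (source zone, destination zone), the only
# (host, "port/proto") pairs that should be reachable. Everything else is
# expected to be closed or filtered. Addresses are constructed placeholders.
POLICY = {
    ("internet", "dmz"): {("198.51.100.10", "80/tcp"), ("198.51.100.10", "443/tcp")},
    ("dmz", "inside"): {("10.0.1.5", "1433/tcp")},
}

# Constructed sample in nmap -oG style. Each "Host:" line carries a "Ports:"
# field of port/state/proto/owner/service/rpc/version entries, comma separated.
OBSERVED = {
    ("internet", "dmz"): (
        "Host: 198.51.100.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
        "\tIgnored State: filtered (998)\n"
    ),
    ("dmz", "inside"): (
        "Host: 10.0.1.5 ()\tPorts: 1433/open/tcp//ms-sql-s///, 445/open/tcp//microsoft-ds///\n"
        "Host: 10.0.1.6 ()\tPorts: 3389/open/tcp//ms-wbt-server///\n"
    ),
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]+)")


def parse_grepable(text: str) -> set:
    """Return the set of (host, 'port/proto') pairs reported as open."""
    found = set()
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines, hosts with no Ports field, etc.
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            # fields: port, state, proto, owner, service, rpc, version
            if len(fields) >= 3 and fields[1] == "open":
                found.add((host, f"{fields[0]}/{fields[2]}"))
    return found


@dataclass(frozen=True)
class Finding:
    zone_pair: tuple
    host: str
    port: str
    kind: str  # "unexpected-open": control not enforced; "expected-missing": service unreachable


def audit(policy: dict, observed: dict) -> list:
    """Compare intended exposure with observed exposure for every zone pair."""
    findings = []
    for pair, allowed in policy.items():
        seen = parse_grepable(observed.get(pair, ""))
        for host, port in sorted(seen - allowed):
            findings.append(Finding(pair, host, port, "unexpected-open"))
        for host, port in sorted(allowed - seen):
            findings.append(Finding(pair, host, port, "expected-missing"))
    return findings


if __name__ == "__main__":
    for f in audit(POLICY, OBSERVED):
        src, dst = f.zone_pair
        print(f"{src:>8} -> {dst:<7} {f.host:<14} {f.port:<9} {f.kind}")
```

Re-running the same comparison after each change and keeping the findings lists gives the historical record Paul recommends: a port that newly appears in "unexpected-open" is either a policy change nobody wrote down or a control that stopped working, and "expected-missing" catches the reverse case where a rule silently broke something the business relies on.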