Security Basics mailing list archives
RE: Security Policy-Please help
From: "Kenneth W. Kubiak" <kkubiak () bflohearspeech org>
Date: Wed, 6 Aug 2003 12:45:35 -0400
Hey John,

First of all, you're right, it's a daunting task to start a project like this - I know, I'm there right now myself. Now, I see you're finishing your Masters in Systems & Network Security (Congratulations), so please forgive me if anything I recommend/suggest is stuff you already know.

Before you begin writing policies, you definitely want to make sure you've got the buy-in from senior management. If you don't, you'll never get them to approve your policies, and policies that aren't approved and put in place are just a lot of paper with useless words written on them. Next, realize that policies alone won't change end-user behaviors, so with policies and hardware/software controls, along comes user education. Finally, you need to understand that policies tell people they're supposed to do something, while procedures tell them how to do it, so, if you're going to write security policies, you must be ready to write detailed and understandable procedures on how to do what you're telling the users they have to do.

Having said all that, a quick answer to your question is to check out the SANS Security Policy Project at http://www.sans.org/resources/policies/. They break down this whole area there, and offer some very good sample policies that you can download to get started.

In more detail, I'd suggest beginning with a general IT Acceptable Use Policy. This will give users the foundation of the IT security program, and help them understand what generally is, and is not, accepted on your systems. Then I'd move on to an account password policy, and then to anti-virus.

I'd also be very careful attempting to crack passwords. Unless you've got written approval from upper management, you could land yourself in a lot of trouble, both within the organization and even legally. What password cracking testing amounts to is using hacker tools to test the strength of user passwords. If you haven't received approval to do this, you're basically hacking into someone's account, which puts you on the other side of the fence, as it were. I'd also have a policy in place on this activity before you do it, and make sure all players involved (i.e., management, users, administrators, etc.) know you will be running these activities to test password strength only, and not to obtain private information from their user accounts. Oh, and on a Windows system, L0phtcrack is one of the better tools for testing password strength.

As for pen testing, I haven't delved into that yet myself; however, I'd suggest the same precautions as for testing passwords. Always get approval in writing from management for such activities, and document everything you do and when you do it, so if there's ever the slightest suggestion by someone that you were doing something wrong or illegal, you can prove otherwise.

Good luck, and happy writing,

Ken

-----Original Message-----
From: Kampanellis Ioannis [mailto:kampanellisI () antenna gr]
Sent: Wednesday, August 06, 2003 4:08 AM
To: security-basics () securityfocus com
Subject: Security Policy-Please help

Hi!

I pursue an MSc in System and Network Security and I am currently doing my internship in a media group (i.e. TV, Radio, WebSites etc.). My "mission" is to write down a security policy for their network. Basically I know where to start, meaning things such as Anti-Virus etc. The problem is that their network is not totally new. They have PIX, Packet Shapers, Anti Virus installed etc. That means that my "job" is getting even more difficult 'cause I have to dig and find the details, which is not so easy for a newbie in security :-( Another problem is that their systems are based on Windows :-(

Any advice? Where could I start? Having several thoughts, testing the password cracking of the users could be a good step (I assume). Is there any such tool? Or does anyone know where Win2k stores the password and how it is hashed?

Finally, I am trying to find a tool (freeware) to help me do the auditing (e.g. run penetration tests etc.). If anyone knows such a tool, it would be great!

Thnx in advance
John