Security Basics mailing list archives

RE: Security Policy-Please help


From: "Kenneth W. Kubiak" <kkubiak () bflohearspeech org>
Date: Wed, 6 Aug 2003 12:45:35 -0400

Hey John,

First of all, you're right, it's a daunting task to start a project like
this - I know, I'm there right now myself.  Now, I see you're finishing
your Master's in Systems & Network Security (Congratulations), so please
forgive me if anything I recommend/suggest is stuff you already know.

Before you begin writing policies, you definitely want to make sure you've
got the buy-in from senior management.  If you don't, you'll never get
them to approve your policies, and policies that aren't approved and put
in place are just a lot of paper with useless words written on them.
Next, realize that policies alone won't change end-user behaviors, so with
policies and hardware/software controls, along comes user education.
Finally, you need to understand that policies tell people they're supposed
to do something, while procedures tell them how to do it, so, if you're
going to write security policies, you must be ready to write detailed and
understandable procedures on how to do what you're telling the users they
have to do.

Having said all that, a quick answer to your question is to check out the
SANS Security Policy Project at http://www.sans.org/resources/policies/.
They break down this whole area there, and offer some very good sample
policies that you can download to get started.

In more detail, I'd suggest beginning with a general IT Acceptable Use
Policy.  This will give users the foundation of the IT security program,
and help them understand what generally is, and is not, accepted on your
systems.  Then I'd move on to an account password policy, and then to
anti-virus.  I'd also be very careful attempting to crack passwords.
Unless you've got written approval from upper management, you could land
yourself in a lot of trouble, both within the organization and even
legally.  What password cracking testing amounts to is using hacker tools
to test the strength of user passwords.  If you haven't received approval
to do this, you're basically hacking into someone's account, which puts you
on the other side of the fence as it were.  I'd also have a policy in
place on this activity before you do it, and make sure all players
involved (i.e., management, users, administrators, etc.) know you will be
running these activities to test password strength only, and not to obtain
private information from their user accounts.  Oh, and on a Windows
system, L0phtcrack is one of the better tools for testing password
strength.

As for pen testing, I haven't delved into that yet myself, however, I'd
suggest the same precautions as for testing passwords.  Always get
approval in writing from management for such activities, and document
everything you do and when you do it, so if there's ever the slightest
suggestion by someone you were doing something wrong or illegal, you can
prove otherwise.

Good luck, and happy writing,

Ken

-----Original Message-----
From: Kampanellis Ioannis [mailto:kampanellisI () antenna gr]
Sent: Wednesday, August 06, 2003 4:08 AM
To: security-basics () securityfocus com
Subject: Security Policy-Please help


Hi!

I am pursuing an MSc in System and Network Security and I am currently doing my
internship in a media group (i.e. TV, radio, websites, etc.). My "mission" is
to write down a security policy for their network.

Basically I know where to start, meaning things such as Anti-Virus etc. The
problem is that their network is not totally new. They have PIX, Packet
Shapers, Anti Virus installed etc. That means that my "job" is getting
even more difficult because I have to dig and find the details, which is not
so easy for a newbie in security :-(
Another problem is that their systems are based on Windows :-(

Any advice? Where could I start?

Having several thoughts, testing the cracking of users' passwords could be
a good step (I assume). Is there any such tool? Or does anyone know where
Win2k stores the passwords and how they are hashed?

Finally, I am trying to find a tool (freeware) to help me do the auditing
(e.g. run penetration tests, etc.). If anyone knows of such a tool, it would be
great.


Thanks in advance
John
