RE: Oh Dear, Where to start?!

[altug () yavas net]

Hi steve and all,

Some kind of security countermeasures dont require any budget, for 
example saying people not to write down their passwords instead of their 
minds.

I think, you first have to develop a basic outline of a security policy. Set 
up a budget, and propose it to the management. Lots of products have 
very discount rates for academic institutions.

have a nice day.
Altug
Security consultant


Quoting Benz Jessica-p53552 <jess.benz () motorola com>:

> Steve,
> I would start with looking at ISO17799.
>
> Jessica
>
> -----Original Message-----
> From: Steve Frank [mailto:stevefrankrit () yahoo com] 
> Sent: Wednesday, June 25, 2003 4:56 AM
> To: security-basics () securityfocus com
> Subject: Oh Dear, Where to start?!
>
>
> Hey everyone,
>
> Ok... I am in a bit of a jam here and I was hoping to
> get some feedback from some of you with appropriate
> experience in the field of network security and policy development.
>
> I am an senior at RIT studying (essentially) systems administration. My 
main
> focus and priority has been computer security and policy development. I
> recently took a internship with a small government office helping out 
with
> computer administration tasks. Upon arrival, I decided it would be fun to 
do
> a windows update to see what sort of things would come up for my PC. 
Low and
> behold, there were over 40 critical updates, driver updates, and 
recommended
> updates. 
>
> Right off the bat this triggered the feeling that
> there was absolutely no security or update plans in
> place at this particular organization. I quickly
> addressed the issue, and have been working to draft a comprehensive 
security
> policy and implement technical controls.
>
> What I need advice on is the following: If you were
> introduced to a mixed network (literally all versions
> of windows since 3.1 and mac systems) that have no
> updates, backups, or patches installed... connected to
> a network with only a basic NAT table and no other
> security... with not even anti-virus software
> enabled... with no user policies or disaster plans in
> place... with unprotected netbios shares everywhere...
> where would you start the process of building some
> sort of security solution?
>
> I mean, I've seen passwords on monitors, shared
> accounts, open public ports (even the wiring cabinet
> was unlocked in plain view of passbys to the
> building). I've been tasked with creating the security
> policies relating to internet use, network and phone
> use, passwords, physical security, backup/disaster
> plans, antivirus, incident response, email
> use/protection, and whatever else needs done. This
> wouldnt be so bad normally I guess, but there is
> virtually no budget allocated to help for this project
> and I have approximately 3 months to do it. To make
> matters worse, I am also responsible for systems
> admin, network admin, tech support, programming, and
> whatever other tasks may need to be done in the
> meantime.
>
> So basically, if you had to start from nothing, where
> would you start first? What would you consider to be
> the most important things to be implemented? I am
> literally working from ground zero here... heh!
>
> Thank so much in advance ;-)
>
> Steve Frank
>
> ----------------
> President SPARSA
> Security Practices and Research Student Association
> Rochester Institute of Technology
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top 
analysts! The
> Gartner Group just put Neoteris in the top of its Magic Quadrant, while
> InStat has confirmed Neoteris as the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure remote 
access in
> about an hour, with no client, server changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top 
analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure remote 
access in
> about an hour, with no client, server changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------


=========================================================
========
Altug Yavas               email:altug () yavas net   icq: 15108188
Tel: +90 (312) 411 5658   http://www.yavas.net





---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------