Security Basics mailing list archives
Information Security
From: "Geoff Choo" <geoff.choo () zonnet nl>
Date: Mon, 17 Dec 2007 00:59:24 +0100
Hi Charles,

I agree with the previous advice already provided to you. Securing the IT environment will require a defense-in-depth approach that doesn't just depend on a software tool, but that applies appropriate people, process and technology controls to manage your information risks. I would propose the following highly-simplified steps to get you up and running in securing your IT environment:

1. If necessary, strengthen your IT security knowledge. I would recommend reading the 60 minute network security guide from the NSA (The 60 Minute Network Security Guide) as a start; then I would recommend attending the SANS Security Essentials workshop.

2. Understand your IT environment and key assets by performing a business impact assessment. (You can use the document 800-30 risk management guide from NIST, csrc.nist.gov/publications/PubsSPs.html)

3. Identify the key threats to and vulnerabilities in your IT environment and key security issues by performing a risk assessment. (You can use the document 800-30 risk management guide from NIST, csrc.nist.gov/publications/PubsSPs.html) (e.g. using a vulnerability assessment tool such as GFI LANguard or Nessus can be useful, but please be careful when using these tools on a production environment!)

4. Once you have identified and prioritized your key risks, figure out a strategy to address these risks by using a security control framework. (You might want to check out ISO 27002 or the Standard of Good Practice from the Information Security Forum, or use the guides provided by NIST and the NSA)

5. Implement the necessary security controls identified in 4. (e.g. network security controls, protection against malicious code, access control, separation of duties, security awareness training, communications security, change management, and so on)

6. Monitor and audit your security posture.

7. Repeat from 2.

Geoff

-----Original Message-----
From:
Sent: Dec 13, 2007 8:03 PM
To: security-basics () securityfocus com
Cc: pen-test () securityfocus com, wifisec () securityfocus com
Subject: Information Security
A few months ago I joined a medium sized company as a systems admin. The company's prior IT team did little in the form of maintenance and nothing in the form of security. I come from an administration background but have only common sense when it comes to decent security. There are shared domain admin passwords, shared user logons and many users have local admin on their PCs. I know best practice is to separate the admins from the security team but this company views IT as a necessary evil, i.e. there are 4 IT techs for 7 sites and around 500 PC users spread across the sites, all techs being at corporate. These issues are being addressed but what I would like to know from the community is the following: I'd like to assemble a toolkit both for gaining security control and then maintaining it. Also pointers as to best practices and the like would be most appreciated.
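As an added example that is not part of either message above, here is one way to turn step 6 (monitor and audit) into a repeatable check for the specific issue Charles raises, users holding local admin on their PCs: inventory the local Administrators group across a list of domain PCs and flag any member that is not on an approved list. It assumes PowerShell 5.1 or later with PS Remoting enabled, an account permitted to query the targets, and placeholder file names and group names (`hosts.txt`, `CORP\Domain Admins`, `CORP\Workstation Admins`) that you would replace with your own.

```powershell
# Added example: audit local Administrators membership across domain PCs.
# Assumptions: PS Remoting is enabled, the running account can query the
# targets, hosts.txt lists one hostname per line, and the $Approved entries
# are placeholders for the groups your policy actually allows.
param(
    [string[]]$ComputerName = (Get-Content '.\hosts.txt'),
    [string[]]$Approved     = @('Administrator', 'CORP\Domain Admins', 'CORP\Workstation Admins'),
    [string]$Report         = '.\local-admin-audit.csv'
)

# Query each PC for its local Administrators members. Unreachable hosts are
# collected in $failed rather than aborting the whole run.
$results = Invoke-Command -ComputerName $ComputerName `
                          -ErrorAction SilentlyContinue -ErrorVariable failed `
                          -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      @{ n = 'Member';   e = { $_.Name } },
                      ObjectClass, PrincipalSource
}

# Any member not on the approved list is a finding to review; per steps 4 and 5
# of the reply, the fix belongs in policy (e.g. centrally managed group
# membership), not in one-off manual clean-up.
$findings = $results | Where-Object { $Approved -notcontains $_.Member }

# Keep the full inventory for trending between audits, show only the findings now.
$results  | Export-Csv -Path $Report -NoTypeInformation
$findings | Sort-Object Computer, Member | Format-Table Computer, Member, ObjectClass, PrincipalSource -AutoSize

# A PC that did not answer is an unaudited PC, so report those separately.
foreach ($err in $failed) {
    Write-Warning ("Could not query a host: {0}" -f $err.Exception.Message)
}

$hostsAnswered = @($results | Select-Object -ExpandProperty Computer -Unique).Count
Write-Host ("{0} of {1} hosts answered; {2} unexpected local admin entries found." -f `
            $hostsAnswered, $ComputerName.Count, @($findings).Count)
```

Run it on a schedule and diff successive CSVs: a member that reappears after removal usually points to a process gap (imaging, help-desk habits, software that demands admin) rather than a one-off mistake.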