RE: Security Basics Exercise - How do you know?

[Mattias Baecklund <mattias.baecklund () ifsworld com>]

White listing (I have fallen for SE46 (www.se46.se)) your server program park can always be a good way of getting your 
CTO of your back.

Sorry for the late reply.

Mattias Baecklund
Software Security Engineer | R&D | Foundation1
IFS World Operations AB
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of Ryan Greenier
> Sent: den 11 september 2008 20:15
> To: security-basics () securityfocus com
> Subject: Security Basics Exercise - How do you know?
>
> Here's the what-if scenario:
>
> Your CTO calls your various IT groups together and poses the following
> question:
>
> "Do we know, as of right now, whether or not one of our public-facing
> systems has been compromised?"
>
> The fact is, and there is no way to answer this question with 100%
> certainty (at least I don't believe so). However, we should be able to
> answer this way:
>
> "We have as high a confidence-level as we can that no system has been
> breached because when we look at the various systems, we:
>
>         - do not see any unauthorized user IDs (or, no unauthorized ID's
> have
> been created within the last x hours/days/weeks)
>         - do not see any unexpected services running
>         - show the systems are fully patched
>         - show the systems are 100% compliant with our standard build
>         - show that there are no known vulnerabilities presently
> unaddressed
>         - have not seen any unauthorized root user activity
>         - do not see any unusual activity in our host-based IPS
>         - have not received any alerts from the network-based IPS
>         - see that disk space usage has not changed significantly
>         - so not see any unusual traffic on the firewall (such as denies,
> numerous abnormal connection-types, etc)
>         - checked the system with AV and anti-spyware and it came back
> clean
>
> ....."
>
>
> From a high-level, what else would you have in place to prove that
> your public systems are/were not breached?
>
> - Ryan
------------------------------------------------------------------------------

CONFIDENTIALITY AND DISCLAIMER NOTICE

This e-mail, including any attachments, is confidential and intended only for
the addressee. If you are not the intended recipient, please notify us
immediately and delete this e-mail from your system. Any use or disclosure of
the information contained herein is strictly prohibited.