RE: Security Basics Exercise - How do you know?

["David Gillett" <gillettdavid () fhda edu>]

  Have you used Tripwire or the equivalent to verify that the current
image matches the deployed image?

David Gillett


> -----Original Message-----
> From: Ryan Greenier [mailto:rgreenier () gmail com] 
> Sent: Thursday, September 11, 2008 11:15 AM
> To: security-basics () securityfocus com
> Subject: Security Basics Exercise - How do you know?
>
> Here's the what-if scenario:
>
> Your CTO calls your various IT groups together and poses the 
> following question:
>
> "Do we know, as of right now, whether or not one of our 
> public-facing systems has been compromised?"
>
> The fact is, and there is no way to answer this question with 
> 100% certainty (at least I don't believe so). However, we 
> should be able to answer this way:
>
> "We have as high a confidence-level as we can that no system 
> has been breached because when we look at the various systems, we:
>
>       - do not see any unauthorized user IDs (or, no 
> unauthorized ID's have been created within the last x 
> hours/days/weeks)
>       - do not see any unexpected services running
>       - show the systems are fully patched
>       - show the systems are 100% compliant with our standard build
>       - show that there are no known vulnerabilities 
> presently unaddressed
>       - have not seen any unauthorized root user activity
>       - do not see any unusual activity in our host-based IPS
>       - have not received any alerts from the network-based IPS
>       - see that disk space usage has not changed significantly
>       - so not see any unusual traffic on the firewall (such 
> as denies, numerous abnormal connection-types, etc)
>       - checked the system with AV and anti-spyware and it 
> came back clean
>
> ....."
>
>
> > From a high-level, what else would you have in place to prove that
> your public systems are/were not breached?
>
> - Ryan