Security Basics mailing list archives

Re: Security Basics Exercise - How do you know?


From: "ॐ aditya mukadam ॐ" <aditya.mukadam () gmail com>
Date: Fri, 12 Sep 2008 16:39:50 +0530

Ryan,

Other things that I can think of :

- We do not see any suspicious traffic from public-facing systems to
the internet. (This can occur if a compromised system is uploading
information it is not expected to, i.e. no traffic 'initiated by
server'.)
- No auth failure logs on the public-facing system.

However, I hope the CTO will be on the phone till you read out the whole
list. Reading out a checklist would make him feel that you are doing a
manual job rather than an intelligent one!

A smart answer would be: "Analysis and current logs from various
systems show normal behavior, which indicates the public-facing systems
are safe. For your review, I can send you a detailed report/email
with the information gathered to come to this conclusion."

Such a statement would show more confidence than reading out the 'checklist'.

Thanks,
Aditya Govind Mukadam



On Thu, Sep 11, 2008 at 11:44 PM, Ryan Greenier <rgreenier () gmail com> wrote:
Here's the what-if scenario:

Your CTO calls your various IT groups together and poses the following question:

"Do we know, as of right now, whether or not one of our public-facing
systems has been compromised?"

The fact is, there is no way to answer this question with 100%
certainty (at least I don't believe so). However, we should be able to
answer this way:

"We have as high a confidence-level as we can that no system has been
breached because when we look at the various systems, we:

- do not see any unauthorized user IDs (or, no unauthorized IDs have been created within the last x hours/days/weeks)
- do not see any unexpected services running
- show the systems are fully patched
- show the systems are 100% compliant with our standard build
- show that there are no known vulnerabilities presently unaddressed
- have not seen any unauthorized root user activity
- do not see any unusual activity in our host-based IPS
- have not received any alerts from the network-based IPS
- see that disk space usage has not changed significantly
- do not see any unusual traffic on the firewall (such as denies, numerous abnormal connection types, etc.)
- checked the system with AV and anti-spyware and it came back clean

....."


From a high-level, what else would you have in place to prove that
your public systems are/were not breached?

- Ryan
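Several items on Ryan's list (unauthorized user IDs, unexpected services) and both of Aditya's additions (no server-initiated traffic to the internet, no auth failures) are comparisons of current state against a known-good baseline or allowlist. The following script, added here as an illustration and not part of the original thread, runs those four checks over constructed sample data (the passwd snapshot, auth log excerpt, firewall log and listener set are all made up; the baseline, server and network values are assumptions). Each check returns the deviations found, so an empty result is one data point toward "no evidence of compromise" rather than proof of it.

```python
"""Spot checks behind a 'have our public-facing systems been compromised?' review.

Every check diffs observed state against an approved baseline or allowlist and
returns what does not match. The sample data below is constructed for the
example; replace it with real snapshots, logs and allowlists in practice.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# --- Constructed sample data (assumptions, not from any real system) --------

# Accounts defined by the standard build (assumed baseline).
BASELINE_USERS: Set[str] = {"root", "www-data", "sshd", "ops"}

# Current /etc/passwd snapshot from the web server (constructed).
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
ops:x:1000:1000:Ops team:/home/ops:/bin/bash
backup2:x:1001:1001::/home/backup2:/bin/bash
"""

# Auth log excerpt in OpenSSH wording (constructed).
AUTH_LOG = """\
Sep 12 03:14:01 web1 sshd[2231]: Accepted publickey for ops from 10.0.5.7 port 51022 ssh2
Sep 12 03:15:44 web1 sshd[2240]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Sep 12 03:15:46 web1 sshd[2240]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Sep 12 03:16:02 web1 sshd[2251]: Failed password for root from 198.51.100.23 port 40130 ssh2
"""

# Firewall connection log, one "ACTION SRC DST DPORT PROTO" record per line (constructed).
FW_LOG = """\
ALLOW 203.0.113.77 192.0.2.10 443 tcp
ALLOW 192.0.2.10 192.0.2.53 53 udp
ALLOW 192.0.2.10 198.51.100.9 4444 tcp
DENY 203.0.113.200 192.0.2.10 3389 tcp
"""

PUBLIC_SERVERS: Set[str] = {"192.0.2.10"}                 # assumed DMZ host
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),    # assumed internal ranges
                 ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_LISTENERS: Set[int] = {22, 80, 443}              # ports the build should expose
CURRENT_LISTENERS: Set[int] = {22, 80, 443, 31337}        # constructed current listener set

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def new_accounts(passwd_text: str, baseline: Set[str]) -> Set[str]:
    """Accounts present now that the approved build does not define."""
    current = {line.split(":")[0] for line in passwd_text.splitlines() if line.strip()}
    return current - baseline


def auth_failures(log_text: str) -> Dict[str, int]:
    """Failed password attempts per source address."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            src = match.group(2)
            counts[src] = counts.get(src, 0) + 1
    return counts


def server_initiated_outbound(log_text: str, servers: Set[str],
                              internal: List[ipaddress.IPv4Network]) -> List[Tuple[str, str, int, str]]:
    """Allowed connections a public server opened to a destination outside internal ranges."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than guessing
        action, src, dst, dport, proto = parts
        if action != "ALLOW" or src not in servers:
            continue
        if any(ipaddress.ip_address(dst) in net for net in internal):
            continue  # internal traffic (DNS, backups) is expected
        findings.append((src, dst, int(dport), proto))
    return findings


def unexpected_services(listening: Set[int], expected: Set[int]) -> Set[int]:
    """Listening ports the standard build does not account for."""
    return set(listening) - set(expected)


def assess() -> Dict[str, object]:
    """Run all four checks on the sample data and return the deviations found."""
    return {
        "new_accounts": new_accounts(CURRENT_PASSWD, BASELINE_USERS),
        "auth_failures": auth_failures(AUTH_LOG),
        "server_outbound": server_initiated_outbound(FW_LOG, PUBLIC_SERVERS, INTERNAL_NETS),
        "unexpected_services": unexpected_services(CURRENT_LISTENERS, EXPECTED_LISTENERS),
    }


if __name__ == "__main__":
    for check, result in assess().items():
        print(f"{check}: {result if result else 'nothing found'}")
```

On the constructed data every check finds something (an extra account, one address with three failures, one server-initiated connection to an external host on an unexpected port, one extra listener), which is the point: each finding is a question to run down before the "high confidence" statement is made, and the baselines and allowlists are what make the comparison meaningful.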


