Security Basics mailing list archives

Re: Initial Security assessment for a large university - what to ask?


From: Adam Mooz <adam.mooz () gmail com>
Date: Thu, 1 Apr 2010 20:22:04 -0400

- ACLs for everything.
- Do a physical walk around each network closet, each lab, and physically inspect everything.  You're sure to come up with quite a few questions.
- Ask about any 'gotchas' that the network has.
- Get historical data for network load and go through them so you know how to spot unusual spikes.
- Find out about the patching cycle.
- Ask how the backup system works, offsite, on site, rotation, etc.  Get acquainted with the courier.
- DRP.  For this see if any of them are willing to be put on a 'call list' in case you have to activate your DRP and get stuck.
- Get network maps.  Subnets, VLANs, the whole shebang.  Get a map of the physical infrastructure, compare them so you know what is what.  Get these maps printed, on a plotter, and go through them with the network guys, write directly on the map so you don't get confused later.
        - On this note get a similar map of what you control, and what you don't.  For instance, at my school there is the university-controlled network which handles the WiFi, res, etc.  Then there is the School of Computer Science which runs its own network; I believe it's hooked up to the university's network.
- You'll probably also be in control of the telephony system, get familiar with that.
- Go through all SLAs that you hold and are held against you.  Meet with as many people as you can so, if shit hits the fan, the ice breaker won't be along the lines of "so...about that support...where is it?".  If you're at least not just a name on a piece of paper to these people you'll be in much better shape when things go wrong.
- Find out if any equipment 'phones home.'  For example, I know some high-end servers and backup drives will 'phone home' when there's a problem and suddenly you'll have techs at your door, parts in hand.
- Look at your spare parts closet, if you have one.  Go through the stock and find out what goes for what, the age, and clean out anything that's too outdated to be of use.

Do all this with a notebook handy and take very good notes.  Don't be afraid to 'shake things up', don't just accept something and use it because "that's the way it was when I got here."  IMO this is NOT a valid justification for something.  That being said, don't shake things up just for the sake of it.  What I'm trying to say is make sure you don't let them go before you've got all the answers; once they're gone you're at their mercy for getting questions answered, usually.  Hope this helps a bit...this is all coming from a student's perspective so there's bound to be a lot more experience out there that can help some more than me.

-----------------------------------------------------------------
Adam Mooz
Adam.Mooz () gmail com
http://www.AdamMooz.com
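As an added example (not part of Adam's post or anything the university ran), one way to turn the historical network-load data he mentions into a baseline for spotting unusual spikes: bucket samples by hour of day, use median and MAD so a few past incidents don't skew the baseline, and flag anything far above it. The hour-of-day bucketing, the 3.5 threshold and the sample figures are all assumptions.

```python
"""Baseline-and-spike check over historical network load samples.

Added example, not from the mailing-list thread. Builds a per-hour-of-day
baseline from past samples using median and MAD (robust to outliers), then
flags new samples whose deviation exceeds a threshold. All numbers below are
constructed sample data, not real measurements.
"""
from collections import defaultdict
from statistics import median

def build_baseline(history):
    """history: iterable of (hour_of_day, mbps). Returns {hour: (median, mad)}."""
    by_hour = defaultdict(list)
    for hour, mbps in history:
        by_hour[hour].append(mbps)
    baseline = {}
    for hour, values in by_hour.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)   # median absolute deviation
        baseline[hour] = (med, mad)
    return baseline

def robust_score(value, med, mad):
    """Scaled MAD z-score; the 0.6745 factor makes MAD comparable to a std dev."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def find_spikes(samples, baseline, threshold=3.5):
    """samples: iterable of (label, hour, mbps). Returns labels with unusually high load."""
    spikes = []
    for label, hour, mbps in samples:
        if hour not in baseline:        # no history for this hour: nothing to compare against
            continue
        med, mad = baseline[hour]
        if robust_score(mbps, med, mad) > threshold:
            spikes.append(label)
    return spikes

# Constructed history: a week of 03:00 (quiet) and 14:00 (busy) readings in Mbps.
HISTORY = [(3, v) for v in (40, 42, 38, 41, 39, 43, 40)] + \
          [(14, v) for v in (400, 420, 390, 410, 405, 415, 398)]
# Constructed new samples: one normal night, one night-time surge, one busy afternoon.
SAMPLES = [("mon 03:00", 3, 41), ("tue 03:00", 3, 380), ("wed 14:00", 14, 430)]

if __name__ == "__main__":
    print(find_spikes(SAMPLES, build_baseline(HISTORY)))   # ['tue 03:00']
```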

On 2010-04-01, at 6:00 AM, Stanislav Burlakov wrote:

Hi Camilo,

You might also want to ask for ACLs for these, since things like IPS, some servers and switches can probably be accessed only from certain machines. Also asking them for documentation that they've written about system set-up, IPS rules, etc, may be useful. Finally, you want to know where all the logs / alarms go (assuming they don't have a central log server), and where to reconfigure them to point to new emails / pager numbers.

Also what not to do to trigger IDS (in case it has some sort of active response).


Hope this helps!

Stan

Camilo Olea wrote:
Dear friends,

I've been asked to be part of a large project. A local college (in Cancun, MX) is changing administration, and as a part of it, seems like they are changing the whole IT team. My orders were clear: "Make a list of all that they need to give to you, security-related".

I'm thinking:

- root logins and passwords for all servers/routers/etc


... and I stopped there. Any other ideas on what I should demand from them?

Thanks,
Camilo Olea



