Re: Security Audit and Priorities

[pammann () execomm net (Paul Ammann)]

> Get yourself on the list of the people notified when new boxes are
> built and old ones are retired.  Make yourself helpful enough that
> people come to you rather than avoid you.

That's the blessing and curse of the company. The IT dept is 15 people. I
would be reporting to the Director and CIO. They both know security is need,
but they aren't sure where. For example, I know that the company doesn't
collect logs from its UNIX servers, routers, or firewalls. Servers need to
be hardened, but they lack knowledge and skills. Doing a traceroute to their
web site, I can see the firewall and router.


----- Original Message -----
From: <lists () notatla org uk>
To: <firewall-wizards () honor icsalabs com>
Sent: Sunday, July 13, 2003 1:21 AM
Subject: Re: [fw-wiz] Security Audit and Priorities


> From: Paul Robertson <proberts () patriot net>
>
> > Obscurity won't help you much, keep your servers up to date,
> > especially if they're facing the real world, turn off all
> > the stuff that's not strictly necessary, and then you won't
>
> And organise routine ongoing monitoring with record-keeping.
> Get yourself on the list of the people notified when new boxes are
> built and old ones are retired.  Make yourself helpful enough that
> people come to you rather than avoid you.
>
> Managers may leave various jobs unassigned - perhaps because they don't
> realise they need doing - and then they get done badly at last minute.
> That's when you get to hear about them and poeple whinge that they
> can't be reworked correctly because it's due right now.  I haven't
> yet mastered this problem in my workplace.  I've a suspicion some
> of these rush jobs may be deliberately so - but I border on paranoia.
>
> People need training - not everybody is a natural learner and those that
> are need time for that.  I'm constantly amazed by the inability of staff
> to apply sensible filemodes on their work (typically with 1000 accounts
> per host).  Some people seem to have a "I'm not a techy - I can't be
> bothered to do any of that" attitude that covers literally everything to
> do with computers.  (I say that if this attitude persists they should get
> other jobs - but who listens to me ?)  Proactive password checking has a
> high ROI.
>
> > > 2. The company has acknowledged they are lacking in security. What
> > > is the best method for doing a security audit?
>
> > Figure out what's exposed, make sure it's not anything that
> > shouldn't be, and make sure it's up to date, then ensure
> > that the security policy matches the needs and wishes of
> > the organization and make sure that it's being correctly
> > implemented.
>
> What's he going to do in the second week there ?
> Depending on size and culture most of the above steps could take
> forever.  Keeping up to date is certain to remain unfinished.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards