PaulDotCom mailing list archives

How do I fill the gap of knowing how important "good" security is and actually doing something about it?


From: Shaun Curry <scurry () smsd gs>
Date: Fri, 10 Aug 2012 02:26:30 +0000

Hello everyone!

I have a difficult issue...  I am a sys admin and the one and only IT person for a small organization.  I have attended 
SANS courses and have listened to pauldotcom for years now.  I have been learning a lot in the area of network 
security, but I need to fill a crucial gap in my knowledge.

Here's the scenario:

I review my logs daily and started noticing some strange things.  For example, an "IP Spoof" with an internal IP 
address talking to my VOIP server.  I see port scans coming from a facebook domain that are obviously apps.

I see things that alarm me; however, I don't know how to verify the validity of what I'm seeing.  I know that sometimes 
you can get false positives and sometimes an all in one IDS/IPS/Firewall can get it wrong.  I'm feeling a bit lost!  I 
know that I can expect port scanning and I tend to ignore it.  But some of the other things I'm seeing just leave me 
very nervous...

I'm doing my best and as far as I can tell it's been working well, but there has to be a good training course or two 
that I can take that will teach me how to identify this stuff quicker and more easily.

Do you just learn this stuff as you go?  Is experience the key?

If anyone has advice I'd appreciate it!  I can't be the first or only person to reach this point....

Thanks!

Shaun Curry
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
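The two alert types in the post above (an "IP Spoof" alert naming an internal address, and repeated external port scans) are a good fit for a small first-pass triage script, because the question "is this real?" for each of them comes down to a couple of checks that are easy to automate. The example below is added here and is not part of the original post or of any product's tooling; the log format, the sample lines, the internal subnet list and the "known scanner" allowlist are all constructed for illustration. The spoof check asks on which interface the packet arrived and whether its source belongs to an RFC 1918 range the firewall has actually been told about; the scan check groups port-scan alerts by source and counts distinct ports so that a single probe is not reported the same way as a sweep.

```python
"""First-pass triage for "IP Spoof" and port-scan alerts from an all-in-one
firewall/IDS.  Added example; the log format below is constructed and is not
the format of any particular product."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts in a hypothetical format:
#   <time> <alert> if=<interface> src=<ip> dst=<ip> dport=<port>
SAMPLE_LOG = """\
2012-08-09T21:01:02 IP_Spoof if=lan src=10.0.5.20 dst=10.0.1.10 dport=5060
2012-08-09T21:01:09 IP_Spoof if=wan src=10.0.5.20 dst=10.0.1.10 dport=5060
2012-08-09T21:02:00 Port_Scan if=wan src=203.0.113.7 dst=10.0.1.10 dport=22
2012-08-09T21:02:01 Port_Scan if=wan src=203.0.113.7 dst=10.0.1.10 dport=80
2012-08-09T21:02:02 Port_Scan if=wan src=203.0.113.7 dst=10.0.1.10 dport=443
2012-08-09T21:03:00 Port_Scan if=wan src=198.51.100.9 dst=10.0.1.10 dport=5060
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<alert>\S+)\s+if=(?P<iface>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)$"
)

# RFC 1918 ranges, listed explicitly rather than via ipaddress.is_private,
# which also counts documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Subnets the firewall is configured to treat as internal (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.1.0/24")]
# External sources already identified as benign scanners (constructed).
KNOWN_SCANNERS = {"198.51.100.9": "uptime monitor (constructed)"}


def is_rfc1918(addr):
    return any(addr in n for n in RFC1918)


def parse_alerts(text):
    """Parse the constructed format into dicts; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["src"] = ipaddress.ip_address(a["src"])
            a["dport"] = int(a["dport"])
            alerts.append(a)
    return alerts


def triage_spoof(alert, internal_nets=INTERNAL_NETS):
    """Classify one IP_Spoof alert by interface and source address."""
    src = alert["src"]
    private = is_rfc1918(src)
    configured = any(src in n for n in internal_nets)
    if alert["iface"] == "wan":
        # A private source on the external interface cannot be a legitimate
        # Internet host: the packet was forged or leaked by an upstream device.
        return "investigate" if private else "check-device"
    # LAN side: a private source on a subnet the firewall was never told about
    # (a VoIP VLAN, for example) is the classic false positive.
    if private and not configured:
        return "likely-misconfig"
    if not private:
        return "investigate"  # internal host sending with a public source
    return "check-device"     # known subnet flagged anyway: asymmetric routing?


def triage_scans(alerts, known=KNOWN_SCANNERS, min_ports=3):
    """Group Port_Scan alerts per source and rate them by distinct ports."""
    ports = defaultdict(set)
    for a in alerts:
        if a["alert"] == "Port_Scan":
            ports[str(a["src"])].add(a["dport"])
    result = {}
    for src, seen in ports.items():
        if src in known:
            verdict = "expected"
        elif len(seen) >= min_ports:
            verdict = "scan"
        else:
            verdict = "noise"
        result[src] = {"ports": len(seen), "verdict": verdict}
    return result


def triage(text):
    alerts = parse_alerts(text)
    spoof = [(str(a["src"]), a["iface"], triage_spoof(a))
             for a in alerts if a["alert"] == "IP_Spoof"]
    return {"spoof": spoof, "scans": triage_scans(alerts)}


if __name__ == "__main__":
    for src, iface, verdict in triage(SAMPLE_LOG)["spoof"]:
        print(f"IP_Spoof src={src} if={iface}: {verdict}")
    for src, info in triage(SAMPLE_LOG)["scans"].items():
        print(f"Port_Scan src={src} ports={info['ports']}: {info['verdict']}")
```

The point of the split verdicts is that the same alert text means different things depending on where the packet arrived: the first sample line (private source, LAN interface, subnet not in the firewall's internal list) is the pattern a mis-defined VoIP subnet produces, while the second (private source on the WAN interface) deserves a look at the upstream router before anything else. The allowlist is where sources already checked once, such as a monitoring service, get recorded so they stop consuming attention the next day.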
