Security Basics mailing list archives

RE: Security Evaluation Project


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Thu, 12 Feb 2004 09:13:59 -0800

From: Donald Gerkin [mailto:dgerki1 () towson edu]
So.... what is that I ask? Advice, links to resources, and even war 
stories from those who may have done this before, regardless of the
forum.

I apologize for the late reply, but I've been pretty busy and haven't
been able to keep up with the list lately. As always, I believe that you
can't have a canned audit path for testing the physical,
policy/political and electronic of every organization. I've done a few
security audits for local banks and credit unions, and
county/local/state agencies in my area.

Here is just a quick list, please feel free to ask if you want me to
elaborate on anything.

Physical Security: Placement of computers, access (RJ45 and RJ11) ports,
monitor placement, access to wires (telco and data, i.e. T1 smart jacks,
DSL endpoints, etc), physical computer security (systems are
bolted/locked down, etc), physical access to network infrastructure
(routers, switches, repeaters, etc), physical access to servers and data
centers.

Political Security: Climate of 'secure by default', punishment for
breaking/breaching security, managers/execs don't 'bypass' security
when they feel it's not worth 'their' time. Constant reminders of the
security policy and its need for the company's wellbeing.

Policy Security: Clear human-readable computer security guidelines,
password length and complexity requirements, password and pass code
(doors, access hatches, etc) aging, users sign NDR/computer security
rules and regs, PKI policies, foreign media allowed (i.e. floppies,
CD-ROMs, USB drives, thumb drives), policy for software evaluation
criteria (have demos onsite of software, try and hack new software
before purchase, etc). Standards for computing infrastructure equipment
(buy one type of desktop/server (HP, Dell, IBM, etc), same for printers,
switches, routers, firewalls, and all other components).

Data Security: Critical transactions are encrypted/hashed, network is of
a switched type with port security on, VLANs for each department,
multiple firewall layers, host and network IDS (I think host is much
more important than network IDS), constant monitoring with syslog
backups, maybe a honeypot?, passwords and other network access control
information (plus ALL documentation) in a LOCKED fireproof safe.
Internet access is limited (no firewall external interface but internal
can do anything it wants), selective use of remote access technologies
(VPN, RAS, modems, WiFi, etc), everything is constantly up to date,
services are locked down, run in a chroot jail if needed, and unneeded
services are off, people DON'T run their systems as ANY kind of
ADMIN/ROOT! This goes for IT people too; they can sudo/runas if they need
to do something! Site-to-site internet traffic is IPSEC or SSL, NOT PPTP
or L2TP (RAS is ok for PPTP or L2TP). Proper use of DMZs, network
islands and dead zones.

Good list of resources: http://is-it-true.org/pt/
Security Resource Center: http://csrc.nist.gov/
W3C Protocol Security: http://www.w3.org/Security/
SANS: http://www.sans.org
CERT: http://www.cert.org/
Web pen-test article: http://www.securityfocus.com/infocus/1704
Firewall pen-testing: http://www.wittys.com/files/mab/fwpentesting.html
White Hat's (us) Resources: http://www.whitehats.com/

I do have some stories, but I wouldn't want to bore the list with my
endless banter.

Rick, I know you're still lurking out there in this list, so I fully
expect an e-mail from you nagging me about going to Linux!

I've cleaned up plenty of Linux servers that were hacked in my life and
I'm still fairly young! I know people who've cleaned up more UNIX and
Linux systems than NT boxes! Not saying that I don't clean up Windows
servers also! Basically Linux has a few things it 'forces' on users; a
major thing is that running as admin/root in Windows is the 'norm', while when
you use Linux that's a big NO-NO. Now there is more risk with Windows
due to viruses and worms, but that risk can be mitigated. For example,
applying firewall rules for your LAN-to-INET traffic helps (keeps worm
spreading in check, and stops Trojans), don't run as root/admin, run a
good virus scanner (anything that can be forced on clients, i.e.
Symantec Corporate Edition, Trend OfficeScan, etc), apply ACLs to your
network shares, printers and hard drive resources. A big help is to not
use the C drive; most viruses tend to look for that as a static path
instead of using %systemroot%. Also not using HTML/scripted email helps.
I'd argue though that not using Outlook helps reduce the risk even more,
bringing it down to Linux levels, with the above ideas. Most of the 'use
Linux' folks don't realize, or want to acknowledge, that there is a
business need to use Windows/Office and we work FOR the business, not
against it.

Personally I run an XP Pro system with Mandrake and OpenBSD as Virtual
PCs. I also have a SuSE laptop and another workstation running Red Hat.
All my forward-facing servers are Linux/BSD (Go OpenBSD!), minus our web
server, which is IIS because they used VBScript to make the site *yuck*.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
