Re: Seucity audit

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 03/02/04 

Date: Tue, 02 Mar 2004 12:47:48 -0800

Forgot...

Passphrases ... make those passwords long and alphanumeric

If full XP/2k network turn on Lanman hash tightens up the security as
they password hashes are not stored on the system]

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> Your security issues are not your server. Don't look there. It's your
> desktops. it's your employees. It's not "out there", it's "in here".
>
> In SBS land that $8,000 would be a waste of time because Foundstone
> would look at you from a corporate network "attitude".
>
> In big server land, you assume people are sniffing your traffic,
> examining what information is bleeding off your connections seeing what
> patch level you are at. If you had posted in via a newsgroup versus the
> web interface I could have told you your external IP address that you
> posted from what version of newsreader you used. I could [with
> permission] fire packets at you using Foundstone's Superscan tool and
> told you what ports you had open. I could use nmap or any number of
> freely available tools what operating system you were running and
> through what hotfix you had installed. If you were not up to date on
> patches, I'd go to FullDisclosure or K-0tiks.com [or whatever that
> disreputable site in French is] and I'd download exploit code and fire
> it off at your unpatched system and nail you if the proper port was open
> in your firewall.
>
> The reality is that none of this occurs in SBSland.
>
> We get nailed from OUR stupidity because we don't patch and don't maintain.
>
> You don't need to spend your security dollars on a security audit in SBS
> land. That's not where are risks lie out there.
>
> 1. What do "bots" see as your open ports? In SBS land we don't get
> hacked, we get stupid. Defcon hackers do not boast about taking down a
> SBS box. Go to grc.com click on shields up/ports up.. what ports are
> open. The fewer the ports, the less attack surface. Only open what you
> need, close what you don't.
>
> 2. What user rights are running on those workstations? I have to have
> a pretty loosey gooesy internal network to be "businessy" in my firm.
> I'm the only person running in "user" mode in my LAN, the rest are power
> users or local admin. Local admin means they can accidentally install
> ANYTHING... so to counter that with .....
>
> 3. Trend SMB ... EVERY email that comes in the door is scanned and
> checked, I also quarantine zip files and what not. A/v on the server
> and the desktop and it checks for updates every hour on the hour.
>
> 4. Pop up blockers on Windows machines in the form of the Google tool bar
>
> 5. Plans to roll out XP sp2 as soon as it hits the streets [lots of
> security features].
>
> 6. Get 100% Windows XP office so that at a moments notice I can patch
> ALL workstations - if you have one Windows 98 in the LAN you have no
> security.
>
> 7. Save your money on that audit and buy www.shavlik.com HfnetchkPro
> and be able to remotely from your desktop [or the server] patch the
> server and all XP workstations with one button.
>
> 8. Ensure that all laptops have antivirus/patching/firewall as well.
> Set up a procedure where standalone laptops are "checked in and checked
> out"
>
> 9. Do you have employee manuals that cover authorized and unauthorized
> internet and email use? {Policy first and foremost}
>
> 10. Buy employees a copy of Trend Micro's pccillian for home use,
> require that they load it up.
>
> 11. Sign up for Microsoft security bulletins and ensure you get
> notified. Patch in a timely manner.
>
> 12. Have monthly employee awareness meetings training people to "not
> just click"
>
> 13. Alarm on the building.
>
> 14. Good tape backup with rotation off site.
>
> 15. Kensington phyiscal cable locks on computers in the office to slow
> burglars down.
>
> There... I'll bet you those steps don't cost $8,000 and I just gave you
> action items rather than giving you a security audit that would tell you
> that you have weaknesses and then you'd have no budget to do anything
> about them.
>
> I'll send you a bill.
>
> A can of Mountain Dew and a promise that you'll hang around this
> newsgroup. :-)
>
> Susan
>
> Roger wrote:
>
>> Thanks... those are all great tools.
>>
>> Depending on the costs... I'd consider a full blown security assesment
>> from a company to evaluate my infrastructure, and even exploit the
>> vulnerabilities they find within...
>>
>> So far, I haven't found a company that's cost effective. These
>> evaluations are looking to be better then 8k!
>>
> 

-- 
http://www.sbslinks.com/really.htm