Re: Seucity audit

From: Kevin Weilbacher [SBS-MVP] (kweilbacMVP_at_gte.net)
Date: 03/02/04 

Date: Tue, 2 Mar 2004 18:55:55 -0500

Re: long passwords --- I upgraded this one customer this weekend, and when
everyone walked in yesterday, they had a sealed envelope with instructions
for setting their new long password - no ifs, ands or but. The surprising
thing is thaty I got no complaints!

Re: monthly awareness meetings --- I tend to send put a short email that
describes a particular ssecurity situation. Example: today one person at a
site was really concerned becauser he was starting to get emails with an
unusual attachment - like "RemovedAttachments010.txt". So, I'm working up a
security update email that addresses this - and use it as a way of saying --
this is why you bought SBS and have me taking care of the server for you! 

-- 
Kevin Weilbacher [SBS-MVP]
"The days pass by so quickly now, the nights are seldom long"
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:eMH%238eJAEHA.3400@tk2msftngp13.phx.gbl...
> Forgot...
>
> Passphrases ... make those passwords long and alphanumeric
>
> If full XP/2k network turn on Lanman hash tightens up the security as
> they password hashes are not stored on the system]
>
>
>
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> > Your security issues are not your server.  Don't look there.  It's your
> > desktops.  it's your employees.  It's not "out there", it's "in here".
> >
> > In SBS land that $8,000 would be a waste of time because Foundstone
> > would look at you from a corporate network "attitude".
> >
> > In big server land, you assume people are sniffing your traffic,
> > examining what information is bleeding off your connections seeing what
> > patch level you are at.  If you had posted in via a newsgroup versus the
> > web interface I could have told you your external IP address that you
> > posted from what version of newsreader you used.  I could [with
> > permission] fire packets at you using Foundstone's Superscan tool and
> > told you what ports you had open.  I could use nmap or any number of
> > freely available tools what operating system you were running and
> > through what hotfix you had installed.  If you were not up to date on
> > patches, I'd go to FullDisclosure or K-0tiks.com [or whatever that
> > disreputable site in French is] and I'd download exploit code and fire
> > it off at your unpatched system and nail you if the proper port was open
> > in your firewall.
> >
> > The reality is that none of this occurs in SBSland.
> >
> > We get nailed from OUR stupidity because we don't patch and don't
maintain.
> >
> > You don't need to spend your security dollars on a security audit in SBS
> > land.  That's not where are risks lie out there.
> >
> > 1.  What do "bots" see as your open ports?  In SBS land we don't get
> > hacked, we get stupid.  Defcon hackers do not boast about taking down a
> > SBS box.  Go to grc.com click on shields up/ports up.. what ports are
> > open.  The fewer the ports, the less attack surface.  Only open what you
> > need, close what you don't.
> >
> > 2.  What user rights are running on those workstations?  I have to have
> > a pretty loosey gooesy internal network to be "businessy" in my firm.
> > I'm the only person running in "user" mode in my LAN, the rest are power
> > users or local admin.  Local admin means they can accidentally install
> > ANYTHING... so to counter that with .....
> >
> > 3.  Trend SMB ... EVERY email that comes in the door is scanned and
> > checked, I also quarantine zip files and what not.  A/v on the server
> > and the desktop and it checks for updates every hour on the hour.
> >
> > 4.  Pop up blockers on Windows machines in the form of the Google tool
bar
> >
> > 5.  Plans to roll out XP sp2 as soon as it hits the streets [lots of
> > security features].
> >
> > 6.  Get 100% Windows XP office so that at a moments notice I can patch
> > ALL workstations - if you have one Windows 98 in the LAN you have no
> > security.
> >
> > 7.  Save your money on that audit and buy www.shavlik.com HfnetchkPro
> > and be able to remotely from your desktop [or the server] patch the
> > server and all XP workstations with one button.
> >
> > 8.  Ensure that all laptops have antivirus/patching/firewall as well.
> > Set up a procedure where standalone laptops are "checked in and checked
> > out"
> >
> > 9.  Do you have employee manuals that cover authorized and unauthorized
> > internet and email use?  {Policy first and foremost}
> >
> > 10.  Buy employees a copy of Trend Micro's pccillian for home use,
> > require that they load it up.
> >
> > 11.  Sign up for Microsoft security bulletins and ensure you get
> > notified.  Patch in a timely manner.
> >
> > 12.  Have monthly employee awareness meetings training people to "not
> > just click"
> >
> > 13.  Alarm on the building.
> >
> > 14.  Good tape backup with rotation off site.
> >
> > 15.  Kensington phyiscal cable locks on computers in the office to slow
> > burglars down.
> >
> > There... I'll bet you those steps don't cost $8,000 and I just gave you
> > action items rather than giving you a security audit that would tell you
> > that you have weaknesses and then you'd have no budget to do anything
> > about them.
> >
> > I'll send you a bill.
> >
> > A can of Mountain Dew and a promise that you'll hang around this
> > newsgroup.  :-)
> >
> > Susan
> >
> > Roger wrote:
> >
> >> Thanks... those are all great tools.
> >>
> >> Depending on the costs... I'd consider a full blown security assesment
> >> from a company to evaluate my infrastructure, and even exploit the
> >> vulnerabilities they find within...
> >>
> >> So far, I haven't found a company that's cost effective. These
> >> evaluations are looking to be better then 8k!
> >>
> >
>
> -- 
> http://www.sbslinks.com/really.htm
>