7.1 INTEGRATING SECURITY INTO YOUR SITE
How do you justify the security infrastructure investment?
·
Perform a risk analysis on your site to determine the value of your
assets and risks to those assets.
·
Demonstrate that the threat from intruders is too high to ignore.
One way to do this is to run a passive network sniffer on your network
backbone and report how often remote access attempts and probes occur.
·
Run some of the high-profile vulnerability-scanning tools (e.g., ISS, NetSonar, SATAN)
against your network from the outside and present a report to management.
·
Discuss the potential impact on your company's reputation or revenue
and profits of widespread reports that your site has been hacked.
·
Discuss the potential impact on your company’s reputation or
revenue and profits of a widespread denial of service attack.
·
Provide information on the frequency of Internet attacks, the
companies that were attacked, and the damage inflicted.
How do you determine your site's security philosophy? Ask yourself and others in your organization these questions:
·
What do your users and customers expect in the way of system
security controls and procedures?
·
Will you lose customers if security is not taken seriously enough,
or if it is taken so seriously that functionality is impaired?
·
How much downtime or monetary loss has occurred due to security
incidents in the past?
·
Are you concerned about insider threats? Should you trust your
users? Are most of your users local or remote?
·
How much sensitive information is on-line? What is the loss to your
organization if this information is compromised or stolen?
·
Do you need different levels of security for different parts of your
organization (e.g., ERP systems, development and testing labs, and customer
support groups)?
·
How much negative publicity has the organization suffered due to an
insufficient security framework?
·
Are there security guidelines, regulations, or laws your
organization is required to meet? If so, does your organization make an
effort to meet them?
·
Do business requirements take precedence over security where there
is a conflict? If so, is this what you want?
·
How important are confidentiality, integrity, and availability to the
overall operation of your organization?
·
Are the decisions you have made consistent with the business needs
and economic stance of your organization?
What are the key elements of a successful security awareness program?
·
Provide training using different media (classes, web pages, on-line
documentation, and video).
·
Provide training on a regular basis and as part of your new employee
orientation program.
·
Provide training to support staff, users and managers.
·
As part of the training, stage mock incidents to see how well users
and support staff respond.
·
Keep users and support staff informed about current trends in
computer incidents. This includes making information such as advisories and
alerts available to everyone in your organization and encouraging them to
read it.
·
Review your security training procedures regularly to ensure they
are up to date and relevant.
What are the key elements of a good security infrastructure?
·
A strong commitment from management to provide sufficient resources
to get the work done and to back security policies and procedures.
·
A staff dedicated to security tasks.
·
A well-defined security mission statement.
·
A well-developed security awareness training program.
·
Clearly defined, implemented and documented security policies and
procedures which are supplied to everyone within your organization.
·
A strong flow of information to and from the appropriate groups.
·
A security incident response team.
·
External and internal security perimeter controls (e.g., firewalls).
·
A suite of host and network based security auditing and improvement
tools.
What are some common security problems that continue to plague many sites?
·
Sites do not dedicate staff or sufficient resources to improve and
maintain security.
·
Support personnel do not have management support or the authority to
deploy appropriate security measures.
·
Sites do not install vendor patches for known security problems.
·
Sites do not monitor or restrict network access to their internal
hosts.
·
Sites do not use sufficient authentication and authorization systems
for remote access.
·
Sites do not implement or enforce procedures and standards when
installing new devices on their network.
·
Sites still place too much emphasis on "security through
obscurity".
·
Sites do not use host and network based auditing and intrusion
detection tools.
7.2 HOW TO GET THE WORK DONE
What are some typical duties of security support personnel?
·
Help recommend and develop internal security standards.
·
Help define, produce, and maintain official security policy and documentation.
·
Monitor, audit, and test systems and networks for possible security
problems.
·
Monitor security newsgroups, mailing lists, and postings and respond
to them accordingly.
·
Review security log files on a daily basis and investigate anomalies
as needed.
·
Test, install, and maintain security infrastructure tools.
·
Test and install patches and fixes for security vulnerabilities in
vendor software.
·
Stay current on security technology and possible threats to your
organization.
·
Provide investigation, coordination, reporting, and follow-up of
network security incidents.
·
Participate in reviews and analysis of internal projects that may
have an impact on the security of the organization.
·
Advocate corporate information security policy and procedures to
internal and external clients, customers, users, and staff.
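The probe frequency mentioned above under justifying the investment and the daily review of security log files listed among the support duties come down to the same task: reducing raw log lines to counts a person can act on. The following is an added example, not code from this document or from any of the tools it lists. It runs over constructed tcp_wrappers and sshd syslog lines and reports sources that were refused on several different services (a service sweep) and sources that repeatedly fail authentication (password guessing). The hostnames, addresses, thresholds and function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real log data): tcp_wrappers
# "refused connect" records and sshd authentication messages from a gateway.
SAMPLE_LOG = """\
Mar 14 02:11:05 gw in.telnetd[2211]: refused connect from 203.0.113.7
Mar 14 02:11:06 gw in.ftpd[2212]: refused connect from 203.0.113.7
Mar 14 02:11:06 gw in.fingerd[2213]: refused connect from 203.0.113.7
Mar 14 02:11:07 gw in.tftpd[2214]: refused connect from 203.0.113.7
Mar 14 03:40:10 gw sshd[3001]: Failed password for root from 198.51.100.4 port 40112 ssh2
Mar 14 03:40:12 gw sshd[3002]: Failed password for root from 198.51.100.4 port 40113 ssh2
Mar 14 03:40:14 gw sshd[3003]: Failed password for invalid user admin from 198.51.100.4 port 40114 ssh2
Mar 14 03:40:16 gw sshd[3004]: Failed password for invalid user oracle from 198.51.100.4 port 40115 ssh2
Mar 14 03:40:18 gw sshd[3005]: Failed password for root from 198.51.100.4 port 40116 ssh2
Mar 14 08:02:33 gw in.ftpd[4100]: connect from 192.0.2.25
Mar 14 08:15:01 gw sshd[4200]: Accepted publickey for alice from 192.0.2.25 port 51000 ssh2
Mar 14 09:00:00 gw sshd[4300]: Failed password for bob from 192.0.2.26 port 52000 ssh2
Mar 14 09:00:04 gw sshd[4301]: Accepted password for bob from 192.0.2.26 port 52001 ssh2
Mar 14 09:30:00 gw cron[4400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Standard syslog prefix: timestamp, host, program[pid]: message
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
# Message shapes we classify; anything else is ignored by this review.
EVENT_RES = [
    ("refused", re.compile(r"^refused connect from (?P<src>\S+)")),
    ("connect", re.compile(r"^connect from (?P<src>\S+)")),
    ("auth_fail", re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("auth_ok", re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
]


def parse_line(line):
    """Classify one syslog line; None for lines this review does not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for event, rx in EVENT_RES:
        e = rx.match(m["msg"])
        if e:
            d = e.groupdict()
            return {"ts": m["ts"], "prog": m["prog"], "event": event,
                    "src": d["src"], "user": d.get("user")}
    return None


def summarize(lines):
    """Per-source counters: refused connects, distinct services touched, failed logins."""
    refused = Counter()
    services = defaultdict(set)
    failures = Counter()
    failed_users = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        services[ev["src"]].add(ev["prog"])
        if ev["event"] == "refused":
            refused[ev["src"]] += 1
        elif ev["event"] == "auth_fail":
            failures[ev["src"]] += 1
            failed_users[ev["src"]].add(ev["user"])
    return {"refused": refused, "services": services,
            "failures": failures, "failed_users": failed_users}


def find_probes(summary, min_services=3):
    """A source refused on several distinct services is sweeping for open ones."""
    return sorted(src for src in summary["refused"]
                  if len(summary["services"][src]) >= min_services)


def find_password_guessing(summary, min_failures=4):
    """A source with many failed logins is guessing; one failure is just a typo."""
    return sorted(src for src, n in summary["failures"].items() if n >= min_failures)


def daily_report(lines):
    s = summarize(lines)
    guessing = find_password_guessing(s)
    return {"refused_total": sum(s["refused"].values()),
            "probing_sources": find_probes(s),
            "guessing_sources": guessing,
            "guessed_accounts": {src: sorted(s["failed_users"][src]) for src in guessing}}


if __name__ == "__main__":
    for key, value in daily_report(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On a real gateway the lines come from the syslog file instead of SAMPLE_LOG, and the thresholds are tuned to the site: a single refused connect is noise, a source hitting four services in two seconds is the probe traffic the sniffer argument above is meant to make visible.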
How do you ensure or document the effectiveness of your security infrastructure? Perform the following auditing functions:
·
New System Installation Security Audits: To ensure conformance to
existing policies and a standard system configuration.
·
Regular Automated System Audit Checks: To reveal a
"visitation" by an intruder or illicit activity by insiders.
·
Random Security Audit Checks: To test for conformance to security
policies and standards (by finding illicit activity), or to check for the
existence of a specific class of problems (e.g., the presence of a
vulnerability reported by a vendor).
·
Nightly Audits of Critical Files: To assess the integrity of
critical files (e.g., the password file) or databases (e.g., payroll or
sales and marketing information).
·
User Account Activity Audits: To detect dormant, invalid or misused
accounts.
·
Periodic audits and vulnerability assessments to determine overall
state of your security infrastructure.
A regular practice of system auditing helps an organization balance the
resources it expends against the most likely areas of weakness.
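As an added example of the User Account Activity Audit above (this is not code from this document): a check over constructed /etc/passwd-format records and a constructed table of last-login dates, flagging uid-0 accounts other than root, empty password fields, shells outside /etc/shells, shared uids, and interactive accounts that have not logged in for longer than a set number of days or have never logged in. The records, dates, shell list, thresholds and function names are assumptions.

```python
import datetime as dt
from collections import defaultdict

# Constructed sample records in /etc/passwd format (not from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
toor:x:0:0:backup admin:/:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/sh
carol:x:1004:1004:Carol:/home/carol:/usr/local/bin/evilsh
dave:x:1001:1005:Dave:/home/dave:/bin/bash
"""
# Last successful login per account, as lastlog or last would report it (constructed).
SAMPLE_LAST_LOGIN = {"root": "2024-03-10", "alice": "2024-03-13",
                     "bob": "2023-09-01", "carol": "2024-03-12",
                     "dave": "2024-03-14"}
VALID_SHELLS = {"/bin/sh", "/bin/bash", "/usr/sbin/nologin"}   # stands in for /etc/shells
NOLOGIN = "/usr/sbin/nologin"
AUDIT_DATE = dt.date(2024, 3, 14)


def parse_passwd(text):
    """Parse passwd-format lines into dicts; a malformed line is an error, not noise."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, _gecos, home, shell = fields
        accounts.append({"name": name, "pw": pw, "uid": int(uid),
                         "gid": int(gid), "home": home, "shell": shell})
    return accounts


def audit_accounts(accounts, last_login, today, dormant_days=90,
                   valid_shells=VALID_SHELLS):
    """Return (account, code, detail) findings for the checks described above."""
    by_uid = defaultdict(list)
    for a in accounts:
        by_uid[a["uid"]].append(a["name"])
    findings = []
    for a in accounts:
        n = a["name"]
        if a["uid"] == 0 and n != "root":
            findings.append((n, "UID0", "uid 0 account other than root"))
        if a["pw"] == "":
            findings.append((n, "EMPTY_PW", "empty password field: no password required"))
        if a["shell"] not in valid_shells:
            findings.append((n, "BAD_SHELL", f"shell {a['shell']} not in /etc/shells"))
        if len(by_uid[a["uid"]]) > 1:
            others = [o for o in by_uid[a["uid"]] if o != n]
            findings.append((n, "DUP_UID", f"uid {a['uid']} shared with {','.join(others)}"))
        if a["shell"] == NOLOGIN:
            continue    # accounts that cannot log in are not "dormant"
        seen = last_login.get(n)
        if seen is None:
            findings.append((n, "NO_LOGIN", "interactive shell but no recorded login"))
        elif (today - dt.date.fromisoformat(seen)).days > dormant_days:
            findings.append((n, "DORMANT", f"last login {seen}"))
    return findings


def run_audit():
    return audit_accounts(parse_passwd(SAMPLE_PASSWD), SAMPLE_LAST_LOGIN, AUDIT_DATE)


if __name__ == "__main__":
    for name, code, detail in run_audit():
        print(f"{code:9} {name:8} {detail}")
```

On a real host the records come from /etc/passwd (and the password-field check from the shadow file where one is used), the login dates from lastlog, and the shell list from /etc/shells; the point of keeping the checks in one function is that the same run flags both the dormant legitimate account and the extra uid-0 account an intruder added.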
What types of security tools might best fit your needs and what are the most popular tools in use today?
·
Host-based Auditing Tools:
·
COPS, NCARP, crack, Tiger, Tripwire, logcheck, tklogger, Safesuite,
NetSonar
·
Network Traffic Analysis & Intrusion Detection Tools:
·
tcpdump, synsniff, NetRanger, NOCOL, NFR, RealSecure, Shadow
·
Security Management and Improvement Tools:
·
crack, localmail, smrsh, logdaemon, npasswd, op, passwd+, S4-kit,
sfingerd, sudo, swatch, watcher, wuftpd, LPRng
·
Firewall, Proxy and Filtering Tools:
·
fwtk, ipfilter, ipfirewall, portmap v3, SOCKS, tcp_wrappers, smapd
·
Network-Based Auditing Tools:
·
nmap, nessus, SATAN, Safesuite
·
Encryption Tools:
·
md5, md5check, PGP, rpem, UFC-crypt
·
One-Time Password Tools:
·
OPIE, S/Key
·
Secure Remote Access and Authorization Tools:
·
RADIUS, TACACS+, SSL, SSH, Kerberos
What are seven important items to remember when responding to a security incident?
·
Follow your organization’s policies and procedures, including
using the appropriate chain of command when notifying other people or
organizations.
·
Contact incident response agencies appropriate for your site (See the list of incident response
centers).
·
Communicate via an out-of-band method (e.g., a phone call) so that
intruders cannot intercept information.
·
Document your actions (e.g., phone calls made, files modified,
system jobs that were stopped, etc.).
·
Make copies of files the intruders may have left or touched (e.g.,
malicious code, log files, etc.) and store them off-line.
·
If you are unsure of what actions to take, seek additional help and
guidance before removing files or halting system processes.
·
Contact law enforcement officials (local police or FBI) for advice
and assistance as soon as possible.
What are five low-cost security improvements you can implement at your site?
·
Document and publish what you expect your system support staff to do
with respect to security.
·
Configure your border routers to deny all unnecessary incoming
traffic.
·
Keep sendmail properly configured and updated. Use mail-filtering
rules to protect against attachments containing viruses or active content.
·
Use freeware vulnerability assessment tools to conduct a
self-assessment of your network and computers. Publish the results
internally to management staff.
·
Install freeware host and network based auditing and traffic
analysis tools on critical hosts. Monitor output and logs on a daily basis.
7.3 PITFALLS AND VULNERABILITIES
What are some of the frequently targeted system binaries and directories?
·
If you think your site may have been invaded by an intruder, chances
are they tried to replace one of the following system binaries:
·
/bin/login
·
/usr/etc/in.telnetd
·
/usr/etc/in.ftpd
·
/usr/etc/in.tftpd
·
/usr/ucb/netstat
·
/bin/ps
·
/bin/ls
·
/usr/sbin/ifconfig
·
/bin/df
·
/usr/lib/libc.a
·
/usr/ucb/cc
·
Or they may have modified one of these files:
·
/.rhosts
·
/etc/hosts.equiv
·
/bin/.rhosts
·
/etc/passwd
·
/etc/group
·
/var/yp/* (nis maps)
·
root environment files (.login, .cshrc, .profile, .forward)
·
Intruders often hide their files using hidden directories in: /tmp,
/var/tmp, /etc/tmp, /usr/spool, and /usr/lib/cron.
* Locations may vary on different versions of UNIX.
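The Nightly Audit of Critical Files in section 7.2, the incident-response advice to copy files the intruder touched and store them off-line, and the list of targeted binaries above fit together as one procedure: baseline the watched files, compare on each run, preserve copies of whatever changed together with their hashes and a log of the actions taken, and look for hidden directories under the temporary areas. The following added example (not code from this document; it uses SHA-256 where the tools listed on this page used MD5) does this against a scratch directory tree that it builds itself with constructed file contents and a simulated intrusion. The watch list is drawn from the page's own list; the root directory, sample contents and function names are assumptions.

```python
import hashlib
import os
import shutil
import stat
import tempfile
import time
from pathlib import Path

# Watch list drawn from the page's list of frequently replaced binaries and
# modified files. Paths are relative to a root so the demo can run on a scratch
# tree; on a real host the root is "/" and the baseline lives on read-only media.
WATCH_LIST = ["bin/login", "bin/ps", "bin/ls", "usr/sbin/ifconfig",
              "etc/passwd", "etc/group", "etc/hosts.equiv", ".rhosts"]
TEMP_AREAS = ["tmp", "var/tmp", "usr/spool"]
TROJAN_PS = b"ps v1 + backdoor"        # constructed content of a replaced binary

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, watch_list=WATCH_LIST):
    """Hash, permission bits, owner and size of each watched path (None if absent)."""
    snap = {}
    for rel in watch_list:
        p = Path(root, rel)
        if not p.exists():
            snap[rel] = None
            continue
        st = p.lstat()
        snap[rel] = {"sha256": sha256_file(p) if p.is_file() else None,
                     "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                     "size": st.st_size}
    return snap

def compare(baseline, current):
    """{path: reason} for every watched entry that differs from the baseline."""
    changed = {}
    for rel in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(rel), current.get(rel)
        if old == new:
            continue
        if old is None or new is None:
            changed[rel] = "appeared" if old is None else "removed"
        else:
            changed[rel] = "changed " + ",".join(k for k in old if old[k] != new[k])
    return changed

def find_hidden_dirs(root, areas=TEMP_AREAS):
    """Dot-named or blank-named directories under the temp areas intruders favour."""
    found = []
    for area in areas:
        base = Path(root, area)
        if base.is_dir():
            for dirpath, dirnames, _ in os.walk(base):
                found += [str(Path(dirpath, n).relative_to(root)) for n in dirnames
                          if n.startswith(".") or not n.strip()]
    return sorted(found)

def preserve(root, rels, evidence_dir, action_log):
    """Copy touched files to evidence_dir, hash the copies, log each action taken."""
    manifest = {}
    for rel in rels:
        src = Path(root, rel)
        if src.is_file():
            dst = Path(evidence_dir, rel.replace("/", "__"))
            shutil.copy2(src, dst)                 # copy2 keeps the original mtime
            manifest[rel] = sha256_file(dst)
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            action_log.append(f"{stamp} copied {rel} to {dst} sha256={manifest[rel]}")
    return manifest

def demo():
    """Baseline a constructed scratch tree, simulate an intrusion, then audit it."""
    root = tempfile.mkdtemp(prefix="audit-")
    for rel, content in {"bin/login": b"login v1", "bin/ps": b"ps v1",
                         "etc/passwd": b"root:x:0:0::/:/bin/sh\n"}.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(content)
    Path(root, "tmp").mkdir()
    baseline = snapshot(root)
    # Simulated intrusion: trojaned ps, an extra uid-0 account, hideouts in tmp.
    Path(root, "bin/ps").write_bytes(TROJAN_PS)
    with open(Path(root, "etc/passwd"), "ab") as f:
        f.write(b"toor:x:0:0::/:/bin/sh\n")
    Path(root, "tmp", "...").mkdir()
    Path(root, "tmp", " ").mkdir()
    current = snapshot(root)
    changed = compare(baseline, current)
    evidence = Path(root, "evidence")
    evidence.mkdir()
    action_log = []
    manifest = preserve(root, sorted(changed), evidence, action_log)
    return {"changed": changed, "hidden": find_hidden_dirs(root), "current": current,
            "manifest": manifest, "log": action_log}
```

Two caveats a practitioner would add. First, a trojaned /bin/ls or /bin/ps is exactly what hides the evidence from an interactive look, so the comparison has to run from a known-good toolset and the baseline must be stored where the intruder cannot rewrite it. Second, the evidence directory in the demo sits under the scratch root for convenience only; in a real incident the copies and the manifest go to off-line media, as the incident-response list says.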
What are some common Internet attack methods in use today?
·
Exploitation of vulnerabilities in vendor programs.
·
Exploitation of cgi-bin vulnerabilities.
·
Email bombing, spamming and relaying through other sites.
·
Exploitation of misconfigured anonymous FTP and web servers.
·
Exploitation of named/BIND vulnerabilities.
·
Exploitation of mail transfer agents and mail readers.
·
Denial of Service (DoS) attacks using various methods.
·
Sending hostile code and attack programs as mail attachments.
What are some common problems with security perimeter implementations?
·
Management and support personnel often assume that if they have a
firewall they have sufficient security and no further security checks and
controls are needed on their internal network.
·
Members of your organization can easily request analog lines be
installed at their workspace. These are often used to connect to ISPs or to
set up dial-in access to their desktop system, thus bypassing any
protection from the security perimeter.
·
Some network services (e.g., ftp, tftp, http, sendmail) destined for
internal hosts are passed through the security perimeter control points
unscreened.
·
The firewall hosts or routers accept connections from multiple hosts
on the internal network and from hosts on the DMZ network.
·
Access lists are often configured incorrectly, allowing unknown and
dangerous services to pass through freely.
·
Logging of connections through the security perimeter is either
insufficient or not reviewed on a regular basis.
·
People frequently implement encrypted tunnels through their security
perimeter without fully considering the security of the endpoints of the
tunnel.
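The two points above about unscreened services and misconfigured access lists, together with the earlier low-cost advice to have border routers deny all unnecessary incoming traffic, can be checked mechanically: simulate probes from outside against an internal host through the rule set and see what comes out permitted. The following added example (not from this document or from any router vendor's configuration language) models first-match access list semantics in Python and audits a weak rule set beside a hardened one. The address ranges, rules, service list and probe address are constructed assumptions; the port numbers are the standard assignments.

```python
import ipaddress

# Services the page names as often passed to internal hosts unscreened, plus
# a few that perimeter reviews classically catch; ports are the IANA assignments.
DANGEROUS_SERVICES = {
    "ftp": ("tcp", 21), "telnet": ("tcp", 23), "smtp": ("tcp", 25),
    "tftp": ("udp", 69), "http": ("tcp", 80), "sunrpc": ("tcp", 111),
    "netbios-ssn": ("tcp", 139), "snmp": ("udp", 161), "x11": ("tcp", 6000),
}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed site layout
PROBE_SRC = "203.0.113.9"                             # constructed outside address

# A rule is (action, proto, src, dst, dst_port); "ip" and "any" are wildcards.
# First matching rule wins; an implicit default applies when nothing matches.
WEAK_RULES = [
    ("permit", "tcp", "any", "192.0.2.10/32", 25),   # DMZ mail relay
    ("permit", "tcp", "any", "192.0.2.20/32", 80),   # DMZ web server
    ("permit", "udp", "any", "10.0.0.0/8", "any"),   # "make DNS work" shortcut
    ("deny",   "tcp", "any", "10.0.0.0/8", 23),      # telnet is the only explicit deny
]
WEAK_DEFAULT = "permit"

HARDENED_RULES = [
    ("permit", "tcp", "any", "192.0.2.10/32", 25),
    ("permit", "tcp", "any", "192.0.2.20/32", 80),
    ("permit", "udp", "any", "192.0.2.5/32", 53),    # only the DMZ resolver
    ("permit", "tcp", "any", "192.0.2.5/32", 53),
    ("deny",   "ip",  "any", "any", "any"),          # explicit final deny
]
HARDENED_DEFAULT = "deny"


def rule_matches(rule, proto, src, dst, port):
    _, rproto, rsrc, rdst, rport = rule
    if rproto not in ("ip", proto):
        return False
    if rsrc != "any" and src not in ipaddress.ip_network(rsrc):
        return False
    if rdst != "any" and dst not in ipaddress.ip_network(rdst):
        return False
    return rport == "any" or rport == port


def evaluate(rules, default, proto, src, dst, port):
    """First-match evaluation; returns (action, rule index or None for the default)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(rules):
        if rule_matches(rule, proto, src, dst, port):
            return rule[0], i
    return default, None


def audit_perimeter(rules, default, internal=INTERNAL_NET,
                    services=DANGEROUS_SERVICES, probe_src=PROBE_SRC):
    """Probe one internal host from outside for each risky service and an unlisted one."""
    target = str(internal[100])
    findings = []
    if default != "deny":
        findings.append("implicit default is permit: anything not explicitly denied passes")
    probes = [(name, proto, port) for name, (proto, port) in sorted(services.items())]
    probes += [("unlisted", "tcp", 31337), ("unlisted", "udp", 31337)]
    for name, proto, port in probes:
        action, idx = evaluate(rules, default, proto, probe_src, target, port)
        if action == "permit":
            via = f"rule {idx}" if idx is not None else "implicit default"
            findings.append(f"{name} {proto}/{port} from outside reaches {target} via {via}")
    return findings


if __name__ == "__main__":
    for label, rules, default in (("weak", WEAK_RULES, WEAK_DEFAULT),
                                  ("hardened", HARDENED_RULES, HARDENED_DEFAULT)):
        print(f"== {label} ruleset ==")
        for finding in audit_perimeter(rules, default) or ["no findings"]:
            print("  " + finding)
```

The weak set shows the two failure modes the list above describes: the blanket UDP permit lets tftp and snmp straight through to every internal host, and the permissive default lets every TCP service except telnet through as well. The hardened set permits only the DMZ hosts on the ports they serve and ends in an explicit deny, so the audit returns nothing. The same evaluator can be pointed at an exported access list once it is parsed into the tuple form used here.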