
| Subject: | RE: Information Security |
|---|---|
| Date: | Fri, 14 Dec 2007 09:20:24 -0800 |
Totally agree with Matt on this one - configuration and change management is an important part of the overall security toolkit. I would suggest that 3 important "controls" are:

- host configuration and change management
- vulnerability and exposure management, with risk-based prioritization
- identity and/or access management

A good place to start is to go to MITRE's "Making Security Measurable" information online. There you will find information about various standards, including:

- CPE: enumeration of "platforms" (operating systems, applications, services) with common, unique identification, syntax, and organization
- CVE: enumeration of vulnerabilities (you're probably aware of this one)
- CCE: similar to CVEs, but for configuration settings
- CWE: common weaknesses
- CVSS: vulnerability risk scoring methodology
- OVAL: methodology for presenting detection
- XCCDF: interoperability standards in representing these various standards

Also, there is an emerging standard from the US Gov't called "SCAP" (as in: 'es_cap') that ties these together under a formal program.

CIS Benchmarks (from the Center for Internet Security) are another good source of hardening guides, and are somewhat parallel to MITRE's CCEs. DISA's STIG series is another good source of hardening guides, combining prescriptive text and configuration best practice checklists.

Of course, nCircle has solutions available for vulnerability management (IP360) and configuration & change management (nCircle CCM).

As for Identity Management, this can be as simple as tightening AD for Windows systems or as complex as a combination of provisioning, password management, authentication, and authorization tools from large vendors like Oracle, IBM, and Sun or from small vendors like M-Tech, Passlogix, etc. There is also an interesting small company that offers On Demand Identity services called sxip if you prefer to have things hosted for you.

I hope this helps. Good luck with it.
Sheldon Malm
Director, Security Research & Development
nCircle Network Security
Check out the VERT daily post: http://blog.ncircle.com/vert

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Matthew Webster
Sent: Thursday, December 13, 2007 10:49 PM
To: security-basics@securityfocus.com
Cc: pen-test@securityfocus.com; wifisec@securityfocus.com
Subject: Re: Information Security

Charles,

Change Management is very important. The big news for hardening servers / workstations and soon network devices, databases etc. is the Federal Desktop Core Configuration (FDCC) being designed from NIST. Read up on that, but that is going to be the top dog for securing systems. There are a few products that offer configuration management out there for the FDCC.

Good luck!

Matt

-----Original Message-----
From: Charles Hardin <fonestorm@gmail.com>
Sent: Dec 13, 2007 8:03 PM
To: security-basics@securityfocus.com
Cc: pen-test@securityfocus.com, wifisec@securityfocus.com
Subject: Information Security

A few months ago I joined a medium-sized company as a systems admin. The company's prior IT team did little in the forms of maintenance and nothing in the form of security. I come from an administration background but only common sense when it comes to decent security. There are shared domain admin passwords, shared user logons and many users have local admin on their PCs. I know best practice is to separate the admins from the security team but this company views IT as a necessary evil, i.e. there's 4 IT techs for 7 sites and around 500 PC users spread across the sites, all techs being at corporate.

These issues are being addressed but what I would like to know from the community is the following: I'd like to assemble a toolkit both for gaining security control and then maintaining it. Also pointers as to best practices and the like would be most appreciated.