Information Security

Subject: Information Security
Date: Mon, 17 Dec 2007 00:59:24 +0100
Hi Charles,

I agree with the previous advice already provided to you. Securing the IT
environment will require a defense-in-depth approach that doesn't just
depend on a software tool, but that applies appropriate people, process and
technology controls to manage your information risks.

I would propose the following highly-simplified steps to get you up and
running in securing your IT environment:

1. If necessary, strengthen your IT security knowledge. I would recommend
reading the 60 minute network security guide from the NSA (The 60 Minute
Network Security Guide) as a start, then I would recommend attending the SANS
Security Essentials workshop.

2. Understand your IT environment and key assets by performing a business
impact assessment. (You can use the document 800-30 risk management guide
from NIST csrc.nist.gov/publications/PubsSPs.html)

3. Identify the key threats to and vulnerabilities in your IT environment
and key security issues by performing a risk assessment (You can use the
document 800-30 risk management guide from NIST
csrc.nist.gov/publications/PubsSPs.html) (e.g. using a vulnerability
assessment tool such as GFI LANguard or Nessus can be useful, but please be
careful when using these tools on a production environment!)

4. Once you have identified and prioritized your key risks, you figure out a
strategy to address these risks by using a security control framework (You
might want to check out ISO 27002 or the Standard of Good Practice from the
Information Security Forum, or use the guides provided by NIST and the NSA)

5. Implement the necessary security controls identified in 4. (e.g. network
security controls, protection against malicious code, access control,
separation of duties, security awareness training, communications security,
change management, and so on)

6. Monitor and audit your security posture

7. Repeat from 2.

Geoff

-----Original Message-----
From: 
Sent: Dec 13, 2007 8:03 PM
To: security-basics@securityfocus.com
Cc: pen-test@securityfocus.com, wifisec@securityfocus.com
Subject: Information Security

A few months ago I joined a medium sized company as a systems admin.
The company's prior IT team did little in the form of maintenance and
nothing in the form of security. I come from an administration
background but only common sense when it comes to decent security.
There are shared domain admin passwords, shared user logons and many
users have local admin on their PCs. I know best practice is to
separate the admins from the security team but this company views IT as
a necessary evil, i.e. there's 4 IT techs for 7 sites and around 500 PC
users spread across the sites, all techs being at corporate. These
issues are being addressed but what I would like to know from the
community is the following:

I'd like to assemble a toolkit both for gaining security control and
then maintaining it. Also pointers as to best practices and the like
would be most appreciated.
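As an added illustration (not code from the thread), here is how the risk assessment of Geoff's step 3 and the prioritization of step 4 can be worked through with the semi-quantitative likelihood/impact matrix from the 2002 edition of the NIST 800-30 guide he cites. The risk register is constructed from the issues the original poster describes; the likelihood and impact ratings and the candidate controls are assumptions for the example.

```python
"""Rank findings with the NIST SP 800-30 (2002) risk-level matrix.

Scale values follow SP 800-30 Table 3-6: likelihood High 1.0, Medium 0.5,
Low 0.1; impact High 100, Medium 50, Low 10; resulting risk bands are
High (>50), Medium (>10) and Low (<=10). FINDINGS below is a constructed
register based on the original poster's description; its ratings and
controls are assumptions, not an assessment of a real environment.
"""

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood, impact):
    """Semi-quantitative score: likelihood weight times impact magnitude."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score):
    """Band a score the way SP 800-30 does: >50 High, >10 Medium, else Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# Constructed register: (finding, likelihood, impact, candidate control).
FINDINGS = [
    ("Shared domain admin password", "High", "High", "Individual admin accounts, password vault"),
    ("Users with local admin on PCs", "High", "Medium", "Least privilege; remove from Administrators"),
    ("Shared user logons", "Medium", "Medium", "Unique accounts; enable account auditing"),
    ("No patch maintenance", "High", "High", "Patch management under change management"),
    ("No security awareness training", "Medium", "Low", "Awareness programme"),
]


def prioritize(findings=FINDINGS):
    """Return findings sorted by descending score, each with its risk band."""
    rows = []
    for name, like, imp, control in findings:
        score = risk_score(like, imp)
        rows.append({"finding": name, "score": score, "level": risk_level(score), "control": control})
    # sorted() is stable, so equal scores keep their register order
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['level']:6} {r['score']:5.1f}  {r['finding']} -> {r['control']}")
```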
