Hi,
If you want to perform a security audit, the first thing you need to do is find
out what their security policy is. If they don't have one then the next thing you
need to do is sit down with them and write one. If you don't know what you are
auditing against then you cannot audit anything. Some companies will decide that
they want to protect their data a lot, and some others a bit more or less, etc.
To write up a policy you need to think about what the value of the data/service is
that you are trying to protect, and how much you are willing to spend or how much you
are willing to go through to protect it. A risk assessment will need to be part of
this.
After you have a security policy worth auditing, then you do things like ask for a
topology diagram, scan the network, check configurations, examine processes for
things like configuring devices and checking devices, and emergency response.
You could just scan a box, but that only tells you what the box is running, not
what is needed, whether it is implemented most effectively, and what needs to be
done to secure it more given the value put upon it.
Hope that widens your scope ;-)
Joe
"Paul D. Robertson" wrote:
> On Mon, 13 Mar 2000, Larry wrote:
>
> > I need to be able to go to a customers site and do a Netwk/Security
> > audit and wondered if there was a piece of software that would do a pretty
> > good security audit out there ?
>
> If auditing software were good enough, there wouldn't be a reason for
> people to go to sites and do audits. The problem (mostly) *isn't*
> scanning boxes, it's knowing how things work and why- IOW interpreting the
> results.
>
> If you're looking for "a piece of software that would do a pretty good
> security audit", I personally think you shouldn't be trying to sell
> security audits. Questions like this *almost* make me change my mind
> about the whole certification debate [No Dave, you don't win yet.]
>
> Most commercial products and open source scanners are limited to "normal"
> IP. They don't touch a large number of other protocols that could
> have security implications, most of them don't touch routing protocol
> misconfiguration which is one of the best attack vectors out there, and a
> lot of the commercial products miss subtleties that aren't immediately
> apparent to those who would regurgitate their reports.
>
> IMNSHO, nmap is still the best scanner out there for IP. It doesn't do
> pretty graphs and it doesn't give you "might be right" assumptions, it
> gives you raw data. Older stacks have problems with some of its scans,
> and undoubtedly if you try to scan any network with old gear
> aggressively you'll bring something down sooner or later.
>
> If you want the point and click report thingie, just look at what everyone
> else is using for that.
>
> > If some one has a list to check by I would appreciate it, if you're willing to
> > share.
>
> Auditors should be able to verify a network's security. That means they
> should know a *heck* of a lot about networking and security or have
> immediate access to someone who does. They also need to know a large
> amount about current, past and future attacks and attack patterns.
> Lastly, they should have enough operational experience to be able to
> discuss the effects of interoperability or configuration issues.
>
> That's not static content, and any checklist that portends to be a full
> audit needs a heck of a lot of stuff behind it that passing it out doesn't
> produce out of thin air. If you can't make one, I think you'll have a
> heck of a time keeping one up to date. That said, a search on "Security
> Checklist" will turn up a few candidates. You also may want to read:
>
> http://www.nfr.net/firewall-wizards/mail-archive/1998/Mar/0052.html
>
> To paraphrase Marcus:
>
> "I'm not trying to attack you for asking a simple and straightforward
> question. But, I beg you, if you find a checklist, please don't think
> it's something you can apply in a simple and straightforward manner."
>
> Now maybe I'm mischaracterizing or misunderstanding your question, or
> maybe I'm not taking into account a long past history of INFOSEC
> experience that you have. But *If* I was looking for an auditor and I saw
> the above question in a search, it'd make me think twice.
>
> Paul
> [DISCLAIMER: My current employer does some level of auditing/assurance
> work that may compete directly with such a service.]
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> [EMAIL PROTECTED] which may have no basis whatsoever in fact."
> PSB#9280
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]