Security Auditing - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19

Thread: Security Auditing

  1. #11
    "The weakest link in any network's security is always the user."
    I can't stress how important that factor is also. It dosen't make a difference how much you or your company uses on security software and/or hardware if the end user dosen't know what it's for and how to use it. So far no one has posted on how they would do a security audit and I'm still looking forward to hearning everyone's different procedures and methods of doing so.

    Thanks,
    Remote_Access_

  2. #12
    AntiOnline Senior Member
    Join Date
    Oct 2001
    Posts
    514
    Great posts R_A_, keep them up!
    [shadow]uraloony, Founder of Loony Services[/shadow]
    Visit us at
    [gloworange]http://www.loonyservices.com/[/gloworange]

  3. #13
    Senior Member
    Join Date
    Nov 2001
    Posts
    276
    Any tips on raising conscience among normal users? At my last admin job people screamed for firewalls but opened al attachments, left their computers (with static ip) on over night and put their passwords on post-its on their computer screen.
    After sending out a general security mail two out of the nine that had passwords on their screens removed it. No-one bothered to turn of their computer. I donīt know about the attachments since I wasnīt around to see any more viruses strike.
    What is a person to do with middle-aged academic researchers?!? Any ideas?
    Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile

  4. #14
    Junior Member
    Join Date
    Jul 2001
    Posts
    11

    two things

    1. Well, when I do a penetration test I follow the following outline:

    footprint
    enumerate/scan
    penetrate
    pillage
    cover tracks
    repeat

    (some may recognize this from 'Hacking Exposed', a very good book on the topic which I highly reccommend.

    its also important to remember that when you get any info, you should write it down as it may become important later. The password for the admin on one machine, might also be the admin password on another. If you can tie an individual to a username, you will probably see passwords recycled, and if you can get the info knowing which users might be less likely to use strong passwords might also be helpful.

    2. Another thing to bear in mind is just how important it is to verify permission to run any scans or exploits on a system. Although running scans without permission is not strictly illegal, it can really irritate an unsuspecting sysadmin. Further if you run an exploit on an IP that you got from your footprinting, but for some reason that IP doesn't belong to the client, you run some serious risks. So, after you've gotten the IP range, you should verify it with the client and then proceed.

  5. #15
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,540

    Re: two things

    Originally posted by mstrickland
    Although running scans without permission is not strictly illegal, it can really irritate an unsuspecting sysadmin.
    In some countries it is strictly illegal to perform these scans.
    For instance: in Belgium is a law that can be used to convict people who did scans on the assumption that they were stealing electricity from some1 else. This law is used to catch some crackers in the past... indeed when you perform a scan, the other box responds (and this is a minimal power consumtion in the eyes of the judge and therefor a cost for the 'attacked' one).
    there is also a cost for the admin who has to read the logs, if there is prove that your actions caused longer logs than normal you could be convicted on that base, cause there is a certain cost involved.

    only a remark

  6. #16
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    good post RA and don't worry about that pinhead who keeps sending you stuff.

    I'm going to have to agree with VictorKaum on this one. It IS often illegal not only in different countries but in the states (or provinces) of those countries which have their own laws.

    don't assume any probe/assault is ok unless you are confident beyond reason. Get the legal permission signed off, verify ip etc, then proceed.
    Trappedagainbyperfectlogic.

  7. #17
    Junior Member
    Join Date
    Jul 2001
    Posts
    11

    Good to know

    Sorry for the incomplete info, as I've only worked in the US thus far, that's the only set of law with which I'm familiar. So its good to hear about the subtleties of rulings from other countries. What other interesting legal issues have people come across in this area?

  8. #18
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Originally posted by Pooh-Bear
    Any tips on raising conscience among normal users? At my last admin job people screamed for firewalls but opened al attachments, left their computers (with static ip) on over night and put their passwords on post-its on their computer screen.
    After sending out a general security mail two out of the nine that had passwords on their screens removed it. No-one bothered to turn of their computer. I donīt know about the attachments since I wasnīt around to see any more viruses strike.
    What is a person to do with middle-aged academic researchers?!? Any ideas?
    You need to probably send daily or every other day reminders and tips. One place I worked at did that. The number of "sticky notes" disappeared as a result. Make the reminders fun and interesting to read rather than something bothersome. What users need to be reminded is that security is not necessarily a chore or a pain but can be part of the day-to-day routines.

    Also, getting users to sign agreements in regards to security (usually referred to as an email policy or acceptable use policy) can be helpful. That puts part of the responsibility on them.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #19
    Senior Member
    Join Date
    Nov 2001
    Posts
    276
    Yeah your right MsMittens, to bad Iīve already quit it.
    But how does a 25 year old tech-geek write something funny for stuffy 40 year old academic scientists?
    Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides