-
February 1st, 2002, 02:54 PM
#11
"The weakest link in any network's security is always the user."
I can't stress how important that factor is also. It doesn't make a difference how much you or your company uses on security software and/or hardware if the end user doesn't know what it's for and how to use it. So far no one has posted on how they would do a security audit and I'm still looking forward to hearing everyone's different procedures and methods of doing so.
Thanks,
Remote_Access_
-
February 1st, 2002, 03:04 PM
#12
Great posts R_A_, keep them up!
uraloony, Founder of Loony Services
Visit us at http://www.loonyservices.com/
-
February 1st, 2002, 03:06 PM
#13
Any tips on raising conscience among normal users? At my last admin job people screamed for firewalls but opened all attachments, left their computers (with static IP) on overnight and put their passwords on post-its on their computer screen.
After sending out a general security mail, two out of the nine that had passwords on their screens removed it. No one bothered to turn off their computer. I don't know about the attachments since I wasn't around to see any more viruses strike.
What is a person to do with middle-aged academic researchers?!? Any ideas?
Dear Santa, I liked the mp3 player I got but next Christmas I want a SA-7 surface-to-air missile
-
February 1st, 2002, 03:46 PM
#14
Junior Member
two things
1. Well, when I do a penetration test I follow the following outline:
footprint
enumerate/scan
penetrate
pillage
cover tracks
repeat
(Some may recognize this from 'Hacking Exposed', a very good book on the topic which I highly recommend.)
It's also important to remember that when you get any info, you should write it down, as it may become important later. The password for the admin on one machine might also be the admin password on another. If you can tie an individual to a username, you will probably see passwords recycled, and if you can get the info, knowing which users might be less likely to use strong passwords might also be helpful.
2. Another thing to bear in mind is just how important it is to verify permission to run any scans or exploits on a system. Although running scans without permission is not strictly illegal, it can really irritate an unsuspecting sysadmin. Further, if you run an exploit on an IP that you got from your footprinting, but for some reason that IP doesn't belong to the client, you run some serious risks. So, after you've gotten the IP range, you should verify it with the client and then proceed.
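A scoping check of the kind mstrickland describes (confirm that every address gathered during footprinting sits inside the range the client signed off on before anything is run against it), written here as an added example and not code from this thread; the CIDR list and host list are constructed sample values, and the whole-range check goes one step further by rejecting a target range that only partly overlaps the authorized one.

```python
import ipaddress

# Constructed sample data (hypothetical, not from the thread): ranges the
# client signed off on, and hosts gathered during footprinting.
AUTHORIZED_SCOPE = ["192.0.2.0/24", "2001:db8:10::/48"]
FOOTPRINT_HOSTS = [
    "192.0.2.15", "192.0.2.200", "198.51.100.7",
    "2001:db8:10::1", "2001:db8:99::1", "not-an-ip",
]

def parse_scope(cidrs):
    """Turn the signed-off CIDR strings into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def in_scope(host, networks):
    """True if a single address lies inside any authorized network."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)

def partition_hosts(hosts, cidrs):
    """Split footprinted hosts into (authorized, held_for_confirmation).

    Anything that is not a parseable address (e.g. a bare hostname) is
    held back too: it must be resolved and re-checked with the client,
    never assumed to be in scope.
    """
    networks = parse_scope(cidrs)
    authorized, held = [], []
    for host in hosts:
        try:
            ok = in_scope(host, networks)
        except ValueError:
            ok = False
        (authorized if ok else held).append(host)
    return authorized, held

def range_fully_authorized(target_cidr, cidrs):
    """True only if the whole target range sits inside one signed-off range.

    A /23 supplied against a /24 authorization spills into someone else's
    addresses, so partial overlap is rejected rather than silently trimmed.
    """
    target = ipaddress.ip_network(target_cidr, strict=False)
    for net in parse_scope(cidrs):
        if net.version == target.version and target.subnet_of(net):
            return True
    return False

if __name__ == "__main__":
    ok, held = partition_hosts(FOOTPRINT_HOSTS, AUTHORIZED_SCOPE)
    print("authorized:", ok)
    print("hold for client confirmation:", held)
    print("192.0.2.0/23 fully authorized?",
          range_fully_authorized("192.0.2.0/23", AUTHORIZED_SCOPE))
```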
-
February 1st, 2002, 04:01 PM
#15
Re: two things
Originally posted by mstrickland
Although running scans without permission is not strictly illegal, it can really irritate an unsuspecting sysadmin.
In some countries it is strictly illegal to perform these scans.
For instance: in Belgium there is a law that can be used to convict people who did scans, on the assumption that they were stealing electricity from someone else. This law was used to catch some crackers in the past... indeed, when you perform a scan, the other box responds (and this is a minimal power consumption in the eyes of the judge and therefore a cost for the 'attacked' one).
There is also a cost for the admin who has to read the logs; if there is proof that your actions caused longer logs than normal, you could be convicted on that basis, because there is a certain cost involved.
Only a remark.
-
February 1st, 2002, 04:19 PM
#16
Good post RA, and don't worry about that pinhead who keeps sending you stuff.
I'm going to have to agree with VictorKaum on this one. It IS often illegal, not only in different countries but in the states (or provinces) of those countries which have their own laws.
Don't assume any probe/assault is OK unless you are confident beyond reason. Get the legal permission signed off, verify the IP, etc., then proceed.
Trappedagainbyperfectlogic.
-
February 1st, 2002, 04:30 PM
#17
Junior Member
Good to know
Sorry for the incomplete info; as I've only worked in the US thus far, that's the only set of laws with which I'm familiar. So it's good to hear about the subtleties of rulings from other countries. What other interesting legal issues have people come across in this area?
-
February 1st, 2002, 05:26 PM
#18
Originally posted by Pooh-Bear
Any tips on raising conscience among normal users? At my last admin job people screamed for firewalls but opened all attachments, left their computers (with static IP) on overnight and put their passwords on post-its on their computer screen.
After sending out a general security mail, two out of the nine that had passwords on their screens removed it. No one bothered to turn off their computer. I don't know about the attachments since I wasn't around to see any more viruses strike.
What is a person to do with middle-aged academic researchers?!? Any ideas?
You probably need to send daily or every-other-day reminders and tips. One place I worked at did that. The number of "sticky notes" disappeared as a result. Make the reminders fun and interesting to read rather than something bothersome. What users need to be reminded of is that security is not necessarily a chore or a pain but can be part of the day-to-day routine.
Also, getting users to sign agreements in regards to security (usually referred to as an email policy or acceptable use policy) can be helpful. That puts part of the responsibility on them.
-
February 4th, 2002, 03:21 PM
#19
Yeah, you're right MsMittens, too bad I've already quit it.
But how does a 25-year-old tech geek write something funny for stuffy 40-year-old academic scientists?
Dear Santa, I liked the mp3 player I got but next Christmas I want a SA-7 surface-to-air missile