Great Circle Associates Firewalls
(February 1998)

Subject: Re: Harsh Security audits? -reply
From: mht @ clark . net
Date: Sun, 22 Feb 1998 07:11:20 -0500
To: "Craig I. Hagan" <hagan @ cih . com>, "Greg Collins" <gcollins @ dqisystems . com>
Cc: <firewalls @ GreatCircle . COM>
In-reply-to: <jbj7m6o1qu8 . fsf @ cih-gw . cih . com>
References: <"Greg Collins"'s message of "Thu, 19 Feb 1998 21:29:14 -0500"> <01bd3da7$560a72c0$648010ac @ gcollins . dqisystems . com>

Greg et al,

To provide my .02 worth:

One could present an Executive summary of the overall security assessment
results which can be presented and distributed to key management at your
particular client in a clear and concise fashion. This executive summary
would describe at a high level the significance of the information that
your team was able to obtain, if any, and would "benchmark" your client's
overall security environment against other organizations having similar
technology and information protection concerns. In addition, you could
evaluate the data security environment and present the effectiveness with
which you are addressing the following:

Enticement: Level of information provided to a potential hacker (e.g.,
letting an unauthorized user know that a computer of a major enterprise has
been accessed).

Prevention: Level of security measures used to prevent unauthorized access
(e.g., dial back, access control software).

Detection: Level of active security monitoring and follow-up of unauthorized
access attempts (e.g., review of unauthorized access reports).

The second half of your report could provide detailed explanations of the
security implications and risks of the exposures found related to the
security assessment, covering the following:

The finding or weakness noted;
The implication of the finding or weakness;
The level of risk the finding or weakness poses the organization;
The level of effort required (resources) to correct or minimize the
identified finding or weakness;
A detailed solution to correct or minimize the identified finding or weakness.


/mht


At 06:27 PM 2/21/98 -0500, Craig I. Hagan wrote:
>I think that the real question might be the political need
>for not being harsh: by being blunt, the audit could
>be putting the instigators of the audit's jobs at
>risk whereas by using similar (but less threatening language),
>one might be able to present the information in a manner more
>politically palatable to the rest of the company.
>
>for example, instead of stating that the unix machine is
>wide open to hackers, one might instead recommend bringing
>internet mail server software up to the latest revision
>so as to minimize risk. says roughly the same thing,
>but in a more passive tone.
>
>-- craig
------------------------------------------------------
"Let's Play, GLOBAL THERMO NUCLEAR WAR"

