My new domain network Management
Showing posts with label Security. Show all posts

Security Controls.

Saturday, October 3, 2009
Security controls are the building blocks of a security program. They are the tools that you implement to protect the confidentiality, integrity, and availability of important assets and data. Much of the assessment work that an auditor conducts is around the many controls that a company has (or doesn't have) to reduce risk. Auditors are concerned with how well the controls accomplish the goals set forth by the security policy.

Controls are typically thought of in terms of technology. Firewalls or IPS systems come to mind, but there are many types of controls that can be used to protect your systems. The primary classification of controls can be accomplished by grouping them under three main categories: administrative, technical, and physical.

Administrative Controls
Administrative controls can consist of policies, such as an acceptable use policy or security awareness training. They can also consist of processes such as balancing the corporate books and security auditing. This type of control is typically focused on managing people: separation of duties, mandatory vacation, or any other rule that provides a deterrent to fraud or improper behavior.

Technical Controls
Technical controls consist of the technology that you implement to prevent or enforce behavior on the network or computing resources. They can include firewalls, IPS, HIPS, role-based access control, or any other mechanism for enforcing policy.

Physical Controls
If you want to deter people from walking through your yard, put up a fence. While this won't keep everyone out, it is an example of a useful physical control. In an office setting, physical controls include locked doors, key card access systems, video surveillance, guards, gates, and so on. This type of control is designed to restrict access to sensitive devices and areas.

Each of the primary control groups can be further broken out into specific types of actions the control can take. While there are others, the standard set includes preventive, detective, corrective, and recovery.

Preventive
A preventive control's purpose is to enforce the confidentiality, integrity, and availability of data and assets. If the primary control is technical, then preventive controls will be firewall rules, ACLs, or other technology used to block unauthorized access. Administrative preventive controls can include things like policies and warning banners. The primary category of controls (administrative, technical, and physical) gives context to how to implement the secondary controls.

Detective
Detective controls are the alarm systems built into various parts of the business to detect whether bad things are happening. These could be video surveillance, firewall logs, an intrusion prevention system, or Cisco MARS. This type of control also includes financial and security audits.

Corrective
Corrective controls are reactionary in nature. If you detect a malicious packet on the network, and your IPS is configured to drop the packet and also block the source, then this is an example of a corrective control. Patch management is another example of correcting a vulnerability and would fall under this control type.

Recovery
Recovery controls are like parachutes on a plane. Hopefully you won't need them, but they are there if you do. Backup systems, redundant power supplies, and spare parts are all examples of recovery controls. Restoring services is the goal of these controls.

Turning Off What You Do Not Need on system

Take a look at your system. Is it running 50 different processes you know nothing about? If we take some random Windows XP install and run netstat -aon inside a CMD window, what might we see?

Active Connections
Proto Local Address Foreign Address State PID
TCP 192.168.1.81:1292 64.191.197.245:706 ESTABLISHED 2160
TCP 192.168.1.81:1863 192.168.1.1:5819 ESTABLISHED 3828
TCP 192.168.1.81:1894 70.109.139.219:52525 ESTABLISHED 3828
TCP 192.168.1.81:1919 192.168.1.1:5819 ESTABLISHED 3828
TCP 192.168.1.81:1967 24.8.195.195:30809 ESTABLISHED 3828
TCP 192.168.1.81:1971 81.93.108.73:46123 ESTABLISHED 3828
TCP 192.168.1.81:1972 75.134.131.167:16470 ESTABLISHED 3828
TCP 192.168.1.81:2031 84.190.103.54:6881 ESTABLISHED 3828

What is all this stuff? Why is it running and listening on all of these ports? If you want a quick view of which processes are using the network, open a CMD window and run netstat -aonbv. The -n disables DNS lookups (for speed), the -o shows the Parent Process ID, and the -b and -v work together to show the name of the executable currently using the connection. GNU/Linux administrators should get in the habit of running netstat -aopl --numeric-hosts, which does the same thing, just with different letters. If the machine has been heavily compromised and is running a rootkit, don't expect netstat to show truthful data. Windows administrators can download a copy of TCPView, part of the Sysinternals tool suite, from the Internet.

I really like this tool. It's like a combination of netstat and the Windows Task Manager, and it allows you to right-click on a process to either examine the properties or kill the process.
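As an added example (not code from the original post or from Sysinternals), here is a small Python script that does what the post asks of the reader by eye: it parses the text that `netstat -aon` prints on Windows and groups sockets by the PID column, so you can see per process which local ports it listens on and how many distinct remote peers it is talking to. The ESTABLISHED rows are the ones from the post's output; the LISTENING row and the UDP row are constructed to show how listeners and UDP entries (which have no State column) are handled. The Linux `netstat -aopl --numeric-hosts` layout is different and is not parsed here.

```python
"""Triage `netstat -aon` output: which process owns which socket?

Added example for this post, not the post's own code. It parses the text that
`netstat -aon` prints on Windows and groups listening ports and established
peers by PID, so the output in the post can be read per process instead of
per line. Rows that `-b` adds (e.g. "[firefox.exe]") simply don't match and
are skipped.
"""
import re
from collections import defaultdict

# The TCP ESTABLISHED lines are copied from the post's netstat output.
# The LISTENING and UDP lines are constructed to exercise the parser's
# handling of listeners and of UDP rows, which carry no State column.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    192.168.1.81:1292      64.191.197.245:706     ESTABLISHED     2160
  TCP    192.168.1.81:1863      192.168.1.1:5819       ESTABLISHED     3828
  TCP    192.168.1.81:1894      70.109.139.219:52525   ESTABLISHED     3828
  TCP    192.168.1.81:1919      192.168.1.1:5819       ESTABLISHED     3828
  TCP    192.168.1.81:1967      24.8.195.195:30809     ESTABLISHED     3828
  TCP    192.168.1.81:1971      81.93.108.73:46123     ESTABLISHED     3828
  TCP    192.168.1.81:1972      75.134.131.167:16470   ESTABLISHED     3828
  TCP    192.168.1.81:2031      84.190.103.54:6881     ESTABLISHED     3828
  UDP    0.0.0.0:445            *:*                                    4
"""

# One socket row. State is optional because UDP rows have no State column;
# PID is always the last field when -o is given.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """'192.168.1.81:1292' -> ('192.168.1.81', 1292); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket row; banner, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # "Active Connections", the column header, blank lines
        local_host, local_port = split_endpoint(m.group("local"))
        foreign_host, foreign_port = split_endpoint(m.group("foreign"))
        rows.append({
            "proto": m.group("proto"),
            "local_host": local_host, "local_port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": m.group("state"),  # None for UDP rows
            "pid": int(m.group("pid")),
        })
    return rows


def summarize_by_pid(rows):
    """Group sockets per PID: listening TCP ports, bound UDP ports, distinct established peers."""
    summary = defaultdict(lambda: {"listening": set(), "udp_ports": set(), "peers": set()})
    for r in rows:
        entry = summary[r["pid"]]
        if r["proto"] == "UDP":
            entry["udp_ports"].add(r["local_port"])
        elif r["state"] == "LISTENING":
            entry["listening"].add(r["local_port"])
        elif r["state"] == "ESTABLISHED":
            entry["peers"].add((r["foreign_host"], r["foreign_port"]))
    return dict(summary)


def busiest_pid(summary):
    """The PID with the most distinct remote peers: the first one to look up in Task Manager or TCPView."""
    return max(summary, key=lambda pid: len(summary[pid]["peers"]))


if __name__ == "__main__":
    by_pid = summarize_by_pid(parse_netstat(SAMPLE_NETSTAT))
    for pid in sorted(by_pid):
        e = by_pid[pid]
        print(f"PID {pid}: listening={sorted(e['listening'])} "
              f"udp={sorted(e['udp_ports'])} distinct peers={len(e['peers'])}")
    print("start with PID", busiest_pid(by_pid))
```

Run it against a saved capture (`netstat -aon > netstat.txt`, then read the file instead of `SAMPLE_NETSTAT`) and the per-PID summary tells you which process to investigate first; with the post's data that is PID 3828, which holds connections to six distinct remote hosts. The same caveat the post gives applies here: the script only summarizes what netstat reports, so on a rootkitted machine its output is no more trustworthy than netstat's.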
