NetSec Letter #32, 12 January 2004
Security Checklist

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

Recently, a former student and propective client asked me to send, along with a proposal, a checklist of things he needs to be thinking about to help his company’s goal of "revamping security" in 2004. This is that checklist. Be forewarned. While risks change somewhat with network size, bandwidth, and connectivity, while business requirements grow, and while the technology we can use to mitigate and mediate risk gets fancier (it is hoped to meet the changing risks), there is nothing new under the sun. Also, this is purposely very high level. It is a general checklist of things to consider.

Foundation/Overview

  1. Business requirements assessment
    1. What is your enterprise’s mission/goal?
    2. What does it require from computers, networks, and the Internet in support of the mission?
  2. Risk assessment
    1. Where are your computers?
    2. To where do your network connections go?
    3. What sorts of threats are there to computers and networks in those environments?
    4. Any particular risks unique to your business? (E.g., defense contractor, pharmaceutical firm, furrier.)
    5. Any particular risks unique to your organization?  (E.g., did your company recently help topple a dictator, spill a lot of oil into the ocean or a fresh water supply, or endorse the wrong political candidate?)
  3. Security Architecture
    1. What controls are already in place? Did you remember to include physical controls? Someone recently told me that a particular product did not support administrative access using 2-factor authentication. He asked if limiting administrative access to the console was sufficiently secure. I told him, sure. A cipher lock and photo ID is 2-factor.
    2. Of those in place (firewalls, desktop AV, routers with ACLs, IDSes, password-protected screen savers, VPNs, etc.), which mitigate the identified risks?
    3. Do not forget the "little things." For example, security awareness education is part of the security architecture.
  4. System administration procedures
    1. Backup and restore
    2. Access controls
    3. Revision control
  5. Acceptable Use Policies (for users)
    1. Computer use
    2. Mobile computer use
    3. E-mail
    4. Internet access
    5. Home computer use
    6. VPN use
    7. Screensavers
  6. Computer Security Incident Response Procedures
    1. Definition of a security incident
    2. Who, what, when, where, why, and how.

Types of Security and Places to Deploy

Periodic Review and Audit

This whole process requires review and consideration by a team of individuals. Why? Because every one of us has blind-spots. [In God in the Docket, CS Lewis says every one of us had a fatal flaw to which we are blind. More recently, the late pastor Jack Miller said, smiling, "Cheer up! You’re ever so much worse than you think you are."] Every one of us has his own agenda. Also, people make mistakes in executing plans and procedures. Further, things — risks, requirements, and technology — change. So the policy and procedures have to change.

Promotions, Self and Otherwise

My (growing) speaking and teaching calendar is at http://www.avolio.com/.

Did you buy your parents or friends a personal (computer) firewall for Christmas? Personal Firewall Day is January 15th. See NetsecLetter #31 ( http://www.avolio.com/columns/31-PersonalFirewallDay.html).

There was an interesting Web Informant this week from David Strom. David seems to be enamored with the dark side. Is he? Read "Web Informant #355, 9 January 2004: Aiding and Abetting Adrian" at http://strom.com/awards/355.html.

For an excellent editorial on a similar topic, Dave Piscitello wrote "Ethical Hacking could be so much more than an oxymoron…" at http://hhi.corecom.com/ethicalhacking.htm.

Jon Callas, CTO, CSO, and DSD (Dynamite Sharp Dude) had some very interesting (as usual) comments on a webcast "The Dawn of Pervasive Encryption" at http://webevents.broadcast.com/techtarget/Security/121803/index.asp?loc=10

Other related articles and courses are