安徽省商品住宅销售Title

Copyright2001Marchany1BuildingYourITSecurityChecklistSamplechecklist/auditplansforUnix,NTandWindows2000ActiveDirectory销售信TheTop20threatsmeetourriskcriteria:•Haveahighprobabilityofoccurring•Resultinthelossofacriticalservice•Beextremelyexpensivetofixlater•Resultinheavy,negativepublicityCopyright2001Marchany3ApplyingTBStotherealworld!TBS=TimeBasedSecurityTopTenVulnerabilities,thevulnerabilitiesresponsibleformosthacksApplyTBSasanapproachtoaneffectiveunderstandablesecuritypolicyBasicsPerimeterUnixNTWindows2000Copyright2001Marchany4TheTBSAuditLayersAcompleteITaudit/securitychecklistisasetofcomponentaudits/checklists.YoushouldbeabletomeasureE,DandRtimesforeachlayerofthesecurityarchitecture.ComponentsProcedural:E=D+RPerimeter(Firewall):E=D+RUNIX:E=D+RNT/Windows2000:E=D+RCopyright2001Marchany5CISRulersRulerslistasetofminimalactionsthatneedtobedoneonahostsystem.ThisisaconsensuslistderivedfromsecuritychecklistsprovidedbyCISchartermembers(VISA,IIA,ISACA,FirstUnion,PitneyBowes,AllstateInsurance,DOJ,Chevron,ShellOil,VATech,Stanford,Catepillar,PacificGas&Electric,RCMP,DODCIRT,Lucent,EduTestingServicesandothers)Can’tdevelopyourownset?Usethese!Level1MandatoryActionsrequiredregardlessofthehost’slocationorfunction.Level2DependentonyournetworktopologyDifferentforswitchednetsvs.sharednetsvs.wirelessnets,etc.Copyright2001Marchany7CISRulers:SecurityChecklist&AuditPlanLevel3ApplicationSpecific()ProceduralExaminesthepoliciesinplace.Thisisthepolicyreviewchecklist.FTPGeneralAdministrationPoliciesKeysecuritytoolinstalledUserAccountsandenvironmentSystemLogsNetworkFilesharingGeneralEmailIssuesThisreviewisdoneduringtheAuditPlanningPhaseoftheauditprocessCopyright2001Marchany9CISRuler:ProceduralGeneralAdministrationPoliciesAcceptableUsePolicyBackupPolicySecurityAdministratordutiesWhoisContactInformation(Tech/Admin)Systemchangelogs(SourceRevisionControl)IncidentResponseMinimumsoftwarerequirementsUser,temp,systemaccountpoliciesPatchesCopyright2001Marchany10CISRulerExample:Backups·Doesabackuppolicyexist?·Dobackuplogsexist?·Whatdataisbackedup·Howoftendataisbackedup·Typeofbackup(full,differential,etc.)·Howthebackupsarescheduledandverified·Howthebackupmediaishandledandlabeled·Howthebackupmediaisstored·Howlongthebackupmediaisretained·Howbackupmediaisrotatedandexpired·HowbackupdataisrecoveredCopyright2001Marchany11CISRuler:ProceduralKeysecuritytoolsinstalledNetworkroutersimplementminimumfilteringrequirementsVerifynetworkroutersareproperlyconfiguredandmonitoredforin/outtrafficAreallfirewallsproperlyconfiguredandmonitoredforin/outtrafficTheaboverulespreventDDOSattacksfromaffectingothernets.Copyright2001Marchany12CISRuler:ProceduralUserAccountsandEnvironmentRemoveobsoleteuserentriesfromsystemSystemLogsHowlongaretheykept?Aretheysecured?NetworkfilesharingReviewwhatfilesystemsthissystemcanaccessReviewwhatfilesystemsthissystemexportsEmailPolicyAbusePolicy?Copyright2001Marchany13CISRuler:WrittenDocumentation,PoliciesWhereisit?Isitavailabletoanyonethatneedsit?Isituptodate?Isanythingmajormissing(SGIpolicies,butnoHPpolicies)?Copyright2001Marchany14CISRulerExample:SecurityPolicyPurpose-thereasonforthepolicy.Relateddocuments–listsanydocuments(orotherpolicy)thataffectthecontentsofthispolicy.Cancellation-identifiesanyexistingpolicythatiscancelledwhenthispolicybecomeseffective.Background-providesamplifyinginformationontheneedforthepolicy.Copyright2001Marchany15CISRuler:Scope-statestherangeofcoverageforthepolicy(towhomorwhatdoesthepolicyapply?).Policystatement-identifiestheactualguidingprinciplesorwhatistobedone.Thestatementsaredesignedtoinfluenceanddeterminedecisionsandactionswithinthescopeofcoverage.Thestatementsshouldbeprudent,expedient,and/oradvantageoustotheorganization.Action-specifieswhatactionsarenecessaryandwhentheyaretobeaccomplished.Responsibility-stateswhoisresponsibleforwhat.Subsectionsmightidentifywhowilldevelopadditionaldetailedguidanceandwhenthepolicywillbereviewedandupdated.Copyright2001Marchany16Procedural:IncidentResponsePlanArethesixIncidentResponsestepscovered?PreparationIdentificationContainmentEradicationRecoveryLessonsLearned(iftherearenolessonslearneddocumentseithertheplanisn’tfollowedornoincidentshaveoccurred).Copyright2001Marchany17Procedural:Training&EducationDotechnicalpeoplehavethetrainingtodotheirjobcompetently?Aretherestandardstheirskillscanbemeasuredagainst?Aretherestandardsofcompliancethatensuretheyareusingtheirtraininginaccordancewithpolicy?Copyright2001Marchany18Procedural:PhysicalSecurityConsolesinphysicallysecureareas?Firesuppression?Backups?Offsitebackups?Networkcomponentssecured?Phonewiringsecured?Copyright2001Marchany19Procedural:Windows2000ThesearebasedontheSANS“SecuringWindows2000”