Security Basics mailing list archives
RE: Oh Dear, Where to start?!
From: sharon_joyner () timeinc com
Date: Wed, 25 Jun 2003 13:50:53 -0400
Steve,

You've just been asked to do the impossible (you knew that already, didn't you?) with no time and no resources. Well, guess what: you don't have to sweat it, 'cause you're only an intern - no one actually expects you to do all this. Get something done by going out to the SANS website and downloading all the policy documents you can find, then edit them and present them to your management as a first draft of a security policy for their review. After this, sit back, do your other work and wait for nature to take its course. Trust me, very little will happen. Policy reviews take FOREVER - years even - even longer in government. For example, someone will remember that this is a government agency and that there must be policies higher up that have to be adhered to, and that the local policy has to be changed to come into line, etc., etc. It will go on and on, and by the end of the summer (and the end of your internship?) no one will have made a final decision, so you'll be off the hook. At that point, you can feel pretty good about starting the ball rolling, and you will have gotten valuable experience trying to get something done while walking through quicksand.

Good Luck,

Sharon Joyner, CISSP
IS Security Administrator
Warner Publisher Services
9210 King Palm Drive
Tampa, FL 33619
Tel: 813-664-8147
Fax: 813-664-8195

-----Original Message-----
From: Steve Frank [mailto:stevefrankrit () yahoo com]
Sent: Wednesday, June 25, 2003 7:56 AM
To: security-basics () securityfocus com
Subject: Oh Dear, Where to start?!

Hey everyone,

Ok... I am in a bit of a jam here, and I was hoping to get some feedback from some of you with appropriate experience in the field of network security and policy development. I am a senior at RIT studying (essentially) systems administration. My main focus and priority has been computer security and policy development. I recently took an internship with a small government office, helping out with computer administration tasks.

Upon arrival, I decided it would be fun to do a Windows Update to see what sort of things would come up for my PC. Lo and behold, there were over 40 critical updates, driver updates, and recommended updates. Right off the bat this triggered the feeling that there were absolutely no security or update plans in place at this particular organization. I quickly addressed the issue, and have been working to draft a comprehensive security policy and implement technical controls.

What I need advice on is the following: If you were introduced to a mixed network (literally all versions of Windows since 3.1, and Mac systems) that has no updates, backups, or patches installed... connected to a network with only a basic NAT table and no other security... with not even anti-virus software enabled... with no user policies or disaster plans in place... with unprotected NetBIOS shares everywhere... where would you start the process of building some sort of security solution? I mean, I've seen passwords on monitors, shared accounts, open public ports (even the wiring cabinet was unlocked, in plain view of passersby to the building).

I've been tasked with creating the security policies relating to internet use, network and phone use, passwords, physical security, backup/disaster plans, antivirus, incident response, email use/protection, and whatever else needs doing. This wouldn't be so bad normally, I guess, but there is virtually no budget allocated to help with this project and I have approximately 3 months to do it. To make matters worse, I am also responsible for systems admin, network admin, tech support, programming, and whatever other tasks may need to be done in the meantime.

So basically, if you had to start from nothing, where would you start first? What would you consider to be the most important things to be implemented? I am literally working from ground zero here... heh!

Thanks so much in advance ;-)

Steve Frank
----------------
President, SPARSA
Security Practices and Research Student Association
Rochester Institute of Technology
Current thread:
- Re: Oh Dear, Where to start?!, (continued)
- Re: Oh Dear, Where to start?! Jason K. Boykin (Jun 26)
- Re: Oh Dear, Where to start?! Mitch Pirtle (Jun 26)
- Re: Oh Dear, Where to start?! bugtraq (Jun 30)
- Re: Oh Dear, Where to start?! Patrick Boucher (Jun 26)
- Re: Oh Dear, Where to start?! Jeff (Jun 26)
- Re: Oh Dear, Where to start?! jon rodman (Jun 27)
- RE: Oh Dear, Where to start?! Benz Jessica-p53552 (Jun 26)
- RE: Oh Dear, Where to start?! altug (Jun 27)
- Re: Oh Dear, Where to start?! chayden (Jun 26)
- Re: Oh Dear, Where to start?! Nicholas Diotte (Jun 26)
- RE: Oh Dear, Where to start?! sharon_joyner (Jun 26)
- RE: Oh Dear, Where to start?! Drew Hunt (Jun 26)
- Re: Oh Dear, Where to start?! Chris Berry (Jun 26)
- RE: Oh Dear, Where to start?! AKaasjager (Jun 26)
- RE: Oh Dear, Where to start?! tony tony (Jun 27)
- RE: Oh Dear, Where to start?! Mitchell Rowton (Jun 26)
- Fwd: Oh Dear, Where to start?! Rick Jones (Jun 26)
- Re: Oh Dear, Where to start?! Bill Hardstone (Jun 26)
- RE: Oh Dear, Where to start?! AKaasjager (Jun 27)
- Re: Oh Dear, Where to start?! Paul Hawkinson (Jun 27)
- RE: Oh Dear, Where to start?! alex.mole@realtimeworlds (Jun 30)
(Thread continues...)