Firewall Wizards mailing list archives

Re: Security Audit and Priorities


From: M Taylor <mctaylor () privacy nb ca>
Date: Mon, 14 Jul 2003 16:32:23 +0100

Paul Ammann wrote:
I will be starting a new job in the next few weeks. I went to Netcraft and
typed in the company's URL and was amazed by what I saw: the version of
Linux, the version of Apache, the version of OpenSSL... literally everything
about their web servers.

1. What is the best way to block Netcraft from obtaining all this information?
Are there Open Source solutions that would be better than commercial
solutions?

Don't bother. I think it is best to actually be able to easily check what 
software you are currently running. It is also useful for the system 
administrators to be able to easily check what version they are actually 
running. I think it is far more valuable to easily know if you are 
vulnerable than the risk of others also knowing your systems are 
vulnerable. When you and the system administrators know the systems are 
unnecessarily at risk, then it is more likely the actual problem will be 
fixed. Reducing the unnecessary exposure to known and unknown 
vulnerabilities is the goal.

Second, I thought CodeRed, SQL Slammer and other automated worms 
demonstrated that most self-propagating malicious software does NOT check 
banners; it blindly tries its attack, in some cases even against systems 
not running any web server or not listening on 1434/udp (MS-SQL).

2. The company has acknowledged they are lacking in security. What is the
best method for doing a security audit?

See SANS Reading Room http://www.sans.org/rr/ and 
http://www.cisecurity.org/ as a starting point. Start with external 
facing services first, then examine internal services.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
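The banner that Netcraft (or anyone else) reads is the HTTP Server header, and the reply above argues that the same information is exactly what the administrators should be able to check for themselves. The following is an added example, not code from the original post or from any of the tools mentioned: it pulls the Server header out of a raw HTTP response and splits it into product/version tokens according to the product grammar of RFC 7231 (product = token ["/" product-version], optionally followed by parenthesised comments). The sample response is constructed for the example and does not come from any real host.

```python
"""Extract and parse an HTTP Server banner into product/version tokens.

Added example; the sample response below is constructed, not captured.
Token grammar follows RFC 7231 section 7.4.2:
  Server  = product *( RWS ( product / comment ) )
  product = token ["/" product-version]
"""
import re

# Either a parenthesised comment, or a product token with optional "/version".
_TOKEN = re.compile(r'\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?')


def parse_server_banner(banner):
    """Return a list of {product, version, comment} dicts, in banner order.

    A comment such as "(Unix)" is attached to the product that precedes it.
    """
    components = []
    for m in _TOKEN.finditer(banner.strip()):
        comment, product, version = m.groups()
        if comment is not None:
            if components:
                components[-1]["comment"] = comment
            else:
                components.append({"product": None, "version": None,
                                   "comment": comment})
        else:
            components.append({"product": product, "version": version,
                               "comment": None})
    return components


def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def exposed_versions(raw_response):
    """Map product name -> version (None if unversioned) for the banner."""
    banner = server_header(raw_response)
    if banner is None:
        return {}
    return {c["product"]: c["version"]
            for c in parse_server_banner(banner) if c["product"]}


# Constructed sample response for the example (not from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 14 Jul 2003 15:32:23 GMT\r\n"
    "Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7a PHP/4.3.2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for product, version in exposed_versions(SAMPLE_RESPONSE).items():
        print(f"{product:10s} {version}")
```

Run against a live host, the same functions applied to the bytes returned by a plain `HEAD /` request give the administrator the list of versions to compare against the vendor's current releases. A server configured to emit only a product name (for example Apache's `ServerTokens Prod`) parses to a single entry with `version` set to `None`, which is all a banner-hiding setting achieves.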
