Firewall Wizards mailing list archives
Re: Security Audit and Priorities
From: M Taylor <mctaylor () privacy nb ca>
Date: Mon, 14 Jul 2003 16:32:23 +0100
Paul Ammann wrote:
I will be starting a new job in the next few weeks. I went to Netcraft and typed in the company's URL and was amazed by what I saw: the version of Linux, the version of Apache, the version of OpenSSL... literally everything about their web servers.
1. What is the best way to block Netcraft from obtaining all this information? Are there Open Source solutions that would be better than commercial solutions?
Don't bother. I think it is best to actually easily check what software you are currently actually running. It is also useful for the system administrators to be able to easily check what version they are actually running. I think it is far more valuable to easily know if you are vulnerable than the risk of others also knowing your systems are vulnerable. When you and the system administrators know the systems are unnecessarily at risk, then it is more likely the actual problem will be fixed. Reducing the unnecessary exposure to known and unknown vulnerabilities is the goal.
Second, I thought CodeRed, SQL Slammer and other automated worms demonstrated that most self-propagating malicious software do NOT check banners, they blindly try their attack, in cases even against systems not running any web server or listening on 1434/udp (MS-SQL).
2. The company has acknowledged they are lacking in security. What is the best method for doing a security audit?
See SANS Reading Room http://www.sans.org/rr/ and http://www.cisecurity.org/ as a starting point. Start with external facing services first, then examine internal services.