
[cobalt-security] 'On my Soap Box'



I really have to yell this out right now: don't wait for problems to occur.



0. Take security personally; don't rely on service providers or assume others care about it!

The majority of hosting companies and ISPs do not have the time or motivation to ensure
you have a secure service, which you have every right to have in my estimation. It is very
important that you take security as 'your' responsibility.



1. Assess the state of your system.

Do you even know what your server is running? Did you build it? Probably not, so find out
now and don't assume that because it is a 'new' server it hasn't already been compromised.

a) assume your server may be compromised; don't trust netstat or other OS functions
b) get nmap and learn how to use it - http://www.insecure.org/nmap
c) scan every IP address you have using something like ./nmap ip.address.goes.here -sTU -p 1-65535
d) make a note of every port you find and find out what it is doing (good luck!)



2. Take charge of your system, assuming you have the right to under your T&Cs

Now that you have identified some potential risks, work out how you can fix them: make a list
of everything you have found, check all versions of running services (daemons, whatever!)
and start doing your homework; check security sites such as http://xforece.iss.net/ and
prioritise your work.

Trawl http://www.securityfocus.com/ and look up all the versions of running services. Make
sure you make notes of which versions you have and which versions are recommended, and
pay attention to the potential impact on your system before rushing into things.



3. Make a plan to fix your security, and then get rid of those bugs

Yes, a plan with timescales. Force yourself to do it within, say, 14 days; be aggressive
and give it priority. If you don't think you have enough knowledge then get out there and
learn; everything you need for a hacker's-eye view is at http://packetstorm.securify.com/

Before you make changes don't forget to back up your system; remember that security is also
about preventing accidental downtime. Read up on BS7799 and learn how to manage
your security effectively using a proven standards methodology.



4. When you have fixed it, go back and check your work regularly

This is the bit a lot of people can't grasp: the security of a system has an undetermined time
of relaxation, in fact exactly until the moment that you learn about a new BIND exploit that
has hit the streets, or another little nasty.

It WILL HAPPEN: in time your system drifts out of the baseline you set by doing the sweep
and fixing all those bugs. The nature of the security cycle is such that you must regularly go
back and check that everything is still ok.
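Steps 1(c) and 1(d) say to scan every address, note every port, and step 4 says to go back and check against that baseline regularly. The script below is an added example, not part of the original post or of nmap itself: it parses nmap's grepable output (the `Host: ... Ports: ...` lines you get with `-oG`), records the open ports as a baseline, and reports which ports have appeared or disappeared in a later sweep. The two scan texts embedded in it are constructed samples using documentation addresses, not real hosts.

```python
"""Baseline the open ports reported by an nmap sweep and flag drift in later sweeps.

Added example, not from the original post. Assumes nmap was run with grepable
output (-oG) and reads only its 'Host: <addr> ()<TAB>Ports: ...' lines. Each
entry in the Ports field has the form port/state/proto/owner/service/rpc/version.
"""
import re
from typing import Dict, Tuple

PortKey = Tuple[str, int, str]  # (host, port number, protocol)

# Constructed sample of -oG output from the first sweep (not real hosts).
BASELINE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 53/open|filtered/udp//domain///\tIgnored State: closed (65532)
Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///
"""

# Constructed sample of a later sweep: 8080/tcp has appeared on .10 and pop3 is gone from .11.
LATER_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 53/open|filtered/udp//domain///
Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///
"""

_HOST_RE = re.compile(r"^Host:\s+(\S+)")
_PORTS_RE = re.compile(r"Ports:\s+(.*?)(?:\t|$)")  # the Ports field ends at a tab or end of line


def parse_open_ports(grepable: str) -> Dict[PortKey, str]:
    """Return {(host, port, proto): service} for every port nmap reports as open.

    'open|filtered' (what UDP probes usually return) is kept, since the point is
    to note every port and find out what it is doing; closed/filtered are dropped.
    """
    found: Dict[PortKey, str] = {}
    for line in grepable.splitlines():
        host_m = _HOST_RE.match(line)
        ports_m = _PORTS_RE.search(line)
        if not host_m or not ports_m:
            continue  # status-only lines and comments carry no port data
        host = host_m.group(1)
        for entry in ports_m.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue  # not a well-formed port entry
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state.startswith("open"):
                found[(host, int(port), proto)] = service or "unknown"
    return found


def diff_against_baseline(baseline: Dict[PortKey, str], current: Dict[PortKey, str]):
    """Return (new_ports, closed_ports): what appeared since, and what went away."""
    new_ports = {k: v for k, v in current.items() if k not in baseline}
    closed_ports = {k: v for k, v in baseline.items() if k not in current}
    return new_ports, closed_ports


def format_report(new_ports: Dict[PortKey, str], closed_ports: Dict[PortKey, str]) -> str:
    """Human-readable drift summary; an empty string means the baseline still holds."""
    lines = []
    for (host, port, proto), service in sorted(new_ports.items()):
        lines.append(f"NEW     {host} {port}/{proto} ({service}) - find out what it is doing")
    for (host, port, proto), service in sorted(closed_ports.items()):
        lines.append(f"CLOSED  {host} {port}/{proto} ({service}) - update the baseline if intended")
    return "\n".join(lines)


if __name__ == "__main__":
    baseline = parse_open_ports(BASELINE_SCAN)
    current = parse_open_ports(LATER_SCAN)
    report = format_report(*diff_against_baseline(baseline, current))
    print(report or "No drift from baseline")
```

In practice you would save the baseline dictionary to a file after the first sweep and re-run the parser on each scheduled `nmap -oG` sweep; anything in the NEW column is exactly the kind of change step 4 warns about.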



5. Educate yourself, know your enemy and reduce the risk

You really don't have to look far these days to find a good book on security, but more than
that it is about attitude and taking responsibility for the state of your system. The fact is
that you can only do so much.

A 'determined' attacker will find a way into your system; doing the above reduces that risk
by in excess of 99% in my estimation. The majority of breaches are non-intelligent scripts
searching for certain versions of services (daemons, whatever!) and reporting them back
to a specific place or kicking in an automated attack.

How would you scan thousands of systems to find the easy way in?

Imagine a burglar prowling a row of houses at night in a quiet street. One of those has an
open window at the rear and the rest don't. Which house would you break into: the one with
easy access, or the one that may cause a disturbance upon entering?



That's it, I feel better now, thanks!

'Knowledge Dissipates Fear' - Adam Sculthorpe