StIlTz Just Arrived
Joined: 13 Feb 2003 Posts: 3 Location: Minnesota
Posted: Thu Mar 27, 2003 6:52 am Post subject: Security Audit for class

All right everybody, here's my deal...
I am taking a Computer Security Fundamentals course right now (a new program that is starting at my school so now I can go to school for another 4 years... oh joy) and for our final project we have to go out to a company (they know this is going on and are ready for us) and perform a security audit. So we go around, we poke around and ask questions and whatnot... Then we give a presentation to the class and then submit our summary and recommendations to the company.
Anyways, we have been given some basic questions to ask. I want to get a list of questions to throw at the company I get so I can do a thorough job of this and give an in-depth presentation and just wow them (maybe I can get a job at their company kinda thing afterwards).
Anyhoo, any help would be appreciated, and sorry but I can't post anything these companies tell me with the NDA (non-disclosure agreement) and all...
Thanks for the help...
And I already searched the forum to see if there was anything like this and I couldn't find anything...

myhatisred Just Arrived
Joined: 11 Jan 2003 Posts: 0
Posted: Thu Mar 27, 2003 7:10 am Post subject:

Well, what exactly do you have to audit? Web security? Password strength? Firewall config? etc...

GSecur Trusted SF Member
Joined: 30 Sep 2002 Posts: 16777215
Posted: Thu Mar 27, 2003 7:10 am Post subject:

This might help. It is a checklist that Nissan uses to audit one of its systems.
The checklist has some great questions and is a good resource.
http://www.governmentsecurity.org/download/security_audit_guide.pdf
Switch RACF with the name of the company you are auditing and everything should apply (well almost, but it's a start).

StIlTz Just Arrived
Joined: 13 Feb 2003 Posts: 3 Location: Minnesota
Posted: Thu Mar 27, 2003 8:05 am Post subject: thanks

Thanks Gsecur I will surely use that... A lot more than what I need to get into but I am going to use a lot that is provided there.
I have to audit network security, security policy, firewall, password strength and toughness, physical security, database policy, network usage policy, pretty much the whole spectrum... basically if it can be audited I am going to audit it.

Guest
Posted: Thu Mar 27, 2003 9:25 am Post subject: Re: thanks

StIlTz wrote:
> I have to audit network security, security policy, firewall, password strength and toughness, physical security, database policy, network usage policy, pretty much the whole spectrum... basically if it can be audited I am going to audit it.

Woah... How much time do you get for this project?
Here are some security-related questions I would ask, but just a few:
- Do you have a vulnerability/patch management process?
- Do you have an incident response/business continuity plan?
- Do you have a change management process for
  * firewalls
  * servers (web-site etc)
  * ...
There would probably be more, but none popping up in my mind right now. Hope those also help, and probably are already covered in that security audit guide.

flw Forum Fanatic
Joined: 27 May 2002 Posts: 16777215 Location: U.S.A.
Posted: Thu Mar 27, 2003 2:42 pm Post subject:

On the security policies, are you looking for additional ones and which?

oeb Just Arrived
Joined: 17 Mar 2003 Posts: 2 Location: That Island of drunks over there
Posted: Thu Mar 27, 2003 3:54 pm Post subject:

Personally I would go on site and try and root them =P
You can then show them where their weaknesses lie. It means you will have to go a few days earlier and SE your way in too.
Fun Fun Fun
Ian

GSecur Trusted SF Member
Joined: 30 Sep 2002 Posts: 16777215
Posted: Thu Mar 27, 2003 9:05 pm Post subject:

Definitely ask them about continuity plans and disaster recovery. So many times people mainly focus on the technology, and not on the human factor.

StIlTz Just Arrived
Joined: 13 Feb 2003 Posts: 3 Location: Minnesota
Posted: Fri Mar 28, 2003 6:53 am Post subject: more thanks..

I have from April 1st until roughly June... So a lot of time... and the purpose of this is not to try and root them...
Sorry
Just to see what they have in place and determine how important security is to the company (because apparently there is one company on the list that could care less.. at least that is their attitude) and then make suggestions to what can be done to further their security...

GSecur said:
> Definitely ask them about continuity plans and disaster recovery. So many times people mainly focus on the technology, and not on the human factor.

This is something we just covered in class last night and I was the only one in my security class that had a backup stored offsite... in case of disaster.
That is definitely on my list...
Thanks again and keep the suggestions coming if you can think of any.