Security Audit for class

Networking/Security Forums -> General Security Discussion

Author: StIlTz  Location: Minnesota  Posted: Thu Mar 27, 2003 6:52 am    Post subject: Security Audit for class
    ----
All right everybody, here's my deal...

I am taking a Computer Security Fundamentals course right now (a new program that is starting at my school, so now I can go to school for another 4 years... oh joy) and for our final project we have to go out to a company (they know this is going on and are ready for us) and perform a security audit. So we go around, we poke around and ask questions and whatnot... Then we give a presentation to the class and then submit our summary and recommendations to the company.

Anyways, we have been given some basic questions to ask. I want to get a list of questions to throw at the company I get, so I can do a thorough job of this and give an in-depth presentation and just wow them (maybe I can get a job at their company afterwards, kinda thing).

Anyhoo, any help would be appreciated, and sorry, but I can't post anything these companies tell me, with the NDA (non-disclosure agreement) and all...

Thanks for the help...
And I already searched the forum to see if there was anything like this and I couldn't find anything...

Author: myhatisred  Posted: Thu Mar 27, 2003 7:10 am    Post subject:
    ----
Well, what exactly do you have to audit? Web security? Password strength? Firewall config? etc...

Author: GSecur  Posted: Thu Mar 27, 2003 7:10 am    Post subject:
    ----
This might help. It is a checklist that Nissan uses to audit one of its systems.

The checklist has some great questions and is a good resource.

http://www.governmentsecurity.org/download/security_audit_guide.pdf

Switch RACF with the name of the company you are auditing and everything should apply (well, almost, but it's a start).

Author: StIlTz  Location: Minnesota  Posted: Thu Mar 27, 2003 8:05 am    Post subject: thanks
    ----
Thanks GSecur, I will surely use that... A lot more than what I need to get into, but I am going to use a lot of what is provided there.

I have to audit network security, security policy, firewall, password strength and toughness, physical security, database policy, network usage policy, pretty much the whole spectrum... basically, if it can be audited, I am going to audit it.

Author: Guest  Posted: Thu Mar 27, 2003 9:25 am    Post subject: Re: thanks
    ----
StIlTz wrote:

    I have to audit network security, security policy, firewall, password strength and toughness, physical security, database policy, network usage policy, pretty much the whole spectrum... basically, if it can be audited, I am going to audit it.

Whoa... How much time do you get for this project?

Here are some security-related questions I would ask, but just a few:

- Do you have a vulnerability/patch management process?
- Do you have an incident response/business continuity plan?
- Do you have a change management process for
  * firewalls
  * servers (web site etc.)
  * ...

There would probably be more, but none popping up in my mind right now. Hope those also help, and they are probably already covered in that security audit guide.

Author: flw  Location: U.S.A.  Posted: Thu Mar 27, 2003 2:42 pm    Post subject:
    ----
On the security policies, are you looking for additional ones, and which?

Author: oeb  Location: That Island of drunks over there  Posted: Thu Mar 27, 2003 3:54 pm    Post subject:
    ----
Personally I would go on site and try and root them =P

You can then show them where their weaknesses lie. It means you will have to go a few days earlier and SE your way in too.

Fun Fun Fun

Ian

Author: GSecur  Posted: Thu Mar 27, 2003 9:05 pm    Post subject:
    ----
Definitely ask them about continuity plans and disaster recovery. So many times people mainly focus on the technology, and not on the human factor.

Author: StIlTz  Location: Minnesota  Posted: Fri Mar 28, 2003 6:53 am    Post subject: more thanks..
    ----
I have from April 1st until roughly June... So a lot of time... and the purpose of this is not to try and root them...
Sorry.

Just to see what they have in place and determine how important security is to the company (because apparently there is one company on the list that could care less... at least that is their attitude) and then make suggestions as to what can be done to further their security...

Quote:
    GSecur said: Definitely ask them about continuity plans and disaster recovery. So many times people mainly focus on the technology, and not on the human factor.

This is something we just covered in class last night, and I was the only one in my security class that had a backup stored offsite... in case of disaster.
That is definitely on my list...

Thanks again and keep the suggestions coming if you can think of any.
All times are GMT + 2 Hours