Saturday, May 14, 2005

Greetings, Blog World!

Hello,

I'm Vincent LeVeque, an information security consultant. I'm currently on assignment with a large local government entity. I do general network management stuff in addition to security tasks.

I'm currently developing some security hardening documents for several operating environments: IBM AIX, Red Hat Enterprise Linux, Apache (Unix and Windows versions), and Windows 2000/2003 Server.

I've settled on the following criteria:
  • Refer to the vendor's recommendations as much as possible rather than third party standards. SANS (http://www.sans.org), NIST (http://www.csrc.nist.gov) and the Center for Internet Security (http://www.cisecurity.org/) all have excellent recommendations. They lag the most current vendor releases, and most importantly, if I follow a vendor recommendation and it breaks something, there is a valid reason to open a trouble ticket with the vendor. If one of NIST's recommendations breaks a Windows 2003 server app, do you think Microsoft will do anything about it?
  • Tie into the client's emerging change management and inventory management practices. If the device isn't in the asset inventory system, then it can't be hardened. Good management practices come before good technical security.
  • Make the recommendations as specific as humanly possible. Don't allow wiggle room.
  • Where wiggle room is necessary, set up a documented exception process.
  • Ensure that it is possible to audit for compliance. Standards should be testable after the fact.
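One way to phrase a recommendation so that it meets the last three criteria (specific, no wiggle room, auditable after the fact) is to write the control as a check that either passes or fails. The script below is an added example and is not part of the original post; the directive names, expected values and the two sample configuration fragments are assumptions chosen for illustration, not any vendor's published baseline. It also shows why the vendor's own rules matter when writing the check: Apache uses the last occurrence of a directive in a scope, while OpenSSH's sshd uses the first, so the same "what value is in effect" question is answered differently for each product.

```shell
#!/bin/sh
# Added example (not from the original post): a hardening recommendation
# written as a testable control. Directive names, expected values and the
# sample configurations are assumptions for illustration only.

# Constructed sample configuration fragments, written to a temporary directory
# so the script runs offline. Neither fragment comes from a real system.
write_samples() {
    TMPD=$(mktemp -d) || exit 1
    APACHE_CONF="$TMPD/httpd.conf"
    SSHD_CONF="$TMPD/sshd_config"
    cat > "$APACHE_CONF" <<'EOF'
# ServerTokens Full
ServerTokens OS
    ServerSignature On
ServerTokens Prod
EOF
    cat > "$SSHD_CONF" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
Protocol 2
PermitRootLogin yes
EOF
}

# effective_value FILE DIRECTIVE first|last
# Print the value the daemon would actually use. Comment lines and leading
# whitespace are ignored and directive names are matched case-insensitively.
# Apache keeps the LAST occurrence of a directive, OpenSSH keeps the FIRST,
# so the caller states which rule applies to the product being audited.
effective_value() {
    awk -v d="$2" -v rule="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(d) {
            if (rule == "first" && found) next
            v = $2; found = 1
        }
        END { print v }' "$1"
}

# check_directive FILE DIRECTIVE EXPECTED first|last
# One control: passes only when the effective value equals EXPECTED exactly.
check_directive() {
    actual=$(effective_value "$1" "$2" "$4")
    if [ "$actual" = "$3" ]; then
        printf 'PASS %-12s %-16s = %s\n' "$(basename "$1")" "$2" "$actual"
        return 0
    fi
    printf 'FAIL %-12s %-16s = %s (expected %s)\n' \
        "$(basename "$1")" "$2" "${actual:-<unset>}" "$3"
    return 1
}

# run_audit: apply the controls and return the number of failures, so the
# result is a number that can go on a ticket or an exception record.
run_audit() {
    write_samples
    failures=0
    check_directive "$APACHE_CONF" ServerTokens    Prod last  || failures=$((failures + 1))
    check_directive "$APACHE_CONF" ServerSignature Off  last  || failures=$((failures + 1))
    check_directive "$SSHD_CONF"   PermitRootLogin no   first || failures=$((failures + 1))
    check_directive "$SSHD_CONF"   Protocol        2    first || failures=$((failures + 1))
    rm -rf "$TMPD"
    return "$failures"
}

# On the constructed samples exactly one control fails (ServerSignature is On).
run_audit
echo "failures: $?"
```

Each control names the file, the directive and the single acceptable value, so an auditor with no context can re-run it and get the same answer the author got; anything that legitimately needs a different value goes through the exception process rather than into the standard as "where appropriate".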
