Saturday, March 27, 2010

Security configuration guides

When auditors visit your company to check the overall level of information security, they usually shower you with questions about your vulnerability and patch management processes. And if you don't have one of these processes well established, I'm dead sure you will get a serious deficiency in the audit results.
But what about the system hardening process (it could be part of configuration management): do you have such a process established? Do you have security configuration standards for all your OSes, DBs and applications well developed and updated? If you start doing this from scratch, you are going to waste a hell of a lot of time. To save your time, here is a list of links to well-known libraries of security configuration guides:
  1. USA National Security Agency (NSA) - Security Configuration Guides
  2. USA National Institute of Standards and Technology (NIST) - National Checklist Program Repository
  3. USA Defense Information Systems Agency (DISA) - Security Technical Implementation Guides (STIGs)
  4. Community: the Center for Internet Security (CIS) - CIS Benchmarks
Of course, you can also find a lot of such guides on vendors' websites:
  1. Apple Mac OS X Security Configuration Guide
  2. Microsoft Security Configuration Guides and Wizards
  3. Apache community Security Tips
  4. Cisco IOS Security Configuration Guide
  5. Debian Linux Securing Debian Manual
Automated Hardening Tools:
So, use them and stay secure!

PS. If you have more links and guides, please add them in the comments.

I'll do it myself:
An old general Unix security checklist

Saturday, March 13, 2010

Using Google Alerts for information security

So, we have spent a hell of a lot of time and money installing different systems, but how can we be sure that everything was done well? One morning you may find out that today's top news is: your company has been hacked! I think you should get the worst news first. For this purpose you can write your own web robot, but from my point of view the simplest way is the Google Alerts service. How can we use it?
Create a search pattern like "my_company_name hacked OR compromised OR defaced", change the "How often" option to "as-it-happens", provide an email address and voilà: once Google finds something, it will inform you.
Moreover, you can use the Google Alerts service to check your company's web resources for accidental leakage of confidential information. For this purpose, create a pattern like "site:my_company_web_site.com confidential OR secret OR internal use" or a special pattern for documents that should not be published: "site:my_company_web_site.com confidential filetype:doc OR filetype:cad". Google will then monitor your web sites for you and notify you.
Of course, you can combine both methods to watch for private data leaking onto the internet, negative information about your company, advertisements selling your protected data, etc.
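The alert patterns described above can be generated for a whole inventory of company names and sites; the following is an added example, not code from the original post. The function names and the sample inventory are assumptions, and multi-word markers such as internal use are quoted so that they match as one phrase.

```python
"""Build Google Alerts search patterns for breach and leak monitoring."""

def term(text):
    """Return one search term; multi-word phrases are quoted as exact phrases."""
    text = text.strip()
    if not text or '"' in text:
        raise ValueError(f"unusable search term: {text!r}")
    return f'"{text}"' if " " in text else text

def any_of(terms):
    """Join alternatives with the OR operator, as the post's patterns do."""
    parts = [term(t) for t in terms]
    if not parts:
        raise ValueError("at least one term is required")
    return " OR ".join(parts)

def site_filter(site):
    """Reduce a URL or host name to a site: operator on the bare host."""
    host = site.strip().lower().split("://")[-1].split("/")[0]
    if not host or " " in host:
        raise ValueError(f"not a host name: {site!r}")
    return f"site:{host}"

def breach_query(company, words=("hacked", "compromised", "defaced")):
    """Pattern for news that the company has been attacked."""
    return f"{term(company)} {any_of(words)}"

def leak_query(site, markers, filetypes=()):
    """Pattern for marked documents indexed on one of your own sites."""
    query = f"{site_filter(site)} {any_of(markers)}"
    exts = [f"filetype:{e.strip().lstrip('.').lower()}" for e in filetypes]
    return f"{query} {' OR '.join(exts)}" if exts else query

def build_alerts(companies, sites, markers, filetypes):
    """One breach alert per company name, two leak alerts per site."""
    alerts = [breach_query(c) for c in companies]
    for s in sites:
        alerts.append(leak_query(s, markers))
        alerts.append(leak_query(s, markers, filetypes))
    return alerts

if __name__ == "__main__":
    # Constructed sample inventory; replace with your own names and sites.
    for q in build_alerts(["Example Corp"], ["https://www.example.com/"],
                          ["confidential", "secret", "internal use"],
                          ["doc", ".cad"]):
        print(q)
```

Each returned string is pasted into the alert's search field as one pattern.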
Keep informed! :-)