part 3

Scene 1 (0s)

[Audio] Data hiding when viewing logs

System logs can include a large amount of personally identifiable information, including:

- Username
- Your IP address
- Action performed
- Application responses (e.g. a network filter blocking access to a questionable website)
- Date and time

Combining all of this information could allow for a level of monitoring that isn't covered by an IT Use Policy. On other occasions it may just be that some of that data should not be shared outside of an organisation. For instance, a software error may be logged alongside a lot of unnecessary information. The answer in this case is data hiding: making sure that data is obfuscated or removed before subsequent use.

Users with special privileges

The basic rule of thumb is to only afford users the minimum level of access that they require in order to do their job. Of course, different users perform different jobs and need to access different resources. For this purpose all networks feature users with special privileges, that is, privileges granted to them in addition to the base level afforded to all users.

When granting additional access rights to users, always check what the effective access rights will be. This is the result of all policies applied to the user. This is important as you may apply multiple policies to a single user, and this means other policies could overwrite the policy being implemented most recently.

It is advised to remove special privileges from accounts as soon as they are no longer required. The Active Directory user management tool built in to Windows Servers helps to keep users organised.

Scene 2 (1m 40s)

[Audio] Testing and reviewing protection

- Firewall testing
- System scans
- Network testing tools
- Judging effectiveness and making recommendations for improvement

Firewall test strategy

Test Case Generation For Firewall Testing (acsac.org)

A test strategy should cover all areas of the implementation of the firewall. For example, the implementation of the equipment: is it in the correct location, or does it only provide protection for some areas of the network? Do the firewall rules work as intended? If you have a rule to block connections to a specific application, does it actually achieve this? Sometimes applications have back-up hosts in the event that the main host can't be contacted.

Finally, a firewall should undergo penetration testing. This ensures that no known flaws are present, that all patches are installed, and that the default configuration properties are indeed secure enough. The link at the head of this page covers the strategy in more detail.

System scans

Regular system scans should be part of any security policy and should be scheduled to occur automatically. The purpose of a system scan is simply to ensure that there is nothing stored that has evaded initial virus scanning. It is wise to schedule full system scans to take place outside of normal office hours, as scanning every file on a system can be extremely time consuming and processor intensive.

Scene 3 (3m 11s)

[Audio] Network testing tools

System admins can use many different tools to scan and probe their networks looking for security vulnerabilities. One of the simplest pieces of software is a port scanner. This checks all IP addresses within a supplied range and scans all ports to see whether any of the machines are listening on those ports. Port scanners can reveal what devices are connected to a network and also what software services are running on those devices. This can be an important first step when trying to attack a network; it is therefore also an important step in securing a network.

There are also network management packages, for example KaliOS. This provides tools to inspect a network, discover devices and software, probe devices to see if they are patched or vulnerable to attack, and much more. Find out more at kali.org

Judging effectiveness and making recommendations

In order to know how effective a policy is, it must be measured and evaluated using quantitative measures. See setting targets for further guidance.

Using event logs from network management software alongside server logs, it is possible to identify how often threats are blocked and what threats are most prevalent. This information allows a network administrator to identify where further security would be beneficial and also highlight any breaches in security.

Recommendations can involve anything from changing policy to providing additional staff training or additional hardware/software. Outside companies can provide these services and will typically begin by running network scanning tools to locate weaknesses.
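
The data hiding described in Scene 1 and the log-based measurement described under "Judging effectiveness and making recommendations" can be combined, as in this added example (not part of the original slideshow). The log format, field names and key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample lines in a hypothetical web-filter log format (not from the page).
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=asmith ip=10.0.4.17 action=GET result=BLOCKED category=malware
2024-03-04T09:12:44 user=bjones ip=10.0.4.23 action=GET result=ALLOWED category=news
2024-03-04T09:15:10 user=asmith ip=10.0.4.17 action=GET result=BLOCKED category=phishing
2024-03-04T09:20:31 user=cwu ip=10.0.5.2 action=GET result=BLOCKED category=malware
""".splitlines()

SENSITIVE = re.compile(r"\b(user|ip)=(\S+)")  # fields treated as identifying (assumption)

def pseudonym(value, key):
    """Replace a value with a keyed token: stable, so events still correlate."""
    # HMAC rather than a bare hash: usernames and private IPs come from small
    # sets, so an unkeyed hash could be reversed by hashing every candidate.
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]

def redact_line(line, key):
    """Obfuscate the identifying fields, leaving the rest of the line intact."""
    return SENSITIVE.sub(lambda m: f"{m.group(1)}={pseudonym(m.group(2), key)}", line)

def blocked_by_category(lines):
    """Count blocked events per threat category; works on redacted lines too."""
    counts = Counter()
    for line in lines:
        fields = dict(t.split("=", 1) for t in line.split() if "=" in t)
        if fields.get("result") == "BLOCKED":
            counts[fields.get("category", "unknown")] += 1
    return counts

if __name__ == "__main__":
    key = b"demo-key-keep-inside-the-organisation"  # placeholder secret
    redacted = [redact_line(line, key) for line in SAMPLE_LOG]
    for line in redacted:
        print(line)
    print(blocked_by_category(redacted).most_common())
```

The key must stay inside the organisation: anyone holding it can recompute the token for a known username or IP address.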