In-Reply-To: <GFEFLNCAJHGGEBHHGMIBAEPDCAAA.kirtat_private>

>Explain:
>1) That the client's setup is very insecure for the following reasons
> a) The admin password is too short
> b) The admin password does not contain special characters
> c) The admin password should be changed regularly
>

I fully agree with these recommendations, but they should also be considered in the context of the infrastructure. You must be prepared to answer the customer's questions regarding firewalls blocking ports, etc.

>2) The current information security environment. VIGILANCE IS NO LONGER AN OPTION.
>
>3) Explain that the system involved is a client of both. Then explain that
>the client's information security/safety should come first.
>
>4) Recap on #1. Highlight on #2 and repeat #3 until you make your point and
>can move on.
>
>5) Candidly explain to the vendor that if a serious
> security incident should occur, and the weak
> password was the root cause, that the vendor could be
> held legally liable.

While this is a valid concern, some research should be done regarding the firewall settings. If the firewall blocks ports 139 and 445, then someone accessing the system may not be the most immediate concern. Also, investigation into the firewall rulesets should be done to ensure that the pcAnywhere connections are restricted to both source and destination IP addresses.

>6) Explain to the customer that if privacy and financial information should
>leak, the client could be held legally liable.
>
>7) Explain to both that a security 'incident' has already occurred. Repeat #5
>and #6 until you have made your point.

Back the turnip truck up one second! What incident has occurred? If you're referring to the Exchange server set to being an open relay...what evidence do you have regarding this? Yes, there is significant risk associated w/ open relays, particularly if they're used to relay porno and/or spam. But what evidence is there to show that this change in the system is the result of an incident? Unless, of course, you're saying that someone accidentally or unknowingly enabled relaying is the incident.

>8) Then close the meeting with a remediation timeline. (This is the goal of the meeting!)

It's always a good plan for a security professional to present options and a plan for resolution, rather than just problems. Take your customer solutions, not problems.

Harlan
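Added example (not part of the thread, and not anything the posters ran): the evidence Harlan asks for on the open-relay claim is a transcript of the relay check itself. The probe below connects to the mail server as an outside host, issues MAIL FROM with an outside sender and RCPT TO with a recipient in a third domain, and records the reply code; a 25x on that RCPT TO is the "will relay" verdict. It stops before DATA, so nothing is delivered. The helper name, probe addresses and ports are assumptions; the fake SMTP responder is a constructed stand-in so the probe can be exercised offline, and is not Exchange.

```python
"""Open-relay probe for an SMTP/Exchange host (added example, not from the thread)."""
import smtplib
import socketserver
import threading

# Constructed probe identities (assumptions, not from the thread).
PROBE_HELO = "probe.example.net"
PROBE_SENDER = "relaytest@example.net"
PROBE_RCPT = "relaytest@example.org"    # neither domain is local to the target


def probe_open_relay(host, port=25, sender=PROBE_SENDER, rcpt=PROBE_RCPT,
                     timeout=10):
    """Return (verdict, transcript).

    verdict is True (server accepted a third-party recipient, i.e. it relays),
    False (recipient refused) or None (MAIL FROM refused, so inconclusive).
    transcript is a list of (command, code, text) tuples: the evidence to
    bring to the meeting. The session is reset and closed before DATA.
    """
    transcript = []
    with smtplib.SMTP(host, port, local_hostname=PROBE_HELO,
                      timeout=timeout) as smtp:
        code, text = smtp.ehlo()
        transcript.append(("EHLO", code, text.decode(errors="replace")))
        if code != 250:                       # fall back for non-ESMTP servers
            code, text = smtp.helo()
            transcript.append(("HELO", code, text.decode(errors="replace")))
        code, text = smtp.mail(sender)
        transcript.append(("MAIL FROM", code, text.decode(errors="replace")))
        if code != 250:
            return None, transcript
        code, text = smtp.rcpt(rcpt)
        transcript.append(("RCPT TO", code, text.decode(errors="replace")))
        smtp.rset()                           # abandon the transaction before QUIT
    return 200 <= code < 300, transcript


class _FakeSMTP(socketserver.StreamRequestHandler):
    """Constructed minimal SMTP responder; relays or refuses per server flag."""

    def _reply(self, line):
        self.wfile.write(line.encode() + b"\r\n")

    def handle(self):
        self._reply("220 mail.example.com ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            cmd = raw.decode(errors="replace").strip().upper()
            if cmd.startswith(("EHLO", "HELO")):
                self._reply("250 mail.example.com")
            elif cmd.startswith("MAIL FROM:"):
                self._reply("250 2.1.0 Sender OK")
            elif cmd.startswith("RCPT TO:"):
                if self.server.relay_allowed:
                    self._reply("250 2.1.5 Recipient OK")
                else:
                    self._reply("550 5.7.1 Unable to relay")
            elif cmd.startswith("RSET"):
                self._reply("250 2.0.0 Reset")
            elif cmd.startswith("QUIT"):
                self._reply("221 2.0.0 Bye")
                break
            else:
                self._reply("500 5.5.1 Command unrecognized")


def start_fake_server(relay_allowed):
    """Start the constructed SMTP responder on a loopback ephemeral port."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSMTP)
    server.relay_allowed = relay_allowed
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Probe one relaying and one locked-down responder; return verdict and RCPT code."""
    results = {}
    for label, allowed in (("open_relay", True), ("locked_down", False)):
        server, port = start_fake_server(allowed)
        try:
            verdict, transcript = probe_open_relay("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
        results[label] = (verdict, transcript[-1][1])
    return results


if __name__ == "__main__":
    for label, (verdict, rcpt_code) in demo().items():
        print(f"{label}: RCPT TO reply {rcpt_code} -> open relay: {verdict}")
```

Against a real host, call probe_open_relay with the server's address from a machine outside its network; the transcript (not just the verdict) is what to keep, since it shows exactly which recipient was accepted and with what reply. Note this demonstrates that relaying is possible now, not that it was enabled by an intruder, which is the distinction Harlan is drawing.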
This archive was generated by hypermail 2b30 : Sun Aug 17 2003 - 10:36:37 PDT