30 Questions Every Manager Should Ask

Pages: 9 (2220 words) Published: 22 April 2012
Network Security:
30 Questions Every Manager Should Ask

Author: Dr. Eric Cole
Chief Security Strategist
Secure Anchor Consulting

Network Security: 30 Questions Every
Manager/Executive Must Answer in Order to Track and
Validate the Security of Their Organization
1. What does your network/security architecture diagram look like?
The first thing you need to know to protect your network and systems is
what you are protecting. You must know:

• The physical topologies
• Logical topologies (Ethernet, ATM, 802.11, VoIP, etc.)
• Types of operating systems
• Perimeter protection measures (firewall and IDS placement, etc.)
• Types of devices used (routers, switches, etc.)
• Location of DMZs
• IP address ranges and subnets
• Use of NAT

In addition, you must know where the diagram is stored and that it is
regularly updated as changes are made.
2. What resources are located on your DMZ?
Only systems that are semi-public should be kept on the DMZ. This
includes external web servers, external mail servers, and external DNS.
A split-architecture may be used where internal web, mail, and DNS are
also located on the internal network.
3. What resources are located on your internal network?
In addition to internal web, mail, and DNS servers, your internal network
could also include databases, application servers, and test and
development servers.
4. Where is your organization’s security policy posted and what is in it?
There should be an overall policy that establishes the direction of the
organization and its security mission as well as roles and
responsibilities. There can also be system-specific policies for
individual systems. Most importantly, the policies should address the
appropriate use of computing resources. In addition, policies can
address a number of security controls, from passwords and backups
to proprietary information. There should be clear procedures and
processes to follow for each policy. These policies should be included in
the employee handbook and posted on a readily accessible intranet site.

Network Security: 30 Questions Every Manager Should Ask │ Page 2
Copyright © 2006 Secure Anchor Consulting. All rights reserved.

5. What is your organization’s password policy?
A password policy should require that a password:

• Be at least 8 characters long
• Contain both alphanumeric and special characters
• Change every 60 days
• Not be reused within five password cycles
• Be locked out after 3 failed attempts

In addition, you should be performing regular password auditing to check
the strength of passwords; this should also be documented in the
password policy.
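A small checker that enforces the parameters listed above, as an added example (not from the original document); the thresholds are the ones in the text, while the Account model, function names and plaintext history are assumptions:

```python
# Added example (not from the original document): a small checker for the
# policy parameters listed above. Thresholds come from the text; the
# Account model, function names and the plaintext history are assumptions
# (a real system stores salted hashes, never plaintext passwords).
from datetime import datetime, timedelta
import string

MIN_LENGTH, MAX_AGE = 8, timedelta(days=60)     # "at least 8", "every 60 days"
HISTORY_DEPTH, MAX_FAILURES = 5, 3              # "five cycles", "3 failed attempts"


def complexity_errors(candidate, history):
    """Return the policy rules a candidate password violates (empty = OK)."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append("shorter than 8 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        errors.append("needs both letters and digits")
    if not any(c in string.punctuation for c in candidate):
        errors.append("needs a special character")
    if candidate in history[-HISTORY_DEPTH:]:
        errors.append("reused within the last five cycles")
    return errors


class Account:
    def __init__(self, password, set_on):
        self.history, self.set_on = [password], set_on   # most recent last
        self.failures, self.locked = 0, False

    def change_password(self, new, now):
        """Apply the complexity and reuse rules; returns the list of violations."""
        errors = complexity_errors(new, self.history)
        if not errors:
            self.history.append(new)
            self.set_on = now
        return errors

    def attempt_login(self, password, now):
        """Returns 'ok', 'expired', 'bad' or 'locked'; locks after 3 failures."""
        if self.locked:
            return "locked"
        if password != self.history[-1]:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
                return "locked"
            return "bad"
        self.failures = 0                                 # successful login resets the counter
        return "expired" if now - self.set_on >= MAX_AGE else "ok"
```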
6. What applications and services are specifically denied by your
organization’s security policy?
Your organization’s security policy should specify applications, services,
and activities that are prohibited. These can include, among others:

• Viewing inappropriate material
• Spam
• Peer-to-peer file sharing
• Instant messaging
• Unauthorized wireless devices
• Use of unencrypted remote connections such as Telnet and FTP

7. What types of IDSs does your organization use?
To provide the best level of detection, an organization should use a
combination of both signature-based and anomaly-based intrusion
detection systems. This allows both known and unknown attacks to be
detected. The IDSs should be distributed throughout the network,
including areas such as the Internet connection, the DMZ, and internal
networks.
8. Besides default rulesets, what activities are actively monitored by
your IDS?
IDSs come with default rulesets to look for common attacks. These
rulesets must also be customized and augmented to look for traffic and
activities specific to your organization’s security policy. For example, if
your organization’s security policy prohibits peer-to-peer
communications, then a rule should be created to watch for that type of
activity. In...