Sunday, June 26, 2005

System Admin vs. Security Admin

Network administration is about ensuring that users can get to everything they need; security is about restricting access to things. So security administration is, at its core, fundamentally opposed to network administration: the two have conflicting goals.

Ideally, a security administrator should be someone who understands system and network administration, but whose job it is to think about security first, and usability/usefulness second. This person would need to work closely with the network/system administrator.

Adapted from Protect Your Windows Network: From Perimeter to Data by Jesper M. Johansson and Steve Riley.

The Defense-in-Depth Model

The following is the defense-in-depth model adapted from Protect Your Windows Network: From Perimeter to Data by Jesper M. Johansson and Steve Riley. Each layer is listed from the outermost inward:
  • People, policies, and processes
  • Physical security
  • Perimeter
  • Network
  • Host
  • Application
  • Data

Friday, June 24, 2005

SD3+C: High-level Principles for Building More Secure Software

Here is a set of high-level principles for building more secure software. Microsoft refers to these principles as SD3+C:
  • Secure by Design
  • Secure by Default
  • Secure in Deployment
  • Communications

Adapted from The Trustworthy Computing Security Development Lifecycle by Steve Lipner and Michael Howard.

Thursday, June 23, 2005

Three Facets to Building More Secure Software

There are three facets to building more secure software: repeatable process, engineer education, and metrics and accountability.

Adapted from The Trustworthy Computing Security Development Lifecycle by Steve Lipner and Michael Howard.

A Definition of Network Security

The following definition of network security is Jesper M. Johansson and Steve Riley's view from Protect Your Windows Network: From Perimeter to Data.

Network security is a process, a task description, not an end state. Therefore, we like to talk about network protection as the goal, and network security as a task description. The task is to detect problems and, preferably before someone else does, respond to those problems in a way that prevents them from becoming security vulnerabilities. At that point, the process repeats, and we look for more problems to prevent.

Wednesday, June 22, 2005

People+Processes+Technology

I cannot resist recording the following quote from Protect Your Windows Network: From Perimeter to Data by Jesper M. Johansson and Steve Riley.

"You get only so much security if you concentrate solely on the technology; the people and the processes are equally important. Indeed, without thought in those two areas, most of the technology you deploy to protect information systems will fail to do what you intend - it will only give you a false sense of security, which in fact can be more dangerous than no security at all."

I cannot agree more with their comments on the people and process factors. Without a good process, you won't have a "secure enough" network. The enforcement of a security process will always bring inconvenience to people. You should always expect resistance from people. Without the people's adoption, a process is just useless paper. So you need to educate people before introducing a process. Once people have more knowledge of security, they tend to adopt the process more easily and with less resistance.

On the other side, a security process should be introduced VERY GRACEFULLY. A security process should bring minimal inconvenience to people. That will make people adopt processes more easily. If there is a conflict between a big inconvenience to people and less security, I'd rather trade off security for convenience and let the security admin focus more on the less secure part.

Monday, June 20, 2005

Some Useful SQL Queries

Here are some useful SQL queries for fingerprinting a SQL Server instance (the trailing -- comments are T-SQL comments, so each line can be pasted as-is):
  • select serverproperty('productlevel') -- service pack level (RTM, SP1, ...)
  • select serverproperty('productversion') -- major.minor.build.revision
  • select serverproperty('edition') -- Enterprise, Standard, Express, ...
  • select @@version -- version + edition, plus platform, build and service pack level in one string

The system stored procedure xp_msver can return more detailed info than the SELECT @@VERSION query method.

Adapted from the book Assessing Network Security by Ben Smith, David LeBlanc and Kevin Lam.

You don't need to be sa to execute the queries and the stored procedure above. A login that holds nothing beyond the public role on a user database can execute them, which is why version fingerprinting is one of the first things an attacker with any SQL login does.
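The following T-SQL script is an added example, not code from the book or from the original post. It runs the fingerprinting queries above while impersonating a throwaway login that is a member of public only, so that the result itself demonstrates that no sa or sysadmin rights are required. It assumes SQL Server 2005 or later (EXECUTE AS LOGIN and the sys.server_principals catalog view), and the login name lowpriv and its password are placeholders invented for a lab instance.

```sql
-- Added example (not from the book or the original post): fingerprint the
-- instance with the queries above while impersonating a login that holds
-- nothing beyond the public role, to show that no sa/sysadmin rights are needed.
-- Assumptions: SQL Server 2005 or later (EXECUTE AS LOGIN, sys.server_principals)
-- and a hypothetical throwaway login named lowpriv created here for the test.
-- Run this as a sysadmin on a lab instance, not on production.

-- 1. Create the low-privilege login. It is a member of public only; the password
--    is a placeholder for a lab instance, not a recommended value.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'lowpriv')
    CREATE LOGIN lowpriv WITH PASSWORD = N'Lab-only-placeholder-2005!';

-- 2. Run the fingerprinting queries as that login. Everything between
--    EXECUTE AS and REVERT executes with lowpriv's permissions only.
EXECUTE AS LOGIN = N'lowpriv';

SELECT
    SUSER_SNAME()                              AS running_as,        -- lowpriv
    IS_SRVROLEMEMBER('sysadmin')               AS is_sysadmin,       -- 0 for lowpriv
    SERVERPROPERTY('ProductVersion')           AS product_version,   -- e.g. 9.00.3042.00
    SERVERPROPERTY('ProductLevel')             AS product_level,     -- RTM, SP1, SP2 ...
    SERVERPROPERTY('Edition')                  AS edition,
    SERVERPROPERTY('MachineName')              AS machine_name,
    SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only; -- 0 = mixed mode

-- @@VERSION folds version, edition, build, service pack and OS into one text
-- string, which is handy to read but awkward to compare. ProductVersion is
-- dotted numeric (major.minor.build.revision), so PARSENAME splits it cleanly
-- into parts that can be compared as integers against a known-patched build.
DECLARE @v nvarchar(128);
SET @v = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));

SELECT
    CAST(PARSENAME(@v, 4) AS int) AS major_version,  -- 8 = 2000, 9 = 2005, 10 = 2008 ...
    CAST(PARSENAME(@v, 3) AS int) AS minor_version,
    CAST(PARSENAME(@v, 2) AS int) AS build_number,
    @@VERSION                     AS version_banner;

-- xp_msver adds what the functions above omit (platform, processor count,
-- physical memory, product name and build). As the post notes, public can run it.
EXEC master.dbo.xp_msver;

-- 3. Drop the impersonation and clean up the throwaway login.
REVERT;
DROP LOGIN lowpriv;
```

If any statement inside the EXECUTE AS block fails with a permission error, the instance has been hardened beyond the defaults described in the post; otherwise the three result sets returned under lowpriv are exactly the fingerprint an attacker gets from the weakest possible SQL login.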

Tuesday, June 14, 2005

IE Enhanced Security Configuration and Smart Clients on SSL

The Enhanced Security Configuration adjusts the Internet Explorer extensibility and security settings. These settings can be found on the Advanced tab of Internet Options in Control Panel. One of the adjustments is to turn on the "Do not save encrypted pages to disk" option.

If you have a Windows Forms control embedded in a Web page, and the virtual directory containing the control has the "Require secure channel (SSL)" option turned on so that it is served over HTTPS, then you should tell users to turn off the "Do not save encrypted pages to disk" option in their IE: when it is on, it prevents the control from being downloaded to the client machine. Keep in mind that turning it off means every page served over SSL is written to the browser cache on disk, which is exactly what the hardened setting exists to prevent, so limit this advice to the users who actually need the control.

The "Do not save encrypted pages to disk" option corresponds to the REG_DWORD value "DisableCachingOfSSLPages" under the key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" (1 = option on, 0 = option off).

Tuesday, June 07, 2005

The Goal of a Security Audit

The goal of a security audit is to ensure that the security policy is followed, except in the case of regulatory compliance. In a regulatory compliance assessment, the primary goal of the security audit is to assess the effectiveness of the organization's ability to protect its information assets.

Adapted from the book Assessing Network Security by Ben Smith, David LeBlanc and Kevin Lam.

Monday, June 06, 2005

Difference between Penetration Testing and Vulnerability Scanning

Both penetration testing and vulnerability scanning improve network security by locating weaknesses. However, the methods for arriving at the results are distinctly different.

Vulnerability scanning relies almost entirely on the brute force provided by automated tools; in contrast, penetration testing relies on the ingenuity of the penetration tester.

Adapted from the book Assessing Network Security by Ben Smith, David LeBlanc and Kevin Lam.

Steps for a Vulnerability Scanning

The following are the major steps for vulnerability scanning:
  1. Set a scope.
  2. Determine goals.
  3. Choose a technology.
  4. Create a process for scanning for vulnerabilities.
  5. Create a process for analyzing the results.

Adapted from the book Assessing Network Security by Ben Smith, David LeBlanc and Kevin Lam. The detailed discussion of each step in Chapter 3 is very good.

Sunday, June 05, 2005

Assessing and Managing Security Risks

You can use the following simple process outline for assessing and managing security risks:
  1. Set the scope.
  2. Identify assets and determine their value.
  3. Predict threats and vulnerabilities to assets.
  4. Document the security risks.
  5. Determine a risk management strategy.
  6. Monitor assets.
  7. Track changes to assets.

Adapted from the book Assessing Network Security by Ben Smith, David LeBlanc and Kevin Lam.

Keep Security Simple

How do you keep security simple? One way is to break security down into discrete objectives:
  1. Keep services running and information away from attackers. // deny access by default
  2. Allow the right users access to the right information. // least privilege
  3. Defend every layer as if it were the last layer of defense. // defense in depth
  4. Keep a record of attempts to access information. // audit logs
  5. Compartmentalise and isolate resources as much as possible.
  6. Don't make the same mistakes that everyone else makes.
  7. Don't let the aforementioned objectives cost too much.

Adapted from the book Assessing Network Security by Ben Smith, David LeBlanc and Kevin Lam.