Slashdot Mirror

← Back to Domains

Domain: cisecurity.org

Stories and comments across the archive that link to cisecurity.org.

Comments · 94

  1. Try looking at Benchmarks by Jim+Robinson+Jr. · · Score: 5, Informative · on Best Linux Security Books?

    While books are good, you will have to wade through a lot of verbiage to find the gems. Although they won't provide the historical and technical backgrounds, you should seriously consider beginning with industry benchmarks rather than trying to make up your own.

    Try these for starters:

    Center for Internet Security
    http://www.cisecurity.org/

    SANS Step-By-Step Guides
    https://store.sans.org/store_category.php?category =stepxstep&portal=d3e56294b582309b0d88a6990e8621ce

    Both will provide you with a checklist to secure your systems, and although neither will be "all inclusive" they will give you a foundation to build your security program on.

    In large enterprises subject to regulatory oversight and external auditing they use these as a starting point.

    Hope this helps,

    Jim Robinson Jr., CISSP

  2. Use defence in depth by kmckinlay · · Score: 1 · on What is the Best Firewall for Servers?
    Short of airgapping your network, might I suggest a couple of different approaches?

    If possible, put a firewall between your network and the rest of the networks. Whether it is a commercial firewall or homebrew, find something that you can manage and properly secure.

    Whether or not a network firewall is possible, harden your systems.
    • Disable all those services that are not needed
    • Make sure the systems are properly patched
    • Run the Center for Internet Security benchmark tool found at http://cisecurity.org/ and read and follow their recommendations
    • Install a personal firewall on the systems
    • Finally, install a Host IDS system so you know what is getting through and may impact your systems

  3. Re:Pseudo-Written Password by J.+Random+Luser · · Score: 1 · on Write Down Your Passwords

    A couple of days ago I was directed to http://www.cisecurity.org/ to get their "Macintosh OS X Panther Benchmark Security Document". I was surprised to see (p.20) they recommend old chestnuts like 1qaz@Wsx and 89)Okm,. as "strong" passwords which are fairly easy to remember. Of course MacOS' bad joke 8 char limit doesn't help.

  4. Great news by Anonymous Coward · · Score: 2, Interesting · on Bastille Adds Reporting, Grabs Fed Attention

    This new reporting feature reminds me of the CIS Security Benchmark which was recently covered by NewsForge. The thing that has always bothered me about CIScan, however, is the mandatory registration process you have to go through before you download it. With Bastille offering similar functionality the need to use CIScan is greatly deminished in favor of a more "open" solution (not to bash CIS, but I don't enjoy having to keep track of yet-another-download-account).

    What really makes the CIS benchmark great is the manual it comes with (which I briefly described in a comment here), so I hope the Bastille project doesn't neglect to document the benchmark in a similar way as to inform adminstrators about the various trade-off's involved. I suspect Bastille has modeled the reporting-feature after CIScan, though, so it will probably turn out to be a great replacement.

    Great work guys, this new feature is welcomed with open arms.

  5. Re:Hardening systems works! by Anonymous Coward · · Score: 2, Informative · on Linux Getting Harder To Crack
    There are several Linux hardening projects around. Interestingly enough, they are somewhat orthogonal to each other, and tend to complement one another.

    Here's a basic roundup of useful links:

  6. Re:Hardening Linux works! by Anonymous Coward · · Score: 0 · on Linux Getting Harder To Crack

    What about CIS security scan/benchmark ? Not only does it harden your system, but it educates as well. It is a great complement to Bastille.

  7. Re:Open source tools? by andynz · · Score: 1 · on Assessing Network Security

    I used to run the Center for Internet Security benchmarking tools on a regular basis to audit my systems (particularly after applying patches to see what they had opened up). They can be found at http://www.cisecurity.org/.

  8. Re:The layered onion approach... by 6.023e23 · · Score: 1 · on Spyware/Adware Prevention In Large Deployments?
    Having dealt with a round of this recently, I cannot echo my agreement loudly enough. Most malware targets IE, you can't eliminate the malware (but can try to limit it via Ad-Aware, Spybot, et al), so get rid of its major target, i.e IE.

    I personally use Firefox and have also installed it as the primary browser on all user computers I support (including family and friends). The amount of malware has dropped to almost zero, and what little bit does manage to get through it readily dealt with via Ad-Aware, Spybot, etc.

    User education is also important. I've found that to be the case with viruses/worms as well.

    Speaking of viruses/worms, in the same context as before, while IE is the predominant target of web-based malware, the predominant target of mail-based malware is, you guessed it, OE. So, don't use it!

    I've switched to Thunderbird personally, though prior to that I was a solid Eudora user, which is what I have installed for family and friends. Honestly, if users are tied to the OE interface, Thunderbird should work fine for them. What mail-borne malware still makes it through, that's what antivirus is for.

    Finally, look at the other common vectors, including the Windows Messaging service. There are a number of services such as this that should not be on (but are on by default). XP SP2 is highly recommended. Also, if you're on Win2k or XP, check out the benchmark scoring tools and guides available from CISecurity. Some of the recommendations might be too draconian for many locations, but the general advise in the benchmarks is dead on.

  9. BSD is NOT dying. HPUX is. by alphaque · · Score: 4, Interesting · on CIS Releases FreeBSD Security Benchmark

    hmm, oddly the HTML title and title bar both say "Benchmarks for HPUX". :)

    see the link above at http://www.cisecurity.org/bench_freebsd.html

  10. Five easy steps. by plcurechax · · Score: 5, Insightful · on Securing Your Network?

    1. Education - Get educated about what information security is all about, you should know what C.I.A. stands for (in infosec, not the US federal agency), you should know what a security policy is, understand risk management and mitigation, and known what criminals/attackers can do in your organization.

    You can get a lot of this from several books and websites, such as Secrets and Lies by Bruce Schneier, the SANS Reading Room, if you can afford it SANS/GIAC training and/or certification may be of benefit to you and your org, the CISSP and SSCP Open Study Guides even if you don't go for CISSP or SSCP (I don't recommend paying any money to ISC^2), and Security Focus.

    2. Audit - This step is critical and too many places forget to do it. You need to know what you are trying to secure, yet most organizations do not have a complete picture of their network and all the systems on it. This includes security and non-security issues (e.g. software licenses, maintenance patches, standardization)

    Tools like those from IBM Tivoli or HP Openview can help here. For security specific vulnerability analyzer, open-source Nessus and eEye's Retina, ISS's Internet Scanner

    3. Policy - You need a plan and a document to give you and others guidenance, and this if your infosec policy.

    Large orgs should consider BS 7799 or ISO 17799 whereas smaller groups can look at Center for Internet Security for benchmarks, and SANS Reading Room - Auditing and Assessment, and Site Security Handbook - RFC 2196.

    4. Implement -- Using your education, audits and policies you can now implement decent security.

    Basic principles of defence in depth, fail-safe, separation of privilege, and complexity is the enemy of security can guide you to build a practical network of secured systems that limits exposure to criminal activities, and minimizes damage from attacks.

    5. Be vigilant - "Security is a process, not a product" - Bruce Schneier

    Now the work begins, up to now it was the fun stuff, now you get to dig in with boring but important tasks such as analyzing log files, maintaining a accurate asset database, applying patches, maintaining user accounts, periodic audits (internal and if you can afford it and it is warranted, external), educating users, and maintaining your security posture.

  11. ARgh Registration... by loconet · · Score: 2 · on Internet Security Standards

    Here are the testing kits direct links..

    Linux
    Solaris
    HP-Unix
    Cicso Router (nix)
    Cisco Router (win)
    Win2k/NT

  12. ARgh Registration... by loconet · · Score: 2 · on Internet Security Standards

    Here are the testing kits direct links..

    Linux
    Solaris
    HP-Unix
    Cicso Router (nix)
    Cisco Router (win)
    Win2k/NT

  13. ARgh Registration... by loconet · · Score: 2 · on Internet Security Standards

    Here are the testing kits direct links..

    Linux
    Solaris
    HP-Unix
    Cicso Router (nix)
    Cisco Router (win)
    Win2k/NT

  14. ARgh Registration... by loconet · · Score: 2 · on Internet Security Standards

    Here are the testing kits direct links..

    Linux
    Solaris
    HP-Unix
    Cicso Router (nix)
    Cisco Router (win)
    Win2k/NT

  15. ARgh Registration... by loconet · · Score: 2 · on Internet Security Standards

    Here are the testing kits direct links..

    Linux
    Solaris
    HP-Unix
    Cicso Router (nix)
    Cisco Router (win)
    Win2k/NT

  16. ARgh Registration... by loconet · · Score: 2 · on Internet Security Standards

    Here are the testing kits direct links..

    Linux
    Solaris
    HP-Unix
    Cicso Router (nix)
    Cisco Router (win)
    Win2k/NT

  17. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  18. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  19. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  20. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  21. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  22. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  23. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  24. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  25. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  26. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  27. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  28. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  29. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  30. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  31. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  32. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  33. links to Win2k and Linux files by Anonymous Coward · · Score: 0 · on Internet Security Standards
    fuck registering (you can just toss them anything)
  34. Direct Links by KPU · · Score: 1, Redundant · on Internet Security Standards

    For those of us who like privacy, here are the downloads: Linux Check W2k check.

  35. Direct Links by KPU · · Score: 1, Redundant · on Internet Security Standards

    For those of us who like privacy, here are the downloads: Linux Check W2k check.

  36. Re:brilliant by Anonymous Coward · · Score: 0 · on U.S. Gov't Planning To "Help Us" Secure Computers

    Look at the website [cisecurity.org]. They allready have a tool out. The Unix version is a Perl script that can be easily examined. I'm guessing that the 2000 version is similar. Basically, it's a security scanning script.. looks for unpatched holes, services that aren't normally necessary, etc, and gives your system a score based on what it finds. You can compare this score to other organization's scores, or try to reach a certain score on your own systems. Think of it as a Security 3DMark. As bad as it sounds, it's not really very sinister at all... you may find yourself running it some day.

  37. Re:Where is it? by __aasfhc1949 · · Score: 1 · on U.S. Gov't Planning To "Help Us" Secure Computers

    http://www.cisecurity.org/

  38. Standards Documents by Atryn · · Score: 2, Informative · on U.S. Gov't Planning To "Help Us" Secure Computers

    Check out the Center for Internet Security where you will find posted the new Win2k and WinNT standard benchmark. Interestingly enough, there have already been benchmarks for other systems, such as Linux.

  39. Standards Documents by Atryn · · Score: 2, Informative · on U.S. Gov't Planning To "Help Us" Secure Computers

    Check out the Center for Internet Security where you will find posted the new Win2k and WinNT standard benchmark. Interestingly enough, there have already been benchmarks for other systems, such as Linux.

  40. Standards Documents by Atryn · · Score: 2, Informative · on U.S. Gov't Planning To "Help Us" Secure Computers

    Check out the Center for Internet Security where you will find posted the new Win2k and WinNT standard benchmark. Interestingly enough, there have already been benchmarks for other systems, such as Linux.

  41. Re:Admin by UnderAttack · · Score: 5, Interesting · on Battle of the Secure Distros

    IMHO, a 'secure distro' is secure by default. You plug in the CD, turn on the box, install it and just keep clicking 'ok'. At the end, you should end up with a secure box. Now it is up to the admin to open the holes.

    However, many distros go a different path by enabling services and allowing installs with weak passwords (or no passwords).

    For a nice security benchmark, see the Center for Internet Security. I wait for the day where a default install of RedHat will score a perfect 10 with it... (It is more around 5 right now on their 0-10 point scale).

  42. Re:Put laws in place for Security Insurance by darkmoon03 · · Score: 1 · on Network Webcurity Wishlist?

    One thing that may help is if there was some independant firm that could give a qualitative and quanitative measurement of a company's security. These independant firms could review patch logs, sys admin proceedures, backup procedures, and employee training materials. They could also perform more intrusive audits, using a standard set of tools (upgraded quarterly) to attempt to infiltrate the organization. At the end, they could then give some sort of ranking, to let a company know what bases have been covered and how they rank with others in the industry.

    Try looking at http://www.cisecurity.org The benchmark tools give a simple score (out of 10). The tools are still pretty new, but are a good starting point for a security audit.

  43. Re:good in theory by Louis_Wu · · Score: 2 · on Unsafe At Any Runlevel
    I don't think that the goal is to get the government to require secure computer systems. Granted, whenever there is a "safety issue" the government tends to get involved and try to "help", but the Center for Internet Security seems to want industry partners to help each other.

    See their Charter's section on Participants in the Process, there are a few government agencies involved, but they are there in capacities which can only be filled by them. The FBI is the best to ask about how to collect data which can be used in a court of law, and one aspect of security is "get the bad guy" after he's done his deed. So why not ask the FBI how you can best support their efforts to find the guy who screwed you? Then there are the various secret-type agencies who are rather good at testing and classifying systems based upon security, so they might be good to talk to when establishing benchmarks.

  44. PEBKAC by Redking · · Score: 5 · on Unsafe At Any Runlevel

    Problem Exists Between Chair And Keyboard.

    No amount of pressuring of software vendors will make a difference. Did you look at the members lists?!? No Microsoft, No Oracle, No SAP, No Computer Associates, No Adobe, No Red Hat...hmm, pretty weak IMHO. If the vendors really cared, they would already be members in the CIS and not have to be "pressured".

    Back to my inital acronym, PEBKAC. It's the weakest point in the chain of security. How many people do we know write their passwords in easily located places? How many people do we know download anything (directx updates, flash, Comet Cursor!)? How many people do we know still give out AOL passwords, even though the Instant Messange windows have warnings not to give out passwords? Even if software security settings are the highest, social engineering will always be able to bypass wetware security settings. I'm not even going to mention exploits in software, just read BugTraq.

    Lastly, the car analogy doesn't hold up. You don't tell car manufacturers to build tanks because people are speeding and/or driving drunk. You educate them and if necessary, punish them. True, anti-lock brakes and airbags are standard in almost every modern car available today, but automakers only put them there because of pressure from the insurance industry. But do people will die from automobile accidents? Unfortunately, yes...again, PEBSWAC (Problem Exists Between Steering Wheel and Chair).

    redking