Phase Three in Software

Drawing PDF-417 2d barcode in Software Phase Three

This part of the assessment looks at server configuration Examining all the local servers and the services they run will provide important information about what needs to be protected Document the specifications and the configuration of the server hardware and software Also, look closely at usage profiles, the types of applications being used, and who uses them The level of detail amassed should be significantly greater than in phase two This adds a complete configuration profile of the servers in the network to the system specification database

In general, it is important to conclude each phase of an assessment with a tangible result that can be presented to management Working toward this outcome helps maintain focus throughout the assessment process It also keeps everybody on the same page and allows errors and omissions to be caught before they compound into serious problems Management should get a short document that summarizes the key findings and future steps It is analogous to having a good roadmap while driving in unfamiliar territory

All organizations rely on information flow between departments Data moves across the desks of workers, into computer systems, through servers, and out through printers Normal operational procedures expose information and make it insecure Limiting this exposure is easier to do with a dataflow map This diagram represents a highly simplified example of a dataflow map These maps can help managers decide at a glance critical information access points and bottlenecks Without a comprehensive understanding of data flow, security initiatives are likely to fail

Sales A sale is made; a chain reaction begins The customer and order data is entered into a sales database The order is sent off to production through the database so it can be filled Meanwhile, marketing and accounting access the sales database The marketing department receives the new customer's information, and accounting prepares an invoice to bill for the order

Production Production needs certain materials to fill an order A vendor is contacted,but before a purchase is made, accounting is consulted and a budget is set To obtain credit with the vendor, production needs to sign a legal agreement The vendor will ultimately send a bill to the accounting department when the order is filled

Research Research looks at the competition and designs a product enhancement Details of the product are placed on the research file server The legal department examines the files and considers regulatory issues and intellectual property protection Research informs marketing and production of the new product specifications

I Figure 1-1

One of the biggest security issues for servers is trust When servers work together, they must be able to trust each other s integrity A trusted server or user has permission to perform sensitive or potentially damaging actions Flaws in trust relationships are some of the most common and dangerous security problems

The information from this phase will help when making difficult decisions about security policies By the end of phase three, the following questions should be asked: Are the critical servers properly configured Are there any exploitable trust situations Do we really need all these services Is critical data adequately protected from loss and theft by implementing uninterruptable power supply (UPS), RAID, or backups

By now, the assessment process has collected a lot of facts about the technology used by the business What else is left Phase four focuses on one of the most overlooked aspects of network security: the workstation You may wonder why you should be concerned After all, if only trusted employees have access to company desktops, what can go wrong A closer look reveals that a lot can go wrong and usually does The workstation is the hardest computer to control effectively Restrict it too much and people can t get work done Give it too much flexibility and it becomes impossible to maintain Even basic and necessary daily computing tasks can unintentionally lead to an insecure environment Check the workstations to see how close they are to the ideal balance Take note of each computer s hardware specifications Then look closely at the software, ensuring that the applications installed are those that have been mandated The following questions should help identify most of the critical workstation security issues: How much access does a hacker have on a compromised workstation Are the workstations sufficiently hardened against hacks Can problems be detected or preemptively fixed Are workstations thin or fat Are there critical workstations How are applications rolled out to desktops Is workstation access physically secure Are desktop passwords protected and do passwords expire Is wireless network access allowed Are PDAs permitted to connect to the network Can laptops be connected to the network Are consultants permitted to connect to the internal network Do vendors perform demonstrations with their laptops connected to the network