
Security Forums


Security Audit for class

StIlTz
Just Arrived

Joined: 13 Feb 2003
Posts: 3
Location: Minnesota

Posted: Thu Mar 27, 2003 6:52 am    Post subject: Security Audit for class

All right everybody, here's my deal...

I am taking a Computer Security Fundamentals course right now (a new program that is starting at my school so now I can go to school for another 4 years... oh joy :) ) and for our final project we have to go out to a company (they know this is going on and are ready for us) and perform a security audit. So we go around, we poke around and ask questions and whatnot... Then we give a presentation to the class and then submit our summary and recommendations to the company.

Anyways, we have been given some basic questions to ask. I want to get a list of questions to throw at the company I get so I can do a thorough job of this and give an in-depth presentation and just wow them (maybe I can get a job at their company kinda thing afterwards).

Anyhoo, any help would be appreciated, and sorry but I can't post anything these companies tell me with the NDA (non-disclosure agreement) and all...

Thanks for the help...
And I already searched the forum to see if there was anything like this and I couldn't find anything...
myhatisred
Just Arrived

Joined: 11 Jan 2003
Posts: 0

Posted: Thu Mar 27, 2003 7:10 am

Well, what exactly do you have to audit? Web security? Password strength? Firewall config? etc...
GSecur
Trusted SF Member

Joined: 30 Sep 2002
Posts: 16777215

Posted: Thu Mar 27, 2003 7:10 am

This might help. It is a checklist that Nissan uses to audit one of its systems.

The checklist has some great questions and is a good resource.

http://www.governmentsecurity.org/download/security_audit_guide.pdf

Switch RACF with the name of the company you are auditing and everything should apply (well almost, but it's a start :) )
StIlTz
Just Arrived

Joined: 13 Feb 2003
Posts: 3
Location: Minnesota

Posted: Thu Mar 27, 2003 8:05 am    Post subject: thanks

Thanks Gsecur I will surely use that... A lot more than what I need to get into but I am going to use a lot that is provided there.

I have to audit network security, security policy, firewall, password strength and toughness, physical security, database policy, network usage policy, pretty much the whole spectrum... basically if it can be audited I am going to audit it.

:D
Guest

Posted: Thu Mar 27, 2003 9:25 am    Post subject: Re: thanks

StIlTz wrote:


I have to audit network security, security policy, firewall, password strength and toughness, physical security, database policy, network usage policy, pretty much the whole spectrum... basically if it can be audited I am going to audit it.

:D


Woah... How much time do you get for this project?

Here are some security-related questions I would ask, but just a few :)

- Do you have a vulnerability/patch management process
- Do you have an incident response/business continuity plan
- Do you have a change management process for
* firewalls
* servers (web-site etc)
* ..
...
..

There would probably be more, but none popping up in my mind right now. Hope those also help, and probably are already covered in that security audit guide.
flw
Forum Fanatic

Joined: 27 May 2002
Posts: 16777215
Location: U.S.A.

Posted: Thu Mar 27, 2003 2:42 pm

On the security policies, are you looking for additional ones and which?
oeb
Just Arrived

Joined: 17 Mar 2003
Posts: 2
Location: That Island of drunks over there

Posted: Thu Mar 27, 2003 3:54 pm

Personally I would go on site and try and root them =P

You can then show them where their weaknesses lie. It means you will have to go a few days earlier and SE your way in too.


Fun Fun Fun


Ian
GSecur
Trusted SF Member

Joined: 30 Sep 2002
Posts: 16777215

Posted: Thu Mar 27, 2003 9:05 pm

Definitely ask them about continuity plans and disaster recovery. So many times people mainly focus on the technology, and not on the human factor.
StIlTz
Just Arrived

Joined: 13 Feb 2003
Posts: 3
Location: Minnesota

Posted: Fri Mar 28, 2003 6:53 am    Post subject: more thanks..

I have from April 1st until roughly June... So a lot of time... and the purpose of this is not to try and root them...
Sorry :)

Just to see what they have in place and determine how important security is to the company (because apparently there is one company on the list that could care less.. at least that is their attitude) and then make suggestions to what can be done to further their security...

Quote:
GSecur said: Definitely ask them about continuity plans and disaster recovery. So many times people mainly focus on the technology, and not on the human factor.

This is something we just covered in class last night and I was the only one in my security class that had a backup stored offsite... in case of disaster.
That is definitely on my list...

Thanks again and keep the suggestions coming if you can think of any.
All times are GMT + 2 Hours