Re: [ossig] When is secure, secure enough?
On Tuesday, January 21, 2003, at 11:23 AM, Mukhsein Johari wrote:
> Hey guys, just a quickie here:
>
> When is it secure enough?

Depends on what you want; there are many different types of security:
physical, system and of course the human level.

> - use strong passwords and make sure they are not leaked (depends on
> users)

I used to run a Perl script on my system that routinely cracked users'
passwords over a weekend and forced them to change their password if it
could be cracked. However, make sure you get consent from management
first. You might get into trouble for running it in your organization,
depending on the policy.

> - use encrypted passwords

Passwords by default are hashed, not encrypted. Some systems today still
use the crypt function, which is basically DES. Most out-of-the-box
Linux distributions only hash up to 8 characters. You can however play
with PAM and change this default policy to go beyond that by using MD5
or SHA-1. Use of other forms of authentication such as smartcards is of
course more secure. Other choices are one-time passwords. If you are
running Windows 9x or ME and connect to a Samba machine, make sure you
disable local passwords on these machines; the passwords stored on them
are recoverable.

> - do not use unsafe services like telnet

Disable telnet on your system.

> - close all 'unused' ports
> - apply all security patches of service daemons that _are_ used
> - use firewalls to filter ip requests into your network
> - do not use M$ software

Windows 2000 can be made secure provided a few things are done
properly, especially closing holes on blackjack and trying not to run
IIS on them. Even so, I prefer Linux to Windows.

> Would these practices be enough to keep your boxes safe? (apart from
> ddos and so forth). Is there more that a busy sysadmin must do?

An IDS and a security policy would be nice. From my experience, you need
to get management support to get this through. Training your end users
is actually a very good idea. A good security policy is one that
everyone can accept or at least understand the implications of. You can
achieve security without cooperation from your end users.

Sometimes an obscure OS is the one that will be least likely to be
hacked. Say you run Apache on AtheOS; chances are few people would want
to hack into a system like this. Most crackers today are just script
kiddies and know very few things in between.

Another thing I would do is get other sysadmins you trust to audit
your site.

> Regards,
> Mukhsein Johari
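The reply above says legacy crypt(3) hashes only cover the first 8 characters of a password and that PAM can be switched to a stronger scheme. Before changing the policy it helps to know which scheme each account is actually using; the password field's prefix tells you. The following audit script is an added example written for this archive page, not code from the thread or from any of the posters. It parses shadow-format lines (the `SAMPLE_SHADOW` entries are constructed, with placeholder hash bodies rather than real hashes), classifies each password field by modular-crypt prefix, and flags accounts still on bare 13-character DES crypt as well as accounts with an empty password field. On a real host the file is root-readable only, so the check would run as root or against an exported copy.

```python
"""Audit /etc/shadow-style password fields for legacy hashing schemes."""
import re
from typing import Dict, List, Tuple

# Modular-crypt prefixes and the scheme each denotes. Traditional DES crypt
# has no prefix: it is a bare 13-character string, and it silently truncates
# the password to 8 characters, which is the limit discussed in the thread.
CRYPT_PREFIXES = {
    "$1$": "MD5-crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "SHA-256-crypt",
    "$6$": "SHA-512-crypt",
    "$y$": "yescrypt",
}
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample entries for this example; hash bodies are placeholders,
# not real digests.
SAMPLE_SHADOW = """\
root:$6$c0nstructed$PLACEHOLDERHASHBODY:19000:0:99999:7:::
alice:Ab1cDeFg/hIjK:19000:0:99999:7:::
bob:$1$c0nstruct$PLACEHOLDERMD5BODY:19000:0:99999:7:::
carol::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
dave:!$5$c0nstructed$PLACEHOLDERSHA256:19000:0:99999:7:::
"""


def classify_field(field: str) -> Tuple[str, bool]:
    """Return (scheme, locked) for one shadow password field.

    A leading '!' marks a locked account that may still carry a hash;
    '*' or '!!' alone means the account has no usable password at all.
    """
    if field == "":
        # Empty field: login succeeds with no password. Always worth flagging.
        return "empty", False
    locked = field.startswith("!") or field.startswith("*")
    body = field.lstrip("!")
    if body in ("", "*"):
        return "disabled", True
    for prefix, name in CRYPT_PREFIXES.items():
        if body.startswith(prefix):
            return name, locked
    if DES_CRYPT_RE.match(body):
        return "DES-crypt", locked
    return "unknown", locked


def audit_shadow(text: str) -> Dict[str, object]:
    """Parse shadow-format lines and report weak password-storage settings."""
    legacy_des: List[str] = []
    empty_password: List[str] = []
    locked_accounts: List[str] = []
    schemes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # not a shadow-format line
        user, field = parts[0], parts[1]
        scheme, locked = classify_field(field)
        schemes[user] = scheme
        if scheme == "DES-crypt":
            legacy_des.append(user)
        if scheme == "empty":
            empty_password.append(user)
        if locked:
            locked_accounts.append(user)
    return {
        "legacy_des": legacy_des,
        "empty_password": empty_password,
        "locked": locked_accounts,
        "schemes": schemes,
    }


if __name__ == "__main__":
    result = audit_shadow(SAMPLE_SHADOW)
    for user in result["legacy_des"]:
        print(f"{user}: DES crypt hash, password truncated to 8 characters")
    for user in result["empty_password"]:
        print(f"{user}: EMPTY password field")
    print("schemes:", result["schemes"])
```

On the constructed sample this reports `alice` as still on DES crypt and `carol` as having an empty password field, while `dave` shows up as a locked account that nonetheless carries a SHA-256-crypt hash. Accounts found on DES crypt keep their weak hash until the user next changes their password, so a scheme change in PAM needs to be paired with forced password changes for those users.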
------------------------------------------------------------
To unsubscribe: send mail to ossig-request@mncc.com.my
with "unsubscribe ossig" in the body of the message
------------------------------------------------------------