Sat, 18 Aug 2007

Risk Assessment Resources (from the SAGE mailing list)
A guy (Scott Lazzari) on the SAGE list asked:

I've been tasked with putting together a risk assessment for the local office where I do nuts-to-bolts IT support. So far, I've identified the key equipment, and assigned a criticality level to this equipment. I'm not sure where I should go from here. My background is much more tech-oriented - fixing and installing equipment, servers, etc., so this level of business analysis is a little new to me.

Does anyone have some good resources, or advice they could drop my way?

A summary of the risk assessment resources suggested in response, with the responders who suggested them:

Last Updated: 08/18/2007 09:33   by Richard | Filed in: [/security]


Mon, 18 Dec 2006

Running PHP?
If you're running PHP on production sites, especially in a shared hosting environment, you should probably add the PHP Security Blog to your RSS reader.

If you can get past the mild case of bad attitude, the details are very interesting.

Last Updated: 12/18/2006 20:06   by Richard | Filed in: [/security]


Wed, 11 Oct 2006

Daily Incidents and Vulnerabilities Reading
I sent this to my team recently:

Here are the various security vulnerability sources I am using daily:

I'm also reading RSS feeds for the following:

  • bugtraq
  • incidents
  • full-disclosure

You can get subscription info at http://seclists.org/

The SANS Internet Storm Center RSS is also good: http://isc.sans.org/

There's occasional duplication in some of these.

Last Updated: 10/11/2006 10:42   by Richard | Filed in: [/security]


Mon, 25 Sep 2006

Schneier on "Strategic Software"
Computer security professional Bruce Schneier makes some good points about the importance of some software to an industry or even the economy. And he says, for the one-millionth time, "practice defense in depth."

It's a situation that snuck up on us. Everyone knew that the software that flies 747s or targets cruise missiles was critical, but who thought of the airlines' weight and balance computers, or the operating system running the databases and spreadsheets that determine which cruise missiles get shipped where?

And over the years, common, off-the-shelf, personal- and business-grade software has been used for more and more critical applications. Today we find ourselves in a situation where a well-positioned flaw in Windows, Cisco routers or Apache could seriously affect the economy.

...

If we were to get serious about critical infrastructure, we'd recognize it's all critical and start building security software to protect it. We'd build our security based on the principles of safe failure; we'd assume security would fail and make sure it's OK when it does. We'd use defense in depth and compartmentalization to minimize the effects of failure. Basically, we'd do everything we're supposed to do now to secure our networks.

I'd add that the ability to quickly respond to an exploit or vulnerability comes from being prepared. You should never have to hand-compile Apache and push it to your web servers, or futz with some arcane dependency problem, in the face of an attack or vulnerability.

Take the time now, with no one in your face, to package your software and work out the dependencies. Practice the drill for remediating a serious flaw. As an administrator who cares about security, ask yourself, "how would I react to the announcement of a serious flaw in ________ (choose your most visible, important, or exposed piece of software)?"

Rinse and repeat.

Work out the weaknesses in your packaging, communications, and processes. The processes may not exist or may be broken; better to find out now than during an incident, right?

Now you have a to-do list. Get to work.
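As an added example of the drill described above (this is not code from the original post or from Schneier), here is a small Python helper that turns a "serious flaw in ________, fixed in version X" announcement into the to-do list: it walks a host inventory, picks out the affected installs, and orders them by exposure so the compartmentalization question ("what is reachable from where?") drives the order of work. The inventory, the advisory values and the exposure categories are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    software: str
    version: str
    exposure: str  # assumed categories: "internet", "internal", "isolated"


# Most exposed first: the order in which the drill should have you patching.
EXPOSURE_RANK = {"internet": 0, "internal": 1, "isolated": 2}


def parse_version(v: str) -> tuple:
    """Turn '2.2.3' (or '2.2.3-1', packaging suffix ignored) into (2, 2, 3)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """Affected when the installed release is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed_in)


def remediation_todo(inventory, software: str, fixed_in: str):
    """Affected assets for one advisory, most exposed first, then by host."""
    hits = [a for a in inventory
            if a.software == software and is_affected(a.version, fixed_in)]
    return sorted(hits, key=lambda a: (EXPOSURE_RANK[a.exposure], a.host))


# Constructed sample inventory; in practice this comes from your packaging
# and configuration records, which is why the post says to build them now.
INVENTORY = [
    Asset("www1", "apache", "2.2.2", "internet"),
    Asset("www2", "apache", "2.2.3", "internet"),
    Asset("intranet", "apache", "2.0.58-1", "internal"),
    Asset("build", "apache", "2.2.3", "isolated"),
    Asset("db1", "mysql", "5.0.24", "internal"),
]

if __name__ == "__main__":
    # The drill: "serious flaw in apache, fixed in 2.2.3" (constructed advisory)
    for a in remediation_todo(INVENTORY, "apache", "2.2.3"):
        print(f"{a.exposure:9}{a.host:10}{a.software} {a.version} -> 2.2.3")
```

Running the drill on the sample inventory lists www1 before intranet and skips the hosts already at the fixed release; swapping in a real inventory and advisory is the exercise.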

Last Updated: 09/25/2006 19:47   by Richard | Filed in: [/security]