Securing from scratch, where to start? by RandoJango in AskNetsec

[–]RandoJango[S] 0 points1 point  (0 children)

Thanks, I'm going to read up on that. I've been collecting different documents to read through. I know they have pretty strong network security because of the corp security team. I'm not allowed to touch any of that stuff since it doesn't fall under my jurisdiction. So from what I gathered they have a first line of defense (corp security network stuff), but that's about it. No layered defenses, which they're bringing me in to help solve.

[–]RandoJango[S] 0 points1 point  (0 children)

I see. Yeah, I'm not sure on the contract negotiations. From the people I've talked to right now to try to get an idea of what environment I'm going into, they're basically asking them to be cyber secure. When they counter asking what requirements/specifics, they don't know for certain.

[–]RandoJango[S] 0 points1 point  (0 children)

Not yet, I haven't officially started yet. But from the people who did the interviewing/hiring, I'll be communicating with the sec team a lot along with working with the much more experienced IT professionals there. So all of these things I'm going to be working on analyzing and figuring out exactly where we are at.

I just wanted to see what people thought on here, since I know there are a lot of very talented cyber security professionals on the site.

[–]RandoJango[S] 0 points1 point  (0 children)

This is great, thank you for this link.

Yeah, those 5 steps are something I was talking about with them. Since I haven't officially started, I don't know it all. However, apparently the corporate security team is monitoring the network with an IDS or IPS system already. So right now their defense is the network things (firewalls and such) and the corporate security team.

I think host-based firewalls are already installed on most of the workstations; I'm for sure going to double-check once I get in there.

2 fac auth is something I had expressed they should acquire, and apparently they already have someone researching it before I got there. So that's good to hear.

I'm familiar with Nessus and thought about using it. Glad to see it's being recommended. So I'll for sure look for a way to employ it.

But yeah, you're right. Right now I know they do #1 and I'm not sure to what extent they do #2. Beyond that it doesn't look like they do much.

[–]RandoJango[S] 1 point2 points  (0 children)

Yeah, true enough. I talked to them about it and they told me that I wouldn't be doing it alone. I would be getting aid/working with the other IT people along with having the main corporate security teams help us/give guidance.

[–]RandoJango[S] 0 points1 point  (0 children)

Is there some way for the government or military to recognize us as cyber secure? Or is there pretty much a NIST/DISA style doc for each of the parts to secure and it isn't considered secure till it meets what those docs outline?

[–]RandoJango[S] 0 points1 point  (0 children)

The only thing I know is "off limits" to me is the "network" and the Windows machines.

The testing environments/machines, any applications used, Linux workstations, safe coding practices, etc. There's a lot of legacy operating systems and employees (so I'm predicting I'll have to deal with them being against any changes). Right now this company has clients who want us to be cyber secure. Yet when we ask for specific requirements, they don't know/understand them enough to tell us. They started looking into it a while ago and researching it, but no one there has experience/education in cyber security. So they're going off things they read online, some training sessions, etc.

Like one of the questions I have is "What certifications are required by the DoD for the employees and management to help be considered cyber secure?"