Security Analyst

Posted by ayoi | NSM | Monday 29 January 2007 12:35 pm

~DISCLAIMER~

~In no way am I trying to impose my beliefs/opinions/views on you. I also never state or claim that I am damned good in this field or that my beliefs/opinions/views are always correct. Security is an ongoing, evolving process where, IMHO, if you feel satisfied with your current knowledge, you'll be obsolete before you can even say "berak". I always promote knowledge sharing, and every opinion, comment and view is always welcome. Thank you for reading and for your feedback.~

I used to post about how my team of analysts and I had to monitor the network and identify threats (structured and unstructured, but most of the time the latter). Even though we do have information on the assets we monitor, after some time the info turns out to be damned obsolete. That's why I always tell my analysts that we are miracle workers. Why?

a). The client feels like they simply don't have to inform us whenever a new asset is added into the DMZ.

b). They change their IP range without informing us. As a result their assets aren't registered in the IDS.

c). No strict policy. I've encountered a case where a workstation bypassed the firewall and had a direct connection to the router. :P

d). "I thought we could just put any number we like for a (private) IP?"

e). Incompetent network administrators (sorry to say this). But that happens a lot!

f). No further data available to support our analysis.

The list can go on and on, but I'd better stop at (f).

Monitoring this kind of network is tiring and troublesome (trust me). How do you monitor a network that you don't even know, or don't have the correct information about? IMHO it should be:

A. DMZ

a). Information on the asset

i). Hardware

ii). Software
- Operating system (version, service packs)
- Services provided by the asset
- Applications that provide those services (including the version)

iii). IP address – public and private

iv). It would do no harm if we could also get the info on whether the asset will be maintained remotely or not. If yes, then we should ask which IP or IP range would be used in the maintenance process.

Any other info needed?
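The checks below are an added example, not code from the original post or from the author's team. They turn the asset list above into a record and verify the things the post complains about: fields left blank, a "private" IP that is not from RFC 1918 (point d), an address that falls outside the range the IDS actually monitors because the client moved the range without telling anyone (point b), and a remote-maintenance source range that is missing or wide open (item iv). The record layout, the `home_nets` parameter (the IDS HOME_NET as a list of CIDR strings) and all addresses in the sample inventory are assumptions constructed for the example; the public addresses use the RFC 5737 documentation block, not real hosts.

```python
"""Asset-inventory sanity checks for a monitored DMZ (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 private blocks: the only legitimate choices for a "private" IP.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Asset:
    """One DMZ asset record with the fields the post asks the client for (assumed layout)."""
    name: str
    hardware: str
    os: str                 # e.g. "Windows 2003 SP1" (version and service pack)
    services: dict          # service name -> application providing it, with version
    private_ip: str
    public_ip: str = ""     # empty when the asset is not exposed / not NATed
    maintenance_from: list = field(default_factory=list)  # remote-admin source ranges


def in_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def check_asset(asset, home_nets):
    """Return a list of findings for one asset; an empty list means the record is usable."""
    findings = []
    home = [ipaddress.ip_network(n) for n in home_nets]

    # 1. Missing information turns every alert about this host into a guess.
    for fld in ("hardware", "os", "private_ip"):
        if not getattr(asset, fld):
            findings.append(f"{fld} not documented")
    if not asset.services:
        findings.append("no services documented")
    for svc, app in asset.services.items():
        if not any(ch.isdigit() for ch in app):   # no version number at all
            findings.append(f"service {svc!r}: application {app!r} has no version")

    # 2. A private IP must come from RFC 1918, not be "any number you like".
    priv = None
    try:
        priv = ipaddress.ip_address(asset.private_ip)
    except ValueError:
        findings.append(f"private_ip {asset.private_ip!r} is not a valid IP")
    else:
        if not in_rfc1918(priv):
            findings.append(f"private_ip {priv} is outside RFC 1918")

    # 3. The public side must not be a private address either.
    pub = None
    if asset.public_ip:
        try:
            pub = ipaddress.ip_address(asset.public_ip)
        except ValueError:
            findings.append(f"public_ip {asset.public_ip!r} is not a valid IP")
        else:
            if in_rfc1918(pub):
                findings.append(f"public_ip {pub} is an RFC 1918 address")

    # 4. An asset outside the IDS HOME_NET is an asset nobody is monitoring.
    for label, ip in (("private_ip", priv), ("public_ip", pub)):
        if ip is not None and not any(ip in net for net in home):
            findings.append(f"{label} {ip} is not inside the IDS HOME_NET")

    # 5. Remote maintenance sources must parse, and must not be the whole Internet.
    for rng in asset.maintenance_from:
        try:
            net = ipaddress.ip_network(rng, strict=False)
        except ValueError:
            findings.append(f"maintenance range {rng!r} is not a valid network")
            continue
        if net.prefixlen == 0:
            findings.append(f"maintenance range {rng} allows any source")
    return findings


def audit(assets, home_nets):
    """Map asset name -> findings, for every asset with at least one problem."""
    report = {}
    for a in assets:
        f = check_asset(a, home_nets)
        if f:
            report[a.name] = f
    return report


# Constructed sample: HOME_NET as configured on the IDS, and three asset records.
SAMPLE_HOME_NET = ["203.0.113.0/24", "10.10.0.0/16"]
SAMPLE_ASSETS = [
    Asset("web01", "Dell PE2950", "RHEL 4 U5", {"http": "Apache 2.0.59"},
          "10.10.1.10", "203.0.113.10", ["198.51.100.0/28"]),
    # OS never documented and a made-up "private" IP: the "any number will do" case.
    Asset("mail01", "HP DL380", "", {"smtp": "Sendmail"}, "20.30.40.50", "203.0.113.25"),
    # Private range moved without telling the NSM team, and maintenance open to anyone.
    Asset("ftp01", "IBM x3650", "Windows 2003 SP1", {"ftp": "IIS 6.0"},
          "10.20.1.5", "203.0.113.30", ["0.0.0.0/0"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ASSETS, SAMPLE_HOME_NET).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Running it as-is reports nothing for `web01`, four findings for `mail01` (undocumented OS, unversioned application, private IP outside RFC 1918 and therefore also outside HOME_NET) and two for `ftp01` (private IP outside HOME_NET, maintenance range open to any source). In practice the inventory would be loaded from the client's records and `home_nets` from the IDS configuration, so the same check can be re-run whenever either side changes.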

3 Comments

  1. Comment by IP_wind — February 7, 2007 @ 8:58 pm

    Just want to add: internal IPs are only for Windows PCs… Unix can't use them, or Gates will get angry…

  2. Comment by abc — February 14, 2007 @ 1:46 am

    That's normal. Not many people know, even though they work in the IT field. But there are also some who are truly experts.

  3. Comment by jared — February 15, 2007 @ 12:57 pm

    yes true true
