Free Management Security Assess= ment MSA Executive Analysis Scorecard Prioritized Action http://video.google.com/videoplay?docid=3D-41744491= 0876190163&q=3Drushinek+Accounting

(888)ITISJo= b.Net - Information Technology Information Systems Job Network specializing in Managemnt Baseline Security Analysis (MBSA) Vulnerability Assessment http://video.google.com/videoplay?docid=3D-2199987= 895572940206&q=3Drushinek+Accounting

(888)Nets-E= xpert.Org - the Network of Experts Organization providing Expert Witness Testimony and Computer Litigation Support Services email@Nets-Expert.Org h= ttp://video.google.com/videoplay?docid=3D5240188564675855151

(305)6384-3= 97 http://video.google.com/videoplay?docid=3D-4470389= 520639706819&q=3Drushinek+Accounting

Dr. A, &= ; S. Rushinek, Ph.D. U. of Miami Professor, eMail@OnAFree.com , 1205 Mariposa Ave. #208, Coral Gabl= es Fl, 33146

Accounting = and Computer Information Systems Dept., Business School, 417 Jenkins Bldg, U of Miami, = Coral Gables Fl, 33124

Free_Management_Secur= ity_Assessment_MSA_Executive_Analysis_Scorecard_Prioritized_Action http://www.webjobnet.com/ http://www.ITISJob.net <= /span>

3DMOL03E.ASF

(305)Web-Job-Net a Network of Jobs on= the Web

(305)932-5626 a Network of Jobs on th= e Web

e-Mail: ARsuh@OnTri= al.Org The On Trial Expert Witness Testimony & Computer Litigation team

Dr. A. Rush (305)668-7425

http://www.onafree.com/default= .aspx http://www.onafree.com/Quiz%20Engine%20= Projects/1Free%20Managemnt%20Baseline%20Security%20Analysis%20(MBSA)%20Vuln= erability%20Assessment%20Trustworthy%20Computing%20Scanner.htm

http://www.on= afree.com/Lists/Announcements/DispForm.aspx?ID=3D13&Source=3Dhttp%3A%2F= %2Fwww%2Eonafree%2Ecom%2Fdefault%2Easpx

This report contains = the following sections:

qExecutive Summary
  wIntroduction
  wBackground: Assessment Process and Scope
  wSituation Analysis
  wScorecard
  wSecurity Initiatives
qAssessment in Detail
  wAreas of Analysis
    wInfrastructure
    wApplications
    wOperations
    wPeople
qPrioritized Action List
qAppendices
  wQuestions and Answers
  wGlossary
  wInterpreting the Graphs

A Microsoft partner c= an review this report with you and help with developing a detailed action plan= for implementing the recommendations. If you do not have an existing relationsh= ip with a Microsoft partner, you may wish to view a list of Microsoft Partners= for Security Solutions at http://directory.microsoft.com/mprd/.=

The Microsoft Security Assessment Tool is designed to help = you determine the level of risk your computing infrastructure faces and the ste= ps you have taken to mitigate that risk, and to off= er suggestions of additional steps you can take to help further reduce your le= vel of risk. It is not a replacement for an audit by a professional security consultant.

Use of the Microsoft Security Assessment Tool is governed by the terms of t= he End-User License Agreement (EULA) which accompanied the software, and this report is subject to the exclusions, disclaimers, and limitations of liabil= ity contained in the EULA.

This report is for informational purposes only. Neither Microsoft Corporation, its suppliers, or partners make any representation or warranty of any kind, whether express or implied, concern= ing the Security Assessment Tool, or the use, accuracy, or reliability of the results of the Assessment and information contained in this report.

Executive Summ= ary

Introduction

This Microsoft Securi= ty Assessment Tool is designed to assist you with identifying and addressing security risks in your computing environment. The tool employs a holistic approach to measuring security strategy by covering topics across people, process, and technology. Findings are coupled with recommended mitigation efforts, including links to more information for additional guidance if nee= ded. These resources may assist you in learning more about the specific tools and methods that can help increase the security of your environment.=

This summary section = is intended to give IT and senior managers a snapshot of the company's overall security posture. Detailed findings and recommendations can be found in the detailed report following.

Background: Assessment Process and Scope

The assessment is des= igned to identify the business risk of your organization and the security measures deployed to mitigate risk. Focusing on common issues in this market segment, the questions have been developed to provide a high-level security risk assessment of the technology, processes, and people that support the busine= ss.

Beginning with a seri= es of questions about your company's business model, the tool builds a Business R= isk Profile (BRP), measuring the risk of doing business your company must face = due to the industry and business model chosen. A second series of questions are posed to compile a listing of the security measures your company has deploy= ed over time. Together, these security measures form layers of defense, provid= ing greater protection against security risk and specific vulnerabilities. Each layer contributes to a combined strategy for defense-in-depth. This sum is referred to as the Defense-in-Depth Index (DiDI). The BRP and DiDI are then compared to measure risk distribution across the areas of analysis (AoAs)—infrastructure, applications, operations, and people.

In addition to measur= ing the alignment of security risk and defenses, this tool also measures the security maturity of your organization. Security maturity refers to the evolution of strong security and maintainable practices. At the low end, few security defenses are employed and actions are reactive. At the high end, established and proven processes allow a company to be more proactive, and respond more efficiently and consistently when needed.

Risk management recommendations are suggested for your environment by taking into considera= tion existing technology deployment, current security posture, and defense-in-de= pth strategies. Suggestions are designed to move you along a path toward recogn= ized best practices.

This assessment—including the questions, measures, and recommendations—is designed for midsize organizations that have betwe= en 50 and 500 desktops in their environment. It is meant to broadly cover area= s of potential risk across your environment, rather than provide an in-depth ana= lysis of a particular technology or process. As a result, the tool cannot measure= the effectiveness of the security measures employed. To that end, this report should be used as a preliminary guide to help you focus on specific areas t= hat require more rigorous attention, and should not replace a focused assessmen= t by trained third-party assessment teams.

Situation Analysis

This section graphica= lly represents the concepts described above for your organization, based on the answers you provided. As a reminder:

BRP is a measure of the r= isk related to the industry and business model of the company <= /span>
DiDI is a measure of the security defenses used across people, process, and technology to help mitigate identified risks to the business
Security Maturity is a me= asure of the organization's ability to effectively use the tools available to create a maintainable security level across many disciplines

[See Appendices for additional information on these terms and how to interpret the graphs.]=

Results:

Areas of Analysi= s	Risk-Defense Distribution	Security Maturity
Infrastructure
Applications
Operations<= /p>
People

Risk-Defense Distribution

This chart indicates differences in the Defense-in-Depth score, organized by Area of Analysis. B= ased on your answers to the risk assessment and as depicted in the chart below, = it appears that additional focus is needed to shore up security measures in so= me areas. This is a strong indicator that your security posture is based on a = few standard security solutions. Contacting a security partner that can help you identify critical areas of risk should be made a priority of your near term security plans.

Figure 1: Comparison of BRP and DiDI=

In general, it is bes= t to have a DiDI rating on par with the BRP rating for the same category. An imbalance either within a category or across categories—in either direction—may indicate the need to realign your IT investments.<= /o:p>

Security Maturity

Security maturity is inclusive of controls (both physical and technical), the technical acumen o= f IT resources, policy, process, and maintainable practices. Security maturity c= an be measured only through the organization's ability to effectively use the tools available to create a maintainable security level across many disciplines. A baseline of security maturity should be established and used= to define areas of focus for the organization's security programs. Not all organizations should strive to reach the optimized level, but all should as= sess where they are and determine where they should be, in light of the business risk they face. For example, a company with a low-risk environment may never need to advance beyond the upper range of the Baseline level or the lower r= ange of the Standardized level. A company with a high-risk environment will like= ly push well into the Optimized level. Your Business Risk Profile scores help = you gauge your risk.

nSecurity Maturity<= /span>	A measure of a company's prac= tices against industry best practices for maintainable security. Each company should strive to align its maturity level, and associated security strate= gy, relative to the risks taken in doing business:
nBaseline	Some proactive security measu= res deployed as first-line defenses; operations and incident response still v= ery reactive
nStandardized	Multiple layers of defense de= ployed in support of a defined strategy
nOptimized	Effectively protecting the ri= ght things the right way and ensuring ongoing utilization of best practices

Based on your answers= to the risk assessment and as depicted in the chart below, your company is doi= ng well in that it has a defined security strategy and a practices defense in depth. You can further enhance your maturity by leveraging your comprehensi= ve corporate security policy, IT security policies and procedures for the IT infrastructure. Use those to define a layered approach to security that fol= lows industry best practices, and applies only the necessary amount of protectio= n to assets.

Figure 2: Security Maturity

Scorecard

Based on your answers= to the risk assessment, the following ratings have been applied to your defens= ive measures. The Assessment Detail and Prioritized Action List sections of this repo= rt include further detail for each, including the findings, best practices, an= d recommendations.

Legend:

Meets best practice

Needs improvement

Severely lacking=

Infrastructure
Perimeter Defense
Firewall Rules and Filters<= o:p>
Anti-virus
Anti-virus - Desktops<= /o:p>
Anti-virus - Servers
Remote Access
Segmentation
Remote-Access Users
Intrusion-Detection System = (IDS)
Wireless<= /p>
Authentication
Administrative Users
Internal Users
Remote-Access Users
Password Policies
Password Policies - Adminis= trator Account
Password Policies - User Ac= count
Password Policies - Remote-= Access Account
Management and Monitoring
Build
Secure Build
Third-Party Relationships
Physical Security

Operations
Environment
Firewall Rules and Filters<= o:p>
Administrative Users
Management Host<= /span>
Management Host - Servers
Management Host - Network D= evices
Third-Party Relationships
Security Policy<= /span>
Secure Build
Protocols & Services
Acceptable Use
User Account Management
Security Requirements<= /o:p>
Governance
Security Policy<= /span>
Patch & Update Manageme= nt
Network Documentation<= /o:p>
Application Data Flow<= /o:p>
Patch Management=
Virus Signatures=
Change Management and Configuration
Backup and Recovery
Log Files=
Log Files - Rotation
Backup
Backup Media
Backup & Restore

Applications
Applications
Load-Balancing
Clustering
Application & Data Reco= very
Third-party independent sof= tware vendor (ISV)
Internally Developed
Vulnerabilities<= /span>
Application Design
Authentication
Password Policies
Authorization & Access Control
Logging
Input Validation=
Data Storage & Communic= ations
Encryption
Encryption - Algorithm=

People
Requirements & Assessme= nts
Security Requirements<= /o:p>
Security Assessments
Security Awareness
Policy & Procedures
Background Checks
Human Resources Policy=
Third-Party Relationships
Training & Awareness
Security Awareness

Security Initiatives

The following areas f= all short of best practices and should be addressed to increase the security of your environment. The Assessment Detail and Prioritized Action List sections of this repo= rt include further detail for each, including the findings, best practices, and recommendations.

High Priority	Medium Priority<= o:p>	Low Priority
Anti-virus - Servers= Clustering Anti-virus - Desktop= s Management Host - Se= rvers Application & Da= ta Recovery	Virus Signatures Protocols & Serv= ices Intrusion-Detection = System (IDS) Application Data Flo= w Backup & Restore=	Firewall Rules and F= ilters Governance Management Host= Backup Management Host - Ne= twork Devices

High Priority

Medium Priority<= o:p>

Low Priority

Anti-virus - Servers=

Clustering

Anti-virus - Desktop= s

Management Host - Se= rvers

Application & Da= ta Recovery

Virus Signatures

Protocols & Serv= ices

Intrusion-Detection = System (IDS)

Application Data Flo= w

Backup & Restore=

Firewall Rules and F= ilters

Governance

Management Host=

Backup

Management Host - Ne= twork Devices

Assessment in Detail

This section of the r= eport provides the detailed findings for each category, as well as best practices, recommendations, and references for additional information. Recommendations= are prioritized in the following section.

Areas of Analysis

The following table l= ists the areas that were included for high-level analysis in this security risk assessment and describes each area's relevance to security. The Assessment Detail section of this document describes your organization's security post= ure (based on answers you gave during the assessment) in each of these areas and provides industry-recognized best practices and recommendations for achievi= ng those practices.

Cate= gory	Impo= rtance to security
Busin= ess Risk Profile
Business Risk Profil= e	Understanding how the nature of your business affects risk is important in determining where to apply resources in order to help mitigate those risks. Recognizing critic= al areas of business risk will help you to optimize allocation of your secur= ity budget.
Infra= structure
Perimeter Defense	Perimeter defense addresses security at network borders, where your internal network connec= ts to the outside world. This constitutes your first line of defense against intruders.
Authentication<= /o:p>	Rigorous authenticat= ion procedures for users, administrators, and remote users help to ensure that outsiders do not gain unauthorized access to the network through the use = of local or remote attacks.
Management & Monitoring	Management, monitori= ng, and proper logging are critical to maintaining and analyzing IT environme= nts. These tools are even more important after an attack has occurred and inci= dent analysis is required.
Workstations	The security of indi= vidual workstations is a critical factor in the defense of any environment, especially when remote access is allowed. Workstations should have safegu= ards in place to resist common attacks.
Appli= cations
Deployment & Use=	When business-critic= al applications are deployed in production, the security and availability of those applications and servers must be ensured. Continued maintenance is essential to help ensure that security bugs are patched and that new vulnerabilities are not introduced into the environment.
Application Design	Design that does not properly address security mechanisms such as authentication, authorizatio= n, and data validation can allow attackers to exploit security vulnerabiliti= es and thereby gain access to sensitive information.
Data Storage & Communications	Integrity and confidentiality of data is one of the greatest concerns for any business. Data loss or theft can hurt an organization's revenue as well as reputati= on. It is important to understand how applications handle business critical d= ata and how that data is protected.
Opera= tions
Environment	The security of an organization is dependent on the operational procedures, processes and guidelines that are applied to the environment. They can enhance the secu= rity of an organization by including more than just technology defenses. Accur= ate environment documentation and guidelines are critical to the operation te= am's ability to support and maintain the security of the environment.
Security Policy=	Corporate security p= olicy refers to individual policies and guidelines that exist to govern the sec= ure and appropriate use of technology and processes within the organization. = This area covers policies to address all types of security, such as user, syst= em, and data.
Backup & Recover= y	Data backup and reco= very is essential to maintaining business continuity in the event of a disaste= r or hardware/software failure. Lack of appropriate backup and recovery proced= ures could lead to significant loss of data and productivity.
Patch & Update Management	Good management of p= atches and updates is important to securing an organization's IT environment. Th= e timely application of patches and updates is necessary to help protect against k= nown and exploitable vulnerabilities.
Peopl= e
Requirements and Assessments	Security requirements should be understood by all decision-makers so that both their technical = and business decisions enhance security rather than conflict with it. Regular assessments by a third party can help a company review, evaluate, and identify areas for improvement.
Policies and Procedu= res	Clear, practical procedures for managing relationships with vendors and partners can help limit your company's exposure to risk. Procedures covering employee hiring and termination can help protect your company from unscrupulous or disgruntled employees.
Training and Awarene= ss	Employees should be trained and made aware of how security applies to their daily job activit= ies so that they do not inadvertently expose their company to greater risks.<= o:p>

Assessment Analysis

This section is divided into the four major areas of analysis—Infrastructu= re, Applications, Operations, and People.

Infrastructure

Infrastructure securi= ty focuses on how the network should function, what business processes (intern= al or external) it must support, how hosts are built and deployed, and how the network will be managed and maintained. Effective infrastructure security c= an help provide significant improvements in the areas of network defense, inci= dent response, network availability, and fault analysis. By establishing a sound infrastructure design that is understood and followed, an organization can identify areas of risk and can design methods of threat mitigation. The assessment reviews high-level procedures that an organization can follow to help mitigate infrastructure risk by focusing on the following areas of infrastructure security:

Perimeter Defense—Firewalls, Anti-virus, Remote Access, Segmentation<= /o:p>
Authentication—Pass= word Policies
Management & Monitoring—Management Hosts, Log files
Workstation—Build Configuration

Peri= meter Defense

Subca= tegory

Best Practices

Firewall Rules an= d Filters

Firewalls are a firs= t-line defense mechanism and should be placed at all network border locations. R= ules implemented on firewalls should be highly restrictive and set on a host-by-host and service-by-service basis.

When creating firewall rules and router ACLs (Access Control Lists), focu= s on first protecting access control devices and the network from attack.

+ Enforce data flow by use of network ACLs and firewall rules.
+ Test firewall rules and router ACLs to determine whether or not existin= g rules contribute to Denial of Service (DoS) attacks.
+ Deploy one or more DMZs as part of a systematic and formal firewall development.
+ Place all Internet accessible servers there. Restrict connectivity to a= nd from the DMZs.

	Findi= ngs	Recom= mendations
Firewall Rules and Filters	You have indicated t= hat you do not know the answer to this question	Review this open ite= m with your IT staff or a security partner. Input the most appropriate answer to this question in the MSAT for further information.

	Findi= ngs	Recom= mendations
Firewall Rules and Filters	Your answers indicat= e that not only have you deployed firewalls at network borders, you have also ta= ken an extra precaution by creating one or more DMZ segments to protect Internet-accessible resources.	Review firewall poli= cies regularly and prune old or improper rules. Implement rules for controlling inbound and outbound access and consider implementing egress filtering to prevent unnecessary outbound connections. Limit internal users' direct access to DMZ segments as it is not likely t= hey would work with the host computers that reside in the DMZ on a regular ba= sis. Limit access from the core network into the DMZ segment to only specific hosts or administrative networks.

	Findi= ngs	Recom= mendations
Firewall Rules and Filters	You have indicated t= hat host-based firewall software is used to protect servers.	Continue installing host-based firewalls on all servers, and consider extending this software= to all desktops and laptops in the organization also.

&n= bsp;

Resources

Securing Your Netw= ork

This article, written= for network administrators and IT professionals, presents an overview of the top network-level threats and the ways in which you can counter them. The autho= rs review security issues and the configuration settings to be applied to rout= ers, firewalls and switches.

http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMC= h15.asp

FAQ About Internet Firewalls

This FAQ is appropria= te for users who are not IT professionals and who have questions about using and deploying a firewall.

http://www.microsoft.com/security/protect/firewall.asp<= /span>

Subca= tegory

Best Practices

Anti-virus

Deploy anti-virus solutions throughout the environment on both the server and desktop level= s. Deploy specialized anti-virus solutions for specific tasks such as file server scanners, content screening tools, and data upload and download scanners. Configure anti-virus solutions to scan for viruses both entering and leaving the environment.

Anti-virus solutions should be implemented first on critical file servers= and then extended to mail, database, and Web servers.

For desktops and laptops an anti-virus solution should be included in the default build environment.

If you are using Microsoft Exchange, use the additional anti-virus and content filtering-capabilities it offers at the mailbox level.=

	Findi= ngs	Recom= mendations
Anti-virus	You have indicated t= hat perimeter hosts have anti-virus software installed.

	Findi= ngs	Recom= mendations
Anti-virus	You have indicated t= hat email servers have anti-virus software installed.

&n= bsp;

Resources

FAQ About Anti-vir= us Software

This FAQ is appropria= te for users who are not IT professionals and who have questions about using antiv= irus software.

http://www.microsoft.com/security/protect/antivirus.asp

Subca= tegory	Best Practices
Anti-virus - Desk= tops

	Findi= ngs	Recom= mendations
Anti-virus - Desk= tops	You indicated that anti-virus solutions have not been deployed at the desktop level.	Consider deploying an anti-virus solution to all employees' laptops and/or desktops. Add the anti-virus client in the default workstation build environment.

&n= bsp;

Subca= tegory	Best Practices
Anti-virus - Serv= ers

	Findi= ngs	Recom= mendations
Anti-virus - Serv= ers	You indicated that anti-virus solutions have not been deployed at the server level.	Consider deploying an anti-virus solution to critical file servers initially and then to e-mail, database, and web servers. If you are using Microsoft Exchange, consider using the additional anti-virus and content-filtering capabilities at the mailbox level.

&n= bsp;

Subca= tegory

Best Practices

Remote Access

Workstations are a critical factor in the defense of any environment, especially if there are remote and roaming users that connect to the environment.

Tools such as personal firewalls, anti-virus, and remote-access software should be present and properly configured on all workstations.

Implement a policy which requires periodic review of these tools to make = sure their configurations reflect changes in applications and services being u= sed, but at the same time still keep the workstation resistant to attacks.

	Findi= ngs	Recom= mendations
Remote Access	You have indicated t= hat remote access to your organization's network is available

	Findi= ngs	Recom= mendations
Remote Access	Your answers indicat= e that not only have you implemented a VPN for remote access, but you have also incorporated multifactor authentication as a second line of defense.=	Regularly audit the = access list for all the users on the VPN device. Consider managing the VPN device from inside the corporate network only.

	Findi= ngs	Recom= mendations
Remote Access	Your answers indicat= e that employees and/or partners remotely connect to your internal network, but = no VPN technology is currently being used to secure access for these users.<= o:p>	Deploy VPN for remote-user-access connectivity based on IP Security (IPSec), Secure Sock= ets Layer (SSL), and Secure Shell (SSH) technologies. Deploy site-to-site connectivity based on IPSec technology. Configure net= work access lists and user access lists for restricting access to necessary corporate resources.

	Findi= ngs	Recom= mendations
Remote Access	You have indicated t= hat the VPN is capable of limiting connectivity to a quar= antine until all necessary security checks have been passed.

&n= bsp;

Subca= tegory

Best = Practices

Segmentation=

Use segmentation to separate specific extranets from vendor, partner, and customer access.

Each external network segment should allow only specific application traf= fic to be routed to the specific application hosts and ports that are used to supply services to customers.

Ensure that network controls are in place to restrict access to only what= is required for each third-party connection.

Restrict access to and from the network services being provided, and rest= rict access between network segments.

	Findi= ngs	Recom= mendations
Segmentation=	Your response indica= tes that Internet-facing services are hosted on your organization's network	Ensure that firewall= s, segmentation and intrusion-detection systems are in place in order to pro= tect the company's infrastructure from Internet-based attacks.

	Findi= ngs	Recom= mendations
Segmentation=	You have indicated t= hat the network has more than one segment.	Continue using netwo= rk segmentation in order to better manage network traffic and limit access t= o resources based on user requirements.

	Findi= ngs	Recom= mendations
Segmentation=	Your answer indicate= s that network segmentation is not currently being used in the environment. It is important to keep customer-/partner-specific extranet services on their o= wn network segments.	Move extranet access servers to a physically separate network segment. Apply restrictive access controls to allow third-party access to specific hosts only, restrict access to only necessary corporate infrastructure, a= nd block connection attempts to remote networks.

	Findi= ngs	Recom= mendations
Segmentation=	You have indicated t= hat hosts are grouped into network segments based on offering similar service= s.

	Findi= ngs	Recom= mendations
Segmentation=	You have indicated t= hat hosts are grouped into network segments based on providing only the neces= sary services for the users that connect.

&n= bsp;

Subca= tegory

Best Practices

Remote-Access Use= rs

Implement complex pa= ssword controls for all users of remote access, whether this access is granted through the use of dial-up or VPN technologies. A password is considered = to be complex if it meets the following criteria:

+ Alphanumeric
+ Upper and lower case
+ At least one special character
+ Minimum length of 8 characters

Implement an additional factor of authentication for accounts that are granted remote access. Also consider implementing advanced controls around account management (do not allow sharing of accounts) and account access logging.

In the case of remote access, it is especially important to protect the environment through the use of strong account management practices, sound logging practices, and incident detection capabilities. To further mitiga= te the risks of brute-force password attacks, consider implementing the following controls:

+ Password expiration
+ Account lockout after 7 to 10 failed login attempts
+ System logging

Remote-access services should also take into account systems that will be used to access the network or hosts. Also consider implementing controls around hosts that are allowed to access the network via remote access.

	Findi= ngs	Recom= mendations
Remote-Access Use= rs	You have indicated t= hat employees are not able to remotely connect to the network.	By not allowing remo= te access, you reduce your overall risk. However if remote access is planned= or implemented in the future, be sure to follow best practice when deploying= the remote-access solution in order to minimize the risk associated with that access.

	Findi= ngs	Recom= mendations
Remote-Access Use= rs	You have indicated t= hat contractors are not able to remotely connect to the network.	By not allowing remo= te access, you reduce your overall risk. However if remote access is planned= or implemented in the future, be sure to follow best practice when deploying= the remote-access solution in order to minimize the risk associated with that access.

	Findi= ngs	Recom= mendations
Remote-Access Use= rs	You have indicated t= hat third parties are not able to remotely connect to the network.=	By not allowing remo= te access, you reduce your overall risk. However if remote access is planned= or implemented in the future, be sure to follow best practice when deploying= the remote-access solution in order to minimize the risk associated with that access.

&n= bsp;

Subca= tegory	Best Practices
Intrusion-Detecti= on System (IDS)	Both network- and host-based intrusion-detection systems should be deployed to detect and notify of attacks against corporate systems.

	Findi= ngs	Recom= mendations
Intrusion-Detecti= on System (IDS)	You have indicated t= hat you are using intrusion-detection hardware or software.=

	Findi= ngs	Recom= mendations
Intrusion-Detecti= on System (IDS)	You have indicated t= hat you are not using a host-based intrusion-detection system (HIDS)	Consider deploying host-based intrusion-detection systems, which can help notify administrat= ors that an attack is occurring against your hosts and help the administrators respond in a timely manner.

	Findi= ngs	Recom= mendations
Intrusion-Detecti= on System (IDS)	You have indicated t= hat you are using a network-based intrusion-detection system (NIDS)	Continue the practic= e of deploying a network-based intrusion-detection system. Ensure that the signatures are kept current, and investigate intrusion-prevention technol= ogy as it becomes more widely available.

&n= bsp;

Resources

Auditing & Int= rusion Detection

This document provide= s a high-level overview of what types of events you should be logging and their importance in trying to detect an intruder. It also covers different monito= ring techniques and detection methods.

http://www.microsoft.com/technet/treeview/default.asp?url= =3D/technet/security/prodtech/win2000/secwin2k/09detect.asp<= /span>

Subca= tegory	Best Practices
Wireless	Best practice for wi= reless implementation should include ensuring that the network does not broadcast its SSID; that WPA encryption is used; that the network is fundamentally treated as untrustworthy.

	Findi= ngs	Recom= mendations
Wireless	You have indicated t= hat wireless connectivity to the network is available	In order to minimize= the risk associated with wireless networks, the implementation should include non-broadcast of SSID, WPA encryption, and treating the network as untrus= ted.

	Findi= ngs	Recom= mendations
Wireless	You have indicated t= hat the wireless network is not treated as untrusted.	Consider migrating your wireless network to an untrusted netw= ork segment and requiring the use of VPN or similar technologies in order to better preserve data integrity.

	Findi= ngs	Recom= mendations
Wireless	You have indicated t= hat you are not using WEP encryption in your wireless environment.=	If you are currently= using no encryption, consider using WPA to prevent wireless network traffic fro= m being 'sniffed' and read as clear text.

	Findi= ngs	Recom= mendations
Wireless	You have indicated t= hat you are not using WPA encryption in your wireless environment.=	If you are currently= using no encryption, consider using WPA to prevent wireless network traffic from being 'sniffed' and read as clear text.

	Findi= ngs	Recom= mendations
Wireless	You have indicated t= hat you have not disabled broadcasting of the SSID on the access point.<= /o:p>	Consider disabling S= SID broadcast to make it more difficult for a casual user to attempt to conne= ct to your wireless network.

	Findi= ngs	Recom= mendations
Wireless	You have indicated t= hat you are not using MAC restrictions in your wireless environment.	Consider using WPA authentication in addition to MAC filtering in order to prevent unauthori= zed computers from connecting to the network.

	Findi= ngs	Recom= mendations
Wireless	Your response is tha= t you have changed the SSID on the access point from the default.	Changing the default= SSID is the first step in securing your wireless network. However, this needs = to be combined with further best practices in order to minimize risk. These include non-broadcast of SSID, WPA encryption, and treating the network as untrusted.

&n= bsp;

Auth= entication

Subca= tegory

Best Practices

Administrative Us= ers

For administrative accounts, implement a strict policy that requires the use of complex passwords that meet the following criteria:

+ Alphanumeric
+ Upper and lower case
+ At least one special character
+ Minimum length of 14 characters

To further mitigate the risk of a password attack, implement the following controls:

+ Password expiration
+ Account lockout after 7 to 10 failed login attempts
+ System logging

In addition to implementing complex passwords, consider implementing multifactor authentication. Implement advanced controls around account management (do not allow account sharing) and account-access logging.

	Findi= ngs	Recom= mendations
Administrative Us= ers	Your answers indicat= ed that currently there is either none or only simple password authentication required for administrative access to manage devices and hosts.	Consider implementing complex password controls for all administrative accounts and service accounts. A password is considered to be complex if it meets the following criteria: + Alphanumeric + Upper and lower case + At least one special character + Minimum length of 8 characters

&n= bsp;

Subca= tegory

Best Practices

Internal Users

For user accounts, implement a policy that requires the use of complex passwords that meet t= he following criteria:

+ Alphanumeric
+ Upper and lower case
+ At least one special character
+ Minimum length of 8 characters

To further mitigate the risk of a password attack implement the following controls:

+ Password expiration
+ Account lockout after at least 10 failed login attempts
+ System logging

In addition to complex passwords, consider implementing multifactor authentication.

Implement advanced controls around account management (do not allow shari= ng of accounts) and account-access logging.

	Findi= ngs	Recom= mendations
Internal Users	You indicated that multifactor authentication is required for user access to the internal network and hosts.	To further mitigate = the risk of access to the environment being gained through low-level user accounts, consider implementing the following controls: + Password expiration + Account lockout after at least 10 failed login attempts + System logging Ensure that password controls for both local and domain accounts are enforced.

&n= bsp;

Subca= tegory

Best Practices

Remote-Access Use= rs

	Findi= ngs	Recom= mendations
Remote-Access Use= rs	You indicated that multifactor authentication is required for users who remotely access your internal network and host computers.	To further mitigate = the risks of brute-force password attacks through remote access services, consider implementing the following controls: + Password expiration + Account logout + System logging In the case of remote access, it is especially important to protect the environment through the use of strong account management practices, sound logging practices, and incident detection capabilities. Remote-access services should also take into account the systems that wil= l be used to access the network or hosts. Consider implementing controls around the hosts that are allowed to access the network via remote access.<= /o:p>

&n= bsp;

Subca= tegory	Best Practices
Password Policies=	Typically the restri= ctions around creating passwords for administrators should be greater than those= for normal accounts. On Windows systems, administrative accounts (and service accounts) should= be set with passwords that are 14 characters in length and use alphanumeric = and special characters.

&n= bsp;

Subca= tegory	Best Practices
Password Policies= - Administrator Account

	Findi= ngs	Recom= mendations
Password Policies= - Administrator Account	You have indicated t= hat administrator accounts have password policies implemented.	Consider implementing additional protections around administrative accounts, such as logging and monitoring services, around all successful and failed authentications. Migrate away from clear text protocols.

&n= bsp;

Subca= tegory	Best Practices
Password Policies= - User Account

	Findi= ngs	Recom= mendations
Password Policies= - User Account	You have indicated t= hat user accounts have password policies implemented.	Consider implementing logging thresholds around failed authentications so that alerts can be se= nt to systems administrators. Consider testing the password policies in place.

&n= bsp;

Subca= tegory	Best Practices
Password Policies= - Remote-Access Account

	Findi= ngs	Recom= mendations
Password Policies= - Remote-Access Account	You have indicated t= hat remote access accounts have password policies implemented.	Consider implementing additional security around remote-access accounts through the use of logg= ing and monitoring services on the remote-access device/host. Consider implementing logging thresholds around failed authentications so that alerts can be sent to systems administrators.

&n= bsp;

Mana= gement and Monitoring

Subca= tegory

Best Practices

Build<= /span>

Maintain a build pro= cess with all vendor patches and recommended lockdown configuration. Test this process regularly.

Use host-hardening procedures to patch and properly configure services and applications on each host. Disable all nonessential services and applications.

Workstations should be hardened by installing recommended patches, removi= ng all unnecessary services and packages, and auditing file permissions.

Incorporate host-hardening steps into standard workstation build procedur= es.

&n= bsp;

Subca= tegory	Best Practices
Secure Build=

	Findi= ngs	Recom= mendations
Secure Build=	You have indicated t= hat your system builds include host-hardening procedures.

	Findi= ngs	Recom= mendations
Secure Build=	You have indicated t= hat remote control/management software is not used in the environment.	Continue the practic= e of not using remote control/management software.

	Findi= ngs	Recom= mendations
Secure Build=	You have indicated t= hat disk-encryption software is not used in the environment.	Consider using disk encryption software in order to prevent data compromise in the event of machine theft.

	Findi= ngs	Recom= mendations
Secure Build=	You have indicated t= hat a password-protected screen saver is not used in the environment.	Consider requiring a= ll users to have a password-protected screen saver with a short time-out per= iod.

	Findi= ngs	Recom= mendations
Secure Build=	You have indicated t= hat personal firewalls have not been installed on all of the workstations in = the environment.	Implement a policy w= hich calls for periodic review of default firewall settings, so as to allow for changes in applications or services being used.

	Findi= ngs	Recom= mendations
Secure Build=	You have indicated t= hat client-side remote access software has been installed on workstations that connect remotely to the internal network.	Consider using a sin= gle remote-access solution for the environment, if there are multiple types of solution deployed.

	Findi= ngs	Recom= mendations
Secure Build=	You have indicated t= hat modems are not used in the environment.	Continue disabling m= odem and dial-up access in order to reduce the risk of having machines able to= be directly dialed into.

&n= bsp;

Resources

Windows Server 2003 Security Guide

This guide provides easy-to-understand advice, tools, and templates to help you secure Microsoft® Windows Server™ 2003 operating system in many environments. Network administrators and IT professionals responsible for installing and configuring servers would likely benefit the most from this information.

http://www.microsoft.com/technet/treeview/default.asp?url= =3D/technet/security/prodtech/win2003/w2003hg/sgch00.asp

Microsoft Gold Cer= tified Partners

The Microsoft® Go= ld Certified Partner Program for Security Solutions will help you find special= ists in building and deploying IT solutions that help protect user security. Mic= rosoft works closely with partners to help ensure they have the highest level of expertise with Microsoft technologies and solutions.

http://directory.microsoft.com/resourcedirectory/Services.a= spx

Securing Your Data= base Server

Database architects a= nd database administrators will benefit most from this guide, which provides a proven methodology for securing database servers--Microsoft® SQL Server™ in particular. The guide reviews the most common threats that affect database servers, then steps through the process of applying a secure configuration.

http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMC= h18.asp

passfilt.dll<= /o:p>

Passfilt.dll is a replacement .dll for Microsoft® Windows NT® 4.0 operating system. U= sing passfilt, you can modify the operating system's default parameters to provi= de strong password support and administrative account lockout (at the network level).

http://msdn.microsoft.com/library/default.asp?url=3D/librar= y/en-us/security/security/strong_password_enforcement_and_passfilt_dll.asp<= /a>

Subca= tegory

Best Practices

Third-Party Relationships

To help reduce the r= isk of exposure, formal policies and procedures should exist to govern relations= hips with third parties. These policies and procedures help to identify securi= ty issues and the responsibilities of each party in mitigating them.

These policies should include:
+ Level of connectivity and access
+ Data presentation and manipulation
+ Roles and responsibilities (including authority) of each party
+ Management of the relationship—setup, ongoing, and termination.

	Findi= ngs	Recom= mendations
Third-Party Relationships	You have indicated t= hat systems are configured by internal staff.	Systems should be configured by internal staff following a tested build image.

&n= bsp;

Subca= tegory	Best Practices
Physical Security=	All computer systems should be secured to prevent easy theft. Servers and networking equipment should be secured in locked cabinets in locked rooms with controlled acce= ss.

	Findi= ngs	Recom= mendations
Physical Security=	Your response indica= ted that physical security controls have been deployed to secure your organization's assets.	Continue use of phys= ical controls, and consider extending them to all computer equipment, if that = has not already been done.

	Findi= ngs	Recom= mendations
Physical Security=	You have indicated t= hat servers are not in a lockable cabinet or rack.	Having servers in a lockable cabinet/rack further protects against unauthorized tampering. If possible, consider migrating servers to lockable enclosures.

	Findi= ngs	Recom= mendations
Physical Security=	You have indicated t= hat an alarm system has not been installed to detect and report break-ins	Consider installing = an alarm system in order to detect and report break-ins.

	Findi= ngs	Recom= mendations
Physical Security=	You have indicated t= hat networking equipment is not in a locked room with restricted access.=	Networking equipment should be secured in a locked room or closet. Plan to migrate network equipment to a more secure area.

	Findi= ngs	Recom= mendations
Physical Security=	You have indicated t= hat workstations are not secured with cable locks	In order to prevent = theft, consider securing workstations with cable locks.

	Findi= ngs	Recom= mendations
Physical Security=	You have indicated t= hat laptops are not secured with cable locks	In order to prevent = theft, consider securing laptops with cable locks.

	Findi= ngs	Recom= mendations
Physical Security=	You have indicated t= hat sensitive printed materials are not stored in locked file cabinets.<= /o:p>	Sensitive documents = should be kept in locked cabinets in order to prevent theft and disclosure of sensitive information.

	Findi= ngs	Recom= mendations
Physical Security=	You have indicated t= hat network equipment is also in a lockable cabinet or rack.	Having network equip= ment in a lockable cabinet/rack further protects against unauthorized tamperin= g. Ensure that access to keys/combinations is limited to only those who have= a business need.

	Findi= ngs	Recom= mendations
Physical Security=	You have indicated t= hat servers are not in a locked room with restricted access.	Servers should be se= cured in a locked room or closet. Plan to migrate the servers to a more secure area.

&n= bsp;

Resources

Basic Physical Sec= urity

This resource provide= s a snapshot of the three basic principles of physical security: keeping people away, keeping people out, and protecting your plumbing.

http://www.microsoft.com/technet/treeview/default.asp?url= =3D/technet/columns/security/5min/5min-203.asp

Applications

A thorough understanding of application security requires in-depth knowledge = of the basic underlying application architecture as well as a solid understand= ing of the application's user base. Only then can you begin identifying the potential threat vectors.

Given the limited scope of this self assessment, a complete analysis of application architecture and thorough understanding of the user base is not possible. This assessment is meant to help you review applications within y= our organization and assess them from a security and availability standpoint. It examines technologies used within the environment to help enhance Defense-in-Depth. The assessment reviews the high level procedures an organ= ization can follow to help mitigate application risk by focusing on the following a= reas of application security:

Deployment & Use—Mechanisms to enhance availability
Application Design —Authentication, Access Control, Update Management, Input Validation, Logging & Auditing
Data Storage & Communications—Encryption, Data Transfer, Restrictive Access

Appl= ications

Subca= tegory	Best Practices
Load-Balancing

	Findi= ngs	Recom= mendations
Load-Balancing	You have indicated t= hat load balancers are currently deployed in the environment.	Periodically audit t= he configuration of your load balancers and run diagnostics on a regular bas= is to make sure they are functioning properly.

&n= bsp;

Subca= tegory	Best Practices
Clustering

	Findi= ngs	Recom= mendations
Clustering	You have indicated t= hat clustering is not deployed in your environment.	To ensure high availability for critical databases and file shares, consider deploying clustering mechanisms.

&n= bsp;

Subca= tegory	Best Practices
Application &= Data Recovery

	Findi= ngs	Recom= mendations
Application &= Data Recovery	You have indicated t= hat your organization has line of business applications	Any Line of Business applications should be periodically evaluated for security, backed up regularly, fully documented, and have continge= ncies in place in case they fail.

	Findi= ngs	Recom= mendations
Application &= Data Recovery	Your response indica= tes that regular testing of application and data recovery is not performed.	Perform full backups regularly. Perform regular tests of the backup and recovery mechanism that permits restoration of the application to a normal operating state.<= /o:p>

&n= bsp;

Subca= tegory

Best Practices

Third-party indep= endent software vendor (ISV)

The third-party independent software vendor (ISV) should regularly provide patches and up= grades for their application, and they should explain the purpose of patches and= any impact you may expect in terms of the functionality, configuration, or security of the application being patched.

The third-party ISV should clearly identify critical patches so that they= can quickly be applied.

The third-party ISV should explain all of the application's security mechanisms and provide up-to-date documentation.

The organization should be aware of any configuration requirements necess= ary to ensure the highest level of security.

	Findi= ngs	Recom= mendations
Third-party indep= endent software vendor (ISV)	You have indicated t= hat third party vendors have developed one or more of the key applications in your environment.	Ensure that the third party who has developed your key software will continue to support that software, provide updates in a timely manner, and can provide you with so= urce code in the event that the third party can no longer support the applicat= ion.

	Findi= ngs	Recom= mendations
Third-party indep= endent software vendor (ISV)	You have indicated t= hat you do not know the answer to this question	Review this open ite= m with your IT staff or a security partner. Input the most appropriate answer to this question in the MSAT for further information.

&n= bsp;

Subca= tegory

Best Practices

Internally Develo= ped

The in-house develop= ment team should regularly provide patches and upgrades for their application,= and they should explain the purpose of patches and any impact you may expect = in terms of the functionality, configuration, or security of the application being patched

The development team should clearly identify critical patches so that the organization can quickly apply them.

The development team should explain all of the application's security mechanisms and provide up-to-date documentation.

The organization should be aware of any configuration requirements necess= ary to ensure the highest level of security.

Consider contracting with an independent third party to review the application's architecture and deployment and identify any security issue= s of concern.

	Findi= ngs	Recom= mendations
Internally Develo= ped	You have indicated t= hat your organization uses custom macros for office applications.<= /span>	Using custom macros requires that the security settings in Office are downgraded, exposing yo= ur office applications to malicious documents. Consider limiting the ability= to develop and run custom macros to only those that have a business need.

	Findi= ngs	Recom= mendations
Internally Develo= ped	Your responses indic= ate that your in-house development team provides you with regular software updates and security patches for applications developed by them.	Continue to work wit= h the development team to address all application and security issues in the deployed applications. When a patch is made available, thoroughly test the patch in a lab environment before deploying it into production. Work with the development team to audit the application configuration to ensure maximum security. Consider contracting with an independent third party to review the application's architecture and deployment and identify any security issue= s of concern.

&n= bsp;

Subca= tegory

Best Practices

Vulnerabilities

All known security vulnerabilities should be identified and patched. Regularly monitor vendor and third-party security sites for new vulnerability information and available patches.

If there are any known security vulnerabilities that do not have available patches, determine when a patch will be available and develop an interim mitigation plan to address that vulnerability.

Consider using a third party to conduct periodic assessments to evaluate = the application's security design. A third-party assessment may also turn up areas where additional security mechanisms are beneficial.

	Findi= ngs	Recom= mendations
Vulnerabilities	Your responses indic= ate that procedures exist for addressing known security vulnerabilities in applications you are currently using.	These procedures sho= uld include lab testing of the patches as well as application testing after t= he patch has been applied, to identify conflicts that may require the patch = to be rolled back. Periodically revisit these procedures and verify that they meet current application requirements.

&n= bsp;

Appl= ication Design

Subca= tegory

Best Practices

Authentication

The application shou= ld implement an authentication mechanism whose strength is commensurate with requirements governing security of data or access to functionality. Applications that rely on passwords should provide for password complexity constraints that include character mix (alpha, numeric, and symbols), min= imum length, history maintenance, enforced lifetime, pre-expiration, and dictionary checking.

The application should log failed login attempts, excluding the password. Each component that provides access to data or functionality should verify the existence of proper authentication credentials.

Administrative access to systems should be protected with the strongest f= orms of authentication available. Typically the restrictions around password c= reation for administrators should be greater than those for normal accounts.

In addition to strong passwords with good password policies, for added security multifactor authentication should be considered.

	Findi= ngs	Recom= mendations
Authentication	Your responses indic= ate that multifactor authentication is being used for key applications.<= /o:p>	To further mitigate = the risks of brute-force password attacks for external applications, consider implementing the following controls: + Password expiration + Account lockout after at least 10 failed login attempts + System logging

&n= bsp;

Subca= tegory

Best Practices

Password Policies=

The use of strong passwords is a basic element of Defense-in-Depth. Strong passwords should= be 8 to 14 characters in length, with alphanumeric and special characters. Minimum length, history maintenance, lifetime, and pre-expiration of passwords should all be set to provide additional defenses to password strength. In general, password expiration should be set to the following:=

+ Maximum length 90 days
+ New accounts must change password at login
+ Password history of 8 passwords (8 days minimum)

Administrative access to systems should be protected with the strongest f= orms of authentication available. Typically, the restrictions around password = creation for administrators should be greater than those for normal accounts—= ;if normal accounts require a password length of 8 characters, then administrative accounts should have 14-character passwords.

Account lockout, after 10 failed login attempts, should be enabled on all user accounts. The controls around account lockout can vary from simply b= eing focused on blocking brute-force password attacks to as complex as requiri= ng administrator intervention to unlock. Consider the following guidelines w= hen implementing controls around account lockout:

+ Account lockout after at least 10 failed login attempts for user accoun= ts
+ Require administrative access to re-enable accounts for critical applications and automatically re-enable regular user accounts after 5 minutes for other applications
+ 30-minute length to cache failures for regular user accounts=

	Findi= ngs	Recom= mendations
Password Policies=	Your response indica= tes that strong password controls are implemented across key applications.	Consider implementing logging thresholds around failed authentications so that alerts can be se= nt to systems administrators. Also consider extending the use of strong passwords across all applications.

	Findi= ngs	Recom= mendations
Password Policies=	Your response indica= tes that account lockout controls are not implemented across key applications.	Think about implemen= ting account lockout (after 10 failed attempts), initially for all critical external applications. The controls around account lockout can vary from being focused on blocking brute-force password attacks to as complex as requiring administrator intervention to unlock the account. Consider the following guidelines when implementing controls around account lockout: + Lockout after 10 failed login attempts + Require administrative access to re-enable accounts + 30 minute length to cache failures for regular user accounts=

	Findi= ngs	Recom= mendations
Password Policies=	Your response indica= tes that a password-expiration control is not implemented across key applications.	Consider implementing password expiration for all types of accounts for critical applications b= ased on the guidelines mentioned in the Best Practice column. In general, pass= word expiration should be set to the following: + Maximum length 90 days + New accounts must change password at login + Password history of 8 passwords (8 days minimum)

&n= bsp;

Subca= tegory

Best Practices

Authorization &am= p; Access Control

Applications should implement an authorization mechanism that provides access to sensitive da= ta and functionality only to suitably permitted users or clients.

Role-based access controls should be enforced at the database level as we= ll as at the application interface.

This will protect the database in the event that the client application is exploited.

Authorization checks should require prior successful authentication to ha= ve occurred.

All attempts to obtain access without proper authorization should be logg= ed.

Conduct regular testing of key applications that process sensitive data a= nd of the interfaces available to users from the Internet. Include both "black box" and "informed" testing against the application. Determine if users can gain access to data from other accoun= ts.

	Findi= ngs	Recom= mendations
Authorization &am= p; Access Control	Your response indica= tes that key applications restrict access to sensitive data and functionality based on privileges assigned to the account.	Consider conducting focused application testing on key applications that process sensitive da= ta and on the interfaces available to users from the Internet. Include both 'black box' and 'informed' testing against the application a= nd test for privilege escalation.

&n= bsp;

Subca= tegory

Best Practices

Logging

Logging should be en= abled across all applications in the environment. Log file data is important for incident and trend analysis as well as for auditing purposes.

The applications should log failed and successful authentication attempts, changes to application data including user accounts, severe application errors, and failed and successful access to resources.

When writing log data, the application should avoid writing sensitive dat= a to log files.

	Findi= ngs	Recom= mendations
Logging	Your answers indicat= e that various events are being logged by applications in the environment. The a= pplications should log all events based on listed best practices.	For ease of log-file management and analysis, consider integrating with a centralized logging mechanism. The logging mechanism should retain and archive logs in accord= ance with applicable corporate data retention policies.

	Findi= ngs	Recom= mendations
Logging	You have indicated t= hat changes to user accounts are not logged.	Consider logging cha= nges to user accounts in order to detect privilege escalations and unauthorized new account creations.

	Findi= ngs	Recom= mendations
Logging	You have indicated t= hat successful access to resources is not logged.	Consider logging successful access to resources in order to trace malicious behavior after= the fact.

	Findi= ngs	Recom= mendations
Logging	You have indicated t= hat access denied to resources is not logged.	Consider logging acc= ess denied to resources in order to be able to detect attempts at privilege escalation.

	Findi= ngs	Recom= mendations
Logging	You have indicated t= hat changes to data are not logged.	Consider logging cha= nges to data in order to track malicious activity.

	Findi= ngs	Recom= mendations
Logging	You have indicated t= hat application errors are not logged.	Consider logging application errors in order to be able to troubleshoot and detect any Tro= jan horses or malicious code.

	Findi= ngs	Recom= mendations
Logging	You have indicated t= hat successful authentications are not logged.	Consider logging successful authentications in order to track user activity.

	Findi= ngs	Recom= mendations
Logging	You have indicated t= hat failed authentication attempts are logged.	Continue logging fai= led authentication attempts.

&n= bsp;

Subca= tegory

Best Practices

Input Validation<= o:p>

The application may = accept input at multiple points from external sources, such as users, client app= lications, and data feeds. It should perform validation checks of the syntactic and semantic validity of the input. It should also check that input data does= not violate limitations of underlying or dependent components, particularly string length and character set.

All user-supplied fields should be validated at the server side.

	Findi= ngs	Recom= mendations
Input Validation<= o:p>	Your response indica= tes that input from data feeds is not validated.	Work with the applic= ation vendor (ISV or internal development team) to implement mechanisms to vali= date all data input. The validation constraints to input data should accept data that is syntactically and semantically correct; the constraints should not rely solely on screening of input for invalid characters.

	Findi= ngs	Recom= mendations
Input Validation<= o:p>	Your response indica= tes that all end-user input is validated.	Continue to audit ea= ch application to ensure that user input is consistently and appropriately validated. The validation constraints to input data should accept data that is syntactically and semantically correct; the constraints should not rely solely on screening of input for invalid characters.

	Findi= ngs	Recom= mendations
Input Validation<= o:p>	Your response indica= tes that client application input is not validated.	Work with the applic= ation vendor (ISV or internal development team) to implement mechanisms to vali= date all data input. The validation constraints to input data should accept data that is syntactically and semantically correct; the constraints should not rely solely on screening of input for invalid characters.

&n= bsp;

Data Storage & Communications

Subca= tegory

Best Practices

Encryption

Sensitive data shoul= d be encrypted or hashed in the database and file system. The application shou= ld differentiate between data that is sensitive to disclosure and must be encrypted, data that is sensitive only to tampering and for which a keyed hash value (HMAC) must be generated, and data that can be irreversibly transformed (hashed) without loss of functionality (such as passwords). T= he application should store keys used for decryption separately from the encrypted data.

Sensitive data should be encrypted prior to transmission to other compone= nts. Verify that intermediate components that handle the data in clear-text fo= rm, prior to transmission or subsequent to receipt, do not present an undue threat to the data. The application should take advantage of authenticati= on features available within the transport security mechanism.

Examples of widely accepted strong ciphers are 3DES, AES, RSA, RC4, and Blowfish. Use 128-bit keys (1024 bits for RSA) at a minimum.

	Findi= ngs	Recom= mendations
Encryption	Your response indica= tes that key applications in your environment are encrypting sensitive data p= rior to transmission. Your answer indicates that key applications in your environment do encrypt sensitive data that is in storage.	Use industry-standard encryption algorithms for all encryption.

&n= bsp;

Subca= tegory	Best Practices
Encryption - Algo= rithm	The application shou= ld use industry-standard cryptographic algorithms with keys of appropriate sizes= and cryptographic modes appropriate to the need. Industry recognized strong ciphers include 3DES, AES, RSA, Blowfish, and = RC4. A minimum key size of 128 bits (1024 bits for RSA) should be used.

	Findi= ngs	Recom= mendations
Encryption - Algo= rithm	You have indicated t= hat you are using DES encryption.	Consider upgrading y= our encryption to 3DES or AES in order to make it much more difficult to break through brute-force techniques.

&n= bsp;

Operations

This area of analysis examines the operational practices, procedures, and guidel= ines followed by the organization to help enhance Defence-in-Depth. This assessm= ent examines policies and procedures that govern system builds, network documentation, and the use of technology within the environment. It also includes supporting activities required to manage the information and procedures used by the administrators and operations staff within the environment. By establishing operational practices, procedures, and guideli= nes that are understood and followed, an organization can potentially enhance i= ts Defense-in-Depth posture. The assessment reviews high level procedures an organization can follow to help mitigate operations risk by focusing on the= following areas of operations security:

Environment—System = Build, Network Documentation, Application Data Flow, Application Architecture=
Security Policy—Pro= tocols & Services, Acceptable Use, User Account Management
Patch & Update Management—Patch Management, Virus Signatures<= /li>
Backup & Recovery—Backup, Storage, Testing

Envi= ronment

Subca= tegory

Best Practices

Firewall Rules and Filters

Firewalls are a firs= t-line defense mechanism and should be placed at all network border locations. R= ules implemented on firewalls should be highly restrictive and set on a host-by-host and service-by-service basis.

When creating firewall rules and router ACLs (Access Control Lists), focu= s on first protecting access control devices and the network from attack.

+ Enforce data flow by use of network ACLs and firewall rules.
+ Test firewall rules and router ACLs to determine whether or not existing rules contribute to Denial of Service (DoS) attacks.
+ Deploy one or more DMZs as part of a systematic and formal firewall development.
+ Place all Internet accessible servers there. Restrict connectivity to a= nd from the DMZs.