[EdLUG] [Baen Baen's Bar] Fwd: Re: Fwd: Cybersecurity

Edinburgh Linux Users Group edlug at lists.edlug.org.uk
Wed Feb 20 15:38:28 UTC 2019


The first thing to ask them would be what their concerns are.
If the clients and server are only being used by customers for casual
internet access then there would be little risk to the business.

The first things to ask are:
Is there an adequate firewall in place? I have been using ClearOS since
it was born (formerly ClarkConnect), which provides a cheap solution for
keeping intruders out and logging activity.

Is there separate data on a server? And what kind of data is this?
Security is a big issue, and it has lots of answers depending on the
organisation.

You should start by asking the questions such as

What do they want from a "Security Audit"?

What data is held, and who has access to it?
What measures are in place to protect its privacy, and what backups exist?
Can backup data be accessed outside the system?
Does the organisation need a GDPR statement? Is there any need to register
as a data controller?

Office systems and administration systems should sit behind a secondary
firewall if public internet access is provided; again, I would use a ClearOS
gateway.

I suspect that they just need to make sure that they comply with GDPR, and
to know that their business systems are protected from public access.

I still have some older systems from lawyers which can be used for gateways
if you need any.

Good Luck.
Mark



On Wed, 20 Feb 2019 at 13:35, Edinburgh Linux Users Group <
edlug at lists.edlug.org.uk> wrote:

> Another reply to the OP in response to a reply from this list.
> On 20/02/2019 10:13, dockrin wrote:
>
> AndrewR wrote on Tue, 19 February 2019 13:55
>
> Another reply
>
>
>
> -------- Forwarded Message --------
> Subject: 	Re: [EdLUG] Fwd: [Baen Baen's Bar] Cybersecurity
> Date: 	Tue, 19 Feb 2019 19:51:41 +0000
> From: 	Edinburgh Linux Users Group
> Reply-To: 	edlug at lists.edlug.org.uk
> To: 	Edinburgh Linux Users Group
>
>
>
> Hi Andrew
>
> (Obligatory disclaimer: I am neither a lawyer, nor a security
> professional. The following stems from my experience in general and
> cannot constitute advice.)
>
>
> On the face of it, yes, if it is an independent professional auditor,
> they will need full access to the system, or for him to provide proof
> that everything he is doing meets their requirements. Generally, only
> full access can provide such proof.
>
> Log files only provide minimal insight into what a system has done in
> the past; they do not show how the system is configured, or what
> practices are in place, and whilst your friend's contact may in good
> faith believe he has a secure system and only his own processes are
> running on his computers, it is the auditor's responsibility to
> investigate it for themselves, first hand, and to possibly ferret out
> anything that was missed by the friend.
>
> That is precisely what an audit is.
>
> Conversely:
>
> If he himself is concerned about their activities, he can seek out a
> lawyer to provide him with a proper Non-Disclosure Agreement contract to
> have the auditor sign. I wouldn't know if it is standard practice, but I
> think he would be within his rights to require this in turn.
>
> If the computers in question are not being used directly to service the
> organisation that is requiring the audit, or to hold that organisation's
> data, there is a question mark over to what extent they can require the
> audit to be carried out. That's an entirely different question.
>
>
>
> Tai
>
> ===
> Tai Kedzierski
> Linux Operations and Deployments Engineer
>
> RHCSA # 170-060-834
>
>
>
>
> I use LibreOffice, a free,
> Freedom-respecting replacement for MS Office
>
> Open Source Free Software is a matter of liberty, not price. https://www.fsf.org/about/what-is-free-software
>
>
>
> On Tue, 19 Feb 2019 at 19:12, Edinburgh Linux Users Group wrote:
>
>     I just received this email.  Can anyone advise the OP on this question?
>
>     Andrew Ramage
>
>
>
>     -------- Forwarded Message --------
>     Subject: 	[Baen Baen's Bar] Cybersecurity
>     Date: 	Tue, 19 Feb 2019 11:32:46 -0600
>     From: 	piobair
>     Reply-To: 	baens_bar at bar.baen.com
>     Organization: 	Baen's Bar
>     To: 	baens_bar at bar.baen.com
>     Newsgroups: 	Baen_Baens_Bar
>
>
>
>     The Board of Directors overseeing a friend of mine has decided that they need a security audit by an independent auditor. My friend's entire system is running on Linux with Linux servers and (mostly) thin clients.
>     He put out an RFP and, in his words, they want the keys to the front door in order to see if the china cabinet is locked.
>     Can an adequate audit be made from the /var/log files?
>
>     --
>     EdLUG mailing list
>     EdLUG at lists.edlug.org.uk
>     https://lists.edlug.org.uk/mailman/listinfo/edlug
>
> --
>
> Doc Krin, deep in the Ozarks!
>
> A man’s greatest glory is to love his wife and raise his children well //
> Mankind’s greatest shame is an uncherished child. James Richard Shaver
>
> "You can not leave behind what is always by your side" Richard Castle
>
> The saddest words ever said: "If only...."
>
> _______________________________________________
> Baens_bar mailing list
> Baens_bar at bar.baen.com
> http://bar.baen.com/cgi-bin/mailman/listinfo/baens_bar