[EdLUG] [Baen Baen's Bar] Fwd: Re: Fwd: Cybersecurity

Edinburgh Linux Users Group edlug at lists.edlug.org.uk
Wed Feb 20 20:49:32 UTC 2019


haha. Yes, because to do a security audit there is no need to have access
to any particular machines, nor to inform the sysadmin, and reaction from
the system administrators could be seen as signs of paranoia which is
necessary to have proper security. It's enough to plug in to a live network
socket and test from there. Perhaps from more than one socket to get a
bigger picture of the network, and looking at the setup is usually enough
to get an idea.

Data security can be checked by physical intervention to any backup device;
a bigger concern is often whether data can be rebuilt after server failure.
Typically NAS RAID can be problematic.

At first I thought you were a pub ... but it's a BB/Forum

Don't worry about what happens - they might find some holes and make some
recommendations, and they still need someone to actually do the work and
run the systems on a day to day basis...

Lots of people are panicking about the GDPR deadline for publishing a
compliance statement.

Usually I don't use a root password but PGP keys for SSH, and when someone
asks for access I ask for their public key and don't allow root logins any
other way - it's enough to shut up all the M$windows operators.

Good luck anyway, and when you get a chance think about what you would do
if your server went bang as this is the most common security failure which
I have come across. Not mentioning any names, but there are corporates out
there who cannot do simple arithmetic such as hourly downtime costs which
can amount to £100,000s if a server is lost. (hint - average cost of staff
wages x 5 x number of staff) - the 5 is an arbitrary multiplier because
staff have costs, overheads, and do work to generate revenues, so even with
10 staff on minimum wages (10 x 5 x 10 = £500/Hour) a live up to date
backup server is needed.

Mark
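The "keys only, no root password" setup Mark mentions comes down to two sshd_config directives. The following is an added example, not part of the EdLUG thread or anyone's actual server config: it writes two constructed sshd_config fragments (the weak one and the hardened one) to temporary files and runs a small checker over them. The checker reads values the way sshd does (the first occurrence of a directive wins) but assumes plain "Keyword value" lines with no Match blocks; a real host with Match blocks should be checked with `sshd -T` instead.

```shell
#!/bin/sh
# Added example (not from the EdLUG thread): constructed sshd_config
# fragments plus a checker for "root can only log in with a key".
# Assumptions: whitespace separated "Keyword value" lines, no Match
# blocks, OpenSSH defaults (PermitRootLogin prohibit-password,
# PasswordAuthentication yes) when a directive is absent.

# effective_value FILE DIRECTIVE DEFAULT
# Print the first uncommented value of DIRECTIVE in FILE, or DEFAULT if
# the directive never appears (sshd uses first-match semantics).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }                 # skip blanks and comments
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# root_password_login_allowed FILE
# Returns 0 when root could log in with a password under this config,
# 1 when root is limited to key authentication or blocked entirely.
root_password_login_allowed() {
    prl=$(effective_value "$1" PermitRootLogin prohibit-password | tr 'A-Z' 'a-z')
    pwa=$(effective_value "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    case "$prl" in
        no|prohibit-password|without-password|forced-commands-only) return 1 ;;
    esac
    # PermitRootLogin yes: root password login works only if passwords are on.
    [ "$pwa" = "yes" ]
}

# report FILE: one-line verdict for an admin reviewing a config.
report() {
    if root_password_login_allowed "$1"; then
        echo "$1: root can log in with a password - set PermitRootLogin prohibit-password and PasswordAuthentication no"
    else
        echo "$1: root limited to key authentication"
    fi
}

# Constructed sample configs, not taken from any real host.
weak=$(mktemp)
hardened=$(mktemp)
cat > "$weak" <<'EOF'
# Weak: anyone who guesses the root password gets a shell.
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$hardened" <<'EOF'
# Hardened: root only via a key in /root/.ssh/authorized_keys,
# no password logins for any account.
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF

report "$weak"
report "$hardened"
rm -f "$weak" "$hardened"
```

Handing out access by collecting a public key and appending it to `/root/.ssh/authorized_keys` then works exactly as Mark describes, and the checker gives a quick way to confirm nobody has quietly re-enabled password logins further up the file.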



On Wed, 20 Feb 2019 at 17:26, Edinburgh Linux Users Group <
edlug at lists.edlug.org.uk> wrote:

>
> I'd rather differ...
>
> The first thing to ask them would be what their concerns are.
>>
>
> Whose concerns, the board of directors or the sys admin? :-) In this case
> it sounds like the board of directors (or their own stakeholders) have
> established the need to bring in an external auditor. If the machines are
> owned by the organisation, or holding the organisation's data, it's often
> above an admin's prerogative to push back on a request initiated by the
> organisation's upper management - hence separating the work machines from
> the personal ones to alleviate the sys admin's concerns...!
>
>
>> I suspect that they just need to make sure that they comply with GDPR,
>> and to know that their business systems are protected from public access.
>>
>
> My take is, that's a compliance audit, not a security audit. All good
> questions mentioned, but they come before, and are separate from, a
> security audit.
>
> In any case, it seems like the audit happened long before the mails were
> even forwarded on, so I'm not sure what was wanted as feedback....? :-)
>
> -- Tai
>
> --
> EdLUG mailing list
> EdLUG at lists.edlug.org.uk
> https://lists.edlug.org.uk/mailman/listinfo/edlug

