Security Vulnerability Assessment

Files and Directories

The next area to check is the access permissions of files and directories on your PC or server.

If your PC or server is used by a number of people, how can you confirm that only the authorized users are able to access the directories holding sensitive information? An intruder who has obtained an ordinary user account can read all of those files and directories without taking the trouble to gain superuser access!

Data Security

How do we minimise this threat?

One way is to review the directory and file permissions and then remove the user access that is not required.

a) Use the DumpSec ACL tool to capture the directory and file permission details.

b) Display the output in Excel format for further analysis (e.g. to identify the excessive permissions that should be removed).

c) Present this information to the administrators, programmers or the application owner. Work out what is extremely crucial to the business and who the real authorized personnel are. This is one of the most effective ways to review your data security.

d) I would advise that before you start removing permissions from these files and directories, you run the application with the associated files and directories in a test environment.

e) Remove the access permissions you identified on those files and directories, then check whether this causes the application to crash. Sometimes the application genuinely requires these permissions.

f) Only once you have confirmed that the application works fine after tightening the access permissions should you apply the change in the operational environment.

Tip: A great technology that provides "virtual" environments for conducting such testing, and for automatic failover, is VMware. However, VMware licences are not cheap.


Example of Windows file and directory permissions extracted using DumpSec ACL (screenshot not reproduced here).
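The following PowerShell script is an added example, not part of the original article and not DumpSec's own output: it performs the equivalent of steps a) and b) without a third-party tool, walking a directory tree, recording every explicit ACE, flagging broad write grants for the step c) review, and writing a CSV that opens in Excel. The root path, output file, list of "broad" principals and the rights mask are assumptions you should adjust; the script only reports and changes nothing.

```powershell
# Added example (not from the original article): PowerShell stand-in for the
# DumpSec capture-and-export steps. Placeholders: $Root and $OutFile.
param(
    [string]$Root    = 'D:\AppData',                 # placeholder: tree to review
    [string]$OutFile = "$env:TEMP\acl-review.csv"    # placeholder: CSV for Excel
)

# Principals whose write access on a shared server usually needs justification
# (reviewer's choice, not a standard list).
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that let the holder change or delete data.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

$rows = foreach ($item in (Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }                      # unreadable ACL: skip, do not crash
    foreach ($ace in $acl.Access) {
        # Inherited entries are reviewed once, at the folder that defines them.
        if ($ace.IsInherited) { continue }
        $isBroad  = $BroadPrincipals -contains $ace.IdentityReference.Value
        $canWrite = ($ace.FileSystemRights -band $WriteRights) -ne 0
        $flag     = if ($isBroad -and $canWrite -and $ace.AccessControlType -eq 'Allow') { 'REVIEW' } else { '' }
        [pscustomobject]@{
            Path     = $item.FullName
            Owner    = $acl.Owner
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
            Flag     = $flag
        }
    }
}

$rows | Sort-Object Path | Export-Csv -LiteralPath $OutFile -NoTypeInformation
$flagged = @($rows | Where-Object Flag -eq 'REVIEW').Count
"Wrote $(@($rows).Count) explicit ACEs to $OutFile; $flagged flagged for review"
```

Sort the CSV by the Flag column in Excel to put the entries needing justification at the top; anything you decide to tighten still goes through the test-environment run in steps d) to f) first.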

If you wish to learn more about Security Vulnerability Assessment and Data Security, look at the IT Auditing/Security books on the Amazon Book Store that I have compiled. I personally find that the CISSP (Certified Information Systems Security Professional) books contain loads of security information. Further, CISSP is a good certification to obtain if you want a career in IT Security.

OK, keep going. Next we will check the operating system for vulnerabilities and unnecessary services, especially on servers that are not patched. One of the ways to penetrate a server is by exploiting server vulnerabilities. I have uploaded a YouTube video on how to protect the server. Enjoy the video!


Internet Security Advisor
Step by Step Guide to Drill into Files and Directories Permission