EH-Net
  Show Posts
106  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Not really hacking related, but kind of urgent! on: July 12, 2007, 10:36:26 AM
Oyle,

Get a backup of everything first - all personal stuff like favourites, My documents, all office documents and personal stuff and burn it to cd/dvd to be safe.

Couple of questions:
Did the support tech know the network was a bunch of XP home machines?
Do you have a copy of the database off the good USB backup?
Do you have an XP Pro machine you can test installing the FoxPro database software on?

I’d try to drop a copy of the FoxPro on a good machine and attempt to restore the database from the good backup. If you get that working, make a backup of that database to cd and show it to the client, so she can check it.
Unless the “server” has more than two physical disks, it won’t matter which drive letter the FoxPro db goes on. I’d get rid of the multiple copies and just pick one location.

Once you have a working copy of the FoxPro system, then you can talk about cleaning up the “network”, as the database working is their number one issue.
XP Home is for home systems, not for businesses, but it’ll come down to money at the end of the day.

A clean rebuild of the systems might be the best way for them to go, as long as they have all the right install cd’s!

Hope that’s some help.
107  Features / Opinions / Getting ready to defend a Network on: July 12, 2007, 09:58:53 AM
Have you ever started a job and been told to fix a network?
How about make it secure and not break anything?

A couple of my friends had just started new jobs and we'd been talking about the huge task in front of them. It's pretty scary and can be overwhelming. These were some of the suggestions to get started and cover your own butt at the same time. Thought they might be worth sharing.

Let’s say you start your new job as the head (or only) network/security guru, you’ve got good network and OS skills and you’re keen to make your mark running by cleaning up this Wild West network and kick off using those newly acquired security skills.

Where do you start?
Patching, inventory, mapping the devices on the network, risk analysis, vulnerability assessments, checking the firewall, VPN, wireless access points, installing anti virus, log correlation, validating the backups work (or even exist!), DRP/BCP, upgrading the hardware, software, firmware or removing Quake off the accounts pc?

The sentence above is enough work to keep you busy for at least six months and that’s without dealing with customer requests for help with printing, using Word or finding their lost files.

Let’s say that you have your boss’s support, a basic IT/security policy and they have a budget to do work, as long as you can justify why you need to spend it.
When you’re securing a network it’s all about having the basics done right and verified first before tackling the more exciting stuff.

Start by making notes and documenting everything you do. Get a bound A4 book and use it as a journal. IT folks often get blasted for bad documentation skills. Writing down your actions and processes stops you from trying to do too many things at once. It also makes you think about what you’re doing and how you’re trying to achieve it. Thinking and planning stops those nasty moments where you ask yourself “Did I mean to make that change?”

A nice, simple but great place to start technically is the backups. Old, boring and very unexciting but working backups and being able to validate they can be restored are key to making sure that if a disaster happens tomorrow, you come out looking like a hero.
Knowing what, how and why you have to backup systems and configurations can give you a solid understanding of the company you’re protecting, what their needs are and what’s important to them.

While you’re working out the backups, start making a full network inventory.
That’s make, model, serial number of the hardware, type & version of firmware and software, then licensing, configuration & owner of the systems and software.

Finding out the owner of a system or software is very important so you can ask questions or get help with working out how it works or should work and what it does.

Get this out of the way and you’re safe to move on to the more fun and challenging parts.

You’ve got the management backing, backups are good and a solid network layout, so it’s on to the firewall.
The firewall should be the main portal to the network and control all traffic in (ingress) and out (egress) bound.
Review the rules, ask why they're there and what they actually do. I’ve seen some crazy rules put in place that no-one knows why, but are terrified to remove them in case it breaks something. Take a backup of the configuration and slowly comment out the odd or old rules one at a time, checking that nothing important stops working!

Firewalls should be a default block everything policy and only allow traffic that has been understood, documented, agreed and signed off.
The outbound rules are just as important as the inbound ones and are more useful to see if trouble is on your internal network.
How can that be?
As you build and document the firewall rules, set up a rule so that any failed packets and the IP addresses of systems trying to go outbound are logged. The firewall outbound logs (also known as drop logs) should always be empty, as you’ve spent time making sure all the firewall rules are in place so that all the systems you want to go outbound are specifically allowed.
If they start filling up, this immediately tells you that something is wrong on the network. It might be a mis-configured pc, someone has plugged in a laptop from home or a new virus is trying to scan other computers outside your network. This gives you the starting point to investigate this problem. Again, write up each of these events in the logs as they help make your case in the future.


With these basic steps you’ve now got a clear, documented picture of the network, its systems and its general health.
In fact you’ve done your first documented audit and risk assessment!

Having hard, clear documented notes on the problems and suggestions on how they can be addressed, management tend to listen. You can use the documents created to show management weaknesses, like old software/hardware or out of date unsafe systems.
From here you can then target the most important steps to secure the rest of the network.

Remember - If you don't understand what makes up and what's happening on the network, how can you know what's right or wrong, what's normal or abnormal?

Spend the time to get the basics done well, then go off and save the world :-)
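
The outbound drop-log check described in the post above, as an added example that is not part of the original post: it groups dropped outbound packets by source address and checks each source against the inventory. The log format (Linux netfilter LOG lines), the `EGRESS-DROP: ` prefix, the addresses, the host names and the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed inventory (hypothetical hosts), as produced by the inventory step.
INVENTORY = {"192.168.1.10": "accounts-pc", "192.168.1.23": "frontdesk-pc"}

# Constructed sample lines in Linux netfilter LOG format. The "EGRESS-DROP: "
# prefix is an assumed --log-prefix on the final outbound drop rule.
SAMPLE_LOG = """\
Jul 12 09:58:01 fw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49201 DPT=25 SYN
Jul 12 09:58:31 fw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49202 DPT=25 SYN
Jul 12 10:02:10 fw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.1 LEN=48 PROTO=TCP SPT=1045 DPT=445 SYN
Jul 12 10:02:10 fw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.2 LEN=48 PROTO=TCP SPT=1046 DPT=445 SYN
Jul 12 10:02:11 fw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.3 LEN=48 PROTO=TCP SPT=1047 DPT=445 SYN
Jul 12 10:05:44 fw kernel: EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.50 LEN=60 PROTO=TCP SPT=50110 DPT=6667 SYN
Jul 12 10:06:00 fw kernel: eth0: link up
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse(line, prefix="EGRESS-DROP: "):
    """Return the SRC/DST/PROTO/DPT fields of one drop line, or None."""
    if prefix not in line:
        return None  # not a drop-log entry
    fields = dict(FIELD.findall(line.split(prefix, 1)[1]))
    if "SRC" not in fields or "DST" not in fields:
        return None  # truncated or malformed entry
    return fields


def triage(log_text, inventory, scan_threshold=3):
    """Group drops by source and give each source a starting point to investigate."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_src[rec["SRC"]].append(rec)

    findings = []
    for src, recs in sorted(by_src.items()):
        dsts = {r["DST"] for r in recs}
        # ICMP and similar entries carry no DPT, hence .get()
        services = {(r.get("PROTO"), r.get("DPT")) for r in recs}
        if src not in inventory:
            reason = "unknown device"        # e.g. a laptop brought in from home
        elif len(dsts) >= scan_threshold and len(services) == 1:
            reason = "possible scanning"     # one service, many destinations
        else:
            reason = "check configuration"   # known host hitting a blocked service
        findings.append({"src": src, "host": inventory.get(src),
                         "drops": len(recs), "destinations": len(dsts),
                         "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, INVENTORY):
        print(f)
```
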
108  Resources / Tutorials / Re: Fuzzing with Fuzzers on: July 12, 2007, 06:06:13 AM
Fuzzing is a software testing technique where you supply a program with faulty or randomized data in place of its normally expected input.

Here's some more to read on it:

http://reddevnews.com/techbriefs/article.aspx?editorialsid=261

http://appliedsec.com/resources.html

Playing with Ruby to build a fuzzer framework:
http://www.devx.com/security/Article/33559
109  EH-Net / News Items and General Discussion About EH-Net / Re: EH-Net Hits Milestone of 3000 Members on: July 10, 2007, 08:46:30 AM
Word of mouth got me here.
I was talking to classmates while taking the GCIH course at a SANS conference and asking for good resources. They pointed me here.

For me this is a great opportunity to listen, learn and ask questions.

It's wonderful to have a friendly and open forum to keep the mind sharp and tracking the multitude of issues in the ever changing security world.
110  Ethical Hacking Discussions and Related Certifications / Malware / Re: IIS vs. Apache: Re-Examining the Stats on: July 08, 2007, 12:15:51 AM
I found the story fascinating and had a good chuckle at the flame war that kicked off about a couple of comments.

I'm sure Roger would make a great and entertaining speaker. Do you think you could con him into doing a couple of pieces on some of the bad habits or mistakes he's found during his time pen testing?

It would make great reading for either side of the fence on what should be avoided or looked for :-)
111  Resources / Mass Media / Re: Help Syngress with 'Stealing The Network' Finale - WIN a prerelease copy!! on: July 08, 2007, 12:00:09 AM
I have to say that the Syngress books I've read have all been from good to excellent. I have a reasonable pile of them at home.

I think I know of the book Kev's referring to (I'm guessing they are the tools/open source compilation ones) but haven't read them. I'm a bit curious now if they are a poor production. Do you have one that stands out in your mind?

As an aside, I tend to use Richard Bejtlich's reviews on Amazon as a good starting point if the book is worth reading or listen out for a positive review from a couple of trusted sources.
112  Features / Opinions / A security flaw every network has on: July 07, 2007, 09:47:20 PM
One of the fun things about protecting a network is that we’re fighting a never ending battle against attackers, with unlimited time, resources from almost every corner of the world on their side.
We have to sit there and attempt to deal with whatever is thrown at us.
There's one weapon that’s more devastating than any zero day attack that attackers use to bypass all our fancy high tech defences, are the one constant in any network, anywhere and one that constantly surprises us -

Users!

Yup, the very people that pay us to make sure that they can come on to the network, read their email, check the sports pages and occasionally do some profit generating work, are the biggest attack vector.

Have you ever got a call from one of them wanting to open a file or web site with the latest celebrity scandal or forward on a chain mail to the entire company to avoid bad luck? How about add a gadget which will enhance their effectiveness performance?
With every new gadget designed to make their lives easier ours becomes harder, introducing new attack vectors and headaches to get them to work with the existing systems.
Oh, by gadgets I mean everything from simple home internet access to office systems, blackberries, and mobile phones, to the business critical “need” to have iPod’s and iTunes on corporate machines.

The gleeful looks I’ve got from security researchers or penetration testers that are allowed to launch social engineering attacks on the users can put you off lunch for a week.
There are dozens of stories about people swapping passwords for chocolate bars or even worse, usb drives. http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
But the good ol’ “Hi, I’m from your helpdesk, we’re having a problem with your account. Can you confirm your username and password?” works more times than not and doesn’t cost anything.
If you're still not convinced about the powers of social engineering on your users, read about Kevin Mitnick http://en.wikipedia.org/wiki/Kevin_Mitnick or listen to http://www.phonelosers.org/
Be warned, phonelosers is fairly explicit and constantly uses bad language, but proves how much sensitive, personal information can easily be obtained from a small amount of research and a phone call.

So what to do?

Well forget tech, it is people skills that fix this security issue. 
Getting your management and then the users working with you can make all the difference. Most people want to help out, so imagine having even 10 percent of the company occasionally giving a heads up when something odd happens.  Anything that makes our lives easier in the long run is worth a small amount of short term pain.
These are my top three steps to “patching” users and making defending a network a heck of a lot easier.

Get Management buy in for security
This is for senior management to understand and support a security stance for your company. It’s critical to explain the risk of not having a security in business terms, not technical ones. If they stand behind the policy, no-one is going to mess with it.
So when Dave from finance wants to install his weird PDA and its awful software, smile sweetly, glance at the policy - “I’m sorry Dave, I can’t do that” Unless he can prove to the bosses it’s important for the company, it stays off the network.

This is the most important to have. If you can’t get this, you’ll spend all your time fighting security fires and getting blamed for the problems.  Not a fun place to be, if you can’t get through to them the first time, try working with one of them to put your message in their language. The rules of the road are a good analogy to use; they are there to keep everyone safe and working in the same framework. Driving down the wrong side of the street is instantly recognised as breaking the rules and dangerous. Once the management team grasp this for their company’s security, most of the resistance will go.

Help write a solid, easy to understand security policy which protects the business, not cripples it
Don’t get carried away with technical details or writing a block everything document. Talk to the different teams and find out what they need to do their jobs. Then write the policy around those conversations, find a couple of senior managers to then present and explain it to.  Doing it this way will help create a policy that gets you talking to other departments in your company and have them understand why security is important to protect their work and staff.
The fear, doubt and uncertainty (FUD) of the dark magic that is IT security can be dispelled by a couple of friendly chats and taking time to explain why pirated software and having full local admin rights to a machine is dangerous. It can bring up topics you may not have thought about, like modems attached to the finance desktops for banking apps, or the ad-hoc upload of files to ftp sites.

Remember this is being written for non-technical staff to understand and it’s not detailed procedures. Think of getting your grandparents to understand it and try to keep it to one page.

Create a security awareness program
Even a simple “security tip of the week” posted to a company newsletter, notice board, and intranet or added to IT team’s email tag line is a great way of keeping users informed. You can always link to a web site for more details.
Use it to warn of new attacks and problems, like a spam flood. It helps keep everyone aware and may help to drop calls to you or the helpdesk! 
If you also throw in tips for a safer home computing use, that gets a wider audience interested. Warnings on what phishing scams are and how to deal with them, which affect everyone who does online transactions, are an easy example.

Wrap up
Users can be the easiest path in to a network and no amount of system hardening can stop someone who has a legitimate username and password accessing the system. If you give these users a policy on what’s right and wrong, how to report and deal with a possible breaking of these rules, you just gained a whole new layer of defence that has only cost you some time and effort.
Just because you're the security guy, it doesn't mean you should hide in a dark corner and turn up when there's trouble. Get out there, talk to people, let them know you're there to keep them safe and in a job.
Getting the backing of your company and the security front line doesn't seem so unforgiving and lonely any more.

Some excellent resources of how to create a security policy and security standard can be found at SANS http://www.sans.org/resources/policies/?ref=3731 and NIST
http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/

Training courses by SANS, ISC2 and EC-Council, to name a few, can help build security people management skills which are well worth looking into for any future career moves up the food chain.
113  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Journalist writing an article on ethical hacking on: July 06, 2007, 09:24:24 AM
Guy,

Have you looked at going to http://www.theblackandwhiteball.co.uk/ ?
It's almost down the road for you and would give you access to a diverse range of folk to chat with.

It looks like it could be a chuckle at the Ministry of Sound, filled with a somewhat different clientele .. :)
114  Ethical Hacking Discussions and Related Certifications / Other / Re: Working towards a pen'testing career on: July 05, 2007, 08:05:16 AM
I'd stick with the CCNA. I've always thought it's an excellent path into networking. Obviously very vendor focused, but they do have market share on the Internet's hardware...

I'd then look at + type courses and MCP in XP/Vista for a solid general background knowledge.

Studying those courses would give you a real feel of where your strengths and interests lie.

A word of caution on the CCSP track. I've interviewed a few folk new to IT with impressive qualifications and no real experience.

Cisco training isn't cheap and employers would ask you why you did it and why don't you want to continue to be a Cisco Network guy. Unless assessing Cisco networks is what you want to do.
Pix's and ASA's aren't cheap either if you want to build test labs at home.
If you can work part time with Cisco kit, that will go a long way in future interviews.

115  Ethical Hacking Discussions and Related Certifications / General Certification / Re: new member on: July 04, 2007, 08:08:00 AM
A simple, but useful, tip for taking exams, is to plan out your study time.
It helps make sure that you can get ahead of any reading and practicals, rather than cramming at the last minute.

As to where you'd like to work in the future, either check out their web sites or give them a call and see what skills you need to get a role there.
It'll help to understand the experience and background they'd be looking for and give you some targets to work towards.
116  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Should you use more than one anti-virus? on: June 22, 2007, 06:18:28 AM
If we were to put two AV's on a mission critical server, a blood bath would ensue.

AV's don't have the best reputation in increasing server stability. Check Google for examples on all the major vendors cocking up systems due to bad signatures. Not to mention the amount of system resources they suck up.

Most of the compromised servers for worms/malware/viruses I've seen tend to have all AV services stopped or host file entries to invalidate av updates.

AV's are only part of a security solution, and they are, at best a responsive measure due to the av companies making a sig after a virus hits and they get hold of a copy.

Locking down systems, restricting rights and good, solid procedures are more effective than most AV's at the end of the day.

That's just my 2 cents anyway.. :)
117  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Creating a Great Talent in Security and Always be in Demand on: June 14, 2007, 08:07:11 AM
For me Podcasts make keeping track a heck of a lot simpler. I can sit there while travelling to work or pretending to do house work and listen to what's going on in the security world.

Some of my favourites are:
http://www.pauldotcom.com/
http://cyberspeak.libsyn.com/
http://www.securitycatalyst.com/
http://www.mckeay.net/
http://sploitcast.libsyn.com/


There are a whole bunch more, I really enjoy the way the folks cover the content.

As an aside, Microsoft also have a couple of podcasts of some of their presentations which can be useful to understand how security fits in with their products. Some of them don't make very good podcasts though, as they are hands on demos....
118  EH-Net / News Items and General Discussion About EH-Net / Re: [Article]-June 2007 Free Giveaway Sponsor - Black Hat on: June 14, 2007, 03:54:58 AM
Don,

This is a phenomenal prize and a fantastic opportunity for anyone excited about IT security.

Perhaps you could give a few ideas on threads you like to hear about or get comments on, to spark that fire you’re looking for.

If only I lived in the continent and could take up the challenge :(
119  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Conferences - reasonably priced? on: June 11, 2007, 06:42:55 AM
p0et,

You are correct, but the $500 for a week is in the long term an excellent pay off for future employment and some

The only way I know of cheap attendance of events is to be part of the set up crew, crash on the floor of someone who lives in the area of a Con or know the event organisers. The folks in the States and some parts of Europe have all the luck with the Cons. :)

For those of us in the outer reaches, or on a budget ;) have a look at local users groups, eg Windows, Snort, Linux etc. They're free and some great passionate people are there. They may not have the scope of the security cons but they can be just as instructive.
120  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Conferences - reasonably priced? on: June 09, 2007, 03:14:29 AM
On the SANS conferences, you can throw your hat in to be a volunteer.
If you are accepted, you'll spend the week being a gofer for the needs of the SANS staff, but I found it to be great fun, got to meet many people, plus have an exam attempt thrown in.

So far, SANS training has been the most comprehensive I've taken and I highly recommend it.


Have a read of the link below:
http://www.sans.org/training/volunteer.php
© 2013 The Ethical Hacker Network