Security Action Plan

Networking/Security Forums -> General Security Discussion

Author: RottzLocation: East Coast, USA PostPosted: Mon Jun 23, 2003 11:31 pm    Post subject: Security Action Plan
    ----
Security Action Plan
By Gary Bronson (gary.bronson@wgint)
Gary Bronson wrote:
Security is about more than just technology. Sure, you have to use secure products, but building an environment where data is safe means ongoing diligence, both in the use of technical best practices and in confronting social engineering threats through changes in individual and group behavior. With this in mind, I decided to organize a security conference at the Boise, Idaho, headquarters of my company, Washington Group International, a construction and engineering firm. We brought in industry experts, featured speakers, panels and discussion groups. Here are the lessons that emerged:

Ensure that visitors are escorted in and out of the building. It is too easy to walk into a place of business, sit down and get on the network.

Do not give out log-in and password data to anyone. Default accounts should not be used. Passwords for administrators need to be sophisticated and include a variety of alphanumeric characters. Special characters are also recommended.

Follow strict procedures when employees are terminated to prevent them from gaining unauthorized access.

With the introduction of features, there is a risk of introducing security flaws. When we push for an immediate implementation and do not follow appropriate testing, we open ourselves to security risk.

Don't give hackers too much credit. They often use old exploits. Keep current with your security patches.

It's a good idea to keep news of security incidents within your company. Sharing knowledge in a community works for some technical areas, but publicizing such information might expose you as a target.

The bottom line: Plan security from the beginning so you don't have to wonder why you didn't in the first place.
Full Article: http://www.eweek.com/article2/0,3959,1134976,00.asp

Good Advice! Plan for security from the beginning when designing a network, so you don't have to plug holes later.

Author: ThePsykoLocation: California PostPosted: Tue Jun 24, 2003 4:14 am    Post subject:
    ----
I can't emphasize enough how important it is to have a plan from the start - I've seen places that had serious rag-tag networks that were patched here and propped up there, and they finally decided to revitalize it and put security up near the top of the priorities.. but by that point, it's fix one thing - it breaks something else, fix that and then something else doesn't work... takes 4 times longer because of all the unexpected and unnecessary troubleshooting / problem solving... and then when you're all done, how secure are you with the integrity of that network? I always get nervous when I think about those - it's too easy to miss soimething...

Author: b4rtm4nLocation: Bi Mon Sci Fi Con PostPosted: Tue Jun 24, 2003 9:58 am    Post subject:
    ----
Plan, plan, plan, and plan some more.

Theres an old saying "an ounce of prevention is worth a pound of cure".

In it security a few hundred spent on planning can save thousands spent fixing the problems later.

Author: ShaolinTigerLocation: Kuala Lumpur, Malaysia PostPosted: Tue Jun 24, 2003 10:18 am    Post subject:
    ----
Indeed the average break in can cost hundreds of thousands in data recovery, reputation etc..

It's very important to plan, have layers and don't be afraid to spend a little on security measures (no need to go crazy like the salesmen want you to), but plan, define what you need and implement it.

Security is an onion, the more layers the better, and they don't all have to cost a fortune..(and as the article mentions, they shouldn't all be technological solutions).

Author: thllgoLocation: Laurel MD PostPosted: Thu Oct 09, 2003 5:20 pm    Post subject:
    ----
Hello,

I'm not sure I agree with Mr. Bronson's last point

"It's a good idea to keep news of security incidents within your company. Sharing knowledge in a community works for some technical areas, but publicizing such information might expose you as a target. "

Would it not be better to share such information to allow the community in general to see how large the problem truely is. If everyone were to keep this info quiet those in charge of the money may simply ask why should I spend all this money on security, the hard data of companies falling victim doesn't show that bad a picture?

Without hard data it's difficult to measure a threat.

Author: Sgt_BLocation: Chicago, IL US PostPosted: Thu Oct 09, 2003 5:29 pm    Post subject:
    ----
Quote:
If everyone were to keep this info quiet those in charge of the money may simply ask why should I spend all this money on security, the hard data of companies falling victim doesn't show that bad a picture?

Tell that to the company's stock holders. Smile
Telling the world you've been hacked is not a good idea. First it brings your company to the attention of blackhats as a viable target. One that may have more holes than the one they just found.
Second, and maybe more important, is the company's reputation would suffer. Customers and stock holders may lose faith in the company (especially if its e-commerce) and may sell their stock, or stop using the company's services.

Yeah it may help to provide "hard facts", but I don't think my company's reputation is worth it.

Author: thllgoLocation: Laurel MD PostPosted: Thu Oct 09, 2003 5:35 pm    Post subject:
    ----
Good point. It could be rather problematic, particularly for a company that provides e-services. Could not a system be established where a company can submit the info anonymously?

Author: Sgt_BLocation: Chicago, IL US PostPosted: Thu Oct 09, 2003 5:38 pm    Post subject:
    ----
Probably...set one up for us!
Smile

Author: ShaolinTigerLocation: Kuala Lumpur, Malaysia PostPosted: Thu Oct 09, 2003 5:38 pm    Post subject:
    ----
thllgo wrote:
Good point. It could be rather problematic, particularly for a company that provides e-services. Could not a system be established where a company can submit the info anonymously?


This is how statistics are currently gathered, anonymous surveys.

The results are published infrequently (amount of attacks, monetary loss etc.)

You can find references to these reports in most Security books.



Networking/Security Forums -> General Security Discussion


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group