• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Security Action Plan

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> General Security Discussion

View previous topic :: View next topic  
Author Message
Rottz
Just Arrived
Just Arrived


Joined: 29 Mar 2003
Posts: 3
Location: East Coast, USA

Offline

PostPosted: Mon Jun 23, 2003 11:31 pm    Post subject: Security Action Plan Reply with quote

Security Action Plan
By Gary Bronson (gary.bronson@wgint)
Gary Bronson wrote:
Security is about more than just technology. Sure, you have to use secure products, but building an environment where data is safe means ongoing diligence, both in the use of technical best practices and in confronting social engineering threats through changes in individual and group behavior. With this in mind, I decided to organize a security conference at the Boise, Idaho, headquarters of my company, Washington Group International, a construction and engineering firm. We brought in industry experts, featured speakers, panels and discussion groups. Here are the lessons that emerged:

Ensure that visitors are escorted in and out of the building. It is too easy to walk into a place of business, sit down and get on the network.

Do not give out log-in and password data to anyone. Default accounts should not be used. Passwords for administrators need to be sophisticated and include a variety of alphanumeric characters. Special characters are also recommended.

Follow strict procedures when employees are terminated to prevent them from gaining unauthorized access.

With the introduction of features, there is a risk of introducing security flaws. When we push for an immediate implementation and do not follow appropriate testing, we open ourselves to security risk.

Don't give hackers too much credit. They often use old exploits. Keep current with your security patches.

It's a good idea to keep news of security incidents within your company. Sharing knowledge in a community works for some technical areas, but publicizing such information might expose you as a target.

The bottom line: Plan security from the beginning so you don't have to wonder why you didn't in the first place.
Full Article: http://www.eweek.com/article2/0,3959,1134976,00.asp

Good Advice! Plan for security from the beginning when designing a network, so you don't have to plug holes later.
Back to top
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger
ThePsyko
SF Mod
SF Mod


Joined: 17 Oct 2002
Posts: 16777178
Location: California

Offline

PostPosted: Tue Jun 24, 2003 4:14 am    Post subject: Reply with quote

I can't emphasize enough how important it is to have a plan from the start - I've seen places that had serious rag-tag networks that were patched here and propped up there, and they finally decided to revitalize it and put security up near the top of the priorities.. but by that point, it's fix one thing - it breaks something else, fix that and then something else doesn't work... takes 4 times longer because of all the unexpected and unnecessary troubleshooting / problem solving... and then when you're all done, how secure are you with the integrity of that network? I always get nervous when I think about those - it's too easy to miss soimething...
Back to top
View user's profile Send private message Send e-mail
b4rtm4n
Trusted SF Member
Trusted SF Member


Joined: 26 May 2002
Posts: 16777206
Location: Bi Mon Sci Fi Con

Offline

PostPosted: Tue Jun 24, 2003 9:58 am    Post subject: Reply with quote

Plan, plan, plan, and plan some more.

Theres an old saying "an ounce of prevention is worth a pound of cure".

In it security a few hundred spent on planning can save thousands spent fixing the problems later.
Back to top
View user's profile Send private message Send e-mail
ShaolinTiger
Forum Fanatic
Forum Fanatic


Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Offline

PostPosted: Tue Jun 24, 2003 10:18 am    Post subject: Reply with quote

Indeed the average break in can cost hundreds of thousands in data recovery, reputation etc..

It's very important to plan, have layers and don't be afraid to spend a little on security measures (no need to go crazy like the salesmen want you to), but plan, define what you need and implement it.

Security is an onion, the more layers the better, and they don't all have to cost a fortune..(and as the article mentions, they shouldn't all be technological solutions).
Back to top
View user's profile Send private message Visit poster's website
thllgo
Just Arrived
Just Arrived


Joined: 28 Aug 2003
Posts: 0
Location: Laurel MD

Offline

PostPosted: Thu Oct 09, 2003 5:20 pm    Post subject: Reply with quote

Hello,

I'm not sure I agree with Mr. Bronson's last point

"It's a good idea to keep news of security incidents within your company. Sharing knowledge in a community works for some technical areas, but publicizing such information might expose you as a target. "

Would it not be better to share such information to allow the community in general to see how large the problem truely is. If everyone were to keep this info quiet those in charge of the money may simply ask why should I spend all this money on security, the hard data of companies falling victim doesn't show that bad a picture?

Without hard data it's difficult to measure a threat.
Back to top
View user's profile Send private message
Sgt_B
Trusted SF Member
Trusted SF Member


Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

Offline

PostPosted: Thu Oct 09, 2003 5:29 pm    Post subject: Reply with quote

Quote:
If everyone were to keep this info quiet those in charge of the money may simply ask why should I spend all this money on security, the hard data of companies falling victim doesn't show that bad a picture?

Tell that to the company's stock holders. Smile
Telling the world you've been hacked is not a good idea. First it brings your company to the attention of blackhats as a viable target. One that may have more holes than the one they just found.
Second, and maybe more important, is the company's reputation would suffer. Customers and stock holders may lose faith in the company (especially if its e-commerce) and may sell their stock, or stop using the company's services.

Yeah it may help to provide "hard facts", but I don't think my company's reputation is worth it.
Back to top
View user's profile Send private message Visit poster's website
thllgo
Just Arrived
Just Arrived


Joined: 28 Aug 2003
Posts: 0
Location: Laurel MD

Offline

PostPosted: Thu Oct 09, 2003 5:35 pm    Post subject: Reply with quote

Good point. It could be rather problematic, particularly for a company that provides e-services. Could not a system be established where a company can submit the info anonymously?
Back to top
View user's profile Send private message
Sgt_B
Trusted SF Member
Trusted SF Member


Joined: 28 Oct 2002
Posts: 16777215
Location: Chicago, IL US

Offline

PostPosted: Thu Oct 09, 2003 5:38 pm    Post subject: Reply with quote

Probably...set one up for us!
Smile
Back to top
View user's profile Send private message Visit poster's website
ShaolinTiger
Forum Fanatic
Forum Fanatic


Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Offline

PostPosted: Thu Oct 09, 2003 5:38 pm    Post subject: Reply with quote

thllgo wrote:
Good point. It could be rather problematic, particularly for a company that provides e-services. Could not a system be established where a company can submit the info anonymously?


This is how statistics are currently gathered, anonymous surveys.

The results are published infrequently (amount of attacks, monetary loss etc.)

You can find references to these reports in most Security books.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> General Security Discussion All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register