- Supporting Security for Unix Systems
3. Dedicate Resources to Security
Security, unfortunately, isn't free. It requires people and time, training, and resources. All of those can be spelled M-O-N-E-Y. Most systems administrators work full schedules already: What gets dropped to make time for security? Adequate security requires time to examine logs, time to patch and update systems, time to keep up with goings-on in the field of computer security, and time to investigate detected incidents.
Anthony Santoni, administrator at Orisis.net, a Linux-based Maryland Web hosting company, says that his company has an administrator dedicated to security. He says, "Although all our admins are very security conscious, to ask the system administrator to double as the security administrator is to invite burn-out. What employers who do this need to ask themselves is 'What gets sacrificed?'" Santoni estimates that about thirty percent of their administration time is spent on security-related tasks; if your organization is just beginning to implement security, what are the consequences of giving thirty percent more work to your employees?
Training is also critical. Security is not a reflex: Crackers are tricky, and security is often counterintuitive. Understanding the details is crucial for systems security. Threats change and admins need to keep up. This ain't cheap. Furthermore, security is inconvenient. If your employees don't know why their passwords need to be protected, they need to be trained.
Equipment may also be necessary for security. This includes firewalls, network monitoring software, a secure machine for reading logs, backup drives and media, advanced authentication technologies like biometric authentication and one-time password systems, and uninterruptible power supplies. Uninterruptible power supplies? If you've got an e-brokerage at your site, you'd better believe it. Santoni says, "I normally feel that firewalls are the most useful piece of security hardware because they serve as a front-line defense and access control center for your internal network, but I also know first-hand the value of a good UPS."