Donald Pipkin's Security Tips for the Week of December 23rd
Security Tip for Friday, December 27th, 2002Security Just Has to be Good Enough
Security is a "good enough" proposition, based on the financial value of the assets being protected and the risk that a financial loss will occur. Keeping this in mind can help keep you from overbuilding your security solution. An appropriate security solution requires that you have a thorough understanding of the value the information and the processing has on the business, and the impact its loss can cause. Understanding the business is equally as important as understanding the technology in the creation of a security architecture.
Security Tip for Thursday, December 26th, 2002Evaluate Insurance for Loss Avoidance
Cyber crime insurance is starting to become available from a number of insurance companies. These policies offer financial protection from specific losses. Currently, most of them are focused on electronic commerce sites and losses from external denial of service attacks. Where these policies address a segment of your business, they should be carefully examined and evaluated to determine if the coverage and the associated risk reduction that they provide are economical, based on the premiums. Insurance should not be forgotten as a very viable part of your complete security solution.
Security Tip for Wednesday, December 25th, 2002Monitor for Unknown Systems Connected to the Network
The appearance of unknown systems connected to the network can indicate that an unauthorized person has attached a system to the network for malicious reasons, or it can be that someone has upgraded a system or replaced a network card. With employee turnover and the common use of contractors, intruders can gain unchallenged access to company offices where they can attach systems to gather information or from which to launch attacks. A strong asset management system and policies that require registration of systems attached to the company network can help manage the corporate resources and reduce physical system intrusions.
Security Tip for Tuesday, December 24th, 2002Perform a Security Drill
Schedule the next disaster recovery drill to be based on an electronic attack instead of a natural disaster. Test your response procedures when your network is flooded and critical systems have been breached causing you to be uncertain of the integrity of your online information. Can you fall back to offline procedures for critical processes while systems are restored? Can you disinfect all the PCs in the corporation while the network is flooded? Are there out-of-band procedures? Today, these soft disasters have to be evaluated, planned for and tested.
Security Tip for Monday, December 23rd, 2002Implement Base-line Security Everywhere
A minimum base-line security standard should be established and enforced on all systems. It should define the minimum file permissions and the restrictions applied to privileged users in accordance with defined policies. Bastille can be used on Unix systems to create and implement this base-line standard. It can be run in a non-interactive mode to set a pre-defined set of security policies on a system. Systems should be reviewed to ensure that they remain in compliance with the security base line.