Security Guidelines

Posted on 2004-11-26
Last Modified: 2010-04-11
Being a fresh graduate in Computer Engineering, I have recently joined the security section in a company.

I have been assigned several projects and have to advise on the security issues. Frankly speaking, since I am new I find it difficult to comment on certain security issues.

Any guidelines / steps which are common to each project?

i.e. should use a 3-tier layer, encryption ... etc.

I feel lost.
Question by:cancer_66
    LVL 12

    Expert Comment

    In regards to security I have found a multi-phase approach to work well:

    Secure the Perimeter
    Secure the Interior
    Resolution once threat is detected

    Many people look at securing only against people entering their systems from the outside. Funny enough, the monies lost due to internal security problems outweigh the other by hundreds of millions per year for businesses.

    Also, security goes beyond the 7 layers of the OSI. I have many datacenters that do not provide authentication into the physical premises. Walk in, grab the hard drive, walk out with customer data.

    Also you need to worry about the corporate culture that the security measures will impact.

    Good Luck.

    LVL 38

    Expert Comment

    by:Rich Rumble
    Best practices are always your cornerstone, and perhaps equally if not more important are security policies. Check out the SANS institute's policy page:

    Best practices are typically:
    1) Never run as Admin or Root unless necessary. (Goes double for winblows.)
    2) Only allow the minimum amount of access, be it ports, file rights, or physical access.
    3) Change passwords often, and store other vital information off site if possible.
    4) Keep up to date with patches and hotfixes for your software and hardware.
    5) Audit yourself, starting with your logs, your firewall ACLs and your source code.

    Those typically apply to most organizations/groups. Each environment is different, I can't tell you that a 3-tier model is the best, or that you should employ a DMZ or proxies... it's really up to the security team to work that out between themselves. To accomplish the best practices above, you may very well have to implement a DMZ to fulfill one or more of the goals, or use proxies etc...

    Encryption is definitely a must for any security outfit; the type of encryption you use is also a decision to be left to you, as there are many variables at play. Do you require file/folder/disk encryption? A secure tunnel to administer a PC/server? I recommend SSH where you can, or SSL if it's more web oriented, and PGP for email, disk, file and folder encryption.

    Security isn't a program, it's a process; security isn't a destination, it's a journey.
    K.I.S.S. Keep It Simple, Stupid. The simpler a solution, more times than not, the better.

    Author Comment

    Thank you all for your help and contribution.

    Can you please explain this in more depth; what do you mean by:

    2) Only allow the minimum amount of access, be it ports, file rights, or physical access.
    3) Change passwords often, and store other vital information off site if possible.

    LVL 12

    Expert Comment

    Minimum access: no need for everybody to see everything. They come to work, not play. Segment the network, i.e. have finance/accounting on their own subnet. I have also, in the past, encrypted complete databases, so even if someone does get through, they will have a hell of a time figuring out what they have. Force password changes every x days, say every 60 days.

    I have found in the past that IT security professionals are usually not well liked by the seat-of-the-pants managers (always a good indicator you are doing your job right).
    LVL 38

    Accepted Solution

    What I was meaning was this:
    Minimum amount of access means not letting anyone run as the admin/root user of their own machine; also, if most users do not need access to certain shares, do not allow them any access whatsoever, be it read/list contents etc... Not necessarily segmenting them into a different subnet, although that could be one answer to the access issue, but not always. Set your firewalls to allow only what is needed; you don't want to leave ports 135-139 and 445 open to the rest of the world, you're just asking for it then. If you don't want a certain subnet to access those ports either, you don't really need a DMZ or different subnet; you could use firewall rules, such as those in the M$ IPSEC firewall, or the Linux IPTABLES firewall. If you don't want users to be able to physically access a server/PC, place it in a locked room or a separate building like a colocation facility.

    Change passwords often is up to your discretion, but my recommendation is to have everyone change their passwords every 90 days (that's the maximum). This goes for the admin/root users also. Store things like back-up tapes, written-down passwords and financial data hard copies off-site, probably with a company that has a large fire-safe for your data. A company like IronMountain comes to mind; they are all over the country.

    What it boils down to is this: if there is vital or sensitive info that users should not be able to accidentally, or purposely, get access to, it should be protected as best you can. To do that typically means using ACLs (access lists) to block persons that should not have access, whether the ACL is on a file or folder, or on a firewall; even a locked door is a generic ACL that a user has no rights to.

    I hope that helps :)
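    As an added example (not posted by anyone in this thread), the script below turns the accepted answer's firewall advice into an iptables INPUT rule set: default deny, the RPC/NetBIOS/SMB ports 135-139 and 445 logged and dropped so probes show up in the logs you audit, SSH only from an assumed management subnet, and one assumed public service. It prints the rules instead of applying them, so it runs unprivileged and lets you check what a port is exposed to before the rules go live.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables INPUT rule set that
# follows "allow only what is needed", then check what it exposes. Subnet and
# port values are assumed; rules are printed, not applied, so no root is needed.

ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"   # assumed management subnet
PUBLIC_TCP="${PUBLIC_TCP:-443}"         # assumed: the only service open to everyone
ADMIN_TCP="${ADMIN_TCP:-22}"            # assumed: SSH, reachable from ADMIN_NET only
SMB_PORTS="135 136 137 138 139 445"      # RPC/NetBIOS/SMB ports named in the thread

# Emit one iptables command per line (pipe into `sh` as root to apply).
gen_rules() {
    echo "iptables -P INPUT DROP"        # default deny: unlisted ports are refused
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Log, then drop, SMB/NetBIOS explicitly so probes appear in the audited logs.
    for p in $SMB_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j LOG --log-prefix \"SMB-PROBE \""
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
        echo "iptables -A INPUT -p udp --dport $p -j DROP"
    done
    for p in $ADMIN_TCP; do
        echo "iptables -A INPUT -p tcp -s $ADMIN_NET --dport $p -j ACCEPT"
    done
    for p in $PUBLIC_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
}

# exposure PORT SRC: verdict for a new TCP connection to PORT from SRC ("any"
# for an arbitrary address). As in iptables, the first terminating rule that
# matches wins; with no match the chain policy (DROP) applies.
exposure() {
    port=$1; src=$2
    verdict=$(gen_rules | while read -r line; do
        case "$line" in *"--dport $port "*) ;; *) continue ;; esac   # other port
        case "$line" in *"-p udp"*|*"-j LOG"*) continue ;; esac       # UDP / non-terminating
        case "$line" in *"-s "*)                                       # source-restricted
            case "$line" in *"-s $src "*) ;; *) continue ;; esac ;;
        esac
        echo "${line##*-j }"; break
    done)
    echo "${verdict:-DROP}"
}

for p in 443 22 445 8080; do echo "tcp/$p from anywhere: $(exposure "$p" any)"; done
echo "tcp/22 from $ADMIN_NET: $(exposure 22 "$ADMIN_NET")"
```

    Run it once to review the printed rules, then `sh script.sh | grep ^iptables | sudo sh` applies them; `exposure` is the quick self-audit of what each port is open to.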
