  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 273
Security Guidelines

Being a fresh graduate in Computer Engineering, I have recently joined the security section in a company.

I have been assigned several projects and have to advise on the security issues. Frankly speaking, since I am new I find it difficult to comment on certain security issues.

Any guidelines / steps which are common to each project?

i.e. should use a 3-tier layer, encryption ...etc.

I feel lost.
1 Solution
In regards to security I have found a multi-phase approach to work well:

Secure the Perimeter
Secure the Interior
Resolution once threat is detected

Many people look at securing only against people entering their systems from the outside; funny enough, the monies lost due to internal security problems outweigh the other by hundreds of millions per year for businesses.

Also, security goes beyond the 7 layers of the OSI. I have many datacenters that do not provide authentication into the physical premises. Walk in, grab the hard drive, walk out with customer data.

Also you need to worry about the corporate culture that the security measures will impact.

Good Luck.
Rich Rumble (Security Samurai) commented:
Best practices are always your cornerstone, and perhaps equally if not more important are security policies. Check out the SANS Institute's policy page: http://www.sans.org/resources/policies/

Best practices are typically:
1) Never run as Admin or Root unless necessary. (goes double for winblows)
2) Only allow the minimum amount of access, be it ports, file rights, or physical access.
3) Change passwords often, and store other vital information off site if possible.
4) Keep up to date with patches and hotfixes for your software and hardware.
5) Audit yourself, starting with your logs, your firewall ACLs and your source code.

Those typically apply to most organizations/groups. Each environment is different, I can't tell you that a 3-tier model is the best, or that you should employ a DMZ or proxies... it's really up to the security team to work that out between themselves. To accomplish the best practices above, you may very well have to implement a DMZ to fulfill one or more of the goals, or use proxies etc...

Encryption is definitely a must for any security outfit; the type of encryption you use is also a decision to be left to you, as there are many variables at play. Do you require file/folder/disk encryption? A secure tunnel to administer a PC/server? I recommend SSH where you can, or SSL if it's more web oriented, and PGP for email, disk, file and folder encryption.

Security isn't a program, it's a process; security isn't a destination, it's a journey.
K.I.S.S. Keep It Simple Stupid. The simpler a solution, more times than not, the better.
cancer_66 (Author) commented:
Thank you all for your help and contribution.

Can you please explain in more depth what you mean by:

2) Only allow the minimum amount of access, be it port's, file rights, or physical acess.
3) Change passwords often, and store other vital information off site if possible.

Minimum access: no need for everybody to see everything. They come to work, not play. Segment the network, i.e. have finance/accounting on their own subnet. I have also in the past encrypted complete databases, so even if someone does get through, they will have a hell of a time figuring out what they have. Force password changes every x days, say every 60 days.

I have found in the past IT security professionals are usually not well liked by the seat of the pants managers (always a good indicator you are doing your job right).
Rich Rumble (Security Samurai) commented:
What I was meaning was this:
Minimum amount of access means not letting anyone run as the admin/root user of their own machine; also, if most users do not need access to certain shares, do not allow them any access whatsoever, be it read/list contents etc... Not necessarily segmenting them into a different subnet, although that could be one answer to the access issue, but not always. Set your firewalls to allow only what is needed; you don't want to leave ports 135-139 and 445 open to the rest of the world, you're just asking for it then. If you don't want a certain subnet to access those ports either, you don't really need a DMZ or different subnet; you could use firewall rules, such as those in the M$ IPSEC firewall, or the Linux IPTABLES firewall. If you don't want users to be able to physically access a server/PC, place it in a locked room or a separate building like a colocation facility.

Changing passwords often is up to your discretion, but my recommendation is to have everyone change their passwords every 90 days (that's the maximum). This goes for the admin/root users also. Store things like back-up tapes, written-down passwords and financial data hard copies off-site, probably with a company that has a large fire-safe for your data. A company like IronMountain comes to mind, http://www.ironmountain.com/Index.asp; they are all over the country.

What it boils down to is this: if there is vital or sensitive info that users should not be able to accidentally, or purposely, get access to, it should be protected as best you can. To do that typically means using an ACL (access list) to block persons that should not have access. Whether the ACL is on a file or folder or on a firewall, even a locked door is a generic ACL that a user has no rights to.

I hope that helps :)
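The two points above come together in the "audit your logs and firewall ACLs" advice: if ports 135-139 and 445 are supposed to be closed to the outside, the firewall log should show whether anyone outside is still knocking on them. The following is an added example, not code from the thread, that parses constructed netfilter LOG-format lines and counts per external source the attempts on those ports; the internal range 10.0.0.0/8 and the log prefix are assumptions for the sake of the sample.

```python
import ipaddress
import re
from collections import Counter

# Ports the thread says must never be reachable from the outside
# (MS-RPC, NetBIOS name/datagram/session, and SMB).
WINDOWS_FILE_SHARING_PORTS = {135, 136, 137, 138, 139, 445}

# Assumption: the internal network is 10.0.0.0/8; change for your site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Fields written by the netfilter LOG target (iptables -j LOG).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return (src, dst, proto, dport) from one LOG line, or None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))

def external_file_sharing_attempts(lines):
    """Count, per external source address, attempts on ports 135-139/445."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip lines that are not firewall LOG output
        src, _dst, _proto, dport = parsed
        if dport in WINDOWS_FILE_SHARING_PORTS and not is_internal(src):
            hits[src] += 1
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar  3 10:01:12 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 LEN=52 PROTO=TCP SPT=51324 DPT=445 SYN
Mar  3 10:01:13 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 LEN=52 PROTO=TCP SPT=51325 DPT=139 SYN
Mar  3 10:01:20 gw kernel: FW-IN: IN=eth1 OUT= SRC=10.0.1.22 DST=10.0.0.5 LEN=52 PROTO=TCP SPT=40211 DPT=445 SYN
Mar  3 10:02:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.8 LEN=52 PROTO=TCP SPT=33001 DPT=443 SYN
Mar  3 10:02:30 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 PROTO=UDP SPT=137 DPT=137
""".splitlines()

if __name__ == "__main__":
    for src, n in external_file_sharing_attempts(SAMPLE_LOG).most_common():
        print(f"{src}: {n} attempt(s) on file-sharing ports from outside")
```

The internal host on 10.0.1.22 and the HTTPS attempt on port 443 are deliberately ignored, so a non-empty result means an ACL is either missing or not where the LOG rule sits.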
