cancer_66

asked on

Security Guidelines

Being a fresh graduate in Computer Engineering, I have recently joined the security section in a company.

I have been assigned several projects and have to advise on the security issues. Frankly speaking, since I am new I find it difficult to comment on certain security issues.

Any guidelines / steps which are common to each project?

i.e. you should use a 3-tier layer, encryption ...etc

I feel lost.
Joel_Sisko

In regards to security I have found a multi-phase approach to work well:

Secure the Perimeter
Secure the Interior
Resolution once threat is detected

Many people look at securing only against people entering their systems from the outside; funny enough, the monies lost due to internal security problems outweigh the other by hundreds of millions per year for businesses.

Also, security goes beyond the 7 layers of the OSI. I have many datacenters that do not provide authentication into the physical premises. Walk in, grab the hard drive, walk out with customer data.

Also you need to worry about the corporate culture that the security measures will impact.

Good Luck.
Rich Rumble
Best practices are always your cornerstone, and perhaps equally if not more important are security policies. Check out the SANS Institute's policy page: http://www.sans.org/resources/policies/

Best practices are typically:
1) Never run as Admin or Root unless necessary. (goes double for winblows)
2) Only allow the minimum amount of access, be it ports, file rights, or physical access.
3) Change passwords often, and store other vital information off site if possible.
4) Keep up to date with patches and hotfixes for your software and hardware.
5) Audit yourself, starting with your logs, your firewall ACLs and your source code.

Those typically apply to most organizations/groups. Each environment is different, I can't tell you that a 3-tier model is the best, or that you should employ a DMZ or proxies... it's really up to the security team to work that out between themselves. To accomplish the best practices above, you may very well have to implement a DMZ to fulfill one or more of the goals, or use proxies etc...

Encryption is definitely a must for any security outfit; the type of encryption you use is also a decision to be left to you, as there are many variables at play. Do you require file/folder/disk encryption? A secure tunnel to administer a PC/server? I recommend SSH where you can, or SSL if it's more web oriented, and PGP for email, disk, file and folder encryption.

Security isn't a program, it's a process; security isn't a destination, it's a journey.
K.I.S.S. Keep It Simple Stupid. The simpler a solution, more times than not, the better.
-rich
cancer_66 (ASKER)

Thank you all for your help and contribution.

Can you please explain in more depth what you mean by:-

2) Only allow the minimum amount of access, be it ports, file rights, or physical access.
3) Change passwords often, and store other vital information off site if possible.

Minimum access: no need for everybody to see everything. They come to work, not to play. Segment the network, i.e. have finance/accounting on their own subnet. I have also in the past encrypted complete databases, so even if someone does get through, they will have a hell of a time figuring out what they have. Force password changes every x days, say every 60 days.

I have found in the past that IT security professionals are usually not well liked by the seat-of-the-pants managers (always a good indicator you are doing your job right).
ASKER CERTIFIED SOLUTION
Rich Rumble