Security Guidelines

being a fresh graduate in Computer Engineer. I have recently joined the the security section in a company.

I have been asigned several projects and have to advise on the security issues. Frankly speaking since am new i find it difficult to comment on certain security issues.

Any guidelines / step which are common to each project ?

i.e use should use 3 tier layer, encrption ...etc

I feel lost .
cancer_66Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Joel_SiskoCommented:
In regards to security I have found a multi-phase approach to work well:

Secure the Perimeter
Secure the Interior
Resolution once threat is detected

Many people look at securing only from people entering their systems from the outside, funny enough that the monies lost due to internal security problems outweigh the other by Hundreds of millions per year for businesses.

Also security goes beyond the 7 layers of the OSI, I have many datacenters that do not provide authentification into the physical premise. Walk in, grab the hardrive, walk out with customer data.

Also you need to worry about the corporate culture that the securit y mesures will impact.

Good Luck.
0
Rich RumbleSecurity SamuraiCommented:
Best practices are always your corner stone, and perhaps equally if not more important is security policies. Check out the SANS institute's policy page: http://www.sans.org/resources/policies/

Best practices are typically:
1) Never run as Admin or Root unless necessary. (goes double for winblows)
2) Only allow the minimum amount of access, be it port's, file rights, or physical acess.
3) Change passwords often, and store other vital information off site if possible.
4) Keep up2date with patches and hotfixes for your software and hardware.
5) Audit yourself, starting with your log's, your firewall acl's and your source code.

Those typically apply to most organizations/groups. Each environment is different, I can't tell you that a 3-tier model is the best, or that you should employ a DMZ or proxies... it's really up to the security team to work that out between themselves. To accomplish the best practices above, you may very well have to implement a DMZ to fulfill one or more of the goals, or use proxies etc...

Encryption is definatly a must for any security outfit, the type of encryption you use is also a decision to be left to you as there are many variables at play. Do you require file/folder/disk encryption? A secure tunnel to administer a pc/server? I recommend SSH where you can, or SSL if it's more web oriented, and pgp for email, disk, file and folder encryption.

Security isn't at program, it's a process, security isn't a destination it's a journey.
K.I.S.S. Keep It Simple Stupid. The simpler a solution more times than not, the better.
-rich
0
Hey MSSPs! What's your total cost of ownership?

WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!

cancer_66Author Commented:
Thanks you all for your help and contribution.

can you please explain this in more depth what do u mean by|:-

2) Only allow the minimum amount of access, be it port's, file rights, or physical acess.
3) Change passwords often, and store other vital information off site if possible.

0
Joel_SiskoCommented:
Minimum Access, no need for everybody to see everything. They come to work not play. Segment the network, i.e. have finanace/accounting on their own subnet. Also have in the past encrypted complete databases, so even if someone does get thru, they will have a hell of a time figuring out what they have. Force password changes every x days, say every 60 days.

I have found in the past IT security professionals are usually not well liked by the seat of the pants managers (always a good indicator you are doing your job right).
0
Rich RumbleSecurity SamuraiCommented:
What I was meaning was this:
Minimum amount of access, means not letting anyone run as admin/root user of their own machine, also if most users do not need  access to certain shares, do not allow them any access whatsoever, be it read/list contents etc... Not necessarially segmenting them in a different subnet, although that could be one answer to the access issue- but not always. Set your Firewall's to allow only what i needed, you don't want to leave port's 135-139 and 445 open to the rest of the world, your just asking for it then. If you don't want a certain subnet to access those port's also, you don't really need a DMZ or different subnet, you could use firewall rules, such as those in M$ IPSEC Firewall, or linux IPTABLES firewall. If you don't want users to be able to physically access a server/pc, place it in a locked room, seperate building like a colocation facility.

Change passwords often is up to your discression, but my recommendation is have everyone change their pass's every 90 days (that's maximum). This goes for the admin/root users also. Store things like back-up tapes, written down passwords, financial data hard copies, off-site probably with a company that has a large fire-safe for your data. A company like IronMountain comes to mind http://www.ironmountain.com/Index.asp they are all over the country.

What is boils down to is this- If there is vital or sensitive info that user's should not be able to accidently, or purposely get access to, it should be protected as best you can. To do that, typically means using ACL (access list) to block persons that should not have access. If the ACL is on a file or folder, or on a firewall, even a locked door is a generic ACL that a user has no rights to.

I hope that helps :)
-rich
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.