====== Security ======

===== How to Suck at Information Security =====

Original document at [[http://isc.sans.org/diary.html?storyid=5644]].

The following list presents common information security mistakes and misconceptions, so you can avoid making them.

=== Security Policy and Compliance ===

  * Ignore regulatory compliance requirements.
  * Assume the users will read the security policy because you've asked them to.
  * Use security templates without customizing them.
  * Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you're ready.
  * Create security policies you cannot enforce.
  * Enforce policies that are not properly approved.
  * Blindly follow compliance requirements without creating an overall security architecture.
  * Create a security policy just to mark a checkbox.
  * Pay someone to write your security policy without any knowledge of your business or processes.
  * Translate policies in a multi-language environment without consistent meaning across the languages.
  * Make sure none of the employees finds the policies.
  * Assume that if the policies worked for you last year, they'll be valid for the next year.
  * Assume that being compliant means you're secure.
  * Assume that policies don't apply to executives.
  * Hide from the auditors.

=== Security Tools ===

  * Deploy a security product out of the box without tuning it.
  * Tune the IDS to be too noisy, or too quiet.
  * Buy security products without considering the maintenance and implementation costs.
  * Rely on anti-virus and firewall products without having additional controls.
  * Run regular vulnerability scans, but don't follow through on the results.
  * Let your anti-virus, IDS, and other security tools run on "auto-pilot."
  * Employ multiple security technologies without understanding how each of them contributes.
  * Focus on widgets, while omitting to consider the importance of maintaining accountability.
  * Buy an expensive product when a simple and cheap fix may address 80% of the problem.

=== Risk Management ===

  * Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
  * Make someone responsible for managing risk, but don't give the person any power to make decisions.
  * Ignore the big picture while focusing on quantitative risk analysis.
  * Assume you don't have to worry about security, because your company is too small or insignificant.
  * Assume you're secure because you haven't been compromised recently.
  * Be paranoid without considering the value of the asset or its exposure factor.
  * Classify all data assets as "top secret."

=== Security Practices ===

  * Don't review system, application, and security logs.
  * Expect end-users to forgo convenience in place of security.
  * Lock down the infrastructure so tightly that getting work done becomes very difficult.
  * Say "no" whenever asked to approve a request.
  * Impose security requirements without providing the necessary tools and training.
  * Focus on preventative mechanisms while ignoring detective controls.
  * Have no DMZ for Internet-accessible servers.
  * Assume your patch management process is working, without checking on it.
  * Delete logs because they get too big to read.
  * Expect SSL to address all security problems with your web application.
  * Ban the use of external USB drives while not restricting outbound access to the Internet.
  * Act superior to your counterparts on the network, system admin, and development teams.
  * Stop learning about technologies and attacks.
  * Adopt hot new IT or security technologies before they have had a chance to mature.
  * Hire somebody just because he or she has a lot of certifications.
  * Don't apprise your manager of the security problems your efforts have avoided.
  * Don't cross-train the IT and security staff.

=== Password Management ===

  * Require your users to change passwords too frequently.
  * Expect your users to remember passwords without writing them down.
  * Impose overly onerous password selection requirements.
  * Use the same password on systems that differ in risk exposure or data criticality.
  * Impose password requirements without considering the ease with which a password could be reset.

===== Links =====

  * [[http://www.securityfocus.com/infocus/1864|Five common Web application vulnerabilities]]
  * [[http://www.freeotfe.org/|A free "on-the-fly" transparent disk encryption program for MS Windows 2000/Windows XP]]
  * [[http://www.rootkit.nl/projects/rootkit_hunter.html|Rootkit Hunter]]
  * [[http://www.hardened-php.net/|Hardened-PHP Project Homepage]]
  * [[http://yolinux.com/TUTORIALS/LinuxTutorialInternetSecurity.html|Linux security tips]]
  * [[http://www.ossec.net/|OSSEC HIDS - Open Source HIDS]]
  * [[http://www.first.org/resources/guides/|FIRST Best Practice Guide Library (BPGL)]]
  * [[http://www.bastille-unix.org/|Bastille Linux]]
  * {{facebook_privacy_and_security_guide.pdf|Facebook Privacy & Security Guide}}
  * [[http://www.fbpurity.com/|Facebook Purity - greasemonkey script]]
  * [[https://www.howsmyssl.com/|Check your browser for SSL/TLS]]

----

  * CAIDA Presentations
    * http://www.caida.org/outreach/presentations/
  * CERT Coordination Center
    * http://www.cert.org/nav/index_green.html
    * http://www.cert.org/octave/
    * http://www.cert.org/csirts/
  * Center for Internet Security Benchmarking tools
    * http://www.cisecurity.org/
  * Cisco's SAFE Documentation
    * http://www.cisco.com/en/US/netsol/.../networking_solutions_package.html
  * Team Cymru Document List
    * http://www.cymru.com/Documents/index.html
  * Federal Agency Security Practices
    * http://csrc.nist.gov/fasp/
  * FIRST
    * http://www.first.org/resources/guides
  * NSA Guides
    * http://www.nsa.gov/snac/
  * OWASP Guide to Building Secure Web Applications
    * http://www.owasp.org/documentation/guide/guide_downloads.html
  * O'Reilly's ONLamp
    * http://www.onlamp.com/security/
  * Internet Security Alliance Common Sense Guides
    * http://www.isalliance.org
  * Microsoft Security Guidance Center
    * http://www.microsoft.com/security/guidance
    * http://www.microsoft.com/security/guidance/worldwide
    * http://www.microsoft.com/technet/security/guidance/default.mspx
  * NANOG's Security Curriculum
    * http://www.nanog.org/ispsecurity.html
  * RFC 2350 - Expectations for Computer Security Incident Response
    * http://www.faqs.org/rfcs/rfc2350.html
  * RFC 2196 - Site Security Handbook
    * http://www.faqs.org/rfcs/rfc2196.html
  * RFC 2827 - Network Ingress Filtering
    * http://www.faqs.org/rfcs/rfc2827.html
  * RFC 2504 - Users' Security Handbook
    * http://www.faqs.org/rfcs/rfc2504.html
  * SANS Reading Room
    * http://www.sans.org/rr/
  * Sun BluePrints
    * http://www.sun.com/blueprints/browsesubject.html
  * Sun System Administration Best Practices
    * http://www.sun.com/bigadmin/features/articles/bestpractices.html