How to Suck at Information Security
Original document at http://isc.sans.org/diary.html?storyid=5644. The following list presents common information security mistakes and misconceptions, so you can avoid making them.
Security Policy and Compliance
- Ignore regulatory compliance requirements.
- Assume the users will read the security policy because you've asked them to.
- Use security templates without customizing them.
- Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you're ready.
- Create security policies you cannot enforce.
- Enforce policies that are not properly approved.
- Blindly follow compliance requirements without creating overall security architecture.
- Create a security policy just to mark a checkbox.
- Pay someone to write your security policy without any knowledge of your business or processes.
- Translate policies in a multi-language environment without consistent meaning across the languages.
- Make sure none of the employees finds the policies.
- Assume that if the policies worked for you last year, they'll be valid for the next year.
- Assume that being compliant means you're secure.
- Assume that policies don't apply to executives.
- Hide from the auditors.
- Deploy a security product out of the box without tuning it.
- Tune the IDS to be too noisy, or too quiet.
- Buy security products without considering the maintenance and implementation costs.
- Rely on anti-virus and firewall products without having additional controls.
- Run regular vulnerability scans, but don’t follow through on the results.
- Let your anti-virus, IDS, and other security tools run on “auto-pilot.”
- Employ multiple security technologies without understanding how each of them contributes.
- Focus on widgets, while omitting to consider the importance of maintaining accountability.
- Buy expensive product when a simple and cheap fix may address 80% of the problem.
- Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
- Make someone responsible for managing risk, but don't give the person any power to make decisions.
- Ignore the big picture while focusing on quantitative risk analysis.
- Assume you don't have to worry about security, because your company is too small or insignificant.
- Assume you're secure because you haven’t been compromised recently.
- Be paranoid without considering the value of the asset or its exposure factor.
- Classify all data assets as “top secret.”
- Don't review system, application, and security logs.
- Expect end-users to forgo convenience in place of security.
- Lock down the infrastructure so tightly, that getting work done becomes very difficult.
- Say “no” whenever asked to approve a request.
- Impose security requirements without providing the necessary tools and training.
- Focus on preventative mechanisms while ignoring detective controls.
- Have no DMZ for Internet-accessible servers.
- Assume your patch management process is working, without checking on it.
- Delete logs because they get too big to read.
- Expect SSL to address all security problems with your web application.
- Ban the use of external USB drives while not restricting outbound access to the Internet.
- Act superior to your counterparts on the network, system admin, and development teams.
- Stop learning about technologies and attacks.
- Adopt hot new IT or security technologies before they have had a chance to mature.
- Hire somebody just because he or she has a lot of certifications.
- Don't apprise your manager of the security problems your efforts have avoided.
- Don't cross-train the IT and security staff.
- Require your users to change passwords too frequently.
- Expect your users to remember passwords without writing them down.
- Impose overly-onerous password selection requirements.
- Use the same password on systems that differ in risk exposure or data criticality.
- Impose password requirements without considering the ease with which a password could be reset.
- Caida Presentations http://www.caida.org/outreach/presentations/
- CERT Coordination Center
- Center for Internet Security Benchmarking tools
- Cisco's Safe Documentation
- Team Cymru Document List
- Federal Agency Security Practices
- NSA Guides
- OWASP Guide to Building Secure Web Applications
- Oreilly's Onlamp
- Internet Security Alliance Common Sense Guides
- Microsoft Security Guidance Center
- Nanog's Security Curriculum
- RFC 2350 - Expectations for Computer Security Incident Response
- RFC 2196 - Site Security Handbook
- RFC 2827 - Network Ingress Filtering
- RFC 2504 - Users' Security Handbook
- SANS Reading Room
- Sun blueprints
- Sun System Administration Best practice