security [2007/10/12 09:23]
a
security [2014/01/10 12:13] (current)
zagi [Links]
Line 1: Line 1:
 ====== Security ====== ====== Security ======
  
-**New articles in this section:** +===== How to Suck at Information Security ===== 
-^ article ^ description ^ +Original document at [[http://isc.sans.org/diary.html?storyid=5644]]. The following list presents common information security mistakes and misconceptions, so you can avoid making them.
-[[linux:grsec|Linux GrSecurity]] | Patching kernel with Grsec kernel security patch | +
-| [[linux:iptables|Linux firewalling]] | the title should be a good description |+
  
 +=== Security Policy and Compliance ===
  
-for more see [[:security:sidebar]] on your left or [[security:comment|leave comment]]+    * Ignore regulatory compliance requirements. 
 +    * Assume the users will read the security policy because you've asked them to. 
 +    * Use security templates without customizing them. 
 +    * Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you're ready. 
 +    * Create security policies you cannot enforce. 
 +    * Enforce policies that are not properly approved. 
 +    * Blindly follow compliance requirements without creating overall security architecture. 
 +    * Create a security policy just to mark a checkbox. 
 +    * Pay someone to write your security policy without any knowledge of your business or processes. 
 +    * Translate policies in a multi-language environment without consistent meaning across the languages. 
 +    * Make sure none of the employees finds the policies. 
 +    * Assume that if the policies worked for you last year, they'll be valid for the next year. 
 +    * Assume that being compliant means you're secure. 
 +    * Assume that policies don't apply to executives. 
 +    * Hide from the auditors. 
 + 
 +=== Security Tools === 
 + 
 + 
 +    * Deploy a security product out of the box without tuning it. 
 +    * Tune the IDS to be too noisy, or too quiet. 
 +    * Buy security products without considering the maintenance and implementation costs. 
 +    * Rely on anti-virus and firewall products without having additional controls. 
 +    * Run regular vulnerability scans, but don’t follow through on the results. 
 +    * Let your anti-virus, IDS, and other security tools run on "auto-pilot." 
 +    * Employ multiple security technologies without understanding how each of them contributes. 
 +    * Focus on widgets, while omitting to consider the importance of maintaining accountability. 
 +    * Buy expensive product when a simple and cheap fix may address 80% of the problem. 
 + 
 +=== Risk Management === 
 + 
 + 
 +    * Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles. 
 +    * Make someone responsible for managing risk, but don't give the person any power to make decisions. 
 +    * Ignore the big picture while focusing on quantitative risk analysis. 
 +    * Assume you don't have to worry about security, because your company is too small or insignificant. 
 +    * Assume you're secure because you haven’t been compromised recently. 
 +    * Be paranoid without considering the value of the asset or its exposure factor. 
 +    * Classify all data assets as "top secret." 
 + 
 +=== Security Practices === 
 + 
 + 
 +    * Don't review system, application, and security logs. 
 +    * Expect end-users to forgo convenience in place of security. 
 +    * Lock down the infrastructure so tightly, that getting work done becomes very difficult. 
 +    * Say "no" whenever asked to approve a request. 
 +    * Impose security requirements without providing the necessary tools and training. 
 +    * Focus on preventative mechanisms while ignoring detective controls. 
 +    * Have no DMZ for Internet-accessible servers. 
 +    * Assume your patch management process is working, without checking on it. 
 +    * Delete logs because they get too big to read. 
 +    * Expect SSL to address all security problems with your web application. 
 +    * Ban the use of external USB drives while not restricting outbound access to the Internet. 
 +    * Act superior to your counterparts on the network, system admin, and development teams. 
 +    * Stop learning about technologies and attacks. 
 +    * Adopt hot new IT or security technologies before they have had a chance to mature. 
 +    * Hire somebody just because he or she has a lot of certifications. 
 +    * Don't apprise your manager of the security problems your efforts have avoided. 
 +    * Don't cross-train the IT and security staff. 
 +=== Password Management === 
 + 
 +    * Require your users to change passwords too frequently. 
 +    * Expect your users to remember passwords without writing them down. 
 +    * Impose overly-onerous password selection requirements. 
 +    * Use the same password on systems that differ in risk exposure or data criticality. 
 +    * Impose password requirements without considering the ease with which password could be reset. 
 + 
 + 
 +===== Links =====
  
----- 
    * [[http://www.securityfocus.com/infocus/1864|Five common Web application vulnerabilities]]    * [[http://www.securityfocus.com/infocus/1864|Five common Web application vulnerabilities]]
    * [[http://www.freeotfe.org/|A free "on-the-fly" transparent disk encryption program for    * [[http://www.freeotfe.org/|A free "on-the-fly" transparent disk encryption program for
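Review bot: the removed lines drop the links to [[linux:grsec|Linux GrSecurity]] and [[linux:iptables|Linux firewalling]] and the pointer to [[:security:sidebar]] / [[security:comment|leave comment]] without re-adding them anywhere else in this revision, so the two article pages lose their only entry from this index; either keep the "New articles in this section" table or fold the two links into the ===== Links ===== list. Two smaller points in the pasted list: the `=== Password Management ===` heading sits directly under the last Security Practices bullet with no blank line, unlike every other `===` heading here, and the apostrophes in "don’t follow through" and "haven’t been compromised" are curly while the rest of the list uses straight ones.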
Line 19: Line 86:
    * [[http://www.first.org/resources/guides/|FIRST Best Practice Guide Library (BPGL)]]    * [[http://www.first.org/resources/guides/|FIRST Best Practice Guide Library (BPGL)]]
    * [[http://www.bastille-unix.org/|Bastille linux]]    * [[http://www.bastille-unix.org/|Bastille linux]]
 +   * {{facebook_privacy_and_security_guide.pdf|Facebook Privacy & Security Guide}}
 +   * [[http://www.fbpurity.com/ Facebook Purity - greasemonkey script]]
 +   * [[https://www.howsmyssl.com/| Check your browser for SSL/TLS]]
 ---- ----
  
-Caida Presentations 
-http://www.caida.org/outreach/presentations/ 
- 
-CERT Coordination Center 
-http://www.cert.org/nav/index_green.html 
-http://www.cert.org/octave/ 
-http://www.cert.org/csirts/ 
- 
-Center for Internet Security Benchmarking tools 
-http://www.cisecurity.org/ 
- 
-Cisco's Safe Documentation 
-http://www.cisco.com/en/US/netsol/.../networking_solutions_package.html 
  
-Team Cymru Document List +   * Caida Presentations http://www.caida.org/outreach/presentations/ 
-http://www.cymru.com/Documents/index.html+   * CERT Coordination Center 
 +      http://www.cert.org/nav/index_green.html 
 +      * http://www.cert.org/octave/ 
 +      * http://www.cert.org/csirts/
  
-Federal Agency Security Practices +   * Center for Internet Security Benchmarking tools 
-http://csrc.nist.gov/fasp/+      http://www.cisecurity.org/
  
-First +   * Cisco's Safe Documentation 
-http://www.first.org/resources/guides+      http://www.cisco.com/en/US/netsol/.../networking_solutions_package.html
  
-JANET +   * Team Cymru Document List 
-A Suggested Charter for System and Network Administrators+      * http://www.cymru.com/Documents/index.html
  
-NSA Guides +   * Federal Agency Security Practices 
-http://www.nsa.gov/snac/+      http://csrc.nist.gov/fasp/
  
-OWASP Guide to Building Secure Web Applications +   * First 
-http://www.owasp.org/documentation/guide/guide_downloads.html+      http://www.first.org/resources/guides
  
-Oreilly's Onlamp +   * NSA Guides 
-http://www.onlamp.com/security/+      http://www.nsa.gov/snac/
  
-Internet Security Alliance Common Sense Guides +   * OWASP Guide to Building Secure Web Applications 
-http://www.isalliance.org+      http://www.owasp.org/documentation/guide/guide_downloads.html
  
-Microsoft Security Guidance Center +   * Oreilly's Onlamp 
-http://www.microsoft.com/security/guidance +      http://www.onlamp.com/security/
-Same site in Brazilian/Portuguese, French, German, Italian, Japanese, Korean, +
-Simplified Chinese, Spanish and Traditional Chinese +
-http://www.microsoft.com/security/guidance/worldwide +
-Microsoft TechNet Security Guidance +
-http://www.microsoft.com/technet/security/guidance/default.mspx+
  
-Nanog'Security Curriculum +   * Internet Security Alliance Common Sense Guides 
-http://www.nanog.org/ispsecurity.html+      http://www.isalliance.org
  
-RFC 2350 - Expectations for Computer Security Incident Response +   * Microsoft Security Guidance Center 
-http://www.faqs.org/rfcs/rfc2350.html +      http://www.microsoft.com/security/guidance 
-RFC 2196 - Site Security Handbook +      http://www.microsoft.com/security/guidance/worldwide 
-http://www.faqs.org/rfcs/rfc2196.html +      http://www.microsoft.com/technet/security/guidance/default.mspx
-RFC 2827 - Network Ingress Filtering +
-http://www.faqs.org/rfcs/rfc2827.html  +
-RFC 2504 - Users' Security Handbook +
-http://www.faqs.org/rfcs/rfc2504.html+
  
-SANS Reading Room +   * Nanog's Security Curriculum 
-http://www.sans.org/rr/ +      http://www.nanog.org/ispsecurity.html
  
-Sun blueprints +   * RFC 2350 - Expectations for Computer Security Incident Response 
-http://www.sun.com/blueprints/browsesubject.html+      http://www.faqs.org/rfcs/rfc2350.html 
 +   * RFC 2196 - Site Security Handbook 
 +      * http://www.faqs.org/rfcs/rfc2196.html 
 +   * RFC 2827 - Network Ingress Filtering 
 +      * http://www.faqs.org/rfcs/rfc2827.html  
 +   * RFC 2504 - Users' Security Handbook 
 +      * http://www.faqs.org/rfcs/rfc2504.html
  
-Sun System Administration Best practice +   * SANS Reading Room 
-http://www.sun.com/bigadmin/features/articles/bestpractices.html +      * http://www.sans.org/rr/  
 +   * Sun blueprints 
 +      * http://www.sun.com/blueprints/browsesubject.html 
 +   Sun System Administration Best practice 
 +      http://www.sun.com/bigadmin/features/articles/bestpractices.html 
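Review bot: two markup defects in the rebuilt link list. `[[http://www.fbpurity.com/ Facebook Purity - greasemonkey script]]` lacks the `|` between URL and title, so DokuWiki will treat the whole string as the link target; it should read `[[http://www.fbpurity.com/|Facebook Purity - greasemonkey script]]`. And `   Sun System Administration Best practice` has no leading `*`, so it will not render as a list item like its neighbours. Smaller points: the nested URLs are sometimes bare indented lines (CERT, CIS, Cisco, NSA, Microsoft) and sometimes `*` sub-items (Cymru, the RFCs, SANS, Sun), so they render inconsistently; the Cisco URL still contains a literal `...` in its path and cannot resolve as written; and the sentence describing the Microsoft guidance as available in other languages was dropped while the `/worldwide` URL was kept, so that link now has no description.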
security.1192173831.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
CC Attribution-Share Alike 4.0 International