Differences
This shows you the differences between two versions of the page.
security [2007/10/12 09:23] a |
security [2014/01/10 12:13] (current) zagi [Links] |
Line 1: | Line 1: | ||
====== Security ====== | ====== Security ====== | ||
- | **New articles in this section:** | + | ===== How to Suck at Information Security ===== |
- | ^ article ^ description ^ | + | Original document at [[http:// |
- | | [[linux:grsec|Linux GrSecurity]] | Patching kernel with Grsec kernel | + | |
- | | [[linux: | + | |
+ | === Security Policy and Compliance === | ||
- | for more see [[:security: | + | * Ignore regulatory compliance requirements. |
+ | * Assume the users will read the security policy because you've asked them to. | ||
+ | * Use security templates without customizing them. | ||
+ | * Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you're ready. | ||
+ | * Create security policies you cannot enforce. | ||
+ | * Enforce policies that are not properly approved. | ||
+ | * Blindly follow compliance requirements without creating overall security architecture. | ||
+ | * Create a security policy just to mark a checkbox. | ||
+ | * Pay someone to write your security policy without any knowledge of your business or processes. | ||
+ | * Translate policies in a multi-language environment without consistent meaning across the languages. | ||
+ | * Make sure none of the employees finds the policies. | ||
+ | * Assume that if the policies worked | ||
+ | * Assume that being compliant means you're secure. | ||
+ | * Assume that policies don't apply to executives. | ||
+ | * Hide from the auditors. | ||
+ | |||
+ | === Security Tools === | ||
+ | |||
+ | |||
+ | * Deploy a security | ||
+ | * Tune the IDS to be too noisy, or too quiet. | ||
+ | * Buy security products without considering the maintenance and implementation costs. | ||
+ | * Rely on anti-virus and firewall products without having additional controls. | ||
+ | * Run regular vulnerability scans, but don’t follow through on the results. | ||
+ | * Let your anti-virus, IDS, and other security tools run on " | ||
+ | * Employ multiple security technologies without understanding how each of them contributes. | ||
+ | * Focus on widgets, while omitting to consider the importance of maintaining accountability. | ||
+ | * Buy expensive product when a simple and cheap fix may address 80% of the problem. | ||
+ | |||
+ | === Risk Management === | ||
+ | |||
+ | |||
+ | * Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles. | ||
+ | * Make someone responsible for managing risk, but don't give the person any power to make decisions. | ||
+ | * Ignore the big picture while focusing on quantitative risk analysis. | ||
+ | * Assume you don't have to worry about security, because your company is too small or insignificant. | ||
+ | * Assume you're secure because you haven’t been compromised recently. | ||
+ | * Be paranoid without considering the value of the asset or its exposure factor. | ||
+ | * Classify all data assets as "top secret." | ||
+ | |||
+ | === Security Practices === | ||
+ | |||
+ | |||
+ | * Don't review system, application, | ||
+ | * Expect end-users to forgo convenience in place of security. | ||
+ | * Lock down the infrastructure so tightly, that getting work done becomes very difficult. | ||
+ | * Say " | ||
+ | * Impose security requirements without providing the necessary tools and training. | ||
+ | * Focus on preventative mechanisms while ignoring detective controls. | ||
+ | * Have no DMZ for Internet-accessible servers. | ||
+ | * Assume your patch management process is working, without checking on it. | ||
+ | * Delete logs because they get too big to read. | ||
+ | * Expect SSL to address all security problems with your web application. | ||
+ | * Ban the use of external USB drives while not restricting outbound access to the Internet. | ||
+ | * Act superior to your counterparts on the network, system admin, and development teams. | ||
+ | * Stop learning about technologies and attacks. | ||
+ | * Adopt hot new IT or security technologies before they have had a chance to mature. | ||
+ | * Hire somebody just because he or she has a lot of certifications. | ||
+ | * Don't apprise your manager of the security problems your efforts have avoided. | ||
+ | * Don't cross-train the IT and security staff. | ||
+ | === Password Management === | ||
+ | |||
+ | * Require your users to change passwords too frequently. | ||
+ | * Expect your users to remember passwords without writing them down. | ||
+ | * Impose overly-onerous password selection requirements. | ||
+ | * Use the same password on systems that differ in risk exposure or data criticality. | ||
+ | * Impose password requirements without considering the ease with which a password could be reset. | ||
+ | |||
+ | |||
+ | ===== Links ===== | ||
- | ---- | ||
* [[http:// | * [[http:// | ||
* [[http:// | * [[http:// | ||
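Review bot: the internal links removed at the top of the hunk (`[[linux:grsec|Linux GrSecurity]]` and the `for more see [[:security:` pointer) are not carried over anywhere in the added text, so the page loses its navigation to the GrSecurity article; consider re-adding them under the new `===== Links =====` heading. Spacing between the new subsections is also uneven: `=== Security Tools ===`, `=== Risk Management ===` and `=== Security Practices ===` are each followed by two blank rows, while `=== Password Management ===` has no blank row before it; use one blank line consistently.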
Line 19: | Line 86: | ||
* [[http:// | * [[http:// | ||
* [[http:// | * [[http:// | ||
+ | * {{facebook_privacy_and_security_guide.pdf|Facebook Privacy & Security Guide}} | ||
+ | * [[http:// | ||
+ | * [[https:// | ||
---- | ---- | ||
- | Caida Presentations | ||
- | http:// | ||
- | |||
- | CERT Coordination Center | ||
- | http:// | ||
- | http:// | ||
- | http:// | ||
- | |||
- | Center for Internet Security Benchmarking tools | ||
- | http:// | ||
- | |||
- | Cisco' | ||
- | http:// | ||
- | Team Cymru Document List | + | * Caida Presentations http:// |
- | http://www.cymru.com/Documents/index.html | + | * CERT Coordination Center |
+ | | ||
+ | * http:// | ||
+ | * http:// | ||
- | Federal Agency | + | * Center for Internet |
- | http://csrc.nist.gov/fasp/ | + | |
- | First | + | * Cisco' |
- | http://www.first.org/resources/guides | + | |
- | JANET | + | * Team Cymru Document List |
- | A Suggested Charter for System and Network Administrators | + | * http:// |
- | NSA Guides | + | * Federal Agency Security Practices |
- | http://www.nsa.gov/snac/ | + | |
- | OWASP Guide to Building Secure Web Applications | + | * First |
- | http://www.owasp.org/documentation/guide/ | + | |
- | Oreilly' | + | * NSA Guides |
- | http://www.onlamp.com/security/ | + | |
- | Internet Security Alliance Common Sense Guides | + | * OWASP Guide to Building Secure Web Applications |
- | http://www.isalliance.org | + | |
- | Microsoft Security Guidance Center | + | * Oreilly' |
- | http://www.microsoft.com/ | + | |
- | Same site in Brazilian/ | + | |
- | Simplified Chinese, Spanish and Traditional Chinese | + | |
- | http:// | + | |
- | Microsoft TechNet Security Guidance | + | |
- | http:// | + | |
- | Nanog' | + | * Internet |
- | http://www.nanog.org/ | + | |
- | RFC 2350 - Expectations for Computer | + | * Microsoft |
- | http://www.faqs.org/rfcs/rfc2350.html | + | |
- | RFC 2196 - Site Security Handbook | + | |
- | http://www.faqs.org/rfcs/rfc2196.html | + | |
- | RFC 2827 - Network Ingress Filtering | + | |
- | http://www.faqs.org/rfcs/rfc2827.html | + | |
- | RFC 2504 - Users' Security Handbook | + | |
- | http:// | + | |
- | SANS Reading Room | + | * Nanog' |
- | http://www.sans.org/rr/ | + | |
- | Sun blueprints | + | * RFC 2350 - Expectations for Computer Security Incident Response |
- | http://www.sun.com/blueprints/browsesubject.html | + | |
+ | * RFC 2196 - Site Security Handbook | ||
+ | * http:// | ||
+ | * RFC 2827 - Network Ingress Filtering | ||
+ | * http:// | ||
+ | * RFC 2504 - Users' Security Handbook | ||
+ | * http:// | ||
- | Sun System Administration Best practice | + | * SANS Reading Room |
- | http:// | + | * http:// |
+ | * Sun blueprints | ||
+ | * http:// | ||
+ | | ||
+ | |
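Review bot: the restructured link list mixes two layouts: `* Caida Presentations http://` puts the URL on the same line as the title, while `* CERT Coordination Center`, `* RFC 2196 - Site Security Handbook` and `* SANS Reading Room` put each URL on a nested `* http://` bullet; pick one form for all entries so the list renders uniformly. The two empty lines added at the very end of the hunk carry no content and can be dropped.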