Security Method and Technique
Digital Ebola

Security is a word that most corporations fear. They would like to sweep it under the rug, and rightly so. Security costs money, security costs time, and security brings skeletons out of closets that people would rather remained shut. Not to mention that highly specialized security engineers are hard to find. It's more than training; it's a knack. You are either good or you're not. Even the good can be compromised; the posing parties will be compromised every time.

Justification of security should not be a hard task. Millions of dollars of present revenue can be lost due to a breach. Billions of dollars of FUTURE revenue can be lost to that same breach. In the digital world, you have to protect your investments, your clients' investments, and all data associated with each.

The blood of the security world is information. The person that has the information will win the battle. A properly secured network can go from properly secured to blatantly open in a matter of minutes. This is why it is important to take any information you can get, no matter the source. Once acquired, the information can be double-checked for its authenticity and acted upon.

My personal methodology is the "Less is More" set of methods. Your security policy should be written custom against the set of users or tasks that will be utilizing the resources. You give exactly enough for the set tasks to be completed and nothing more. Default installations will result in a compromise. Default policies will result in a compromise. The only way is to customize each service or resource for the job. This methodology is a hard one; you at once notice the fine line between security and usability. The more flexible the system is to its users, the more vulnerable it is to its attackers.
It is important that such things be included in the policy as password management techniques and password scheming techniques, and passwords in transport should ALWAYS be held in encrypted media when being sent over the wire. Sending them through email or writing them on the whiteboard can result in a breach.

Employees should not have their day-to-day activities hampered as to how they should utilize resources. Instead, they should be trained on the dangers and taught to look for signs of digital aggression or inconsistencies. They should be taught the whys of the security policies, and the only hampering they should have to suffer through should be the use of the right tools to keep themselves in check with the security policy. In the end, this works better, because the employee can use that knowledge and common sense to avoid problems. Keep in mind that this ties right in with password control: the human factor is responsible for 3/4 of all breaches. At no point should censorship be included in the policy, as you turn your employees into sheep that follow directions; if any other aspect was missed in the policy, then you are still compromised. If trained, the employee is no longer a sheep; they can actually aid you with security knowledge, because they are utilizing the resources firsthand.

There are many technical tricks and methods that can be incorporated into your security policy. The first thing, and the one most overlooked, is not technical at all: inventory control. Most companies do not have good inventory control, and it is one of the most crucial things to have. You must know what the machine is, how it is configured, what services are running, and who has access to it. Patch revisions need to be noted, along with a set of identifiers that are machine specific. IP, MAC address, and a physical serial number are very important pieces of information. If you don't know what you have on your network, you don't know what to fix when a new exploit or advisory is released.
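As an added example (not from the original essay), here is a minimal inventory record carrying the identifiers the essay lists, with a lookup that answers the question it poses: when an advisory lands, which hosts need fixing? The host names, addresses, service versions and the advisory itself are constructed, hypothetical values.

```python
# Added example, not part of the original essay: a small asset inventory that records
# the machine-specific identifiers the essay calls for (IP, MAC, serial), the patch
# revision, running services and who has access, and answers "what do I fix now?"
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    serial: str
    patch_rev: str
    services: dict = field(default_factory=dict)   # service name -> version string
    owners: list = field(default_factory=list)     # who has access to the box


def version_tuple(v):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def affected_hosts(inventory, service, fixed_in):
    """Return the hosts running `service` at a version older than `fixed_in`."""
    hits = []
    for h in inventory:
        ver = h.services.get(service)
        if ver is not None and version_tuple(ver) < version_tuple(fixed_in):
            hits.append(h)
    return hits


# Constructed sample inventory (hypothetical hosts, addresses, serials and versions).
INVENTORY = [
    Host("web1", "10.0.1.10", "00:11:22:33:44:01", "SN-0001", "2024-Q1",
         {"httpd": "2.4.10", "sshd": "9.6"}, ["webops"]),
    Host("web2", "10.0.1.11", "00:11:22:33:44:02", "SN-0002", "2024-Q2",
         {"httpd": "2.4.58", "sshd": "9.6"}, ["webops"]),
    Host("db1", "10.0.2.20", "00:11:22:33:44:03", "SN-0003", "2024-Q2",
         {"postgres": "15.4", "sshd": "9.3"}, ["dba"]),
]

if __name__ == "__main__":
    # Hypothetical advisory: httpd fixed in 2.4.58, so only web1 still needs patching.
    for h in affected_hosts(INVENTORY, "httpd", "2.4.58"):
        print(f"{h.name} {h.ip} {h.mac} serial={h.serial} "
              f"httpd={h.services['httpd']} owners={h.owners}")
```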
The security policy in itself should also contain guidelines for each operating system or piece of equipment: what the acceptable configurations are, and how they should be used. This, of course, takes a lot of time and a lot of meetings. Everyone involved has to agree. It is important to secure each OS on an individual basis. In a large network, this is next to impossible. This is why the OS guidelines are needed.

In addition to having a secure OS, you should also consider writing IDS requirements into the policy. Host-based IDS is a very useful item to have, just in case the unthinkable happens. Secure logging mechanisms and kernel monitoring are essential to tracking down the source of a breach. There are many good free software packages in the industry that accomplish this. On the network side of things, there should be a network-based IDS. This gives you a perspective on what kind of traffic is running across your network, and in most instances gives you the ability to trend attack patterns. This aids your research in some ways, because if you start seeing a lot of scans on a certain port, chances are that something new has been released, and you are going to have to patch.

I will also touch lightly on firewalls: a firewall is NOT security. Firewalls are icing on the cake. A lot of companies depend on firewalls to protect them, and often there are ways to either circumvent the firewall (UDP can yield interesting results) or there is another access point that is more vulnerable (VPN, dial-in). The point is to keep track of everyone authorized to enter the network, and to keep track of all access points, not just the front door. And remember, sometimes the front door can be kicked in. If an attacker breaches, and you have secured the hosts behind the firewall, and you are running VLANs, there is not going to be anything for them to do. They will be dead in the water, and your company does secure business for another day.
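The port-trending idea above, as an added example that is not part of the original essay: count IDS or firewall log lines by destination port and day, and flag a port whose latest daily count jumps well above its earlier average. The log format, the sample lines and the spike factor are constructed assumptions, not any particular product's output.

```python
# Added example, not from the original essay: trend inbound connection attempts per
# destination port and flag a port that suddenly draws far more scans than before,
# the essay's cue that something new has been released and patching is due.
from collections import defaultdict
import re

# Constructed sample log lines in a hypothetical "date src -> dst:port" format.
LOG_LINES = """\
2024-03-01 198.51.100.7 -> 10.0.1.10:22
2024-03-01 198.51.100.8 -> 10.0.1.10:445
2024-03-02 198.51.100.9 -> 10.0.1.11:22
2024-03-02 198.51.100.7 -> 10.0.1.12:445
2024-03-03 203.0.113.5 -> 10.0.1.10:445
2024-03-03 203.0.113.6 -> 10.0.1.11:445
2024-03-03 203.0.113.7 -> 10.0.1.12:445
2024-03-03 203.0.113.8 -> 10.0.1.13:445
2024-03-03 203.0.113.9 -> 10.0.1.10:22
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def counts_by_port_and_day(lines):
    """Return {port: {day: count}}; malformed lines are skipped, not fatal."""
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            day, _src, _dst, port = m.groups()
            table[int(port)][day] += 1
    return table


def spiking_ports(lines, factor=3.0):
    """Ports whose latest-day count is at least `factor` times their earlier daily average."""
    table = counts_by_port_and_day(lines)
    days = sorted({d for per_day in table.values() for d in per_day})
    if len(days) < 2:            # no history yet, so nothing to compare against
        return {}
    latest, earlier = days[-1], days[:-1]
    spikes = {}
    for port, per_day in table.items():
        baseline = sum(per_day.get(d, 0) for d in earlier) / len(earlier)
        today = per_day.get(latest, 0)
        # max(baseline, 1) keeps a never-seen port from spiking on a single hit
        if today >= factor * max(baseline, 1):
            spikes[port] = (baseline, today)
    return spikes
```

On the sample above port 445 goes from one hit a day to four, so it is reported, while port 22 stays flat and is not.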
I hope this writing can be of some use to someone. It is not EVERYTHING, but it is a lot of the things I consider important to security. I find that companies tend to overlook these things, and it has become quite a pet peeve.