Security Measures
When we talk about implementing basic security measures, one could ask, "And what are those?" If that question were asked, it would be a very difficult one to answer. Whether you are a system administrator, an IT security manager in a company, or just a regular information security enthusiast, this article is recommended reading, as it addresses some of the most important issues in implementing basic security measures in an IT environment.
Information security breaches have been rising rapidly over the past decade, at an alarming rate. For this reason, more and more IT companies have realized that securing their business is not something they should do but something they have to do. The losses we read about in the everyday news are too frightening to leave your company's IT security just the way it is: nonexistent. Security cannot be done once and for all; it is achieved by employing basic security measures and following the rules and policies you define for your organization. Here we are going to point out some of the steps that need to be taken if you want to do your company good by implementing a serious and comprehensive security process. We will not focus on only one operating system (e.g. Linux), but rather give general information on the subject.
According to the Internet Security Alliance (IS Alliance), there are about ten good security practices that serve as a place to start. These ten practices cover different aspects of information security, such as policy, process, people, and technology, all of which are necessary for deploying a successful security process. With these practices adopted, we can say we are moving towards our goal: ensuring the security of critical information assets. It has been shown that by adopting commonly accepted good security practices, every organization can begin to manage its security risks successfully. So, let's take a look at these ten practices.
General Management
Policy
Risk Management
Security Architecture & Design
User Issues
System & Network Management
Authentication & Authorization
Monitor & Audit
Physical Security
Continuity Planning & Disaster Recovery
We will cover each of these practices only generally, as I think there is already plenty of detailed information about them on the Internet.
General Management
In a perfect world (not the one we are living in), every company would have a predefined, clear, and ready-to-implement stance on security. It is a great advantage to recognize a problem before it becomes an emergency.
If that is not the case, following and researching these suggestions should help every IT manager implement basic security measures successfully and, by doing so, ensure that their organization has made the basic effort to defend itself from the dark side of cyberspace.
IT security managers must establish an appropriate information and Internet security policy and an auditing process. Security must be seen as an essential part of the company's business survivability. Security processes must also be an everyday activity, not something you do once and forget about, because security is a subject that changes not just daily but hourly.
There are legal authorities whose job it is to process complaints if something goes wrong and a company's security defenses fail to respond properly, and management must be aware of these bodies.
Policy
A security policy must provide written rules stating how computer systems should be configured and how the organization's employees should conduct business before they use information technology. Policies have to be well controlled, and they will be the baseline for implementation. Without a policy there is no plan upon which an organization can design and implement an effective security program.
You have to ask yourself what the most important security policies are and what their role is in helping to achieve business objectives. There are a number of sub-policies, which we will not cover here, as this article is about implementing only basic security measures.
Risk Management
Ask yourself: how does your organization identify critical information assets and the risks to those assets? What is the potential financial impact of a successful attack against these assets? Do you have any insurance policies to mitigate and transfer potential losses from your information security risks?
Risk management means conducting an information security risk evaluation that identifies critical information assets (i.e. systems, networks, or data), threats to those assets, asset vulnerabilities, and risks. You should identify the adverse impacts when risks to critical assets are realized, and quantify the financial impact to the greatest extent possible. Have a risk mitigation plan that results from the evaluation, and ensure there is regular review and management of the risks to critical information assets.
Security Architecture & Design
You should know the primary components of your organization's security architecture. How exactly does your security architecture help your business? Know which assets to secure the most, and know why.
User Issues
This practice involves a few sub-practices as well, such as Accountability and Training, and Adequate Expertise. Regarding Accountability and Training, you should establish accountability for user actions, train for accountability, and enforce it, as reflected in organizational policies and procedures. When we say users, we mean all users with active accounts, for example employees, partners, suppliers, and vendors.
Regarding Adequate Expertise, you should ensure that there is adequate in-house expertise or explicitly outsourced expertise for all supported technologies, including the secure operation of those technologies. You have to know whom to call if you have problems with the operating system, a laptop, access to new project data, passwords, security applications, or custom applications that have been developed internally. And that's not all: you should also know whom to call when the corporate firewall blocks access to a service you need, or something similar.
System & Network Management
This practice is built from a few smaller practices, all of which are very important. Those are Access Control, Software Integrity, Secure Asset Configuration, and Backups. We are going to cover them only generally here.
Establish a range of security controls to protect assets residing on systems and networks. Consider using access controls on your network, and data encryption technologies (including VPNs) as required.
Use removable storage media for critical data so that it can be physically secured. Do regular checks to verify the integrity of installed software. Check regularly for viruses, worms, Trojans, and other malicious or unauthorized software. Also, regularly compare the cryptographic checksums of all files and directories with a securely stored, maintained, and trusted baseline.
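The checksum comparison against a trusted baseline described above, as an added example that is not part of the original article: it hashes every regular file under a directory, stores the result as a baseline, and later reports what was added, removed, or modified. The file tree and the drift it simulates are constructed for the demo; the function names are the author's own choice here, not from any product.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 hex digest of one file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest; symlinks
    are skipped so a link pointing outside the tree cannot be hashed in its place."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare_with_baseline(root: Path, baseline: dict) -> dict:
    """Report files added, removed or modified relative to the trusted baseline."""
    current = build_baseline(root)
    shared = set(current) & set(baseline)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in shared if current[p] != baseline[p])}

def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON; keep dest on read-only or offline media."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))

def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())

def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, run the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root, store = Path(tmp) / "host", Path(tmp) / "baseline.json"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF original build")
        save_baseline(build_baseline(root), store)
        # Simulated drift: a config edited, a binary deleted, an unexpected script added.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "tool").unlink()
        (root / "etc" / "unexpected.sh").write_text("#!/bin/sh\n")
        return compare_with_baseline(root, load_baseline(store))
```

The baseline file must be kept where an intruder who modifies the tree cannot also rewrite it; otherwise the comparison proves nothing.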
Provide procedures and mechanisms to ensure the secure configuration of all deployed assets throughout their life cycle of installation, operation, maintenance, and retirement. This means applying patches to correct security and functionality problems, and establishing a standard, minimal essential configuration for each type of computer and service.
Keep the network topology up to date, and provide some level of logging. Before applying patches, consider the security implications of every change to systems and networks.
Perform vulnerability assessments on a periodic basis, and address vulnerabilities when they are identified. Mandate a regular schedule of backups for both software and data, which means validating software and data before and after backup and making sure you are able to restore from backups.
Authentication & Authorization
Protect critical assets when providing network access to users working remotely and to third parties such as contractors and service providers. Use network-, system-, file-, and application-level access controls, and restrict access to authorized times and tasks as required. Also consider using data encryption and virtual private network technologies where required.
Monitor & Audit
Use appropriate monitoring, auditing, and inspection facilities, and assign responsibility for reporting, evaluating, and responding to system and network events and conditions. This means regularly using system and network monitoring tools and examining the results they produce; also using filtering and analysis tools and examining their results; and learning how to respond to events that warrant a response action.
Also, make sure employees know whom to contact when they notice suspicious behavior. System administrators should be advised to stay up to date on the latest threats and attacks, and should be provided with resources on solutions to these problems.
Physical Security
Physical security is as important as network security. It is one of the most frequently forgotten forms of security, because the issues that physical security encompasses (the threats, practices, and protections available) are different for practically every site.
The real danger in having a computer stolen isn't the loss of the system's hardware but the loss of the data that was stored on the computer's disks. As with legal files and financial records, if you have no backup, or if the backup is stolen together with the computer, the lost data may well be irreplaceable.
Even if there is a backup, you still need to spend valuable time setting up a replacement system. Finally, there is always the chance that the stolen information itself, or even the mere fact that information was stolen, will be used against you.
There are several measures that protect a computer system against physical threats. Many of them will simultaneously protect the system from dangers posed by nature, outsiders, and inside saboteurs. So, use physical access controls (e.g. badges, biometrics, keys) where required.
Also, use password-controlled electronic locks for workstations, servers, and laptops that engage upon login and after specified periods of inactivity. Control access to all your critical hardware assets (e.g. routers, firewalls, servers, mail hubs).
Continuity Planning and Disaster Recovery
Hopefully, by following the tips above, your systems or networks will never be stolen or damaged. But if that happens, you should have a plan for immediately securing temporary computer equipment and for loading your backups onto the new systems. This plan is known as disaster recovery.
Establish a plan for rapidly acquiring new equipment in the event of theft, fire, or equipment failure.
The figure indicates the popular information system security measures.
As the above figure illustrates, security management is a complex and challenging task. Information system security managers must acquire and integrate a variety of security tools and methods to protect a company's IT resources.