Dec 20, 2002, by Donald Pipkin. Article is provided courtesy of Prentice Hall PTR.
Take a tip from Don Pipkin, author of "Halting the Hacker," as he shares a daily nugget of his knowledge of information security. Invest a minute of your day to learn something new about protecting your information assets.
Security Just Has to be Good Enough

Security is a "good enough" proposition, based on the financial value of the assets being protected and the risk that a financial loss will occur. Keeping this in mind can help keep you from overbuilding your security solution. An appropriate security solution requires that you have a thorough understanding of the value that the information and its processing have to the business, and of the impact their loss can cause. Understanding the business is equally as important as understanding the technology in the creation of a security architecture.
Security Tip for Thursday, December 26th, 2002

Evaluate Insurance for Loss Avoidance

Cyber crime insurance is starting to become available from a number of insurance companies. These policies offer financial protection from specific losses. Currently, most of them are focused on electronic commerce sites and losses from external denial of service attacks. Where these policies address a segment of your business, they should be carefully examined and evaluated to determine if the coverage and the associated risk reduction that they provide are economical, based on the premiums. Insurance should not be forgotten as a very viable part of your complete security solution.
Security Tip for Wednesday, December 25th, 2002

Monitor for Unknown Systems Connected to the Network

The appearance of unknown systems connected to the network can indicate that an unauthorized person has attached a system to the network for malicious reasons, or it can be that someone has upgraded a system or replaced a network card. With employee turnover and the common use of contractors, intruders can gain unchallenged access to company offices where they can attach systems to gather information or from which to launch attacks. A strong asset management system and policies that require registration of systems attached to the company network can help manage the corporate resources and reduce physical system intrusions.
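The tip above says to compare what is on the wire against a register of authorized systems, and to expect two kinds of mismatch: a system nobody registered, and a registered system whose network card has changed. The script below is an added example (not from the article) that makes that comparison. The asset-register layout, the observed-host tuples and every address in them are constructed samples; in practice the observed list would be parsed from a switch ARP table or DHCP lease file, and the register from your asset-management system.

```python
"""Flag systems on the network that are not in the asset register.

Added example; not from the article. Register format and observation format
are assumptions, and all addresses below are constructed sample data.
"""

# Constructed asset register: authorized systems keyed by MAC address.
ASSET_REGISTER = {
    "00:11:22:33:44:01": {"hostname": "fileserver01", "owner": "IT"},
    "00:11:22:33:44:02": {"hostname": "hr-desktop-07", "owner": "HR"},
    "00:11:22:33:44:03": {"hostname": "printer-2f", "owner": "Facilities"},
}

# Constructed observation, as it might be parsed from an ARP cache or DHCP
# leases: (ip, mac, hostname reported by the device, possibly empty).
OBSERVED_HOSTS = [
    ("10.0.1.10", "00:11:22:33:44:01", "fileserver01"),
    ("10.0.1.23", "00-11-22-33-44-02", "hr-desktop-07"),
    ("10.0.1.50", "aa:bb:cc:dd:ee:ff", "hr-desktop-07"),  # known name, new MAC
    ("10.0.1.99", "de:ad:be:ef:00:01", ""),               # nothing known
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-11-22-33-44-01 matches 00:11:22:33:44:01."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify_hosts(observed, register):
    """Split observed hosts into (unknown, changed_nic).

    unknown:     MAC not registered and the reported hostname is not registered
                 either; nobody has accounted for this system.
    changed_nic: MAC not registered, but the hostname belongs to a registered
                 system. The tip notes this may be a replaced network card; it
                 still needs a human check before the register is updated.
    """
    names = {v["hostname"]: mac for mac, v in register.items()}
    unknown, changed_nic = [], []
    for ip, raw_mac, hostname in observed:
        mac = normalize_mac(raw_mac)
        if mac in register:
            continue  # registered system, nothing to report
        if hostname and hostname in names:
            changed_nic.append({"ip": ip, "mac": mac, "hostname": hostname,
                                "registered_mac": names[hostname]})
        else:
            unknown.append({"ip": ip, "mac": mac, "hostname": hostname})
    return unknown, changed_nic


if __name__ == "__main__":
    unknown, changed = classify_hosts(OBSERVED_HOSTS, ASSET_REGISTER)
    for h in unknown:
        print(f"UNREGISTERED  {h['ip']:<12} {h['mac']}  name={h['hostname'] or '-'}")
    for h in changed:
        print(f"NIC CHANGED?  {h['ip']:<12} {h['mac']}  registered as "
              f"{h['hostname']} with {h['registered_mac']}")
```

Run on a schedule against a fresh observation, the two lists are the work queue: "unregistered" entries go to whoever owns physical security, "NIC changed?" entries go back to the registered owner to confirm the hardware swap, after which the register is updated so the alert clears. Matching on hostname as well as MAC is what keeps a legitimate card replacement from being indistinguishable from a stranger's laptop.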
Security Tip for Tuesday, December 24th, 2002

Perform a Security Drill

Schedule the next disaster recovery drill to be based on an electronic attack instead of a natural disaster. Test your response procedures when your network is flooded and critical systems have been breached, leaving you uncertain of the integrity of your online information. Can you fall back to offline procedures for critical processes while systems are restored? Can you disinfect all the PCs in the corporation while the network is flooded? Are there out-of-band procedures? Today, these soft disasters have to be evaluated, planned for and tested.
Security Tip for Monday, December 23rd, 2002

Implement Base-line Security Everywhere

A minimum base-line security standard should be established and enforced on all systems. It should define the minimum file permissions and the restrictions applied to privileged users in accordance with defined policies. Bastille can be used on Unix systems to create and implement this base-line standard. It can be run in a non-interactive mode to set a pre-defined set of security policies on a system. Systems should be reviewed to ensure that they remain in compliance with the security base line.
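The last sentence of the tip calls for a recurring review that systems still match the base line once it has been applied. The script below is an added example of such a review for the file-permission part of a base line; it is not from the article and is not Bastille's own code. The base-line format (a path, the most permissive mode allowed, and optionally the required owner uid) is an assumption, and the files it checks are created in a temporary directory so the example runs stand-alone.

```python
"""Review a system's file permissions against a minimum security base line.

Added example, not from the article or from Bastille. The base-line format is
assumed, and the files checked are a constructed sample tree.
"""
import os
import stat
import tempfile

# Assumed base-line format: path -> the most permissive mode allowed, and an
# optional owner uid. A file passes if every permission bit it has is also in
# max_mode (0640 passes a 0644 rule, 0664 does not). The owner uid here is the
# user running the demo so it passes; a real base line would say 0 (root).
BASELINE = {
    "etc/passwd":   {"max_mode": 0o644, "owner_uid": os.getuid()},
    "etc/shadow":   {"max_mode": 0o640},
    "etc/hosts":    {"max_mode": 0o644},
    "etc/securetty": {"max_mode": 0o600},
}


def describe_mode(mode: int) -> str:
    """Render a permission mode as four octal digits, e.g. 0o644 -> '0644'."""
    return f"{mode:04o}"


def check_baseline(baseline, root=""):
    """Return a list of findings; an empty list means the system is compliant."""
    findings = []
    for rel, rule in baseline.items():
        path = os.path.join(root, rel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append({"path": rel, "problem": "missing"})
            continue
        actual = stat.S_IMODE(st.st_mode)
        extra = actual & ~rule["max_mode"]   # bits set that the rule forbids
        if extra:
            findings.append({"path": rel, "problem": "too permissive",
                             "actual": describe_mode(actual),
                             "allowed": describe_mode(rule["max_mode"]),
                             "extra_bits": describe_mode(extra)})
        owner = rule.get("owner_uid")
        if owner is not None and st.st_uid != owner:
            findings.append({"path": rel, "problem": "wrong owner",
                             "actual": st.st_uid, "expected": owner})
    return findings


def make_sample_tree(root):
    """Constructed sample: passwd compliant, shadow and hosts too open,
    securetty absent. Contents are placeholders, only the modes matter."""
    os.makedirs(os.path.join(root, "etc"))
    for rel, mode in (("etc/passwd", 0o644), ("etc/shadow", 0o644),
                      ("etc/hosts", 0o666)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)


def run_demo():
    """Build the sample tree, review it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return check_baseline(BASELINE, root)


if __name__ == "__main__":
    for f in run_demo():
        detail = {k: v for k, v in f.items() if k not in ("path", "problem")}
        print(f"{f['problem']:<16} {f['path']}  {detail}")
```

Pointing `check_baseline` at the real root (`root="/"`) with the organisation's own base line gives the compliance review the tip asks for; the findings list is what changes between reviews, so diffing it against the previous run shows drift. Comparing with a mask rather than an exact mode lets a system that is stricter than the base line pass without a false alarm, while any bit the base line forbids is reported together with exactly which bits are extra.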