Simple, obvious facts and observations about computer and network security

http://loop.interop-comdex.com/comments/199_0_1_0_C/

1) Make your default policy deny all
   a) permit only what is necessary

2) Offer as few public services as possible. (Note: this doesn't mean push everything through port 80)
   a) lock down those services.
   b) log usage of those services.
   c) put error detection into service-specific places on those services. (you can even call it "intrusion detection": intrusions are merely a subset of error conditions)
   d) make certain your internet-facing machines have exterior lock-downs, to mitigate the damage of individual service/server failure

3) Know what's going on in your network
   a) know who normally talks to whom
   b) know your security policy
   c) log usage of your network
   d) become familiar with normal usage for your network
   e) look in your logs for policy violation indications

4) Internally compartment your network
   a) run mission critical systems behind screening routers or firewalls, on separate networks, with no unnecessary services
   b) audit all traffic between mission critical systems and non-critical systems
   c) if someone can walk into your facility, plug into a network port, get an IP address, and ping your mission critical machines, your network is a security incident waiting to happen
   d) if someone can walk into your facility and plug into a network port without you knowing about it, your network is a security incident in progress

5) Block or strip dangerous incoming attachments by S/MIME type at the gateway to your network

6) Know what goes out through your firewall
   a) if you don't know how much spyware is installed on your desktops, your network is 0wned
   b) if you don't know how much IRC traffic is leaving your firewall, you're 0wned (why on earth would you let IRC out through your firewall?)

7) If you don't understand the difference between layer 7 security and "stateful inspection" - learn

8) Don't waste your time patching if you're running code on an internet-facing system that has a history of needing patches every week: you're running the wrong code

9) Put mobile users on a separate network

10) Antivirus software is good
    a) updating it 4X / day is not necessary
    b) updating it 1X / week works fine when combined with stripping attachments

11) It's very likely that
    a) your users can work effectively without every new chat, P2P/file sharing, collaboration, remote-control, virtual office and sales tool
    b) that same tool is either not secure, or not as secure as advertised

12) Don't waste your time educating your users about a policy that you expect them to follow. If you expect them to follow it, make sure that they have no choice; that it's the only way that works.

13) Don't outsource security; outsourcing is an admission that you are ignorant and that your management is clueless - or that your clueless management thinks you're ignorant
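Items 3 and 6 (know who normally talks to whom, then look in the logs for policy violations such as IRC leaving the firewall or strangers reaching mission-critical hosts) can be turned into a small log check. The following is an added example, not code from the original page; the flow-log lines, the mission-critical subnet and the denied egress port are constructed, hypothetical values.

```python
"""Baseline-and-violation check over flow logs (items 3 and 6 of the list)."""
from collections import Counter
import ipaddress

# Constructed sample flow-log lines (not from the page): "src dst dport proto".
BASELINE_LOGS = """\
10.0.1.10 10.0.9.5 1433 tcp
10.0.1.11 10.0.9.5 1433 tcp
10.0.1.10 203.0.113.7 443 tcp
10.0.1.11 203.0.113.7 443 tcp
"""
TODAY_LOGS = """\
10.0.1.10 10.0.9.5 1433 tcp
10.0.1.12 198.51.100.4 6667 tcp
10.0.5.77 10.0.9.5 0 icmp
10.0.1.11 203.0.113.7 443 tcp
"""

# Assumed policy (hypothetical values): the mission-critical subnet of item 4a
# and the egress ports the policy does not permit (item 6b: no IRC out).
MISSION_CRITICAL = ipaddress.ip_network("10.0.9.0/24")
DENIED_EGRESS_PORTS = {6667}  # IRC
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(lines):
    """Yield (src, dst, dport, proto) tuples from the space-separated log format."""
    for line in lines.splitlines():
        src, dst, dport, proto = line.split()
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto

def learn_baseline(lines):
    """Item 3a: record who normally talks to whom, on which port."""
    return Counter((str(s), str(d), p) for s, d, p, _ in parse(lines))

def is_internal(addr):
    return any(addr in net for net in RFC1918)

def find_violations(lines, baseline):
    """Item 3e: return (reason, flow) pairs for flows that violate the policy."""
    violations = []
    for s, d, port, proto in parse(lines):
        key = (str(s), str(d), port)
        if not is_internal(d) and port in DENIED_EGRESS_PORTS:
            violations.append(("denied egress port", key))
        elif d in MISSION_CRITICAL and key not in baseline:
            violations.append(("unknown talker to mission-critical host", key))
        elif key not in baseline:
            violations.append(("new flow not in baseline", key))
    return violations

if __name__ == "__main__":
    for reason, flow in find_violations(TODAY_LOGS, learn_baseline(BASELINE_LOGS)):
        print(reason, flow)
```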