BASIC SECURITY PRINCIPLES

Posted by The Beyand | 3:07 AM | 0 comments »

We've assembled the following principles during our combined years of security
assessment consulting against all varieties of networks, systems, and technologies. We
do not claim to have originated any of these; they are derived from our observation and
discussion of security at large organizations as well as statements of others that we've
collected over the years. Some of these principles overlap with specific recommendations
we make in this book, but some do not. In fact, we may occasionally violate some of these
principles to illustrate the consequences of bad behavior, so do as we say, not as we
do! Remember that security is not a purely technical solution, but rather a combination
of technical measures and processes that are uniquely tailored to your environment. In
his online newsletter, security expert Bruce Schneier perhaps stated this most eloquently:
"Security is a process, not a product."

Hold Everyone Accountable for Security


Let's face it: the number of thoughtful security experts in the world is not going to scale
to cover all of the activities that occur on a daily basis. Distribute accountability for
security across your organization so that it is manageable. We love the following tagline,
borrowed from the security group at a large biotechnology firm: "People are the ultimate
intrusion detection system."

Block or Disable Everything that Is Not Explicitly Allowed


We will repeat this mantra time and again in this book. With some very obscure exceptions,
no known methods exist for attacking a system remotely when it has no running services. Thus,
if you block access to or disable services outright, you cannot be attacked through them.
This is small consolation for those services that must remain permitted, of course; for example,
application services such as Internet Information Services (IIS) are necessary to run
a web application. If you need to allow access to a service, make sure you have secured
it according to best practices, and expose it only to the networks that actually need to reach it.
Since they are almost always unique, applications themselves must be secured with
good ol' fashioned design and implementation best practices, such as Microsoft's Security
Development Lifecycle (SDL) framework. (See "References and Further Reading.")
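The following PowerShell is an added example of putting this principle into practice on a single Windows host; it is not code from the book. It assumes a web server that must expose only TCP/443, an administrative subnet of 10.0.10.0/24 (an assumed value) that needs RDP, the built-in NetSecurity cmdlets (Windows 8 / Server 2012 or later), and an elevated prompt. The explicit allow rules are created before the default is flipped to Block so that the session you are working from is not cut off.

```powershell
# Added example (not from the book): "block everything not explicitly allowed"
# on a Windows host with the built-in NetSecurity module. Run as Administrator.
# Assumed facts: the box is a web server exposing only TCP/443, and management
# is done over RDP from the admin subnet 10.0.10.0/24 (both are assumptions).

# 1. Inventory what is listening right now so the cutover holds no surprises.
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort -Unique |
    Format-Table -AutoSize

# 2. Create the explicit allow rules FIRST. Only the web application port is
#    reachable from anywhere; the management port is scoped to the admin subnet.
New-NetFirewallRule -DisplayName "Allow HTTPS (IIS)" -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Domain,Private,Public

New-NetFirewallRule -DisplayName "Allow RDP from admin subnet" -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.10.0/24 -Action Allow

# 3. Now make "deny" the default for every profile. Outbound is left at Allow
#    here; tighten it the same way once you have an inventory of required egress.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 4. Filtering a port is second best; services you do not need should not be
#    running at all. These three are example service names that a web server
#    rarely needs; extend the list from the inventory in step 1.
foreach ($svc in 'TlntSvr', 'RemoteRegistry', 'Fax') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
    }
}

# 5. Verify: review every enabled inbound Allow rule. Anything here that you did
#    not consciously decide to keep (including Windows defaults) is a hole in
#    the "explicitly allowed" list and should be disabled.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile, Enabled |
    Format-Table -AutoSize
```

Step 5 matters: Windows ships with a number of inbound allow rules enabled out of the box, and a default-deny posture only holds once each one has been reviewed and either justified or disabled with Disable-NetFirewallRule.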

Always Set a Password, Make It Reasonably Complex,
and Change It Often


Passwords are the bane of the security world: they are the primary form of authentication
for just about every product in existence, Windows included. Weak passwords are the
primary way in which we defeat Windows networks in professional penetration testing
engagements. Always set a password (never leave it blank), and make sure it's not easily
guessed. (See Chapter 5 for some Windows-specific tips.) Use multifactor authentication
if feasible. (Modern versions of Windows are fairly easy to integrate with smart cards, for
example.)
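As an added example, not from the book, the PowerShell below audits a stand-alone Windows host for the two failures this principle warns about (accounts with no password required, and passwords that have not been changed in a long time) and then enforces a baseline with the built-in `net accounts` command. The thresholds (14 characters, 90 days, 24-password history, lockout after 5 failures) are assumed values for illustration; it uses the LocalAccounts module (Windows PowerShell 5.1 on Windows 10 / Server 2016 or later). Domain-joined machines receive their policy from Group Policy instead, so the last step applies only to the local SAM.

```powershell
# Added example (not from the book): audit local accounts for blank/absent
# passwords and stale passwords, then enforce a baseline local policy.
# Thresholds below are assumed values; adjust to your own standard.
$minLength   = 14
$maxAgeDays  = 90
$historySize = 24
$lockoutAfter = 5

# Enabled accounts that do not require a password at all. This is the
# "never leave it blank" case: such accounts can be logged into with no secret.
$noPassword = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
if ($noPassword) {
    Write-Warning "Enabled accounts with no password required:"
    $noPassword | Select-Object Name, PasswordLastSet | Format-Table -AutoSize
}

# Enabled accounts whose password was never set, or is older than the maximum age.
$cutoff = (Get-Date).AddDays(-$maxAgeDays)
$stale = Get-LocalUser | Where-Object {
    $_.Enabled -and ( -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff )
}
if ($stale) {
    Write-Warning "Enabled accounts whose password is older than $maxAgeDays days or never set:"
    $stale | Select-Object Name, PasswordLastSet, PasswordExpires | Format-Table -AutoSize
}

# Show the policy currently in force before changing it, for the audit record.
net accounts

# Enforce the baseline on the local SAM. On a domain member these values come
# from Group Policy and this command does not override the domain policy.
net accounts /minpwlen:$minLength /maxpwage:$maxAgeDays /uniquepw:$historySize /lockoutthreshold:$lockoutAfter

# Confirm the new settings took effect.
net accounts
```

Note that a minimum length and a maximum age do not stop a user from choosing "Password1!"; the complexity requirement itself lives in the local or domain security policy (secpol.msc or the equivalent GPO setting), and the multifactor option the text mentions removes the dependence on the password alone.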
