When we talk about implementing basic security measures, one could think “And what are those?” And if that question would be asked, it would be a very, very difficult question to answer. If you are a system administrator, an IT security manager in your company, or just a regular information security enthusiast, I recommend you to read this paper, as it addresses some of the most important issues in implementation of basic security measures in an IT environment.
Information security breaches have been rapidly rising over the past decade at an alarming level. For this reason, more and more IT companies have realized that securing their businesses is not something they should do, but something they have to do. The losses we read about in everyday news are too scary to let IT security of your company be just the way it is – none! You can’t do it once and for all, but rather by employing basic security measures and following some rules and policies you define for your organization. In this article, we are going to point out some of the steps which need to be taken if you want to do good for your company by implementing a serious and comprehensive security process. We will not focus on only one operating system (i.e. Linux), but rather point out general information on the subject.
According to the Internet Security Alliance (ISAlliance), there are about ten good security practices as a place to start. These ten practices include different kinds of information security, such as policy, process, people, and technology, all of which are necessary for deployment of a successful security process. With these techniques adopted, we can say we are moving towards our goal – ensuring the security of critical information assets. It is proven that through adopting commonly accepted, good security practices, every organization can begin to successfully manage their security risks. So, let’s take a look over these ten practices.
We are going to divide these ten practices as follows:
- General Management
- Risk Management
- Security Architecture & Design
- User Issues
- System & Network Management
- Authentication & Authorization
- Monitor & Audit
- Physical Security
- Continuity Planning & Disaster Recovery
We will cover each of this practices only generally, as I think there is quite enough information over these on the Internet, covered in detail.
In a perfect world (like the one we’re not living in), every company should have a predefined, straight and ready to implement attitude over the security in the company. It is considered an advantage to recognize a problem even before a problem becomes an emergency. On the other hand, if that is not the case, following and researching these suggestions should help every IT manager in successfully implementing basic security measures and by doing that, ensure their organization has done the basic efforts to defend themselves from the dark side of the cyberspace.
IT security managers must establish an appropriate information and Internet security policy and an auditing process. Security in their company must be seen as an essential part of their business survivability. Also, security processes must be an everyday activity, not something you do once and forget about it, as security itself is such subject that it is changing not even daily but hourly. There are legal authorities whose job is to process complies if something goes wrong and their security forts fail to respond properly, and management must be aware of these bodies.
Security policy must provide written rules that are saying how computer systems should be configured and how organization’s employees should conduct business before they use information technology. Policies have to be well controlled, and they will be the baseline for implementation. If we do not have a policy, there will be no plan upon which an organization can design and implement an effective security program. You have to ask yourself about most important security policies, and what is their role in helping achieving business objectives. There are a number of sub policies, which we will not cover here, as this article is about implementing only basic security measures.
Ask yourself – how does your organization identify critical information assets and risks to those assets? What are the potential financial impacts of a successful attack against these assets? Do you have any insurance policies to mitigate and transfer potential losses for your information security risks? Risk management is about conducting an information security risk evaluation that identifies critical information assets (i.e. systems, networks or data), threats to critical assets, assets vulnerabilities and risks. You should identify the adverse impacts when risks to critical assets are realized, and quantity the financial impact to the greatest extent possible. Do have a risk mitigation plan resulting from the evaluation, and ensure there is a regular review and management of the risks to critical information assets.
Security Architecture & Design
You should know the primary components of your organization’s security architecture. How does your security architecture help your business exactly? Know what assets to secure the most and know why.
This practice involves a few sub practices as well, such as Accountability and Training and Adequate Expertise. Regarding Accountability and Training, you should establish accountability for user actions, train for accountability and enforce it, as reflected in organizational policies and procedures. When I say users, I mean all the folks with active accounts, in example employees, partners, suppliers, and vendors. Regarding Adequate Expertise, you should ensure that there is adequate in-house expertise or explicitly outsourced expertise for all supported technologies, including the secure operation of those technologies. You have to know whom to call if you have problems with your operating system, laptop, and access to new project data, passwords, security applications, or custom applications that have been developed internally? And that’s not all; you should know whom to call when your corporate firewall blocks access to a service that you need, or something similar to that.
System & Network Management
This practice is built from few smaller practices, which are all very important. Those are: Access Control, Software Integrity, Secure Asset Configuration and Backups. We are going to cover them only generally here. Establish a range of security controls to protect assets residing on systems and networks. Consider use of access controls at your network, and use of data encryption technologies (VPN too) as required. Use removable storage media for critical data so that it can be physically secured. Do regular checks and verify the integrity of installed software. Do regular checks for viruses, worms, Trojans and other malicious software or unauthorized software. Also, regularly compare all file and directory cryptographic checksums with a securely stored, maintained, and trusted baseline.
Provide procedures and mechanisms to ensure the secure configuration of all deployed assets throughout their life cycle of installation, operation, maintenance, and retirement. This means you should apply patches to correct security and functionality problems, and establish standard, minimal essential configuration for each type of computer and service. Keep your network topology up to date, and provide some levels of logging. Before you apply your patches, consider the security implications for every change to systems and networks. Perform vulnerability assessments on a periodic basis, and address vulnerabilities when they are identified. Mandate a regular schedule of backups for both software and data, which means you have to validate software and data before and after backup, and make sure you have the ability to restore from backups.
Authentication & Authorization
Protect critical assets when providing network access to users working remotely and to third parties such as contractors and service providers. You should use network-, system-, file-, and application-level access controls and restrict access to authorized times and tasks, as required. Also, consider using data encryption and virtual private network technologies, if it is required.
Monitor & Audit
Use appropriate monitoring, auditing, and inspection facilities and assign responsibility for reporting, evaluating, and responding to system and network events and conditions. This means that you regularly use system and network monitoring tools and examine the results they produce; also use filtering and analysis tools and examine the results they produce, and learn how to response to events that warrants a response action. Also, make sure your employees are aware of whom to contact when they notice suspicious behaviour. Advice your system administrators to be up to date on the latest threats and attacks, and provide them with recourses on solutions over this problems.
Physical security is as important as network security. It is one of the most frequently forgotten forms of security because the issues that physical security encompasses – the threats, practices, and protections available – are different for practically every different site. The real danger in having a computer stolen isn’t the loss of the system’s hardware but the value of the loss of the data that was stored on the computer’s disks. As with legal files and financial records, if you don’t have a backup – or if the backup is stolen with the computer – the data you have lost may well be irreplaceable. Even if you do have a backup, you will still need to spend valuable time setting up a replacement system. Finally, there is always the chance that stolen information itself, or even the mere fact that information was stolen, will be used against you. There are several measures that you can take to protect your computer system against physical threats. Many of them will simultaneously protect the system from dangers posed by nature, outsiders, and inside saboteurs. So, we suggest you to use physical access controls (e.g., badges, biometrics, keys), where required. Also, use password-controlled electronic locks for workstations, servers, and laptops that are enabled upon login and after specified periods of inactivity. Control access to all your critical hardware assets (e.g., routers, firewalls, servers, mail hubs).
Continuity Planning and Disaster Recovery
Hopefully, by following this tips I mentioned above, I hope your systems or networks will never be stolen or damaged. But if that happens, you should have a plan for immediately securing temporary computer equipment and for loading your backups onto the new systems. This plan is known as disaster recovery. You should establish a plan for rapidly acquiring new equipment in the event of theft, fire, or equipment failure. You should also test this plan by renting (or borrowing) a computer system and trying to restore your backups, as I mentioned before.
 Simson Garfinkel & Gene Spafford | Practical UNIX & Internet Security Second Edition | ISBN: 1-56592-148-8 | O’REILLY, April 1996.
 Julia H. Allen; Edward F. Mikoski, Jr.; Kevin M. Nixon; Donald L. Skillman | COMMON SENSE GUIDE FOR SENIOR MANAGERS, Top Ten Recommended Information Security Practices 1st Edition | Internet Security Alliance, July 2002.
 Multiple Authors | Internet Security Professional Reference, Second Edition | ISBN: 156205760x | Macmillan Computer Publishing, July 1997.
 Hal Tipton and Micki Krause | Handbook of Information Security Management | ISBN: 0849399475 | CRC Press LLC, January 1998.
 Aron Hsiao | Linux Security Basics | ISBN: 0-672-32091-6 | Sams Publishing, 2001.