The concept of Network Security can be pretty daunting. There are lots of rules and regulations that talk about security, how to enforce security, and what you should or shouldn’t do. Well, my brain is pretty full of stuff that is important, like passwords and account numbers, and not so important, like the name of Pink Floyd’s keyboard player, so I have to simplify everything I have to remember. I’ve had to do this for network security too.
Here are the six simple rules I use when I’m thinking about security. I based my rules on every regulation I’ve ever read (and I’ve read too many!) and on something I found online by Marcus Ranum and Fred Avolio called the Seven Tenets of Good Security.
1. Keep it Simple! – Simple is better than complex if the same result is achieved. The methods and mechanisms used to implement security, the way a device is managed and used, and the security paradigm embraced by a security policy should all be simple, because simple is usually more transparent, and if something breaks it’s normally easier and cheaper to fix.
2. Document your security processes! – Write a security policy. This is where you keep all your security rules, the ones that cover password changes, money handling, etc. This will be your business’s security bible.
3. Make sure you have reports! – A security device should be configured to gather as much data as possible, and this data must be examined for compromises on a scheduled basis. A local business recently lost thousands of credit card numbers because they weren’t checking their security logs!
4. Make the user accountable! – User identification is vitally important if users are to be allowed to use security systems. Each user should have their own login, and logins should never be shared. Most security breaches occur through user account hacks. If a violation does occur, the issue can be traced to the hacked account and the security hole can be closed.
5. Be Flexible! – A security device or process should be configurable to implement an organization’s security policy. It must also be flexible to change as the organization’s security policy changes.
6. Don’t be afraid to test REGULARLY! – The methods and algorithms used to implement security should be tested and reevaluated on a regular basis. If a policy needs to change or isn’t working for you, then this is the time to change it.
Questions? Comments? Let me hear them!