Re: Best practices for a small business's security
From: Byron Sonne (blsonne_at_rogers.com)
Date: 12/30/03
- Previous message: Lard van den Berg: "Re: Firewall Hardware Recommendations"
- In reply to: bob martin: "Best practices for a small business's security"
- Next in thread: Alessandro: "Re: Best practices for a small business's security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Dec 2003 21:16:52 -0500
To: bob martin <bobmartin_613@hotmail.com>, security-basics@securityfocus.com
> I am looking for best practices or an outline to follow for helping a
> small company to secure their business. I've found many resources on
> the technical aspects, but am hoping for suggestions for websites or
> books covering the business aspects as well. Any help would be much
> appreciated.
Greetings,
Here's some, based on my opinion, YMMV:
(1) Hire a good admin; they're worth the money. Don't be too concerned
about what they look like, hygiene, social skills, or whatever; skills
talk, bullsh**t walks. People are your #1 resource and most important asset.
(2) Keep things clean, simple and segregated. A single server should do
only a single job. A firewall is only a firewall, web only web, mail
only mail, etc. If your firewall gets compromised and you have your
databases, financial records, webservers, etc on the same box you're in
for a heap of trouble.
(3) Avoid Microsoft products whenever possible (I'd normally say at all
costs, but I'm feeling generous tonight) especially the server products.
You can do everything you really need to with little, if any, Microsoft
products. All this active content and html/whatever enabled mail =
HORRIBLE SECURITY RISKS.
(4) Use as much free/open-source software as possible. I ALWAYS get
answers and solutions to my problems a heck of a lot quicker from
mailing lists, user groups and websites for these products than from
commercial ones. And it typically doesn't cost a dime. Paid commercial
support usually comes from some droid typing questions into a knowledge
base and getting answers (after you've been shuffled around the phone a
few times). With open-source, the answers usually come from the
developers themselves and power users. I can vouch for this; I monitor a
multitude of mailing lists for my own edification and also to help
others out. ***Whether advice is free or paid for has nothing to do with
quality***
(5) Backups, backups, backups! So your network and servers get hacked
and trashed, or swallowed in a mudslide or earthquake. So what?
Rebuild/wipe everything, reinstall, and if you've set up your structure
right and kept good documentation, you shouldn't suffer too much
downtime or loss of profits.
(6) Don't use the latest and greatest software and hardware if you don't
really have to (other than upgrading to eliminate security issues). Do
your research and stick to what works, not the stuff that is bleeding
edge that everyone tells you "that you gotta have". My rule of thumb is
one or two down from the most recent/top-shelf product. Don't buy what
you see on TV or read in the trade rags. Talk to the real people down in
the trenches; admins at other companies in your line of business are
great resources. Never trust sales people; verify everything.
(7) Don't trust consulting or opinion firms like Gartner (sp?) et al. My
suspicions are that they are paid, by other firms, to tell people what
to use. If all your friends jumped off a tall building, would you do it
too? Research and verify.
(8) Documentation. It doesn't have to be long or ISO compliant, but it
should be useful. Too much is as bad as too little.
(9) If you have the choice between two products, one that is cheap and
one that costs a bit more but is more flexible, go with the more
flexible one. Security is also about being able to respond quickly and
flexibly to changing needs.
Regards,
Byron Sonne