The Top Ten of Security

The Top Ten of Security. Ten best practices for securing your network. Ten best security web sites. Eight certifications

• Ten best practices for securing your network.

• Ten best security web sites.

• Eight certifications.

“Best Practices”

• ‘Best Practices’ are recognized measures you can take to secure your computers.

• If you don’t use these ‘Best Practices’ and your systems are used against someone else, as in a DDoS attack, you could be liable.

• Using industry Best Practices can protect you from lawsuits.

Best Practices

1. Educate users and use strong passwords – Users need to know the rules and the reasons for them

2. Use anti-virus software – it works (update at least once a week)

3. Never accept default installations – default settings are always the weakest – change the default password.

4. Don’t run unnecessary services – web server, ftp, telnet, SMTP

Best Practices (cont’d)

5. Install security patches immediately.

6. Back up your data and protect against power surges.

7. Limit who you trust – give each user only the level of access they need to accomplish their tasks and no more.

8. Enable logging and review the logs regularly

Best Practices (cont’d)

9. Expect protection to fail. Firewalls, routers, IDS, access control mechanisms often fail without warning. Have layers of protection. Have a plan B and C.

10. Manage user accounts. Disable or delete unneeded accounts immediately. They are fertile ground for crackers.

Ten Best Security Web Sites

1. www.cert.org – Computer Emergency Response Team at Carnegie Mellon – Current vulnerabilities, background info

2. http://online.securityfocus.com – Like a library of information

3. http://rr.sans.org – The “reading room” for SANS, a large computer security training organization.

Web Sites

4. www.antionline.com – “Hackers know the weaknesses in your system, shouldn’t you?”

5. www.ciac.org – Computer Incident Advisory Capability – U.S. Dept of Energy

6. www.theregister.co.uk – Good for getting a different viewpoint

Web Sites

7. www.cerias.purdue.edu/hotlist – Portal to many other good web sites

8. www.infosecuritymag.com/ – Online magazine

9. www.secinf.net – Network Security Library

10. http://csrc.nist.gov/ – Computer Security Resource Center of the National Institute of Standards and Technology

Top (8) Security Certifications

1. CISSP – Certified information systems security professional – general security knowledge – www.isc2.org

2. SSCP – Systems security certified practitioner – more technical than CISSP

3. CISA – Certified information systems auditor – www.isaca.org

4. CPP – Certified Protection Professional – security management – www.asisonline.org

5. GIAC – Global information assurance certification – multilevel certification by SANS – www.giac.org

6. Security Certified Network Architect/ Network Professional – www.securitycertified.net/certifications.htm

7. Cisco certifications – proficiency with Cisco products – www.cisco.com

8. Microsoft certifications – proficiency with Microsoft products – www.microsoft.com