Archive for the ‘Tips’ Category

Pay it forward / Advice for the security admin and manager

August 3rd, 2006 Michael Farnum

I am going to combine my security tip of the day with my series of advice for security admins and managers.  So here goes:

I can sum up this advice post in two words: due diligence.  It is obvious that due diligence is necessary in all aspects of security and other areas, but let's go over a few examples:

  • Due diligence in your security solutions:  As a security manager, I get calls from vendors wanting me to buy their security products on a daily basis.  Many of them are big guys like Cisco.  Many are smaller shops like StillSecure (no offense Alan).  Now, the name recognition that comes with Cisco instantly draws me to them.  Cisco has a major role in my network (no surprise), so the familiarity with their product makes me instantly pay attention.  And I know as a busy security manager that I could probably buy their product without looking around and doing my DUE DILIGENCE and get a decent product that my boss is not going to gripe about.  But that goes back to the ol’ “good enough” discussion between Alan Shimel and Michael Wright.  Cisco does make some fine products, but they are simply not the best when it comes to security.  What I should do is take the time to look at other solutions, and then determine what the best solution is for my business.
  • Due diligence in keeping your security measures up to date: Let’s look at an example.  Take the good ol’ IDS.  Many people proclaimed the death of the IDS years ago.  But I believe with the surge of SIM / SEM products out there, the IDS can be used in conjunction with an IPS to give some really good info as to what is happening in your network.  Of course, you have to tune your IDS, and you have to maintain signatures.  And you have to make sure your SIM / SEM is set up to alert on current attacks and maintained to recognize any new attacks or new devices in your network.  This type of due diligence needs to be applied across the board.
  • Due diligence in procedures: Policies are easy.  Procedures are a bear.  But they are infinitely more important than policies because they define how the policies are applied.  Without procedures, policies are essentially worthless.

Practicing due diligence will make your network secure and your career successful.  Getting a reputation for being anal can sometimes be a bad thing, but in security it is an endearing term.

Vet

Categories: Due Diligence, Security, Tips

Pay it Forward Security tip of the day

August 2nd, 2006 Michael Farnum

I am going to sponge off of Michael’s tip at MCWResearch for my tip of the day.  Michael gives some good advice for configuring and managing firewalls (Michael must be old-school security, since firewalls aren’t needed anymore – right….).

He specifically talks about egress filtering, which is something many companies do not make use of in their security.  Michael talks about blocking certain specific ports, but I think you should go a step further and have default deny on all traffic incoming AND outgoing, then open ports as needed.  It makes sense, but many people do not think outbound needs to be filtered.  But as Michael pointed out, allowing IRC is inviting bots to start popping up on your network, and then the bots continue to report back to the IRC server.  They establish the connection themselves, so no inbound port needs to be open for the attack.
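The "default deny in both directions, then open what is needed" stance above, as an added example that is not part of the original post or of MCWResearch's advice. It models the policy as an allowlist of (protocol, port) pairs per direction, runs a handful of constructed connection records through it, and renders the equivalent iptables commands. The allowlist contents, the sample records and the log prefixes are assumptions chosen for illustration; the port numbers are the standard IANA assignments (IRC on TCP 6667 is the case the post describes).

```python
# Added example (not from the original post): a small model of the
# "default deny inbound AND outbound, open ports as needed" firewall stance.
# It evaluates constructed connection records against the policy and renders
# the equivalent iptables commands. The allowlist is an assumption chosen for
# illustration, not the author's configuration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """A new connection attempt seen at the perimeter."""
    direction: str  # "in" (toward the network) or "out" (leaving it)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    note: str = ""  # free-text label for the sample record


@dataclass
class Policy:
    """Default-deny in both directions; only listed (proto, port) pairs pass."""
    allow_in: set = field(default_factory=set)
    allow_out: set = field(default_factory=set)

    def evaluate(self, flow: Flow) -> str:
        allowed = self.allow_in if flow.direction == "in" else self.allow_out
        return "ALLOW" if (flow.proto, flow.dport) in allowed else "DENY"

    def audit(self, flows):
        """Return the flows the policy would drop (what the deny log would show)."""
        return [f for f in flows if self.evaluate(f) == "DENY"]

    def render_iptables(self):
        """Equivalent iptables rules: DROP policies, conntrack for replies, allowlist, log."""
        lines = [
            "iptables -P INPUT DROP",
            "iptables -P OUTPUT DROP",
            "iptables -P FORWARD DROP",
            "iptables -A INPUT -i lo -j ACCEPT",
            "iptables -A OUTPUT -o lo -j ACCEPT",
            # Replies to permitted connections are matched by state, so no
            # separate inbound hole is needed for return traffic.
            "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
            "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ]
        for proto, port in sorted(self.allow_in):
            lines.append(f"iptables -A INPUT -p {proto} --dport {port} "
                         "-m conntrack --ctstate NEW -j ACCEPT")
        for proto, port in sorted(self.allow_out):
            lines.append(f"iptables -A OUTPUT -p {proto} --dport {port} "
                         "-m conntrack --ctstate NEW -j ACCEPT")
        # Log what falls through to the DROP policy so egress attempts are visible.
        lines.append('iptables -A INPUT -j LOG --log-prefix "ingress-deny: "')
        lines.append('iptables -A OUTPUT -j LOG --log-prefix "egress-deny: "')
        return lines


# Assumed allowlist: a web server reachable from outside, and only the
# outbound services the hosts need (DNS, NTP, HTTP/HTTPS, mail relay).
POLICY = Policy(
    allow_in={("tcp", 80), ("tcp", 443)},
    allow_out={("udp", 53), ("udp", 123), ("tcp", 80), ("tcp", 443), ("tcp", 25)},
)

# Constructed sample records, including the bot behaviour the post describes:
# the infected host opens the IRC connection itself, so inbound is never touched.
SAMPLE_FLOWS = [
    Flow("out", "udp", 53, "workstation DNS lookup"),
    Flow("out", "tcp", 443, "workstation HTTPS"),
    Flow("out", "tcp", 6667, "bot reporting to IRC C2"),
    Flow("out", "tcp", 1080, "user trying a SOCKS proxy"),
    Flow("in", "tcp", 443, "visitor to the web server"),
    Flow("in", "tcp", 3389, "unsolicited RDP probe"),
]


def denied_notes(policy=POLICY, flows=SAMPLE_FLOWS):
    """Labels of the sample flows the policy drops, in input order."""
    return [f.note for f in policy.audit(flows)]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{POLICY.evaluate(f):5} {f.direction:3} {f.proto}/{f.dport:<5} {f.note}")
    print()
    print("\n".join(POLICY.render_iptables()))
```

Run it and the IRC beacon and the SOCKS proxy attempt show up as DENY on the outbound side without any inbound rule being involved, which is the point of filtering egress; the rendered rules put the conntrack ESTABLISHED,RELATED accepts before the per-port allows so return traffic for permitted connections still flows, and the trailing LOG rules make the dropped outbound attempts visible in the firewall log rather than silently disappearing.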

Additionally, I suggest Websense or something similar to block specific protocol access (again, default deny and allow as needed).  This can be another layer that can protect against web proxies and anonymizers and the like so your users can’t try to get around your firewall.

Vet