Key areas:
 | Procedural Security |
 | Logical Security |
 | Physical Security |
 | Firewall Security |
 | Intranet Security |
Procedural Security
Written plan - describe what you are doing for security and what you
will do if it fails. Identify the following:
 | "Who" is responsible, has access, does not have access. |
 | "Where" machines are, backups are kept, information is kept. |
 | "When" things are to be checked/reviewed, how often passwords are
changed. |
 | "What" - physical, logical, software procedures and how they are
implemented. |
 | Risks and mitigation. |
Security plan "titles":
 | Physical Security Plan: descriptions of assets, physical areas to
be protected, potential threats, description of defenses. |
 | Disaster Recovery Plan: describe means to acquire replacement
resources. |
Backups
 | Create "day-zero" (first backup); |
 | Create periodic backups as required (daily, weekly, etc.). |
 | Make incremental backups. |
 | Keep multiple backup sets. |
 | Keep backups to ensure redundancy - time frame will vary. |
 | Store backups in a remote location for added security. |
Enforce Passwords -
 | Password expiration - expire on a reasonable period. |
 | Password length - at least 5 characters, no blanks. |
 | Password uniqueness - no password reuse, have system remember last 3/4
passwords. |
 | Password changing - users should change passwords upon first access. |
 | Account lockout - lockout account access for 15 minutes on 3 failed
attempts. |
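
The password rules above, as an added example (not part of the original outline) showing how length, blanks, uniqueness, first-access change and lockout can be enforced together. The class and method names, the PBKDF2 parameters, the choice of 3 remembered passwords and the "3 consecutive failures" reading of the lockout rule are assumptions; expiration is left out.

```python
import hashlib, hmac, os
from collections import deque

MIN_LENGTH = 5             # outline: at least 5 characters, no blanks
HISTORY = 3                # outline: remember last 3/4 passwords (3 assumed here)
MAX_FAILURES = 3           # outline: lock out on 3 failed attempts
LOCKOUT_SECONDS = 15 * 60  # outline: lockout lasts 15 minutes

def _digest(password, salt):
    # Assumption: PBKDF2-HMAC-SHA256; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:  # hypothetical name, for illustration only
    def __init__(self, initial_password):
        self.history = deque(maxlen=HISTORY)  # (salt, digest) pairs, newest last
        self.failures = 0
        self.locked_until = 0.0
        self.must_change = True               # change required on first access
        self._store(initial_password)

    def _store(self, password):
        salt = os.urandom(16)                 # per-password random salt
        self.history.append((salt, _digest(password, salt)))

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def change_password(self, new):
        if len(new) < MIN_LENGTH or any(c.isspace() for c in new):
            return "rejected: too short or contains blanks"
        if any(self._matches(new, e) for e in self.history):
            return "rejected: reused password"
        self._store(new)                      # oldest entry falls out of history
        self.must_change = False
        return "ok"

    def login(self, password, now):
        if now < self.locked_until:           # still inside the lockout window
            return "locked"
        if self._matches(password, self.history[-1]):
            self.failures = 0
            return "change-required" if self.must_change else "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:     # third consecutive failure
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            return "locked"
        return "denied"
```

The `now` argument is a timestamp in seconds supplied by the caller, so the lockout window can be exercised without waiting.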
Use Log Files - Activate and use "access" log files to track
user interaction.
Auditing - track access to a file or directory by a user.
Third-Party Tools - security analysis tools by third parties that
create summary and graphical reports as well as apply heuristic techniques to
identify security breaches.
Logical Security
 | Directory Structure - know and manage the directories used by your system,
have rules for how common directories are used (e.g., cgi-bin, etc.). |
 | Program Use - monitor programs that are used/not used (e.g., FTP,
mail, etc.). Disable/remove redundant, unused programs. |
Physical Security
 | Gateways - use gateways (a machine or software between the web server and external
world) to validate users and messages. |
 | Physical Access - limit who can get to and use the machine.
Use secure facilities, locks, and other devices to protect hardware. |
 | Secure Machines - outside access to the Internet is on a separate
machine (not the LAN server). |
 | Geographic Security - use machines that are physically separated. |
Protecting computer hardware and systems means considering:
 | Environment considerations: fire, smoke, dust, earthquake,
explosion, temperature extremes, rodents and pests, electrical noise,
lightning surges, vibration, humidity, and water. |
 | Accidents: e.g., food and water on the keyboard, CPU, etc. |
 | Physical Access: raised floors/ceilings, cabling ducts, air duct
access, glass walls. |
 | Vandalism: including direct or indirect (e.g., stealing a computer
or disrupting power) activities, theft, and terrorism. |
 | Access to unattended terminals and computers: who has access,
vulnerability of the network. |
 | Personnel: work history, criminal records, knowledge. |
Firewall Security
 | Any set of tools/procedures that protect your system from unwanted intrusion. |
 | Ranges from easy-to-use, consumer-oriented software tools such as
ZoneAlarm to higher-end commercial products. |
 | Typically implemented as a gateway (see above). |
 | Proxy Servers can also be used for this purpose. |
Types of firewalls
 | Packet filtering: router with filters that determine which packets
can cross over a network boundary. Standard with most routers, they
are typically easy to program. |
 | Proxy: provides intermediaries for various servers to control
access (e.g. HTTP, SMTP). |
 | Network Address Translation (NAT): allows users to "hide"
behind a single web address (e.g., Net 10, 10.0.0.0 to
10.255.255.255). |
 | Virtual Private Networks (VPN): allow an outside computer to
"tunnel" through the firewall and appear as if inside it.
Typical for corporate servers and shared file systems. |
Intranet Security
 | Limit access to a specific group of users (employees, members, etc.). |
 | Can include hardware and software controls for access. |
 | May include use of gateways. |
 | Secure access connections and program-based security. |
 | Access is often managed via IP address validation. |
