The Top Ten of Security

• Ten best practices for securing your network.
• Ten best security web sites.
• Eight certifications.

"Best Practices"

• 'Best Practices' are recognized measures you can take to secure your computers.
• If you don't use these 'Best Practices' and your systems are used against someone else, as in a DDoS attack, you could be liable.
• Using industry Best Practices can protect you from lawsuits.

Best Practices

1. Educate users and use strong passwords. Users need to know the rules and the reasons for them.
2. Use anti-virus software. It works (update at least once a week).
3. Never accept default installations. Default settings are always the weakest; change default passwords.
4. Don't run unnecessary services (web server, FTP, telnet, SMTP).
5. Install security patches immediately.
6. Back up your data and protect against power surges.
7. Limit who you trust. Give each user only the level of access they need to accomplish their tasks and no more.
8. Enable logging and review the logs regularly.
9. Expect protection to fail. Firewalls, routers, IDS and access control mechanisms often fail without warning. Have layers of protection. Have a plan B and C.
10. Manage user accounts. Disable or delete unneeded accounts immediately. They are fertile ground for crackers.

Ten Best Security Web Sites

1. www.cert.org: Computer Emergency Response Team at Carnegie Mellon. Current vulnerabilities, background info.
2. http://online.securityfocus.com: like a library of information.
3. http://rr.sans.org: the "reading room" for SANS, a large computer security training organization.
4. www.antionline.com: "Hackers know the weaknesses in your system, shouldn't you?"
5. www.ciac.org: Computer Incident Advisory Capability, U.S. Dept. of Energy.
6. www.theregister.co.uk: good for getting a different viewpoint.
7. www.cerias.purdue.edu/hotlist: portal to many other good web sites.
8. www.infosecuritymag.com/: online magazine.
9. www.secinf.net: Network Security Library.
10. http://csrc.nist.gov/: Computer Security Resource Center of the National Institute of Standards and Technology.

Top (8) Security Certifications

1. CISSP: Certified Information Systems Security Professional. General security knowledge. www.isc2.org
2. SSCP: Systems Security Certified Practitioner. More technical than CISSP.
3. CISA: Certified Information Systems Auditor. www.isaca.org
4. CPP: Certified Protection Professional. Security management. www.asisonline.org
5. GIAC: Global Information Assurance Certification. Multilevel certification by SANS. www.giac.org
6. Security Certified Network Architect / Network Professional. www.securitycertified.net/certifications.htm
7. Cisco certifications: proficiency with Cisco products. www.cisco.com
8. Microsoft certifications: proficiency with Microsoft products. www.microsoft.com