The Top Ten of Security

• Ten best practices for securing your
• Ten best security web sites.
• Eight certifications.
“Best Practices”
• ‘Best Practices’ are recognized measures
you can take to secure your computers.
• If you don’t use these ‘Best Practices’ and
your systems are used against someone else
as in a DDOS attack, you could be liable.
• Using industry Best Practices can protect
you from lawsuits.
Best Practices
1. Educate users and use strong passwords
Users need to know the rules and the reasons for
2. Use anti-virus software – it works (update at
least once a week)
3. Never accept default installations – default
settings are always the weakest – change default
4. Don’t run unnecessary services – web server,
ftp, telnet, SMTP
5. Install security patches immediately.
6. Back up your data and protect against
power surges
7. Limit who you trust – give each user only
the level of access they need to
accomplish their tasks and no more.
8. Enable logging and review the logs
9. Expect protection to fail. Firewalls,
routers, IDS, access control mechanisms
often fail without warning. Have layers of
protection. Have a plan B and C.
10. Manage user accounts. Disable or delete
unneeded accounts immediately. They are
fertile ground for crackers.
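The checks behind items 4 and 10 above (stop unnecessary services, disable unneeded accounts), as an added example that is not part of the original slides; the inventory format, the service allowlist and the 90-day idle threshold are assumptions.

```python
"""Audit a host inventory for unnecessary services and unneeded accounts.
Added example; the inventory layout and thresholds are assumptions."""
from datetime import date

ALLOWED_SERVICES = {"ssh", "ntp"}   # assumption: the only services this host needs
INACTIVE_DAYS = 90                  # assumption: disable accounts idle longer than this
AUDIT_DATE = date(2024, 6, 1)       # fixed date so the run is reproducible

# Constructed sample inventory (not real hosts or people).
LISTENING = [("ssh", 22), ("telnet", 23), ("ftp", 21), ("smtp", 25), ("ntp", 123)]
ACCOUNTS = [
    # name, enabled, last_login (None = never logged in), still on the staff roster
    ("alice", True, date(2024, 5, 20), True),
    ("bob", True, date(2023, 11, 2), True),          # idle for more than 90 days
    ("contractor", True, date(2024, 5, 1), False),   # left the roster
    ("guest", True, None, False),                    # default account, never used
    ("old_admin", False, date(2022, 1, 1), False),   # already disabled
]


def unnecessary_services(listening, allowed=ALLOWED_SERVICES):
    """Return (service, port) pairs that are listening but not on the allowlist."""
    return [(name, port) for name, port in listening if name not in allowed]


def accounts_to_disable(accounts, today, idle_days=INACTIVE_DAYS):
    """Return names of enabled accounts that are off the roster, never used,
    or idle longer than idle_days. Accounts already disabled are skipped."""
    flagged = []
    for name, enabled, last_login, on_roster in accounts:
        if not enabled:
            continue
        idle = last_login is None or (today - last_login).days > idle_days
        if not on_roster or idle:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for svc, port in unnecessary_services(LISTENING):
        print(f"stop and disable service {svc} (port {port})")
    for name in accounts_to_disable(ACCOUNTS, AUDIT_DATE):
        print(f"disable account {name}")
```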
Ten Best Security Web Sites
– Computer Emergency Response Team at Carnegie Mellon
– Current vulnerabilities, background info
– Like a library of information
– The “reading room” for SANS, a large computer security training organization.
“Hackers know the weaknesses in your
system, shouldn’t you?”
Computer Incident Advisory Capability
U.S. Dept of Energy
Good for getting a different viewpoint
Portal to many other good web sites
Online magazine
Network Security Library
Computer security resource center of the National Institute of Standards and Technology
Top (8) Security Certifications
1. CISSP – Certified information systems security
professional – general security knowledge –
2. SSCP – Systems security certified practitioner –
more technical than CISSP
3. CISA – Certified information systems auditor –
4. CPP – Certified Protection Professional –
security management –
5. GIAC – Global information assurance
certification – multilevel certification by SANS –
6. Security Certified Network Architect/ Network
Professional –
7. Cisco certifications – proficiency with Cisco
products –
8. Microsoft certifications – proficiency with
Microsoft products –