The sad truth is, the task of securing an IT system can never be complete. As Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., warned in his book "Secrets and Lies," systems have four devastating properties that combine to make vigilance a permanent concern: theyre complex; interactive; emergent with unpredictable behaviors; and bug-ridden.
And systems today are actively threatened, compounding the hazards created by the other four traits.
Administrators can install layer after layer of protection, but theyre not really doing their jobs if the result is an error-prone environment. They cant simply deploy every available security tool; its their job to assess the balance between degree of protection on the one hand and likelihood of consistent and correct use of systems on the other.
Security Best Practices|
Integrate security considerations into all project proposals.
Prioritize assets based on their value, and focus detection efforts accordingly.
Determine required response times for various classes of IT breach; ensure that business arrangements reflect these needs.
Allow managers to access metrics.
Educate (and continue to educate) technology and end-user staff about safe- computing and physical-security guidelines.
Use interlocking security systems to protect key resources.
Harden systems by installing updates, removing every possible component not used in normal operation, changing system defaults, installing security software and performing penetration tests.
Use available automated tools for vulnerability scans.
Know the IT infrastructure and how it behaves under normal circumstances so abnormal activities are noticeable.
Source: eWEEK Labs
One of the strongest weapons is the growing awareness of security issues among even casual IT users. The challenge for security service providers, for security product vendors and for enterprise general managers is to translate users awareness into meaningful behavior change.
Check out eWEEK.coms Security Center at http://security.eweek.com
for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: