Security Action Plan

When we do not follow appropriate testing, we open ourselves to security risk.

Security is about more than just technology. Sure, you have to use secure products, but building an environment where data is safe means ongoing diligence, both in the use of technical best practices and in confronting social engineering threats through changes in individual and group behavior. With this in mind, I decided to organize a security conference at the Boise, Idaho, headquarters of my company, Washington Group International, a construction and engineering firm. We brought in industry experts, featured speakers, panels and discussion groups. Here are the lessons that emerged:

Ensure that visitors are escorted in and out of the building. It is too easy to walk into a place of business, sit down and get on the network.

Do not give out log-in and password data to anyone. Default accounts should not be used. Passwords for administrators need to be sophisticated and include a variety of alphanumeric characters. Special characters are also recommended.

Follow strict procedures when employees are terminated to prevent them from gaining unauthorized access.

With the introduction of features, there is a risk of introducing security flaws. When we push for an immediate implementation and do not follow appropriate testing, we open ourselves to security risk.

Dont give hackers too much credit. They often use old exploits. Keep current with your security patches.

Its a good idea to keep news of security incidents within your company. Sharing knowledge in a community works for some technical areas, but publicizing such information might expose you as a target.

In addition to anti-virus software for your laptops, add a laptop firewall. Each laptop that connects remotely to your network becomes a WAN end point. It is common practice to use VPN technology to access company applications remotely, but even with a secure connection, you are still vulnerable to individuals gaining access to your machine.

Segment your network. When intruders get into a server, they should not be able to access your entire environment. Locate key servers in a secure, isolated environment.

Intrusion detection is important but can create too many false positives. A carefully planned implementation can keep you from being inundated.

Encrypt sensitive data in your LAN, not just over the Internet.

Have external vulnerability tests performed once a year and internal tests done more often.

The bottom line: Plan security from the beginning so you dont have to wonder why you didnt in the first place. ´

Gary Bronson is director of IT enterprise operations for Washington Group International and an eWEEK Corporate Partner. He can be reached at Send your comments to free_