Security problems will be with us forever, but the rate always seems to accelerate. Microsoft has just issued its 52nd security advisory this year -- that's one every five days. The Slapper worm is causing problems on Apache servers, dispelling the fug of invulnerability open source has with some people, and after five months in the wild the Klez email attack is still hale and healthy.
Following the rules below will keep your company systems in very good shape, immune to the vast majority of security problems. Ignore these, and the first you'll know about a major problem is when it's on the six o'clock news -- or if you're very unlucky, when you're on the six o'clock news. Remember: these are difficult times for IT jobseekers.
For all of the below items, make time to do them properly. Everyone has things that have to be done yesterday, and the chances are slim of missing a real problem by skipping something on the list now and again. That's the problem with security: it demands constant attention, in return for which nothing much happens. If you don't have the capacity for repetitive, detailed tasks, then find someone who has. And as many security attacks depend for their effectiveness on having a large pool of insecure systems, keeping your systems secure is a communal responsibility.
- Stay in touch. Email is your friend. At the very least, subscribe to the Bugtraq mailing list from Security Focus, which is busy but essential. You will hear about problems here first, although it's a broadly focussed list and you'll also hear about things that don't directly affect you. That's good -- airline pilots call this 'situational awareness', and say it saves lives by bringing up problems before they get bad -- but if you really don't have time then choose one of Security Focus' more tightly defined groups. Also see the CERT Coordination Center, and the Internet Storm Center, for up to date reports on threats.
- Email is also your enemy. Use an email filtering system to check and remove virus infected incoming attachments, dangerous scripts or HTML content. Make sure the users know what the rules are, especially if you also remove 'inappropriate' content by looking for keywords -- this can cause bad feelings and encourage people to find alternative, unprotected ways to get email into and out of the organisation.
- In general, keep users informed about the whys and wherefores of security that affects them, and listen to their concerns. Provide clear, logical security policies, and be prepared to discuss and even change them according to the needs of the users. Even foolproof security can be undone by a determined employee armed with a modem and a mission: making people feel part of the security process encourages their acceptance of the rules. Most security problems are people, rather than technology, related, but disproportionate effort is spent on the technology.
- Have a regular firewall audit. Over time, firewalls become leaky -- someone needs a port opened temporarily for a particular application, and it never gets closed. A good scheme is to schedule a monthly review of the firewalls rule lists, and to have an independent security analyst check it every six months. The reason for every open port should be understood and defensible.
- Keep your operating system and major software updated. When a patch is published, make it a priority to apply it. This absolutely applies to OS updates and service packs as well, even those without immediate security implications, as they may be a requirement for future security fixes. Timetable a weekly window for reviewing the week's security alerts and fixes, to make sure they've been acted upon. If you don't know what patches have been applied in the past -- do an audit and be sure. Do it!
- Put anti-virus software on every computer, and keep it up to date. If a user can touch it, a user can infect it. Floppy disks, CD-Rs, files downloaded from home pages, the modem plugged into the phone extension: the number of ways infected code can enter a computer via user action only increases with time. The worst case scenario -- a trojan horse that spreads around the LAN and breaks through the firewall from inside -- can happen in minutes. AV software and user discipline are the only guards against this, and only AV software is under your control
- Read your logs. Many problems become apparent before they become pressing through unusual network activity, firewall reports or host logs. Review these regularly, and keep up to date with automated tools to help you analyse what can be an overwhelming cascade of information.