Staying Up-to-Date on Security Issues

Appendix F describes some of the best practices for securing your Web server. However, you must thoroughly appreciate the single most important best practice: staying up-to-date on security news. Security is an ever-changing landscape. When new vulnerabilities are found in any software you use, regardless of vendor, you must take swift action. So keep current. If you're not up-to-date, you run the risk of being attacked as information about vulnerabilities and fixes spreads.

The following are some of the best places to go on the Web to stay current with security issues:

  • www.microsoft.com/security: The source for all Microsoft security-related information
  • www.ntsecurity.net: Another useful source of Microsoft-related security information
  • www.sans.com: A superb source for security best practices and education
  • www.cert.org: Carnegie Mellon University's CERT Coordination Center, a great clearinghouse of security information
  • www.hackernews.com: Need we say more?
  • xforce.iss.net: An updated list of vulnerabilities maintained by Internet Security Systems

You should also consider subscribing to a number of security-related newsletters:

  • Microsoft security alerts: www.microsoft.com/technet/security/notify.asp
  • CERT alerts: mailto:cert-advisory-request@cert.org
  • BugTraq from Aleph1 (probably the best source for day-to-day security issues): www.securityfocus.com
  • BugTraq for Windows NT and Windows 2000, maintained by Russ Cooper: www.ntbugtraq.com
  • The SANS digest: www.sans.org/digest.htm
  • Security Alert for Enterprise Resources (SAFER): safer.siamrelay.com

Finally, a word of advice for the truly paranoid: if you have a Windows CE Pocket PC or handheld device, you should consider using Microsoft Mobile Channels or AvantGo (www.avantgo.com) to stay on top of security issues. You can easily keep current by keeping the latest Web pages on your PC companion. For example, one of us uses AvantGo to keep the latest Microsoft and CERT security pages on his Hewlett-Packard Pocket PC. He's been known to read them during meetings—it's more productive than playing games!



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
