Staying on Top of Security

The landscape of security is changing at a very fast pace. You, as a security professional, are primarily responsible for keeping current on the threats and changes that are occurring. As a security professional, you are also responsible for ensuring that systems are kept current and up-to-date. The following briefly summarizes the areas that you must be concerned about:

Operating Systems Updates: Make sure that all scheduled maintenance, updates, and service packs are installed on all of the systems in your environment. Many manufacturers are releasing security updates on their products to deal with newly discovered vulnerabilities.

For example, Novell, Microsoft, and Linux manufacturers offer updates on their websites. In some cases, you can have the operating system automatically notify you when an update becomes available. This will help busy administrators remember to keep their systems current.

Applications Updates: Make sure that all applications are kept to the most current levels. Older software may contain vulnerabilities that were not detected until after it was released. New software may have recently discovered vulnerabilities, as well as yet-to-be-discovered ones. Apply updates to your application software when they are released. This will help minimize the impact of attacks on your systems.

One of the biggest areas of exploitation today involves application programs such as e-mail clients and word processing software. The manufacturers of these products regularly release updates to attempt to make them more secure. Like operating system updates, these should be checked regularly and applied.

Update Network Devices: Most newer network devices can provide high levels of security, or they can be configured to block certain types of traffic and IP addresses. Make sure that logs are reviewed and, where necessary, ACLs are updated to prevent attackers from disrupting your systems. These network devices are also frequently updated to counter new vulnerabilities and threats. Network devices should have their BIOS updated when the updates become available. This will allow for an ever-increasing level of security in your environment.

Cisco, 3Com, and other network manufacturers regularly offer network updates. These can frequently be applied online or by web-enabled systems. These devices are your front line of defense. You want to make sure that they are kept up-to-date.

Keep Policies, Procedures, and Standards Current: A policy that is out-of-date may be worse than no policy. Be aware of any changes in your organization and in the industry that make existing policies out-of-date. Many organizations set a review date as part of their policy-creation procedures. Periodically review your documentation to verify that your policies are still effective and current.

Personal Development: Remember that you are one of the most precious commodities of your organization. Like any precious commodity, you need to keep yourself current. Stay abreast of current trends in the industry, new threats, and other issues that may affect your business. This will ensure that your skills are always honed. You will feel more confident about your ability to deal with situations, and so will your company. Attend seminars, subscribe to relevant periodicals, and continue to grow in your knowledge and skills. This is your best bet to ensure your career growth. Professional societies and associations are an invaluable way to gain knowledge about an industry and its trends. Networking will also help you build a list of people whom you can call for advice or assistance when you encounter an unusual problem or situation. It is very likely that someone has already experienced what you are encountering. You can learn from their experiences, and you won't have to repeat their mistakes. Take your career seriously.

In addition to the different areas you need to focus on, you must also stay current on security trends, threats, and tools available to help you provide security. The volume of threats is increasing, as are the measures, methods, and procedures that are being used to counter them. This section will help you find places to keep current. Some of these sources are governmental. Many informational sources are available through corporations, schools, and associations concerned with security-related issues.

A great deal of information exists on the Internet to help you find out what is happening in the security field. Fortunately, most of it is available through either the Web or newsgroup mailing lists. This section identifies some of the sources of information available for your use. This list is not intended to be comprehensive, as many of these sources contain links to other sources of information. You must keep abreast of what is happening in the field, as well as the current best practices of the systems and applications you support. You are basically going to be functioning as a clearinghouse and data repository for your company's security. Make it a point to become a walking encyclopedia on security issues. It will help you improve your credibility, and it will demonstrate your expertise in the field. Both of these aspects enhance your career opportunities and equip you to be a leader in the field.

Websites

Several websites actively track security issues. This list provides you with the major providers of security information on the Web. Many of these organizations also provide newsletters and mailings to announce changes or security threats:

CERT Coordination Center: The CERT/CC is a federally sponsored partnership in conjunction with Carnegie Mellon University to provide Internet security expertise. CERT offers a wide variety of information about current threats and best practices in security. The website is www.cert.org.

National Infrastructure Protection Center (NIPC): The NIPC is a government agency concerned with protecting the infrastructure of the United States. This includes Internet and other technology areas. NIPC provides a wide variety of information, including international threats and terrorist concerns. The website is www.nipc.gov.

National Institute of Standards and Technology (NIST): NIST is the governmental agency involved in the creation and use of standards. These standards are generally adopted by governmental agencies, and they are used as the basis for other standards. NIST has an organization specifically dedicated to computer issues. This group is the Computer Security Response Center (CSRC). The CSRC/NIST maintains a database of current vulnerabilities and other useful information. The website is www.csrc.nist.gov.

Center for Education and Research in Information Assurance and Security (CERIAS): CERIAS is an industry-sponsored center at Purdue University that is focused on technology and related issues. CERIAS provides news and information on technology threats. The website is www.cerias.purdue.edu.

National Security Institute (NSI): The NSI is a clearinghouse of information relating to security. This site offers a wealth of information on many different aspects of physical and information security. The website is www.nsi.org.

Symantec Corporation: Symantec is a leading provider of antivirus software. Their website lists current threats, provides research abilities, and provides information on information security. The website is www.symantec.com.

McAfee Corporation: McAfee is a leading provider of antivirus software. Their site provides information and updates for their software. The website is www.mcafee.com.

European Institute for Computer Antivirus Research (EICAR): EICAR is an association of European corporations, schools, and educators that are concerned with information security issues. The website is www.eicar.org.

True Secure: True Secure is a managed security organization that has been involved in security since 1989. Their site provides a number of whitepapers, technical briefings, and other information relevant to the computer security field. The website is www.truesecure.com.

SANS Institute: The SysAdmin, Audit, Network, Security Institute is a research and educational institute. SANS offers seminars, research, and other information relating to the security field. The website is www.sans.org.

Computer Security Institute (CSI): CSI is a professional organization that offers national conferences, membership publications, and information on computer security issues. CSI is one of the oldest societies in this area. The website is www.gocsi.com.

Trade Publications

Numerous trade publications exist that address issues relating to security at different levels of difficulty. Some of these publications provide good sources of overview information and case studies; others go into the theoretical aspects of security. If you don't understand an article or paper, trade publications are good places to start in furthering your education. Remember that one of the most valuable jobs you perform is to consult for your organization on current issues in the field. Below is a brief list of trade publications you may find useful in your quest for knowledge and websites where you can subscribe:

Information Week: Information Week addresses management and other issues of information technology. This magazine provides updates in the field of technology. The website is www.informationweek.com.

2600 The Hacker Quarterly: This interesting little magazine provides tips and information on computer security issues. Don't let the name fool you. It is a wealth of information on current issues in security. The website is www.2600.com.

Microsoft Certified Professional Magazine: MCP Magazine is intended for certified Microsoft professionals. This magazine provides a wealth of technical articles, as well as general interest articles for computer professionals. The website is www.mcpmag.com.

Windows and .NET Magazine: Windows and .NET Magazine primarily focuses on issues relating to Microsoft operating systems. This magazine also presents a number of general interest and security articles, and it is one of the more technical magazines on Microsoft products. The website is www.winnetmag.com.

Certification Magazine: Certification Magazine covers the broad field of certification. This magazine also does features on the pros and cons of various certifications, and it contains articles related to the computer profession. The website is www.certmag.com.

CIO Magazine: CIO magazine is a monthly publication that specializes in IT management issues. This magazine periodically offers security-related articles. It is oriented toward IT management, and the presentations tend to be high level. The website is www.cio.com.

Info World: Info World deals with PC issues from an IT management perspective. This magazine offers regular articles on security and related topics. The website is www.infoworld.com.

CSO Magazine: CSO magazine's first issue was launched in September 2002. This magazine is aimed at security executives. The website is www.csoonline.com.

Information Security Magazine: Information Security Magazine is a monthly magazine that focuses on computer security issues. Their website is www.infosecuritymag.com.

Real World Scenario: Security Awareness Program

You have just been appointed to the security department of your IT organization. The organization needs to implement a new set of plans and standards for computer security. You have been asked to create a way to communicate this to the organization. What could you recommend to accomplish this?

You might consider creating a security-awareness seminar for everyone in the organization. This seminar would ideally address the following areas of the organization:

  • Importance of security

  • Responsibilities of people in the organization

  • Policies and procedures

  • Usage policies

  • Account and password-selection criteria

  • Social engineering prevention

Additionally, you would want to develop training programs for management to address the needs of the department heads and managers. Your organization may need to investigate to determine if additional training is needed for network administrators and development personnel.

CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
EAN: 2147483647
Year: 2006
Pages: 167
