What Security Is and Isn't

Computer security is unlike other forms of security. Physical products such as locks, safes, and steel doors carry clear ratings of what types of attack they can withstand and for how long. Most IT security products are not rated this way; they state only that they will prevent, block, drop, or protect against specific risks. Technology has yet to offer a single complete and perfect solution. You will find vast quantities of security technologies advertised in the latest glossy security magazines and at security trade shows, but simply throwing money at products is not the real solution. Security is not technology.

Misconfiguration, improper installation, and poor management are other causes of poor security. I have seen IT workers and managers involved in poor practices. I'll never forget the time a government agency showed me a firewall that was supposed to be protecting the internal network. The problem was that it wasn't even hooked up to the network. It was configured in loopback mode. Security is not the administration.

Policies are another item pointed to when someone speaks of security. Many organizations don't have a well-defined security policy. Others have policies, but they are poorly written, or no one follows them because no consequences are built into the policy. After all, it's just a paper document. Policies are not security.

By now, you may be wondering what I think security is. Security is a process. Yes, security requires technology, people, and policies; however, that is not enough. Security is a process that requires input from the entire organization to be effective. It involves work on a proactive basis, such as patching vulnerable systems and monitoring audit files and IDS activity logs. Security also requires support from senior management; it includes risk analysis, good implementation, employee training, patch management, and periodic vulnerability assessments. Figure 1.1 outlines the flow of this process.

Figure 1.1. The risk assessment process.


Inside Network Security Assessment: Guarding Your IT Infrastructure
ISBN: 0672328097
Year: 2003
Pages: 138