When looking at security as a whole, we should stop worrying so much about every new technique criminals can come up with and start thinking about security best practices that, when followed, will help keep an organization safe. If you get the basics right, your security measures will adapt to each new threat that comes out and to the highly dynamic nature of information warfare, and allow you to defend yourself effectively. In Kevin Day’s book “Inside the Security Mind” he states seven basic steps which I thought were a very good basis to start with.
First: think in terms of zones. Zoning is the process of defining and isolating different subjects and objects based on their unique security requirements. Group resources together that have a similar security profile. Although people tend to think of zones in a network-centric manner, they don’t have to be: zoning can apply to applications, physical areas and even employee interactions with others, as a defense against social engineering tactics. The trick is separating zones in such a way that we maintain higher levels of security by protecting resources from zones with lesser security controls.
Second: create choke-points. Choke-points have been a key part of security practice in warfare. A choke-point is a tight area of control through which all inbound and outbound access is forced to pass. Kings of medieval times understood that if you could funnel the enemy through tight doorways it was much easier to pour down fiery oils on them. Choke-points also grant us the advantages of:
- Security focus – We can focus on particular areas of control.
- Ease of monitoring – It is much easier to watch our enemies when there are only a few places to look.
- Ease of control – It is much easier to implement good security mechanisms when only dealing with a limited space.
- Cost reduction – By filtering access at chokepoints, we will only need to implement one control device at the chokepoint rather than having separate controls for every object. This reduces the time and materials required for the implementation and maintenance of security measures.
- Exposure reduction – By focusing on just a few choke-points of access, we introduce fewer opportunities for error and exposure than if we enforce security controls in multiple areas.
Third: layered security. No single device is without flaws. Layered defenses are crucial to repel intruders and to ensure that any one weakness on its own will not let an attacker in (or out, for that matter).
Fourth: understand relational security. The security of any object is dependent on the security of its related objects, and if we fail to see these relationships, we will be unable to properly address security.
Fifth: understand secretless security. The best security solutions are those that rely as little as possible on secrecy for protection. Secretless authentication is one application: with the dismal failure of secret-based solutions such as passwords over the years, many organizations are now turning to alternate approaches to safeguard authentication. Advanced authentication no longer bases itself on just what you know, but typically also includes something you have and/or something you are. This is why two-factor authentication is surging in the enterprise space right now. It is much easier, for example, to fake someone’s password at an authentication prompt than it is to fake their eye pattern during a retinal scan.
Sixth: divide responsibilities. No system is perfect, and no security device is unbreakable (no matter how many vendors claim theirs is, even when offering rewards to hack it). At a minimum we should have something monitoring and protecting the security of our main security devices.
Seventh: fail securely. Everything is subject to failure, no matter how robust or expensive it is. Such failures often lead to lost productivity and potential security issues, so potential failure scenarios should be considered before any new implementation. When programming an application, failures should lock down security. When a network architecture is designed, failures should not result in security being bypassed, as is commonly the case.
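The fail-open versus fail-closed distinction in application code, as an added example (not from the book or this post); the policy store, user names and helper functions are all constructed for illustration.

```python
"""Fail-open vs fail-closed authorization checks (constructed example)."""
import logging

log = logging.getLogger("authz")


class PolicyBackendError(RuntimeError):
    """Raised when the policy store cannot be reached (assumed failure mode)."""


# Constructed sample policy: which users may perform which actions.
POLICY = {"alice": {"read"}, "bob": {"read", "write"}}


def lookup_permissions(user: str, backend_up: bool = True) -> set:
    """Simulated policy store; `backend_up=False` models an outage."""
    if not backend_up:
        raise PolicyBackendError("policy store unreachable")
    return POLICY.get(user, set())


def is_allowed_fail_open(user: str, action: str, backend_up: bool = True) -> bool:
    """Weak: an error during the check (e.g. backend down) grants access.

    This is the "keep the application working" reflex the post warns about:
    the failure bypasses the control instead of locking it down.
    """
    try:
        return action in lookup_permissions(user, backend_up)
    except Exception:
        return True


def is_allowed_fail_closed(user: str, action: str, backend_up: bool = True) -> bool:
    """Hardened: only an explicit positive answer grants access.

    Any failure is logged (so monitoring sees it) and results in a denial;
    unknown users and unknown actions are denied as well.
    """
    try:
        permitted = lookup_permissions(user, backend_up)
    except PolicyBackendError as exc:
        log.error("authz backend failure for %s/%s: %s", user, action, exc)
        return False
    return action in permitted
```

During an outage the fail-open check lets anyone do anything, while the fail-closed check degrades to lost productivity (denials) rather than a security bypass, which is the trade-off the seventh step asks you to choose deliberately.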
There you have it: start with the basics and from there adapt to suit whatever new threats might come along.