<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Best_practices :: Tag :: JP&#39;s Domain</title>
    <link>https://www.jpsdomain.org/tags/best_practices/index.html</link>
    <description></description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <atom:link href="https://www.jpsdomain.org/tags/best_practices/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Firewall Rule Base Best Practices</title>
      <link>https://www.jpsdomain.org/infosec/rulebasebp/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://www.jpsdomain.org/infosec/rulebasebp/index.html</guid>
      <description>Old Content&#xA;This content is old! It’s still useful, but it’s old, and there may be bit rot, newer/better tools or ways to do things. Sanity check and do your research.&#xA;This is the companion page for my Firewall Rule Base Best Practices document. I have listed all the resources I would otherwise have put at the bottom of the document. In this way, I hope to keep them current, and to add new material when I find it without having to revise the original document. If I have written it correctly, it should need little revision as time passes and technology changes. We’ll see.</description>
    </item>
    <item>
      <title>Information Security Principles</title>
      <link>https://www.jpsdomain.org/infosec/principles/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>https://www.jpsdomain.org/infosec/principles/index.html</guid>
      <description>JP’s Security Principles&#xA;I firmly believe in the following Security Principles:&#xA;100% security is impossible. 99% security may be possible, but is too expensive in terms of effort, money, time and productivity. The goal is reasonable and adequate security with reasonable and sustainable effort. How you define “reasonable” depends on the value of the information you are protecting. It is not reasonable to spend $10,000 to protect $5,000 worth of information. You need to understand what you are protecting, and the realistic threats you are facing. Security through obscurity is no security at all.&#xA;The best security is provided by defense in depth:&#xA;Prevention: hardening; least privilege; separation of duties; strong, published security policies with end-user awareness; strong change management policies and procedures.&#xA;Protection: firewalls, etc.; anti-virus &amp; active content filtering; BCP/DR (Business Continuity Planning/Disaster Recovery); strong authentication methods (especially for remote access).&#xA;Detection (and Assessment): monitoring (logs/network/everything), IDS, etc.; security/vulnerability assessments; compliance audits.&#xA;Response (and Correction): CIRT (Computer Incident Response Team); correct the environment based on incidents, assessments, audits and changed circumstances; update policies, procedures and guidelines based on incidents, assessments, audits and changed circumstances.&#xA;Security is a never-ending circular process, there are no silver bullets, and it is fundamentally not a technical problem that may be “solved” with point products.&#xA;Some frequently misused or misunderstood terms: Policy, et al.&#xA;Policy: A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area. Policies should not be technology specific, and they should change rarely.&#xA;Standard: Mandatory activities, actions, rules and regulations designed to provide policies with the support structure and specific directions they require to be meaningful and effective. They are often expensive to administer and should be used judiciously. Standards may or may not be technology specific and may or may not change frequently.&#xA;Standard (ISO definition): Standards are documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines, or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose. (Source: ISO; http://www.iso.ch/iso/en/aboutiso/introduction/index.html)&#xA;Guideline: More general statements designed to achieve the policy’s objectives by providing a framework within which to implement procedures. Where standards are mandatory, guidelines are recommendations. Guidelines may change more often than policies, but less often than procedures.&#xA;Procedure: Procedures spell out the specifics of how the policy and the supporting standards and guidelines will actually be implemented in an operating environment. These are often step-by-step instructions, and are usually technology (e.g. OS) specific. They may change often, as new technologies are introduced.&#xA;The source of the above definitions, except as noted, is Information Security Policies and Procedures: A Practitioner’s Reference, by Thomas R. Peltier, with additions relating to frequency of changes by me.</description>
    </item>
  </channel>
</rss>