Security Basics: Where to Start

If your organization is like most others, securing your infrastructure is one of its top priorities. However, it's often difficult to know where to begin. The following tips should help you define the security needs for operating systems within your organization.

1. Don't be narrow-minded -- think big. When you're considering what to secure and how to secure it, you need to take a step back and get a good look at the big picture. Which systems are the most critical? What data do you need to protect? What are your internal and external threats? What security do you need for different operating systems, such as Windows, Unix and Linux? What government or corporate regulations must you follow? Take time to talk with business-process owners and management to understand what infrastructure components are important to their success.

Once you have broadened your perspective on all potential security problems, you'll be less likely to set policies or purchase tools that will solve only a portion of the problems and leave you without the ability to protect multiple systems or integrate with other security infrastructures.

2. Create and maintain a security policy. Every organization should have a security policy that does the following:

  • Describes the elements that constitute IT security within the organization.

  • Explains to all employees the need for IT security and its importance to the organization's critical tasks.

  • Specifies various categories of IT data, equipment and processes that are subject to the security policy.

  • Indicates in broad terms the IT security responsibilities of various employee functions.

  • Outlines appropriate levels of security through standards and guidelines.

  • Identifies the different operating systems deployed within your organization and aligns your IT resource expertise with them.

When addressing a security policy for specific operating systems, administrators should consult online security resources such as:

3. Prioritize your efforts. Once the elements of a security policy have been put in place, it's important to prioritize your efforts in securing your infrastructure. Start by addressing external-facing systems such as Web servers, mail servers and firewalls. These devices are the most exposed to both random and targeted attacks.

Next, address CRM, database and other internal application servers that are mission-critical to your business. The operating system shouldn't be a prioritization criterion; you should focus on the server's importance to your business processes.

Finally, finish with the desktops. Even though this may be the lowest priority, these systems can't be overlooked. Users can change configurations or install software that exposes your company to attack. By simply visiting Web sites, users can inadvertently pick up spyware or back doors that can be just as damaging as a direct attack on your Web server. Security needs to be hardened throughout the entire infrastructure so your organization isn't "crunchy on the outside" but "soft on the inside."

4. Focus efforts on prevention more than detection. If an ounce of prevention is worth a pound of cure, why do many IT organizations spend their time and resources trying to identify attacks that have already happened rather than securing against attacks before they occur? The Slammer worm, which targeted Microsoft operating systems running SQL Server or SQL Desktop Edition, is a perfect example. Everyone knew about the vulnerability, and there was a fix, but many network administrators didn't deploy it until the attack had already hit. Focus your efforts as much as possible on proactively defending against and preventing an attack rather than mopping up after one.

Carl E. Banzhof is chief technology officer at Citadel Security Software Inc. in Dallas.

Special Report

Tips From Security Experts

Copyright © 2003 IDG Communications, Inc.
