Security Processes

PREVENTION

Limit Privilege. Don't give any user more privileges than he absolutely needs to do his job. Just as you wouldn't give a random employee the keys to the CEO's office, don't give him a password to the CEO's files.

Secure the Weakest Link. Spend your security budget securing the biggest problems and the largest vulnerabilities. Too often, computer security measures are like planting an enormous stake in the ground and hoping the enemy runs right into it. Try to build a broad palisade.

Use Choke Points. By funneling users through choke points (think firewalls), you can more carefully secure those few points. Systems that bypass these choke points, like desktop modems, make security much harder.

Provide Defense in Depth. Don't rely on single solutions. Use multiple complementary security products, so that a failure in one does not mean total insecurity. This might mean a firewall, an intrusion detection system and strong authentication on important servers.

Fail Securely. Design your networks so that when products fail, they fail in a secure manner. When an ATM fails, it shuts down; it doesn't spew money out its slot.

Leverage Unpredictability. You know your network; your attacker doesn't. This is your big advantage. Make his job harder by disguising things, adding honey pots and booby traps, etc.

Enlist the Users. Security can't work if the users aren't on your side. Social engineering attacks are often the most damaging of any attack, and can only be defended against with user education.

Embrace Simplicity. Keep things as simple as absolutely possible. Security is a chain; the weakest link breaks it. Simplicity means fewer links.

DETECTION AND RESPONSE

Detect Attacks. Watch the security products. Look for signs of attack. Too often, valuable alerts from firewalls, servers and even IDSes are simply ignored.

Respond to Attackers. It's not enough to simply detect attacks. You need to close vulnerabilities when attackers find them, investigate incidents and prosecute attackers. We need to build a world where criminals are treated as such.

Be Vigilant. Security requires continuous monitoring; it's not enough to read a weekly report. Read about new attacks as soon as possible. Install all security patches and upgrades immediately.

Watch the Watchers. Audit your own processes. Regularly.