Home page logo

basics logo Security Basics mailing list archives

Re: Best practices for a small business's security
From: Byron Sonne <blsonne () rogers com>
Date: Mon, 29 Dec 2003 21:16:52 -0500

I am looking for best practices or an outline to follow for helping a small company to secure their business. I've found many resources on the technical aspects, but am hoping for suggestions for websites or books covering the business aspects as well. Any help would be much appreciated.


Here's some, based on my opinion, YMMV:

(1) hire a good admin, they're worth the money. Don't be too concerned about what they look like, hygiene, social skills, or whatever; skills talk, bullsh**t walks. People are your #1 resource and most important asset.

(2) Keep things clean, simple and segregated. A single server should do only a single job. A firewall is only a firewall, web only web, mail only mail, etc. If your firewall gets compromised and you have your databases, financial records, webservers, etc on the same box you're in for a heap of trouble.

(3) Avoid Microsoft products whenever possible (I'd normally say at all costs, but I'm feeling generous tonight) especially the server products. You can do everything you really need to with little, if any, Microsoft products. All this active content and html/whatever enabled mail = HORRIBLE SECURITY RISKS.

(4) Use as much free/open-source software as possible. I ALWAYS get answers and solutions to my problems a heck of a lot more quicker from mailing lists, users groups and websites for these products than commercial ones. And it typically doesn't cost a dime. Paid commercial support usually comes from some droid typing questions into a knowledge base and getting answers (after you've been shuffled around the phone a few times). With open-source, the answers usually come from the developers themselves and power users. I can vouch for this; I monitor a multitude of mailing lists for my own edification and also to help others out. ***Whether advice is free or paid for has nothing to do with quality***

(5) Backups, backups, backups! So your network and servers get hacked and trashed, or swallowed in a mudslide or earthquake. So what? rebuild/wipe everything, reinstall, and if you've setup your structure right and kept good documentation, you shouldn't suffer too much downtime or loss of profits.

(6) Don't use the latest and greatest software and hardware if you don't really have to (other than upgrading to eliminate security issues). Do your research and stick to what works, not the stuff that is bleeding edge that everyone tells you "that you gotta have". My rule of thumb is one or two down from the most recent/top-shelf product. Don't buy what you see on TV or read in the trade rags. Talk to the real people down in the trenches; admins at other companies in your line of business are great resources. Never trust sales people; verify everything.

(7) Don't trust consulting or opinion firms like Gartner (sp?) et al. My suspicions are that they are paid, by other firms, to tell people what to use. If all your friends jumped off a tall building, would you do it too? Research and verify.

(8) Documentation. It doesn't have to be long or ISO compliant, but it should be useful. Too much is as bad as too little.

(9) If you have the choice between 2 products, one which is cheap and one which costs a bit more but is more flexible, go with the more flexible one. Security is also about being able to respond quickly and flexibly to changing needs.

Byron Sonne


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]