i'd venture to say ... 95% of security is just people management ...
and 5% is implementing a techie solution
reading is good ..but should be 5% of your time ...
and even better, go to informal security meetings ( user group meetings )
- you cannot make it so strict that it restricts productivity
- you cannot leave it wide open so tom-dick-n-harry can break into
hr's salary PC and repost everybody's salary and benefits
- who is gonna get fired when a security breach occurs ???
- 90% of all security issues are internal ... not from outside on the internet
.. on and on .. fun stuff
knowing what is important and what is NOT is something that will be different
for each environment you're trying to secure
- i start from ..
i assume a [cr/h]acker has root access on your firewall ... now protect your
network and machines or whatever your "job" is
- if you're comfortable .. then you're reasonably confident of what you're
doing and of what the [cr/h]acker can do to your other boxes and data
i disallow laptops, i disallow dhcp, i disallow wireless, ...
in addition to disallowing ftp/telnet/ppp/vpn/...
- and others disallow cell phones ( with or without pic sending capabilities )
- and at a minimum... have 3 different backup servers of your important data