According to the New Oxford Dictionary, security is defined as “The state of being free from danger or threat”. I’m not quite sure I agree. The blanket term “security” actually bundles three separate but interdependent concepts: threat, vulnerability and risk. Say an attacker wants to gain access to your data; that attacker is the threat. The threat can only do harm, however, if there is a vulnerability the attacker can exploit. Risk is what you carry as a result: the likelihood that the threat exploits the vulnerability, combined with the impact if it does. (I might be stealing this structure from CompTIA’s Security+, which is a great introduction to security.) Now that we have established our terminology, let’s get down to business.
Over the next couple of weeks I will be continuing this theme, since security has become one of the most common failures in business procedures. The point I would like to stress most is that security is not a static, one-time fix that sits on the to-do list somewhere between grocery shopping and exercising. “Being secure” is not having an excessively long password, or changing that password all the time. Being secure is a way of life. Having a strong password that you change on a regular basis is a good part of what we call “Best Practices” (one caveat: current guidance such as NIST SP 800-63B no longer recommends forcing periodic changes unless there is evidence of compromise; length and screening against known-breached passwords matter more), but it is only the beginning.
What are “Best Practices”?
Best practices are a set of standards that govern every action that could affect the business. Say, for instance, you create a new user on your server. Do you enforce password complexity? What default permissions does that user get? These are important questions, because an untrusted user with privileged access can wreak all manner of havoc on your server.
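The two questions above (password complexity and default permissions) are exactly the kind of thing a baseline should answer mechanically rather than by eyeballing. The following Python script is an added example, not code from the original post: it checks a candidate password against a hypothetical policy (the thresholds and the tiny denylist are assumptions, not the post’s), then audits constructed /etc/passwd, /etc/group and sudoers samples for accounts that hold privilege through UID 0, a direct sudoers rule, or membership in a sudo-enabled group. The account names and file contents are made up for illustration.

```python
"""Check a new server account against a simple best-practice baseline.
Added example; policy numbers, account names and file contents are constructed."""
import string

# Hypothetical password policy; the thresholds are assumptions, not the post's.
POLICY = {"min_length": 12, "classes_required": 3}

# Tiny constructed denylist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def password_violations(password, policy=POLICY):
    """Return a list of policy violations for `password` (empty means it passes)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < policy["classes_required"]:
        problems.append(f"uses {classes} character classes, policy requires "
                        f"{policy['classes_required']}")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    return problems


# Constructed samples in Linux /etc/passwd, /etc/group and sudoers format.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
backup2:x:0:0:backup job:/var/backups:/bin/sh
"""
GROUP = """\
root:x:0:
sudo:x:27:alice
alice:x:1001:
bob:x:1002:
"""
SUDOERS = """\
# who can run what via sudo
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
"""


def parse_passwd(text):
    """Map user name -> uid for each /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, *_rest = line.split(":")
            users[name] = int(uid)
    return users


def parse_group(text):
    """Map user name -> set of groups that list the user as a supplementary member."""
    membership = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            group, _pw, _gid, members = line.split(":")
            for member in filter(None, members.split(",")):
                membership.setdefault(member, set()).add(group)
    return membership


def parse_sudoers(text):
    """Map sudoers principal (user or %group) -> True if the rule is NOPASSWD."""
    grants = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "Defaults")):
            grants[line.split()[0]] = "NOPASSWD" in line
    return grants


def privileged_accounts(passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Return {user: [reasons]} for every account that holds privilege."""
    findings = {}
    groups = parse_group(group)
    sudo = parse_sudoers(sudoers)
    for name, uid in parse_passwd(passwd).items():
        reasons = []
        if uid == 0 and name != "root":
            reasons.append("UID 0: a second root account")
        if name in sudo:
            reasons.append("direct sudoers entry" + (" with NOPASSWD" if sudo[name] else ""))
        for g in sorted(groups.get(name, ())):
            if f"%{g}" in sudo:
                reasons.append(f"sudo via group {g}" + (" with NOPASSWD" if sudo[f'%{g}'] else ""))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for pw in ("password1", "Tr0ub4dor&3", "Correct-Horse-Battery-9"):
        print(pw, "->", password_violations(pw) or "OK")
    for user, reasons in privileged_accounts().items():
        print(user, "->", "; ".join(reasons))
```

Run it as a script and it lists which sample passwords fail which rule and which sample accounts are privileged and why. Note that the second UID 0 account and the NOPASSWD rule would both be invisible if you only looked at who is in the sudo group, which is why the audit walks all three files; a real run would read the live files and, for the password side, replace the toy denylist with a proper breached-password check.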
The challenge I have for you is to ask yourself: what are your best practices? What standards do you have in place?
If you have any questions about best practices, password policies or other suggestions, go ahead and email me at firstname.lastname@example.org. I’d love to hear from you!
See you again soon!