Security Basics mailing list archives

Re: Best practices for a small business's security


From: Byron Sonne <blsonne () rogers com>
Date: Mon, 29 Dec 2003 21:16:52 -0500

I am looking for best practices or an outline to follow for helping a small company to secure their business. I've found many resources on the technical aspects, but am hoping for suggestions for websites or books covering the business aspects as well. Any help would be much appreciated.

Greetings,

Here's some, based on my opinion, YMMV:

(1) hire a good admin, they're worth the money. Don't be too concerned about what they look like, hygiene, social skills, or whatever; skills talk, bullsh**t walks. People are your #1 resource and most important asset.

(2) Keep things clean, simple and segregated. A single server should do only a single job. A firewall is only a firewall, web only web, mail only mail, etc. If your firewall gets compromised and you have your databases, financial records, webservers, etc on the same box you're in for a heap of trouble.

(3) Avoid Microsoft products whenever possible (I'd normally say at all costs, but I'm feeling generous tonight), especially the server products. You can do everything you really need to with few, if any, Microsoft products. All this active content and HTML/whatever-enabled mail = HORRIBLE SECURITY RISKS.

(4) Use as much free/open-source software as possible. I ALWAYS get answers and solutions to my problems a heck of a lot quicker from mailing lists, user groups and websites for these products than from commercial ones. And it typically doesn't cost a dime. Paid commercial support usually comes from some droid typing questions into a knowledge base and getting answers (after you've been shuffled around the phone a few times). With open-source, the answers usually come from the developers themselves and power users. I can vouch for this; I monitor a multitude of mailing lists for my own edification and also to help others out. ***Whether advice is free or paid for has nothing to do with quality***

(5) Backups, backups, backups! So your network and servers get hacked and trashed, or swallowed in a mudslide or earthquake. So what? Rebuild/wipe everything, reinstall, and if you've set up your structure right and kept good documentation, you shouldn't suffer too much downtime or loss of profits.

(6) Don't use the latest and greatest software and hardware if you don't really have to (other than upgrading to eliminate security issues). Do your research and stick to what works, not the stuff that is bleeding edge that everyone tells you "that you gotta have". My rule of thumb is one or two down from the most recent/top-shelf product. Don't buy what you see on TV or read in the trade rags. Talk to the real people down in the trenches; admins at other companies in your line of business are great resources. Never trust sales people; verify everything.

(7) Don't trust consulting or opinion firms like Gartner (sp?) et al. My suspicions are that they are paid, by other firms, to tell people what to use. If all your friends jumped off a tall building, would you do it too? Research and verify.

(8) Documentation. It doesn't have to be long or ISO compliant, but it should be useful. Too much is as bad as too little.

(9) If you have the choice between 2 products, one which is cheap and one which costs a bit more but is more flexible, go with the more flexible one. Security is also about being able to respond quickly and flexibly to changing needs.

Regards,
Byron Sonne
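Item (5) above rests on one assumption that is worth checking mechanically: that the backup actually restores. The following is an added example, not code from the original post or from its author; it creates a constructed sample tree, archives it with a SHA-256 manifest, restores the archive into a scratch directory and diffs the restored hashes against the manifest, so that a missing, corrupt or unexpected file is reported instead of discovered during a real rebuild. All file names and contents are constructed for the demonstration; the extraction uses Python's `data` tar filter where the interpreter supports it and otherwise rejects archive members that would land outside the restore directory.

```python
"""Backup-and-verify demo for item (5): a backup is only as good as its restore.
Added illustration code, not part of the original post.  Assumes a local
filesystem; every path and sample file below is constructed inside a temp dir."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file in the manifest and store the manifest beside the archive."""
    manifest = build_manifest(source)
    with tarfile.open(str(archive), "w:gz") as tar:
        for rel in manifest:
            tar.add(str(source / rel), arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def safe_extract(archive: Path, dest: Path) -> None:
    """Restore without letting a crafted member write outside dest."""
    with tarfile.open(str(archive), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and security backports): built-in path/permission checks.
            tar.extractall(str(dest), filter="data")
        else:
            base = dest.resolve()
            for m in tar.getmembers():
                target = (dest / m.name).resolve()
                if target != base and base not in target.parents:
                    raise ValueError(f"unsafe path in archive: {m.name}")
            tar.extractall(str(dest))


def verify_restore(archive: Path, expected: dict) -> dict:
    """Restore into a scratch directory and compare hashes against the manifest.
    Returns {'missing': [...], 'corrupt': [...], 'extra': [...]}; all empty means the
    backup restores exactly what the manifest promised."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        safe_extract(archive, dest)
        restored = build_manifest(dest)
    return {
        "missing": sorted(k for k in expected if k not in restored),
        "corrupt": sorted(k for k in expected if k in restored and restored[k] != expected[k]),
        "extra": sorted(k for k in restored if k not in expected),
    }


def demo() -> tuple:
    """Back up a constructed tree, verify it, then show drift being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Alice\n")  # constructed
        (src / "config.ini").write_text("[mail]\nhost=mail.example\n")    # constructed
        archive = Path(tmp) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        good = verify_restore(archive, manifest)
        # Drift after the backup job ran: a file the archive never saw.
        (src / "notes.txt").write_text("added after backup\n")
        stale = verify_restore(archive, build_manifest(src))
        return good, stale


if __name__ == "__main__":
    good, stale = demo()
    print("fresh backup:", good)
    print("after drift: ", stale)
```

Running the module prints an all-empty report for the fresh backup and a report listing `notes.txt` as missing once the source has changed; in practice the same check is what a scheduled job should run against every archive it produces, with a non-empty report treated as a failed backup rather than a warning.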
