Many organizations would be fairly immune to (and better prepared to deal with) some of the newest security issues if they followed security best practices.
The first problem, of course, is determining what exactly security best practices are and how to implement them. Ask a group of 10 security experts the same question and you will probably receive 10 different answers.
But in general, security best practices are a consensus of approaches, architectures, and solutions that protect your network, systems, and data.
How is this consensus built? Usually, professional organizations form groups that develop standards, requirements, frameworks, and checklists to support best practices. The SANS (SysAdmin, Audit, Network, Security) Institute (www.sans.org) is an excellent example of this approach: its SCORE (Security Consensus Operational Readiness Evaluation) project is developing consensus-based security audit checklists for a variety of systems, including Windows NT, 2000, Linux, Unix, Cisco, handheld devices, and firewalls. You can download these checklists at www.sans.org/SCORE.
The Open Web Application Security Project (OWASP) (www.owasp.org), meanwhile, is working to advance the security of Web applications and Web servers, one of the largest sources of exposure in any organization. OWASP's first project, a Web application security requirements document, is due out shortly. Other projects in the works include a security testing framework and WebScarab, an open-source Web application security testing tool. I anxiously await the public release of WebScarab, as it could be a much-needed addition to any security administrator's toolbox.
The National Security Agency is also getting into the game, publishing a number of unclassified Security Recommendation Guides for Windows NT, Windows 2000, and Cisco routers, available at http://nsa2.www.conxion.com. For Windows 2000, they provide Security Configuration Templates for the Security Configuration Editor as well as almost 20 documents covering topics ranging from Windows 2000 routing to DNS, DHCP, and Terminal Services. The Cisco router guide weighs in at 240 pages, and is a very detailed, useful document for securely configuring Cisco routers.
Not ready to trudge through a 240-page document? Have no fear! The Center for Internet Security (CIS) (http://www.cisecurity.org) has taken the NSA document and developed the Cisco IOS Router Benchmark and Audit Tool. This free Perl-based tool -- for UNIX/Linux only -- reads a saved copy of the router configuration and compares it, line by line, with the best practices defined in the NSA Router Security Configuration Guide. The result is an HTML report of "problem lines" that highlights where your configuration fails the benchmark, along with a numerical score summarizing how closely it conforms. Be clear about what that score means: it measures agreement with a checklist, not the absence of vulnerabilities, so a high score is a starting point rather than a clean bill of health.
The CIS also has benchmark tools for Windows and Solaris, and a Linux version is on the way. The Cisco router tool will soon run on Windows and provide further configuration analysis.
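The audit step described above (compare each line of a saved router configuration against a list of benchmark rules, flag the lines that fail, and roll the result up into a score) is easy to reproduce in miniature. The Python script below is an added example, not the CIS tool or any part of the NSA guide: its ten rules are common IOS hardening checks chosen for illustration, the two configurations are constructed samples rather than real devices, and the rule weights and 0-100 score are arbitrary choices for the demo.

```python
"""Toy IOS config audit: compare a running-config against a small benchmark of
hardening rules and report "problem lines" plus a 0-100 score. The rule set is
illustrative (common IOS hardening advice), not the CIS or NSA benchmark text."""
import re
from collections import namedtuple

# pattern: regex tested per line; required: True = a matching line must exist, False = none
# may exist; section: if set, a regex on stanza headers, and the check runs in each stanza.
Rule = namedtuple("Rule", "name pattern required weight fix section", defaults=("",))

RULES = [
    Rule("password-encryption", r"^service password-encryption$", True, 2,
         "service password-encryption"),
    Rule("enable-secret", r"^enable secret ", True, 3, "enable secret <strong password>"),
    Rule("no-enable-password", r"^enable password ", False, 3, "no enable password"),
    Rule("no-http-server", r"^ip http server$", False, 2, "no ip http server"),
    Rule("no-cdp", r"^no cdp run$", True, 1, "no cdp run"),
    Rule("no-source-route", r"^no ip source-route$", True, 1, "no ip source-route"),
    Rule("no-default-snmp", r"^snmp-server community (public|private)\b", False, 3,
         "remove default SNMP community strings"),
    Rule("remote-logging", r"^logging (host )?\d{1,3}(\.\d{1,3}){3}$", True, 2,
         "logging host <syslog server>"),
    Rule("vty-ssh-only", r"^transport input ssh$", True, 3, "transport input ssh",
         section=r"^line vty"),
    Rule("vty-acl", r"^access-class \d+ in$", True, 2, "access-class <mgmt acl> in",
         section=r"^line vty"),
]

def parse_config(text):
    """Split a running-config into top-level lines and (header, body) stanzas;
    IOS indents stanza bodies (interface ..., line vty ...) by one space."""
    top, stanzas, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                        # blank lines and '!' separators
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
            continue
        top.append(raw.rstrip())
        current = (raw.rstrip(), [])        # any top-level line may open a stanza
        stanzas.append(current)
    return top, stanzas

def evaluate(rule, top, stanzas):
    """Return (passed, evidence): the offending line(s), or 'missing'."""
    rx = re.compile(rule.pattern)
    if rule.section:
        targets = [(h, b) for h, b in stanzas if re.search(rule.section, h)]
        if not targets:
            return False, "no stanza matching %r" % rule.section
        failing = [h for h, b in targets
                   if any(rx.search(line) for line in b) != rule.required]
        return not failing, "; ".join(failing)
    hits = [line for line in top if rx.search(line)]
    if rule.required:
        return bool(hits), "" if hits else "missing"
    return not hits, "; ".join(hits)

def audit(config_text):
    """Return (score, findings); score is the weighted share of rules passed."""
    top, stanzas = parse_config(config_text)
    findings, earned = [], 0
    for rule in RULES:
        passed, evidence = evaluate(rule, top, stanzas)
        if passed:
            earned += rule.weight
        else:
            findings.append({"rule": rule.name, "weight": rule.weight,
                             "evidence": evidence, "fix": rule.fix})
    return round(100 * earned / sum(r.weight for r in RULES)), findings

# Constructed sample configs, not from a real device; the secret hash is a placeholder.
WEAK_CONFIG = """\
no service password-encryption
enable password cisco123
snmp-server community public RO
ip http server
line vty 0 4
 password telnet123
 login
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$xxxx$placeholderHashForConstructedSample
no ip http server
no ip source-route
no cdp run
snmp-server community n0tDef4ult RO
logging host 192.0.2.50
access-list 10 permit 192.0.2.0 0.0.0.255
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        score, findings = audit(cfg)
        print(f"{label}: score {score}/100, {len(findings)} problem line(s)")
        for f in findings:
            print(f"  [{f['weight']}] {f['rule']}: {f['evidence']} -> {f['fix']}")
```

Feed it the output of `show running-config` saved to a file and the weak sample scores 0 with ten findings, while the hardened one scores 100. Two details the toy shares with a real audit tool are worth noting: you need both "required" and "forbidden" rules, because IOS only writes non-default settings into the configuration, and checks such as the `line vty` transport setting have to be stanza-aware, since a flat grep cannot tell which `transport input` line belongs to which terminal lines.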
Identifying, defining, implementing, and auditing security best practices can be difficult and time-consuming. These are some of the more useful guidelines I have seen. I will revisit this topic from time to time so if you have any guidelines or tools you find invaluable, let me know!
Mandy Andress covers security for the InfoWorld Test Center, a Computerworld sister publication.