Domain: sans.org
Stories and comments across the archive that link to sans.org.
Comments · 672
-
What a bozo!
I can empathize with the author's issues and gripes, but a bit of enduser education could have prevented a decent amount of them. Here's a good document on how to survive your first day with Windows XP.
The author's slanted raving is over the top. I could just as easily read about some Linux newbie's nightmare experience trying to get all of his hardware to work or how they had to rebuild the kernel after applying some new module to their system.
My main gripe with how things are is that all new PCs should be delivered fully patched as of their configuration date. And since Microsoft has switched to their license subscription model they should ship out CDs to all licensed customers with all rollup security packs available. Just like a TechNet subscription operates for previewing beta products. I don't mean a user calls into Microsoft to request a CD. It's their place to send them out. Just like an auto company would mail out recall notices.
-
But there have been Linux worms
And they laid out some bad trouble. Virus writers DO do this, even if the marketshare is small. Remember Ramen?
And of course there's the Lion worm, etc.
It doesn't take a lot of computers to cause trouble, and no platform is wormsafe. Windows is prolific, of course, which doesn't help, but it's also got so many ways in. That's the real catalyst.
Rule for ANY operating system: when the default install is weak, you'll see worms. The big catalyst for Ramen and Lion (I hate to say it) was in my observations default RedHat installs that had tons of services on by default. -
Re:sensationalist ? (No Way!)
If you plug a Windows box directly into a high-speed Internet connection without updating everything first, the probability that you will be ownz0r3d rapidly approaches 1.
From the SANS Infosec reading room, Windows XP: Surviving the first day (PDF). A little dated but good information for the not in the loop crowd. -
Re:I'd love to but...
Give credit here but this is how I got it working on 2000:
[quote] For windows get winpcap [polito.it]
then get ethereal for windows [ethereal.com]
and get windump [polito.it]
SANS.org has all the info: Packet capture apps [sans.org][/quote] -
Yeah, redundant - but concise:
For windows get winpcap
then get ethereal for windows
and get windump
SANS.org has all the info: Packet capture apps -
Re:Sharing codeAnd writing them for the same reason for the same people. Money from spammers.
While this sounds like a nice idea in theory, and is certainly plausible, I'm actually starting to doubt it, and "stealing email addresses" is kind of required for a mass mailing worm, is it not? When this idea really hit the big time with MyDoom, I implemented a simple script to take all the IPs that had sent me a trojan via email and drop them into a local DNSBL. I also wrote a couple of SpamAssassin rules to raise a flag should one of these IPs be referenced in a spam, either by hostname in the body or in the headers.
Well, we are now nearing three months after MyDoom and I have yet to see that flag from SpamAssassin (aside from in further copies of the worm), which seems somewhat unlikely if they are really intended for mass mailing spam. So, given that spammers are probably not this patient, are these worms being used for some other purpose than spamming? For example rather than sending spam, perhaps they are being used to host the sites mentioned in spam with those obviously disposable hostnames. Or maybe they are just a plain old bot net to scratch some disgruntled coder's personal itch.
The third possibility is that the apparent turf war between the Netsky and Bagle worm variants is real. Obviously there is latency between a PC being infected and contact being established with that PC for whatever purpose the trojan author has in mind. During that time it's entirely possible the machine could be patched or compromised by a competing trojan/worm. "Lather, rinse, repeat..." as the saying goes.
Then again, there does appear to be a new worm on the loose that is scanning for pretty much all of the exploit and backdoor ports of recent worms so perhaps the next chapter of this sorry saga is beginning.
-
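The workflow the commenter above describes (collect the source IPs of worm-carrying mail into a local DNSBL-style list, then flag later spam that references one of those IPs in its headers or via a hostname in its body) as an added Python example. This is not the commenter's script and not SpamAssassin's own rule syntax; the sample messages, the TEST-NET addresses, the zone name `worms.local` and the `FAKE_DNS` resolver are all constructed so that it runs offline.

```python
import ipaddress
import re
from email import message_from_string

ZONE = "worms.local"  # hypothetical zone name for the local DNSBL (constructed)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Ranges that never identify an external sender (RFC 1918, loopback, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed samples: two worm deliveries from external hosts, one from a LAN host.
WORM_SAMPLES = [
    """Received: from pc-7.dsl.example.test ([203.0.113.7]) by mx.example.test with SMTP
From: alice@example.test
Subject: hi

(worm attachment stub, constructed)
""",
    """Received: from cable-23.example.test ([198.51.100.23]) by mx.example.test with SMTP
From: bob@example.test
Subject: test

(worm attachment stub, constructed)
""",
    """Received: from printer.lan ([192.168.1.5]) by mx.example.test with SMTP
From: carol@example.test
Subject: error

(worm attachment stub, constructed)
""",
]
SPAM_SAMPLE = """Received: from cable-23.example.test ([198.51.100.23]) by mx.example.test with SMTP
From: deals@example.test
Subject: great deals

Great deals at http://cheap-pills.example.test/ today
"""
CLEAN_SAMPLE = """Received: from mail.partner.test ([192.0.2.9]) by mx.example.test with SMTP
From: dave@partner.test
Subject: meeting

Meeting at 3pm, agenda at intranet.example.test
"""
# Stand-in for DNS so the body-hostname check works offline (constructed).
FAKE_DNS = {"cheap-pills.example.test": "203.0.113.7"}


def is_routable(ip):
    """True for addresses that could be an external sender."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)


def connecting_ip(msg):
    """IP of the last SMTP hop: first IPv4 literal in the topmost Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IPV4_RE.search(received[0])
    return match.group(1) if match else None


def build_blocklist(raw_messages):
    """Collect the connecting IPs of worm-carrying messages."""
    listed = set()
    for raw in raw_messages:
        ip = connecting_ip(message_from_string(raw))
        if ip and is_routable(ip):
            listed.add(ip)
    return listed


def dnsbl_records(listed, zone=ZONE):
    """Render the list as reversed-octet A records, the usual local DNSBL zone form."""
    return sorted(
        ".".join(reversed(ip.split("."))) + f".{zone}. IN A 127.0.0.2" for ip in listed)


def flag_message(raw, listed, resolve):
    """Report every way a message references a listed IP (header IP, body IP, body hostname)."""
    msg = message_from_string(raw)
    hits = []
    for header in msg.get_all("Received") or []:
        for ip in IPV4_RE.findall(header):
            if ip in listed:
                hits.append(("header-ip", ip))
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart bodies are out of scope for this example
        body = ""
    for ip in IPV4_RE.findall(body):
        if ip in listed:
            hits.append(("body-ip", ip))
    for host in HOST_RE.findall(body):
        if resolve(host) in listed:
            hits.append(("body-host", host))
    return hits


if __name__ == "__main__":
    listed = build_blocklist(WORM_SAMPLES)
    print("\n".join(dnsbl_records(listed)))
    print("spam:", flag_message(SPAM_SAMPLE, listed, FAKE_DNS.get))
    print("clean:", flag_message(CLEAN_SAMPLE, listed, FAKE_DNS.get))
```

The LAN sender is dropped on purpose: an RFC 1918 address in a Received header identifies an internal relay, not the infected host, and listing it would block your own mail. In production the `resolve` argument would be a real forward lookup, and the zone records would feed a DNSBL daemon that SpamAssassin queries.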
Re:IT White Papers
SANs has security-related white papers over here.
However, I think
- it is pretty much just security related and
- you have to take their course to contribute your paper (doing one is part of the course requirements, IIRC).
-
Re:Fun and games with statistics
I totally agree, I've been running multiple linux servers and desktops here at my employer's for 4 years and have only had one server compromised in all that time. And that server was set up by someone other than myself. I took SANS courses while enlisted as a Unix Sysadmin in Air Intelligence for the Air Force. Those SANS courses really helped me spot things I normally would have missed, and I was able to use that experience in my career after the Air Force.
-
Still vulnerable to man in the middle
The proposed design asserts that man-in-the-middle (MITM) attacks can be eliminated by using SSL. However, SSL suffers from man in the middle vulnerabilities; see Netscape's SSL documentation and this paper from the SANS institute.
I think I was hoping for an algorithm with the handshaking complexity of Kerberos or SSL, because unfortunately a good security algorithm typically requires that level of sophistication, I would assert. Perhaps the design was aiming for a simpler starting point, with further refinement in the future; if so, it has met the goal nicely. -
Don't forget SANS
I'm surprised that no one has mentioned SANS yet.
A search for "forensics" on their home page brings up a list of many System Forensics tracks held at previous and upcoming conferences.
SANS training is not exactly affordable (unless your employer is paying!), but is well recognized and (in my experience) of excellent quality.
-
Actually, Mydoom.C does give you the source :-)
From Internet Storm Center (emphasis mine):
A new worm, named Doomjuice and MyDoom.C by various AV vendors, was identified. It spreads by exploiting the backdoor left by MyDoom.A and MyDoom.B. After infecting a system, it leaves a copy of the Mydoom.A source in a file named 'sync-src-1.00.tbz'. Doomjuice is also set to perform a DDOS against www.microsoft.com. -
Re:You think you've got problems
You're proposing a browser that's not even out of beta for corporate use? I wouldn't consider that a particularly good idea
Oh really.
Why You Should Switch to FireFox
"Further improvements to IE will require enhancements to the underlying OS"
Secunia Internet Explorer System Compromise Vulnerabilities. Solution: "Use another product"
The Twenty Most Critical Internet Security Vulnerabilities IE: Number four.
"we are not aware of any vendor-supplied patches for this issue"
Patch for 'critical' IE vulnerability doesn't work
IE full of holes, unsafe: Security experts
AMS Vice President and CTO: Mozilla Firebird is a Tier 1, Best of Breed Open Source Application
I don't care if it's a beta. Firebird/FireFox/Whatever is simply a better product than IE in every conceivable way - with the pertinent exception of branding, but including stability and security. So what exactly makes its use at a corporate level a "bad idea?"
-
New Variant of MyDoom out
Slashdot hasn't posted my story yet....
We detected MyDoom.B around 15:00 GMT today - ClamAV (opensource rules), McAfee 4319 DATs didn't.
Preliminary analysis at Internet Storm Centre.
Most AV vendors have new patterns out now.
Phil -
Glass Houses?
This honestly isn't intended to be a troll, but I'm sure it will probably be modded as such. Microsoft has had a slew of issues trying to patch apparently flawed reused code (since all Windows versions are built on top of each other's code, with reportedly Longhorn being the first "from scratch" Windows version). The fact that the same buffer overflows are so pervasive in their product line is inexcusable. Input validation and boundary checks are basics most folks learn in CS101 - Introduction to Programming. You wouldn't expect such flaws in each and every version of Windows software.
All of that being said, no technology area is devoid of security flaws. Look at the recent attention given to H.323 standard vulnerabilities due to default ASN.1 parsing. That affects many vendors and product lines. Today I read an ISC diary entry detailing a couple of exploits that affect non-Windows environments. Apache, OpenSSH, QMail, Sendmail, etc. have all had their share of recently announced flaws.
Of course Open Source Software *should* be more secure since many eyes can review the code as it is maintained and updated. But the fact that nevertheless there are significant flaws and exploits in this area further proves my point. Microsoft is the largest software company on the planet so of course they have a target on their back. There are no doubt many third party organizations dedicated to doing nothing but trying to break Windows in order to submit security reports. Of course there are anonymous black hats doing the same but for other obvious reasons.
If the same manpower and effort was dedicated to breaking Linux and OSS applications (which currently have much less exposure and market share) I am sure that even more holes would be poked into what most folks on this board defend as being the silver bullet against corporate greed, monopolistic tyranny, and gaping security holes.
-
Re:Seeing it in another perspective
Well when Microsquish made the switch to akamai recently for their software update hosting they broke many users' ability to update and gave no release on how to fix it. Yes sure, it was just an issue of changing the default url to httpS instead of http and accepting the new certificate, but how many joe blows are going to know that? And no, an obscure technet article referenced by a letter and a number does not count as a release, especially in a service as important as software update has become for M$.
Even if SUS works properly, what is the purpose of needing to reboot every system that is updated. Can't this be taken care of with minimal (3-6 seconds) downtime while a service resets?
We all know by its very nature Linux is more secure than microsoft. The sheer number of vulnerabilities available is not necessarily a good measure of the actual security of the system. The measure is properly the number of vulnerabilities successfully taken advantage of easily and massively.
Let me sound off for a second here on the major issues I personally have with MS:
CODERED
NIMDA
MIMAIL
BUGBEAR
KLEZ
NACHI
BLASTER
Good security practices, updating regularly and keeping up to date virus protection is an important part of stopping the above garbage from getting on your network. EVEN then, the effects of the above will still cause you downtime since your provider will have to scramble to deal with all the thereafter DDoS.
The following is reason enough to be extra wary of any microsoft product security wise. Believe it or not, Nachi apparently SAVED M$ ass when it came to MS-Blaster. The number of source addresses scanning for 135 dropped by nearly 80% in these first weeks of 2004. AND there are STILL code red systems out there attaching to my Apache server occasionally. I sure don't see a massive SSH/Apache Code Red/Nimda style worm topping the bandwidth charts.
The deuce you say, imagine that the web browser with 70% market share doesn't have a massive network-screeching-to-a-halt worm spreading with free reign?
Who cares anymore, it's been 8 years GNU/Linux+Apache+SSH has proven itself the most secure and reliable system for Web-Serving and MySQL+PHP is fast overtaking MsSQL+ASP as the most popular method of dynamic content distribution.
Once I start seeing massive changes to the netcraft survey, then I'll believe Microsoft has done enough to curb their Virus problems. The proof is in the puddin so to speak. -
Re:additional resources:
Who cares what he posts, the first comment is a link to goatse modded +5. Really informative here is the SANS reading room. Now go mod me as +5 or do I need to have a disgusting sig juvenile losers think is funny?
-
Re:Microsoft's response
"the feature was never designed to help protect your document or file from a user with malicious intent."
LOL! So all this time, microsoft hasn't even been trying! Oooohhh, gotcha! -
Re:msblast
I suggest the Xp Survival Guide from SANS.
-
something wrong?
Bad link? It doesn't seem to work.
Try this instead.
http://www.sans.org/rr/papers/index.php?id=1298 -
Trojan Defense
<disclaimer>I'm not a lawyer.</disclaimer>
This same topic was part of SANS NewsBites
I wrote to them:
Re: SANS NewsBites Vol. 5 Num. 44
> --Trojan Defense Successful Three Times in UK Courts
> (28 October 2003)
> Three cases in UK courts have set a significant precedent for
> prosecuting those accused of cyber crimes. In all three cases,
> defendants' attorneys successfully argued that their clients' computers
> had been hijacked by Trojan horse programs and therefore the defendants
> were not responsible for the alleged crimes. While some view the
> precedent as a safeguard against convicting innocent people, others are
> concerned that it gives cyber criminals a blanket defense. The Trojan
> defense has not yet been used in the US court system.
> computerworld
The Register (UK)
> [Editor's Note (Schultz): I fear that this will become the
> universally-used defense in cybercrime cases. Juries are not likely to
> know enough to see past this type of alibi.]
Actually the problem will be if _prosecutors_ can't get past the Trojan defense. Juries are routinely forced to learn the technical details of a criminal situation, whether it's a pyramid scheme or a poisoning. A prosecutor has to educate the jury and then convince the jury that the defendant is guilty of cognizant action (or inaction). It's the cognizant inaction part that will most likely break through the Trojan defense.
An analogy is as old as law itself: if I have a dog known to get out of its pen and bite the neighbors, then unless I try to do something about it I'm liable for the damages the dog does.
Another analogy: if I ask you to carry an envelope over to the mailbox, and don't tell you it contains anthrax, then you act legally by placing the envelope in the mailbox. I commit the crime, even if I don't specifically ask you to carry anything but just arrange for it to happen. Knowledge is the key, coupled with the choice to act or not to act.
If the prosecutor can't show that the defendant knew his computer was doing illegal things, then the jury should acquit. If he did know about the illegal activity, the prosecutor still has to show intentional action or inaction. That's how it works for dogs and owners, for letters and mailboxes, and that's how it's supposed to work for computer networks, too.
-
Re:Try a three-tiered approach
Actually, I'm not aware of any in-the-wild viruses for Linux. If you know of any please let me know.
There are a few worms, I know (eg this one).
(OK, so I'm getting fed up of people who should know better not distinguishing between viruses and worms). -
Re:That is a "trojan".
If you run an app and it does that, then it is a "trojan". No operating system will ever be free of trojans.
Actually, forcing executable stuff to be signed (as currently possible with Internet Explorer, attempted by open source project teams and in store for TCPA) can theoretically stop the "trojan" problem for the most part. That is, if you follow the definition of "software abusing a user's inability to predict what executable stuff does", rather than "software that does something nasty/BAD/evil/demonic/deleting". When forcing code to be signed, users can choose from whom they get their software; does that fix anything? No! But if users choose to only use software from people who advertise and document what their software does, then the trojan problem is reduced to basic human trust again (as opposed to a problem of which non-normal-user-readable binaries to trust). Now if you were to accept only software from Microsoft you could still end up with software that does something "evil/wrong" (calling home to inform Microsoft about your musical preferences), but it would be the result of someone at Microsoft screwing up living up to the documented behaviour, or a compromise at Microsoft. You're still f**ed, it's just no longer a trojan problem.
Yes, if a hole that allows email viruses such as you describe is found in pine or mutt or Evolution, then email viruses such as you describe can be written for that application. But an exploit for pine would not affect someone running mutt or Evolution.
And an exploit in Outlook does not affect users using The Bat or Mozilla. Also an exploit in OpenSSH would not affect telnet users, one in "the" kernel would not affect BSD users, and an exploit in Apache would not affect all those users of the abyss, ahd or anti-web httpd (first freshmeat results ;-). Point being that Outlook-only worms come pretty far as it is, and if they need to they can even go further faster by attacking multiple problems (like Nimda). A worm going for both Evolution and Netscape/Mozilla has a good shot at the Linux user base, but one going for just SSL on Apache was doing just fine. Of course worms going for holes in multiple popular internet daemons were doing very well and can be expected again if enough people forget their daily patching.
I think the reason I haven't seen any traditional executable-file-infecting viruses is because unix users are not hauling programs over from a friend's copy of a friend's copy of a fri....
Linux has a better designed security system than Windows does.
I make this mistake too, I mean to say windows is implemented badly from a security point of view (or more likely I wanna say from any point of view) and I end up implying windows has bad security by design.... which is shortsighted to say the least. It is the only operating system I can think of that comes with a combination of by default:
- ACLs on the filesystem, useful in real life where group A full access, group B none just doesn't cut it
- ACLs on individual configuration options in the registry! Got a newbie admin you don't want messing with one of the settings of any single application (say crypto strength negotiation)
- A system for small to medium networks to actually get a central database of users into those ACLs on every machine on the net
- A central place where all security relevant choices to be made can be set with adequate documentation (securit
-
Based on previous editions, skip it
If this is at all like the previous editions of the same title, then I recommend you Skip this Computer Book.
Get a decent book about computer abuse/misuse:
Hacking Exposed, 4th edition
Hackers Beware, by Eric Cole
Counterhack, by Ed Skoudis
These books are written by computer security professionals who make their living both doing computer security and teaching computer security (SANS and Foundstone).
Steal This Computer Book seems to be aimed at too young to know they are getting ripped off kids and computer novices. So don't buy this book if you are over 10.
-
Re:Speaking of versions
Still, that makes it two remote root holes in the default install now I believe...
The Internet Storm Center says it "may not be exploitable on . . . OpenBSD". ('course, you should probably patch anyway.) -
Re:Questions with no answers...
If you took part in the survey or are a "member" of any of the supporting orgs, then you can download it. The link provided is not the only one. I went to SANS Surveys to download my copy.
(I am not a paying member of any of those orgs, btw.) -
Alternative link to survey
Can also be downloaded from SANS here.
-
Re:morons
Right. Let's see how many people are patching against those vulnerabilities. That "Linux is invulnerable" attitude is preventing many from even thinking about security holes in Linux. I see a major wake-up call coming...
-
Re:Psychology plays a role
the user base for Linux is inherently more systems-savvy and internet-knowledgeable
One thing you failed to mention is that many of the distributions are being released for users who are not "systems-savvy". Grab a camera, ask a newbie how to configure iptables/ipchains to secure some of their ports and have a kodak moment with that odd expression. Regardless of how savvy users are, there is a risk with most OS's. OpenBSD makes a point of trying to reduce that risk from an out of box install with their coding methodology. Un*x's in general have a more secure platform from an install because of the efforts engineers put into securing things. However, things with the free Un*x OS's are changing daily. Linux has a higher risk, in my opinion, of potential problems due to the vast number of programs and features being added constantly. Every new program added could have potential security holes. It is nice to see some developers making that a focus when they code, but that still does not reduce the risk. There could easily be a worm or virus created that does damage to systems and there have been worms released with those effects. Does anyone at all recall the "Ramen" internet worm which entered systems through ftp if I'm recalling correctly. The problem is issues with the code. A skilled programmer could look for a place to overrun the buffer on various server daemons and potentially create the same havoc. Keeping up to date, watching security advisories, and installing fixes as soon as holes are found is the one way to reduce the risk of these problems. Another thing that is important is to reduce the number of things that run as root or have root access. Run daemons as "nobody" instead of root. Educating yourself about security problems and their actual causes is important. I hate to seem like I am putting a message in for places to take classes, but there are a number of places to get security courses from.
Sans.org comes to mind first. Educate yourselves to the real concerns and problems with security and join in the efforts to keep these attacks from being commonplace in the Un*x world.
-
UNIX Worms
Never, huh?
Basically, the last time that a major non-Windows worm threatened the stability of internet was back when the majority of computers on the Internet weren't running Windows. There have been numerous worms since then for UNIX & Linux, but their market penetration has been low enough not to seriously hurt the whole internet. This is not as good of a thing as you indicate. -
Re:This is a Serious Problem
Look here for more info: SANS Certification Papers.
-
Re:A moving target is still a target
If we stay in the line of how the msblaster exploit works and assume a similar situation on *nix then yeah, but the methodology is obviously totally different. The NIS r* trick works on the "in this shell you can only run these" principle while the AD trick works on the "on this system you can't run these". The r* approach would not prevent forked non-r* execution shells from running the worm. I'm certainly not insinuating that NIS and r* are a replacement for AD, it isn't, but in this very specific case, it would provide a similar benefit.
-
also
Internet Storm Center
Microsoft Bulletin
Note this is marked "Critical" now...
-
For more info, go here.....
-
Re:Its a search warrant!
Reading through the search warrant used for searching his house carefully leaves room for another story.
FBI agent from the national infrastructure protection squad investigates defacements.
The agent (who specializes in weapons of mass destruction investigations like "the bombing of the United States Embassy in Tanzania, Atlantic Olympic bombing, and the latest New York City World Trade Center bombing" (when I grow up I wanna write my own history books too)) notes the defaced pages link to raisethefist.com, then he notes "On or about May 3, 2001, I conducted a review of publicly available information on the Internet website RAISETHEFIST.COM and learned that it was an anarchist website [No shit sherlock], This website contained numerous organized webpages, which contained anti-government (primarily the United States), anti-capitalism, and militant messages that promoted communism and advocated violence. This website had a section for the UNITED GRAFFITI FRONT, also known as UGF, which had the motto, "spraypaint as weaponry against the corporate lies."" No bombs and not even any weapons of mass destruction... but this officer kept searching not because the contents of raisethefist scare him, but because of the defacements, cracking and bragging on IRC of this kid.
Now note the order of the items to be seized part of the warrant, first all computers, exploits and crypto stuff, then the bomb making stuff
So the whole bomb-making part of raisethefist.com was mostly a pretence for getting a search warrant to investigate the U.C.A defacements and the IRC bragging of cracking DoD systems (for which there simply wasn't enough proof even while the kid was stupid and made his troop.cgi script report back on its progress of messing with DoD systems to his home DSL connection....) And then in court when no real evidence has been found linking this kid with the defacements and cracking (IRC logs and hearsay as evidence... apparently good for a warrant, probably not for a conviction), they interview him, claim they will just call him a terrorist and get it over with, the kid freaks out scared of the Patriot Act and goes for a plea bargain, which the judge doesn't like and ignores. End of story.
One sad paranoid script kiddie who may have needed help less for a year. After that if you got what it takes (like " Intelligence in alien based technology ( anti-matter ...etc.. ) ") just sign up for the u.c.a. And join the exciting life of using the time-tested method of changing the world by copy-and-pasting bomb recipes and smashing Starbucks windows.... or perhaps just redrawing that red star at the left side of the raiseyourfist.com so it doesn't look like a children's drawing..... reading up on politics before pretending you understand them and getting some fresh air..... -
Re:bastille script More info and link
For those of you who aren't familiar with Bastille, check out its site at Bastille Linux site. They have links for Redhat and Debian distros as well as HP-UX and Mac OS X.
There is also some info out at Bastille-Linux Scripts to Secure Linux and HP-UX -
Covert Channel
This is known as a covert channel. Depending on what is going on this is useful or a security risk. For example, an employee could smuggle out data from a network possibly under the radar of most IDSes and the eyes of net admins. Replace employee with political prisoner, or spy, or what have you.
-
This sort of thing was inevitable
Searching for bugs and researching the exploitation of same pays off in the following ways:
It can be interesting and it improves one's ability to read, write, and understand code.
Doing so in a public forum can create reputation capital for one's consulting services or products. In some cases it may lead to employment.
Some folks are truly motivated by the desire to see vendors patch their software. This is sometimes a result as well.
The companies involved in the OIS have already established their reputation. They aren't doing this for fun. It is to their advantage to prevent others from competing with them. The idea here is to keep interesting research and discussions closed while charging naive corporations thousands of dollars to attend talks which provide little to no real information.
Look the goal here is to make money and that is noble and good. In order to do this people shouldn't just give away all of their hard work and research. The problem here is that these guys are protecting their bottom line under the guise of Internet Safety. It is a bit disgusting but I think might be irrelevant in the long run. Since SecurityFocus is part of this plan though I bet the mailing lists over there will be short lived. Oh well nothing lasts forever.
Dave Aitel makes some rather lucid observations.
-
Why so many IDS deployments fail....
"In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications."
This hits the nail right on the proverbial head. So many articles in the security industry focus on "IDS failures". If you don't know your network, servers, routers, and what they should be doing, you can't implement IDS effectively.
Very important topic. I'm glad this point, so often missed, made it into this book. Should be a good read. -
IDS (Snort) Training with SANS
Last year I attended the SANS training session for IDS, and it was excellent.
The first couple of days covered TCP/IP packet composition and attacks. There were then a couple of days about installing and using Snort (taught by Marty Roesch, creator of Snort). It really taught how to use and get value out of your IDS, including a lot of real world examples from people who use it in sites attacked a lot more frequently than mine.
Highly Recommended.
http://www.sans.org -
Mindset, Language, and Procedure
IMHO any information security professional needs to develop a professional paranoia, being thoughtful of potential risks and failures, and understand what might go wrong.
Reading Bruce Schneier's Secrets and Lies is a really good start in this area. It is not a very technical book, written at a level suitable for an IT manager. This is also useful to help explain risks, vulnerabilities, and failures to IT Management.
The ever-so-ugly-covered Hacking Exposed explains the basics of what criminals (or attackers) commonly do to gain unauthorized access to (networked) computer systems. This is so you a) know how easy it is, and b) are familiar with an overview of the basic steps and techniques used to gain illicit access.
For online resources, RISKS digest (not focused on malicious activities, but on how systems fail - very insightful and low volume), and Bugtraq, a full disclosure mailing list, will show you recent exploits and vuln notices, but it is fairly lacking in actual educational content; there are several other mailing lists at SecurityFocus that could also be useful in developing professional paranoia.
Next you need the language and basics of information/computer security. For this, textbooks like Computer Security by Dieter Gollmann, Information Security Management Handbook by Tipton and Krause, Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, and Alan Schwartz, and Security in Computing by Pfleeger and Pfleeger are useful.
For procedures look at CISSP study material, BS 7799 / ISO 17799, and security auditing and incident handling materials. Some knowledge of risk management can also be useful.
From these basics of the right mindset, the common language of infosec, and procedures and policy, you can get into the low-level details of firewalls, VPNs, IDS, and network design. For this you should have good network/internetworking basics, a very detailed understanding of TCP/IP, and an understanding of firewalls, VPNs, and IPsec.
Firewalls and Internet Security: Repelling the Wily Hacker, 2nd ed. by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin is a great place to start, and Building Internet Firewalls by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman is a great follow-up. An alternative book on firewalls and VPNs is Inside Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Intrusion Detection Systems by Stephen Northcutt, Karen Frederick, Scott Winters, Lenny Zeltser, Ronald W. Ritchey (crowd from SANS).
For networking basics, a Cisco certification like CCNA could be useful in providing knowledge about internetworking and Cisco routers' IOS. For the gory details of TCP/IP, read either TCP/IP Illustrated: Volume 1: The Protocols by Richard Stevens or Internetworking With TCP/IP Volume 1: Principles, Protocols, and Architecture, 4th edition by Douglas Comer.
For IDS - Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt and Intrusion Signatures and Analysis by Matt Fearnow, Stephen Northcutt, Karen Frederick, Mark Cooper are the best IMHO.
I am not sure what to recommend for VPNs, other than you need to know about IPsec.
-
Re:Teach yourself iptables
One word: WRONG!
Security is not an Engineering discipline. Knowing one security tool, or even many tools does little or nothing towards cultivating the approach, process, culture and awareness-in-context that are basic to a professional in the Information Security field.
One could do worse than browse the documents collection in the Reading Room at SANS.org, and the archive of Bruce Schneier's Crypto-gram newsletter.
If Information Security still appeals to you, and you can specialize in an area suited to your temperament, go ahead.
-
Start here...
-
inetd
inetd - Google is your friend.
-
A Little Light Reading ...
Sans reading room has a wide variety of papers. It's not the be-all and end-all of network security, but it's a damn good start.
-
Five easy steps.
1. Education - Get educated about what information security is all about: you should know what C.I.A. stands for (in infosec, not the US federal agency), you should know what a security policy is, understand risk management and mitigation, and know what criminals/attackers can do in your organization.
You can get a lot of this from several books and websites, such as Secrets and Lies by Bruce Schneier, the SANS Reading Room, SANS/GIAC training and/or certification if you can afford it (it may be of benefit to you and your org), the CISSP and SSCP Open Study Guides even if you don't go for CISSP or SSCP (I don't recommend paying any money to ISC^2), and Security Focus.
2. Audit - This step is critical and too many places forget to do it. You need to know what you are trying to secure, yet most organizations do not have a complete picture of their network and all the systems on it. This includes security and non-security issues (e.g. software licenses, maintenance patches, standardization).
Tools like those from IBM Tivoli or HP Openview can help here. For security-specific vulnerability analyzers, there are open-source Nessus, eEye's Retina, and ISS's Internet Scanner.
3. Policy - You need a plan and a document to give you and others guidance, and this is your infosec policy.
Large orgs should consider BS 7799 or ISO 17799 whereas smaller groups can look at Center for Internet Security for benchmarks, and SANS Reading Room - Auditing and Assessment, and Site Security Handbook - RFC 2196.
4. Implement -- Using your education, audits and policies you can now implement decent security.
Basic principles of defence in depth, fail-safe, separation of privilege, and complexity is the enemy of security can guide you to build a practical network of secured systems that limits exposure to criminal activities, and minimizes damage from attacks.
5. Be vigilant - "Security is a process, not a product" - Bruce Schneier
Now the work begins. Up to now it was the fun stuff; now you get to dig in with boring but important tasks such as analyzing log files, maintaining an accurate asset database, applying patches, maintaining user accounts, periodic audits (internal and, if you can afford it and it is warranted, external), educating users, and maintaining your security posture. -