Security is really about knowing what to secure; the more you know about potential vulnerabilities and how to fix them, the more secure your enterprise will be. In this short excerpt from a longer InformIT
The top 10 that's likely to be of most interest to any individual network or system administrator, or IT security professional, is a list of the top known exposures "in the wild" that actually apply to the systems, software and networks that such hard-working professionals must protect and manage.
To a large extent, this means that your real security issues list probably differs from somebody else's list, simply because it's highly unlikely that any two network or system environments completely match up. In other words, avoiding the most likely security threats depends on constant vigilance, coupled with direct knowledge of what's out there on your systems and networks that needs to be kept safe and secure. Thus, the following rounds of activity are essential to help you build and manage your own personal security issues list:
- Make sure you understand basic security principles, policies and best practices (several in our top 10 list directly address these topics). Any good book on network or system security will cover these topics to some extent, though some such books are better than others (the "Security Bibliography" section provides a brief list of excellent security books).
- Routinely monitor security advisories (the "Security Advisory Resources" section documents some of the best sources of such information, but you'll also want to research and sign up for or visit vendor-specific security advisory resources).
- Compare current security advisories against your networks, platforms, hardware and software. Take appropriate action (such as applying necessary patches, fixes or upgrades) as circumstances dictate.
- In addition to responding to advisories as they come up, schedule and perform regular security assessments of your systems and networks (in more secure or sensitive environments, this often occurs monthly; in less secure or sensitive environments, this should occur two to four times a year). Many organizations also schedule and perform penetration testing and run security scanning software against their environments at the same frequency. You should, too.
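The comparison step in the list above, as an added example that is not from the original article: it matches one set of advisories against two inventories and shows that each environment ends up with its own issue list. Advisory IDs, product names, hosts and versions are constructed placeholders, and a single `fixed_in` version per advisory is an assumed simplification.

```python
# Constructed sample data: every ID, product, host and version is a placeholder.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "product": "examplehttpd", "fixed_in": "2.4.10", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "product": "examplemail", "fixed_in": "8.12.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-3", "product": "exampledb", "fixed_in": "5.1.3", "severity": "medium"},
]

SITE_A = [
    {"host": "web01", "product": "examplehttpd", "version": "2.4.9"},
    {"host": "web02", "product": "examplehttpd", "version": "2.4.10"},
    {"host": "db01", "product": "exampledb", "version": "5.0.12"},
]
SITE_B = [
    {"host": "mx01", "product": "examplemail", "version": "8.11.6"},
    # 2.10.1 is newer than 2.4.10; a plain string comparison would get this wrong.
    {"host": "web01", "product": "examplehttpd", "version": "2.10.1"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def build_issue_list(inventory, advisories):
    """Return (severity, advisory id, host) for each install older than the fix."""
    issues = []
    for item in inventory:
        for adv in advisories:
            if adv["product"] != item["product"]:
                continue  # advisory does not apply to this software
            if parse_version(item["version"]) < parse_version(adv["fixed_in"]):
                issues.append((adv["severity"], adv["id"], item["host"]))
    # Most severe first, then stable ordering by advisory and host.
    return sorted(issues, key=lambda i: (SEVERITY_ORDER[i[0]], i[1], i[2]))


if __name__ == "__main__":
    for name, inventory in (("site A", SITE_A), ("site B", SITE_B)):
        print(name)
        for severity, adv_id, host in build_issue_list(inventory, ADVISORIES):
            print(f"  {severity:8} {adv_id} {host}")
```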
Don't get hung up on the number "10," either. Just because Letterman and radio stations track the top 10 doesn't mean that's the exact number of security issues you should handle at any given time. If you're lucky, the actual number will be smaller; if not, it'll be larger, and you'll have more work to do.
Sources of security top 10 information
The following Web sites contain some useful top 10 lists relevant to system and network security topics:
- www.sans.org/topten.htm. SANS Top Ten Most Critical Internet Security Threats
- hq.mcafeeasap.com/security_found.asp. McAfee's Top 10 High Risk Security Threats
- www.zdnet.com/zdnn/content/pcwk/14nw/pcwk0004.html. General Top 10 list from 1997 (still accurate today)
- www.techcourt.com/technologies/security/hackernews.html. 10 Security Tips (common sense security rules)
- www.securitytracker.com/startup/index.html. SecurityTracker: Top 5 (great tracking data and info available)
- www.secureroot.com/category/security. Security Challenges: Public, concerted cracking or break-in appeals
- www.hipaadvisory.com/tech/TopTenSecurityRisks.htm. HIPAAdvisory Top 10 Security Threats
- www.apocalypseonline.com/security/index.asp. Apocalypse Online Security: Current top 10 stories under "Latest News" heading
- www.hackers.co.za/archive/security/articles/tips.html. Tiemann's Top 10 Security Tips (common sense Web server tips)
- www.pinkertons.com/news/press/threat2000.asp. Pinkerton's has a different take on the Top 10
Read more of this article at InformIT. Registration is required but it is free.
This was first published in November 2001