9.4. Staying on Top of Security

The landscape of security is changing at a fast pace. You, as a security professional, are primarily responsible for keeping current on the threats and changes that are occurring, as well as staying on top of new developments in the field. At times, it can seem as if new buzzwords and acronyms (such as SPIM for Spam over Instant Messaging) are added daily. You're also responsible for ensuring that systems are kept current and up-to-date. The following list briefly summarizes the areas you must be concerned about:


Operating systems updates

Make sure all scheduled maintenance, updates, and service packs are installed on all the systems in your environment. Many manufacturers release security updates for their products to deal with newly discovered vulnerabilities. For example, Novell, Microsoft, and Linux distributors offer updates on their websites. In some cases, you can have the operating system automatically notify you when an update becomes available; this notification helps busy administrators remember to keep their systems current.

As a security administrator, you understand the importance of applying all patches and updates to keep systems current and to close found weaknesses.

Most vendors offer sites specifically devoted to security. For example, Red Hat has http://www.redhat.com/security, Ubuntu has https://help.ubuntu.com/community/Security, Microsoft has http://www.microsoft.com/security, and so on.



Application updates

Make sure all applications are kept to the most current levels. Older software might contain vulnerabilities that weren't detected until after the software was released. New software may have recently discovered vulnerabilities as well as yet-to-be-discovered ones. Apply updates to your application software when they are released to help minimize the impact of attacks on your systems.

Some of the most heavily exploited software today consists of applications such as e-mail clients and word-processing software. The manufacturers of these products regularly release updates in an attempt to make them more secure. Check for updates regularly and apply them just as you would for operating systems.
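Keeping operating systems and applications current, as the two items above describe, is easier to verify when the check is automated. The following script is an added example (not from the book): it compares a constructed software inventory against a constructed list of advisory "fixed" versions and reports every package that is still below the fixed version. The inventory, host names, product names and version numbers are all made up for illustration. The point worth noting is the version comparison: naive string comparison ranks `2.4.9` above `2.4.10`, so the script splits versions into numeric and alphabetic tokens before comparing.

```python
"""Patch-compliance check (added example).

Compare an installed-software inventory against vendor advisories and
flag every package whose version is below the version that contains the
fix. All data below is constructed for illustration; it is not a real
inventory and not a real advisory.
"""
import re

# Constructed inventory: host -> {product: installed version}, as a
# package manager or inventory agent might report it.
INVENTORY = {
    "web01": {"openssl": "1.0.2k", "apache-httpd": "2.4.29", "kernel": "4.15.0"},
    "mail01": {"openssl": "1.1.1w", "postfix": "3.3.1", "kernel": "5.4.0"},
}

# Constructed advisories: product -> minimum version that contains the fix.
ADVISORIES = {
    "openssl": "1.1.1",
    "apache-httpd": "2.4.30",
    "kernel": "4.19.0",
}

_TOKEN = re.compile(r"(\d+|[a-z]+)")


def version_key(version):
    """Turn a version string into a tuple that compares correctly.

    Numeric runs compare as integers, so '2.4.10' > '2.4.9'; letter runs
    (the 'k' in OpenSSL's '1.0.2k') sort after the number they follow.
    Plain string comparison gets the first case wrong. Pre-release tags
    such as 'rc1' are NOT handled; for distribution package formats use
    the distribution's own comparison tool (e.g. dpkg --compare-versions).
    """
    parts = []
    for tok in _TOKEN.findall(version.lower()):
        if tok.isdigit():
            parts.append((0, int(tok), ""))
        else:
            parts.append((1, 0, tok))
    return tuple(parts)


def is_outdated(installed, fixed):
    """True when the installed version is older than the fixed version."""
    return version_key(installed) < version_key(fixed)


def find_outdated(inventory, advisories):
    """Return (host, product, installed, required) for every package below
    its advisory's fixed version. Products with no advisory are skipped.
    Results are sorted by host and then product for stable reporting."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for product, installed in sorted(packages.items()):
            required = advisories.get(product)
            if required is not None and is_outdated(installed, required):
                findings.append((host, product, installed, required))
    return findings


if __name__ == "__main__":
    for host, product, installed, required in find_outdated(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {installed} is below fixed version {required}")
```

Run as-is, the script reports three findings, all on `web01` (`apache-httpd`, `kernel`, `openssl`); `mail01` is current for every product that has an advisory, and `postfix` is not reported because no advisory covers it. In practice the inventory would come from your package manager or asset database and the advisory list from the vendor security pages named in this section.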


Network device updates

Most newer network devices can provide high levels of security, or they can be configured to block certain types of traffic and IP addresses. Make sure logs are reviewed and, where necessary, access control lists (ACLs) are updated to prevent attackers from disrupting your systems. These network devices are also frequently updated to counter new vulnerabilities and threats. Network devices should have their BIOS updated when the updates become available; doing so allows for an ever-increasing level of security in your environment.

Cisco, 3Com, and other network manufacturers regularly offer network updates. These can frequently be applied online or by web-enabled systems. These devices are your front line of defense; you want to make sure they are kept up-to-date.


Policies and procedures

A policy that is out-of-date might be worse than no policy. Be aware of any changes in your organization and in the industry that make existing policies out-of-date. Many organizations set a review date as part of their policy-creation procedures. Periodically review your documentation to verify that your policies are still effective and current.


Personal development

Remember that you're one of your organization's most precious commodities. Like any precious commodity, you need to keep yourself current. Stay abreast of current trends in the industry, new threats, and other issues that might affect your business; doing so will ensure that your skills are always honed. You'll feel more confident about your ability to deal with situations—and so will your company. Attend seminars, subscribe to relevant periodicals, and continue to grow in your knowledge and skills. This is your best bet to ensure career growth. Professional societies and associations are invaluable for gaining knowledge about an industry and its trends. Networking will also help you build a list of people whom you can call for advice or assistance when you encounter an unusual problem or situation. It's likely that someone has already experienced what you're encountering; you can learn from their experiences, and you won't have to repeat their mistakes. Take your career seriously.

In addition to focusing on these areas, you must stay current on security trends, threats, and tools available to help you provide security. The volume of threats is increasing, as are the measures, methods, and procedures being used to counter them. The following sections will help you find places to keep current. Some of these resources are governmental; many other informational sources are available through corporations, schools, and associations concerned with security-related issues. A great deal of information also exists on the Internet and is available through the Web or newsgroup mailing lists. The lists that follow aren't intended to be comprehensive; many of these sources contain links to other sources of information.

You must keep abreast of what is happening in the field and stay informed of the current best practices of the systems and applications you support. You're basically going to be functioning as a clearinghouse and data repository for your company's security. Make it a point to become a walking encyclopedia on security issues: Doing so will improve your credibility and demonstrate your expertise. Both of these aspects enhance your career opportunities and equip you to be a leader in the field.

9.4.1. Websites

Several websites actively track security issues. This list provides you with the major providers of security information on the Web. Many of these organizations also provide newsletters and mailings to announce changes or security threats:


Center for Education and Research in Information Assurance and Security

Center for Education and Research in Information Assurance and Security (CERIAS) is an industry-sponsored center at Purdue University that is focused on technology and related issues. CERIAS provides news and information on technology threats. The website is http://www.cerias.purdue.edu.


CERT Coordination Center

The CERT/CC is a federally sponsored partnership in conjunction with Carnegie Mellon University that provides Internet security expertise. CERT offers a wide variety of information about current threats and best practices in security. The website is http://www.cert.org. One of the most interesting pages you can find there details the steps to take to recover after your computer has been compromised; this is located at http://www.cert.org/tech_tips/win-UNIX-system_compromise.html.


Computer Security Institute

Computer Security Institute (CSI) is a professional organization that offers national conferences, membership publications, and information on computer security issues. CSI is one of the oldest societies in this area. The website is http://www.gocsi.com.


European Institute for Computer Anti-Virus Research

European Institute for Computer Anti-Virus Research (EICAR) is an association of European corporations, schools, and educators that are concerned with information security issues. The website is http://www.eicar.org.


LinuxSecurity

The latest news and articles related to Linux security issues can be found here. The website is http://www.linuxsecurity.com.


McAfee Corporation

McAfee is a leading provider of antivirus software. The company's site provides information and updates for its software. The website is http://www.mcafee.com.


National Institute of Standards and Technology

National Institute of Standards and Technology (NIST) is the governmental agency involved in the creation and use of standards. These standards are generally adopted by governmental agencies, and they are used as the basis for other standards. NIST has a division specifically devoted to computer security issues: the Computer Security Response Center (CSRC). The CSRC/NIST maintains a database of current vulnerabilities and other useful information. The website is http://www.csrc.nist.gov.


National Security Institute

The National Security Institute (NSI) is a clearinghouse of information relating to security. This site offers a wealth of information on many aspects of physical and information security, including a free e-newsletter. The website is http://www.nsi.org.


SANS Institute

The SysAdmin, Audit, Network, Security (SANS) Institute is a research and educational organization. SANS offers seminars, research, and other information relating to the security field. The website is http://www.sans.org.


Security Focus

General news and information on security topics of all sorts are archived here. There is also a weekly newsletter that you can subscribe to. The website is http://www.securityfocus.com.


Symantec Corporation

Symantec is a leading provider of antivirus software. Its website lists current threats, provides research abilities, and gives information about information security. The website is http://www.symantec.com.

9.4.2. Trade Publications

Numerous trade publications exist that address issues relating to security at different levels of difficulty. Some of these publications are good sources of overview information and case studies; others go into the theoretical aspects of security. Trade publications are good places to start in furthering your education. Remember that one of the most valuable jobs you perform is to consult for your organization on current issues in the field. Following is a brief list of trade publications you might find useful in your quest for knowledge and websites where you can subscribe:


2600: The Hacker Quarterly

This interesting little magazine provides tips and information on computer security issues. Don't let the name fool you—there is a wealth of information on current issues about security in this magazine. The website is http://www.2600.com.


CertCities

CertCities is an online magazine that covers the broad field of certification. It also does features on the pros and cons of various certifications, and it contains articles related to the computer profession. The website is http://www.certcities.com.


CIO

CIO is a monthly publication that specializes in IT management issues and periodically offers security-related articles that tend to be high level. The website is http://www.cio.com.


CSO Magazine

CSO is a monthly magazine that focuses on issues of interest to security executives. The website is http://www.csoonline.com.


Hakin9

Hakin9 is a bimonthly publication aimed at those with an interest in "hard core IT security". The website is http://www.en.hakin9.org/.


Information Security Magazine

Information Security Magazine is a monthly publication that focuses on computer security issues. The website is http://informationsecurity.techtarget.com.


InformationWeek

InformationWeek addresses management and other IT issues. This magazine provides updates in the field of technology. The website is http://www.informationweek.com.


InfoWorld

InfoWorld deals with PC issues from an IT management perspective. This magazine offers regular articles on security and related topics. The website is http://www.infoworld.com.

Security-Awareness Program

You've just been appointed to the security department of your IT organization. The organization needs to implement a new set of plans and standards for computer security. You've been asked to create a way to communicate this information to the organization. What could you recommend to accomplish this?

You might consider creating a security-awareness seminar for everyone in the organization. This seminar would ideally address the following areas:

  • Importance of security

  • Responsibilities of people in the organization

  • Policies and procedures

  • Usage policies

  • Account and password-selection criteria

  • Social engineering prevention

If a seminar is not possible, training can also be done using an intranet site that is updated regularly. The site should require employees to log in to document that they have reviewed the latest security information. Disseminating the information this way gives the employee more latitude but still gets the job done in the absence of a seminar.

Additionally, you would want to develop training programs for management to address the needs of the department heads and managers. Your organization may need to determine if additional training is needed for network administrators and development personnel.

