A.1. Getting Started

The Security+ certification contains mainly concepts and theories; the actual implementation of these will vary greatly from one organization to another. You will need to learn how these concepts and theories are put into practice in your company. There is significantly more information about security than any single book or certification exam can contain. So you'll need to do the reading and research to learn about the technologies, software, hardware, and procedures you encounter. This is an important step because without a complete understanding of implemented solutions, you won't know how to adapt and apply these generic recommendations.

Knowing how to do something doesn't mean you should do it. You have been assigned a certain job description that entails a specific set of work tasks and related privileges and permissions. You should not attempt to exceed your assigned authority. If it is not your job, then it is not your job. You can learn anything you want, but without authorization, you cannot do anything you want—at least, not at work.

If you want to be able to experiment and implement anything, you should create your own personal lab environment at home. Your lab could consist of a small network of physical machines or a single high-end machine running an operating system (OS) virtualization product, such as VMware or Microsoft's Virtual Server. Then, when you can't implement something at work, you can do it at home. Unless you are the security administrator for your employer, it is doubtful you'll be able to implement many of the security recommendations covered in this appendix. Although you should submit requests and suggestions to the appropriate personnel, if you want to gain hands-on experience, you'll need to find another avenue to explore and develop your new security skills. A home lab is the best place to start. Even if your home lab is just one underpowered system with a dial-up modem to an ISP, it is enough to start the learning process.

VMware Player allows you to work in multiple environments on one system (http://www.vmware.com/products/player/).


In some cases, the actions you take, although motivated by good intentions and dictated by sound security concepts, can be perceived as unethical, abnormal, suspicious, antisocial, a breach of security, and even criminal. Think before you act. Consider the effects your actions will produce. Ponder how others will perceive you if they notice your actions. If you are seen peeking around a corner, you might be perceived as spying or trying to hide something. If you are caught looking at network traffic, you can be perceived as a hacker. If you are caught in an area where you are not assigned to work, you can be perceived as a thief or trespasser. Remember, even when doing good, without proper permission and authority your actions can be perceived as unethical and criminal.

If your job is important, then keep communication open with your superiors and the security administration. Often they will be supportive of your desire to learn and improve yourself, which is especially the case when your new skills will benefit the organization directly. However, pushing too far, overstepping your limits, or encroaching on another person's boundaries or areas of responsibility can have negative consequences. These can range from minor verbal warnings to job termination or even criminal prosecution. When in doubt, don't. Instead, be proactive and ask for help and guidance from those in your organization with the authority and the know-how.

NOTE

Not only should you always seek permission, it is highly recommended that you get permission in writing.

There is at least one dark secret that everyone in the IT industry has been keeping from you: No operating system—not Windows, not Unix, not Novell, not Sun, not Linux, not Macintosh—can be fully and completely secured. Therefore, given enough time and resources, every network, every system, and every file can be compromised. While it is true that some solutions and systems offer more security than others, each product, hardware, or software has its own share of problems and issues. Every technological security mechanism has a fault, flaw, oversight, weakness, workaround, or maximum strength that can be overcome. Therefore, picking the "right" OS is not the whole solution—especially because anyone can be an attacker. Modern-day attack tools are powerful, and they don't necessarily require a high level of sophistication from the attacker (hence the terms script kiddie and ankle biter).

Security breaches can arise from a myriad of vectors, including external intruders, internal attackers, misguided insiders, contractors, malicious code, accidents, and oversights. A complete security solution does not stop all attacks, but it reduces the possibility that attacks will be successful and strives to detect any attempts.

This solution requires that you take the following steps:

  • Create, maintain, and use a written security policy.

  • Make informed technology choices.

  • Make your best effort to secure your OS using IT technology.

  • Deploy multiple overlapping layers of defense.

  • Consider protection for confidentiality, integrity, and availability.

  • Implement stronger authentication to support realistic accountability.

  • Secure your personnel through training.

  • Secure the physical environment.

  • Watch for the inevitable security breach attempt.

  • Be prepared to respond to incidents.

  • Maintain that security is a never-ending process.

  • Keep in mind that protections should prevent, then deter, then deny, then detect, then delay.

In the sections that follow, these and many other security concepts are explored and their application discussed.
