
Best Practices to Address Security Risks

Technologies by themselves have never solved any problems. People must know where, when, and how to use them in the context of solving their security needs. This section offers suggestions on how to minimize the security risks that your company faces when performing transactions on the Internet.

Have a Companywide Security Policy

This type of policy ensures that anyone with access to a workstation and/or server follows company guidelines. When people have an understanding of the implications of not following these guidelines, they're more likely to follow them. Examples of a security policy include always having antivirus software running, not executing applications sent through email, and always running personal firewall software.

A company's security policy should include how Internet browser security is configured. Internet browsers generally have many settings related to security. For example, as depicted in Figure 26.9, Internet Explorer allows certain URLs to be trusted and applies a more lax security policy when a user visits those Web sites.

Figure 26.9. The security settings in Internet Explorer give an administrator much granularity to work with. Here we see how the security settings of the Java Virtual Machine within Internet Explorer can be configured.


Of course, any policy that isn't followed will have no significant effect on the business processes of a company. Identified members of a company's IT department should assist users in following this policy, and others should be given the authority to enforce it.

Keep Machines Physically Secure

It's important to keep the machines in your IT infrastructure physically secure. This obviously includes Web servers, database servers, and application servers, but it also includes desktop systems and laptops. If a cracker has physical access to a machine, it will be very easy for him to mess with it. This includes installing cracking software and disabling antivirus software.

Keep Up with Security Fixes

As mentioned earlier, signing up with a security update newsletter ensures that you have access to the latest security exploits and corresponding fixes as they are discovered and patched. It's important to acquire and apply security fixes as soon as possible because crackers have access to the same information and can exploit new security vulnerabilities before you've had a chance to patch them up.

Mailing lists for security vulnerabilities are available from many places, two of them being http://www.ntbugtraq.com/ and http://www.securityfocus.com/. BEA also puts out security advisories that are available at http://dev2dev.bea.com/resourcelibrary/advisories.jsp?highlight=advisoriesnotifications. A subscription service to these advisories is also available.

Use Complex Passwords and Keep Them Secure

The easiest way for a cracker to break into your system is by getting hold of an existing password or by guessing one. Your company's security policy should include guidelines on acceptable passwords and where passwords should be stored. Generally, passwords should not be written down. It isn't that difficult for a user to remember a single password. If users are expected to remember multiple passwords, they can use software that encrypts and stores passwords on their hard drives. Access to all these passwords is then available by remembering just one password.

A complex password is one that isn't easily guessed. Using longer passwords (eight or more characters), avoiding single words, and using lowercase and uppercase letters, punctuation marks, and special symbols make the task of guessing a password much more difficult. Another technique for keeping a network more secure is making passwords expire. If a user's password gets into the wrong hands, it becomes obsolete when the user is forced to choose a new one.
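The guidelines above can be written down as a check that a password-change form or an audit script runs. This is an added example, not code from the book; the word list, the 90-day expiry period, and the function name are assumptions made for illustration.

```python
import string
from datetime import date, timedelta

# Constructed stand-in for a real dictionary file; a deployment would load a full word list.
COMMON_WORDS = {"password", "welcome", "weblogic", "administrator"}
MAX_AGE = timedelta(days=90)  # assumed expiry period; the text does not give one


def password_problems(password, last_changed, today):
    """Return the policy rules the password breaks (an empty list means acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    # A single word stays guessable even with digits or punctuation tacked on the ends.
    core = password.strip(string.digits + string.punctuation).lower()
    if core in COMMON_WORDS:
        problems.append("single dictionary word")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        problems.append("needs both lowercase and uppercase letters")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation or special symbol")
    if today - last_changed > MAX_AGE:
        problems.append("expired")
    return problems


if __name__ == "__main__":
    today = date(2003, 6, 1)  # constructed dates
    for pw, changed in [("Welcome1!", date(2003, 5, 1)), ("blue7", date(2003, 1, 1))]:
        print(pw, "->", password_problems(pw, changed, today))
```

Note that "Welcome1!" satisfies the length and character-class rules and is still rejected, because stripping the trailing digit and punctuation leaves a single dictionary word.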

Encrypt Communications and Use Certificates

Although encrypting and decrypting information will put more overhead on your IT infrastructure, both you and your customers will have the confidence that goes along with knowing that your business transactions are private and unalterable. This improved confidence will result in increased usage and, ultimately, higher profitability.

Simplify Your Infrastructure

As your infrastructure grows, it becomes much more difficult to manage and secure. As connections to partner networks are added, the security of your network becomes the lowest common denominator of the security of your partners' networks. Some users will want wireless access, which opens up a can of worms concerning security. The bottom line is to provide access to information while maintaining security. If your security policy is too rigid, some users might feel justified in going around it and doing things such as setting up an unauthorized FTP server. Finding the right balance isn't easy, but educating your users is a way of making this task a bit easier.

Look at Log Files and Event Logs!

No matter how tightly security is controlled, there always remains the possibility that someone will find a way around it. Operating systems, Web servers, application servers, and database servers all have the capability to monitor system status and client requests through the use of log files. Log file tracking must usually be configured and turned on before log files will be generated. Log files track client requests by many characteristics, such as time, source IP address, and port. Because these log files tend to be quite large, looking at the raw data in them is usually not very helpful. However, there are software packages that take the raw data and look for patterns that indicate the gathering of information and possible system break-ins by crackers. Creating real-time log files will have an effect on the performance of the machine that is creating them. If this results in unacceptable performance, a choice between security and performance must be made. At that point, be prudent in determining the tiers in your architecture where log files are critical. If this means increasing your hardware capabilities, it's a small price to pay considering the extra security and hopefully peace of mind that come with keeping log files.
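The kind of pattern search such packages perform can be shown on a small scale. The following is an added example, not code from the book or from any log analysis product: it assumes a Web server access log in Common Log Format, uses constructed sample lines with documentation-range addresses, and the thresholds and function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in Common Log Format; addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2003:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [12/Mar/2003:10:00:02 +0000] "GET /favicon.ico HTTP/1.0" 404 210
198.51.100.7 - - [12/Mar/2003:10:00:03 +0000] "GET /admin/ HTTP/1.0" 404 210
198.51.100.7 - - [12/Mar/2003:10:00:03 +0000] "GET /console/ HTTP/1.0" 404 210
198.51.100.7 - - [12/Mar/2003:10:00:04 +0000] "GET /test.jsp HTTP/1.0" 404 210
198.51.100.7 - - [12/Mar/2003:10:00:04 +0000] "GET /backup.zip HTTP/1.0" 404 210
203.0.113.5 - alice [12/Mar/2003:10:01:10 +0000] "POST /login HTTP/1.0" 401 128
203.0.113.5 - alice [12/Mar/2003:10:01:11 +0000] "POST /login HTTP/1.0" 401 128
203.0.113.5 - alice [12/Mar/2003:10:01:12 +0000] "POST /login HTTP/1.0" 401 128
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')


def parse(log_text):
    """Yield (ip, path, status) for each well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(4), int(m.group(5))


def find_suspects(log_text, probe_threshold=3, auth_threshold=3):
    """Return {ip: [reasons]} for sources that look like probing or password guessing."""
    missing = defaultdict(set)  # ip -> distinct URLs that returned 404
    denied = defaultdict(int)   # ip -> number of 401 responses
    for ip, path, status in parse(log_text):
        if status == 404:
            missing[ip].add(path)
        elif status == 401:
            denied[ip] += 1
    suspects = defaultdict(list)
    for ip, paths in missing.items():
        if len(paths) >= probe_threshold:  # many different missing URLs: information gathering
            suspects[ip].append(f"probing: {len(paths)} distinct missing URLs")
    for ip, count in denied.items():
        if count >= auth_threshold:        # repeated rejected logins: password guessing
            suspects[ip].append(f"auth failures: {count}")
    return dict(suspects)


if __name__ == "__main__":
    for ip, reasons in find_suspects(SAMPLE_LOG).items():
        print(ip, reasons)
```

Counting distinct missing URLs rather than total 404 responses keeps an ordinary client that repeatedly requests one absent file, such as the first address in the sample, from being flagged.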
