While googling for resources related to my profesional special subject project, i came across some nice IT Security/Networking related websites, including DigitalThreat, and a cool post on the rules of information security.
- Know what you are protecting, and why you are protecting it
- Understand your enemy
- Defence should be in depth
- Accept some risk
- Technology is the least of your worries
- Your strength is a function of your weakest link –
- People are your solution
- Security is journey, not a destination
- Get top cover
- Be honest
Some of them things universal known or presummed, in my opinion, if you have any know-how in the field. For instance – technology is the least of your worries. When i read this, the first thing in my mind was – social engineering – in other words, people, humans, employees, former employees, wise-guys, smart guys, name them as you want. Most likely, the most scandalous IT security related events that happened accros the years, happened because of social engineering. People will most likely recognize the case of Kevin Mitnick and the movie Hackers.
Others have a historic-military approach, like “defence should be in depth”. This is exactly the counterpart for “profesional” attacks – when you are adding multiple layers of cover to your attack (e.g. vnc to a host, vpn connection to another, then ssh tunneling to your target). But, it’s ultimately useless if you don’t cover your tracks properly (e.g. erasing logs) and the same applies to the good-side. If your defence is in depth, make sure you have clearly defined layers and you are using DIFFERENT methods of protection (e.g. increasing the authentication factor as you have access deeper in the network).
Anyway, you can read the rule descriptions in the original article on DigitalThreat.