Welcome to Questy's World
Welcome to Questy's Links and Lessons
Technology study guides and tutorials.
Web Administration Security Concepts

Physical Security - If someone can touch it, it isn’t secure!

User training - Does your staff understand the value of your data?

Tools and procedures - Usernames, passwords, and other methods of authentication.

Access Control (ACL):

The first step in security is preventing an open door to unauthorized users.

Auditing and Audit logs:

Determine what events you should track.

Determine if you have the resources to track what you want to track. (As in hard drive space, processor, bandwidth)

Determine who will manage the logs

Monitor strange and unexpected uses

Monitor failed attempts

Encryption:

The art of jumbling data so it cannot be read.

It is illegal to use strong encryption (128 bit) outside the U.S. or Canada.

Worldwide encryption is currently limited to 56 bit (the book states 40 bit).

Authentication:

The process of identifying an individual, typically by username and password. This may be supplemented with additional methods such as secure cookies. If a cookie is marked secure, it will be transmitted ONLY if the host is secure: it is only sent to HTTPS servers.

Certificates:

The digital substitute for your signature.

A certificate server is a centralized point for confirming or denying a digital identity. You can create and maintain your own PKI (Public Key Infrastructure), or utilize a third party like VeriSign.

What is a VPN?

A Virtual Private Network allows you to transfer sensitive information across the Internet in a secure way.

Why a VPN?

Exchange secure information over the Internet
Exchange secure information within a private network
To connect remote users securely to corporate networks

A VPN ensures the following:

The data you need to access or share is confidential or private
The sender’s identity is authentic before servicing the sender’s request
Prevents unauthorized users from modifying data on your network
Allows remote users to access your network using the Internet for connectivity

Security:

Security is not only about protecting your network from outside attackers; it is about making sure you can conduct business in a secure environment with customers, suppliers and partners.

A VPN also allows your employees to access your network from remote locations and allows internal traffic to be secure.
For instance, confidential communications between company officers and officials can be encrypted to prevent employees from within a company from seeing it.

The International Computer Security Association (www.icsa.net) estimates more than 80% of break-ins occur internally.

Standard Security Protocols:

SKIP - Simple Key Internet Protocol
IPSec - IP Security
PPTP - Point to Point Tunneling Protocol (does not have the level of security of IPSec)

Encryption / Authentication Schemes:

The Diffie-Hellman key agreement algorithm allows two parties to compute the same secret key without exchanging secret information.
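The exchange described above, written out as an added example (not part of the original study guide). The group parameters `P` and `G`, the `Party` class and the helper names are assumptions of this example, and the group is demonstration-sized only.

```python
import hashlib
import secrets

# Assumption of this example: a demonstration-sized group. 2**127 - 1 is prime
# but far too small for real use; deployments use standardized groups of
# 2048 bits or more.
P = 2**127 - 1
G = 3


def check_public(y, p):
    """Reject peer values that would force a trivial, guessable secret."""
    if not isinstance(y, int) or not 2 <= y <= p - 2:
        raise ValueError("peer public value out of range")


class Party:
    def __init__(self, p=P, g=G, private=None):
        self.p, self.g = p, g
        # The private exponent is generated locally and never transmitted.
        self._x = private if private is not None else secrets.randbelow(p - 3) + 2
        self.public = pow(g, self._x, p)  # the only value sent to the peer

    def shared_secret(self, peer_public):
        check_public(peer_public, self.p)
        return pow(peer_public, self._x, self.p)


def derive_key(secret, p):
    """Hash the raw shared secret into a 256-bit symmetric key."""
    size = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(size, "big")).digest()


def exchange(alice, bob):
    """Run one exchange; return what crossed the wire and each side's key."""
    wire = {"alice->bob": alice.public, "bob->alice": bob.public}
    key_a = derive_key(alice.shared_secret(bob.public), alice.p)
    key_b = derive_key(bob.shared_secret(alice.public), bob.p)
    return wire, key_a, key_b


if __name__ == "__main__":
    wire, key_a, key_b = exchange(Party(), Party())
    print("visible to an eavesdropper:", wire)
    print("keys match:", key_a == key_b)
```

The exchange by itself does not authenticate either party; that has to come from a separate step such as certificates.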



This area is meant to be a study guide, not a comprehensive reference.

DISCLAIMER: Technology changes very rapidly. The information is presented here as a study guide to illustrate concepts. No claim is made that this information is up to date, or that it represents the current technology used today.

Welcome to the World of Questy -- The World of Questy Sites are currently undergoing a major overhaul. Stay tuned for updated links and news in 2008!

Unless otherwise credited all photos and graphics are the copyrighted property of Questy aka Tom Peracchio. Unauthorized reproduction of any of the pages of this web site is illegal, not to mention rude.
- Copyright 1990 through 2008 -