10 Essential Digital Security Processes

Computer insecurity is inevitable, and technology alone cannot save us. We also need to implement and follow secure processes.

Here are 10 essential processes every organization should follow.

1. Compartmentalize

Follow the principle of least privilege: only give people the privileges (e.g. server access) they need to do their job.

2. Secure the weakest link

Look at the entire vulnerability landscape and create an attack tree: find the weakest link and secure it. Then worry about the next weakest link and so on.

3. Use choke points

A choke point forces users into a narrow channel, one that you can more easily monitor and control. Firewalls and login screens are some examples.

4. Provide defense in depth

This is about creating layers of security, such as a firewall combined with an intrusion detection system and strong cryptography.

5. Fail securely

Systems should fail in such a way as to be more secure, not less. (For example, if an ATM’s PIN verification system fails, it should fail in such a way as to not spit money out the slot.)
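As an added illustration of the ATM case (example code written for this page, not from the deck or from Schneier; the card IDs, PINs and backend functions are constructed), the fail-open dispenser treats "verification did not say no" as approval, while the fail-closed one pays out only on an explicit yes, so a crashed or garbled verifier keeps the cash in the machine:

```python
from enum import Enum


class PinResult(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ERROR = "error"  # verifier unreachable, threw, or answered with garbage


class VerifierUnavailable(Exception):
    """Constructed stand-in for a dead host link."""


def verify_pin(card_id, pin, backend):
    """Ask the PIN backend and collapse every failure into PinResult.ERROR.

    Only a literal True/False from the backend counts as a real answer; an
    exception or a malformed reply is a verifier failure, not a verdict.
    """
    try:
        answer = backend(card_id, pin)
    except Exception:
        return PinResult.ERROR
    if answer is True:
        return PinResult.ALLOW
    if answer is False:
        return PinResult.DENY
    return PinResult.ERROR  # e.g. None or an unexpected type


def dispense_fail_open(card_id, pin, backend):
    # The defect: anything other than an explicit DENY pays out, so a
    # backend outage becomes free cash.
    return verify_pin(card_id, pin, backend) != PinResult.DENY


def dispense_fail_closed(card_id, pin, backend):
    # Fail securely: only an explicit ALLOW pays out; DENY and ERROR both refuse.
    return verify_pin(card_id, pin, backend) == PinResult.ALLOW


# Constructed sample data and backends for the demonstration.
CONSTRUCTED_PINS = {"card-0001": "4321"}


def healthy_backend(card_id, pin):
    return CONSTRUCTED_PINS.get(card_id) == pin


def crashed_backend(card_id, pin):
    raise VerifierUnavailable("host link down")


def malformed_backend(card_id, pin):
    return None  # reply arrived but carried no verdict
```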

6. Leverage unpredictability

There’s no reason to broadcast your network topology to everyone that asks. If networks are unpredictable, attackers won’t be able to wander around so freely.

7. Embrace simplicity

A system is only as secure as the weakest link, so a system with fewer links is easier to secure.

8. Enlist the users

Security measures that aren’t understood and agreed to by everyone don’t work. Enlist their support as much and as often as possible.

9. Assure

What we really need is assurance that our systems work properly. This involves a structured design process, detailed documentation, and extensive testing.

10. Question

Constantly question security. Question your assumptions and decisions. Question your trust and threat models. Keep looking at your attack trees. Trust no one, especially yourself.

Find out how to build secure systems in Secrets & Lies: Digital Security in a Networked World by Bruce Schneier.