[Dshield] Security Project

vinny vinu at hiwaay.net
Wed Nov 23 14:45:30 GMT 2005


Mephisto wrote:

>>Hello all
>>
>>My name is Daniel, I am a junior in High School at a HS in North 
>>Carolina.  During our senior year, we have to write a report and do a 
>>project to graduate (grad project).  My project is going to be on how 
>>the lack of computer security knowledge in the general public has 
>>affected current business practices involving the internet.
>>
>>Sence many of you work on the business end, I was hoping you could 
>>provide me with some insight on how your companies polices and practices 
>>have been affected by your client base. I may also have some other 
>>questions as I progress with the project. I realize that this might lead 
>>into some privacy concerns, therefor I invite you to email me privatly 
>>at the address i'm posting with if you wish too.
>>
>>I also am hoping you could give me some books or websites I could use as 
>>references so I can write my paper.
>>    
>>
Hi Daniel,

The lack of Computer Security Knowledge is an interesting topic indeed.  
I believe that this is a very complex issue, and the polices and 
practices are basicly only as good as the people that are in charge of 
inforcing them.   Its amazing how much can be done to gain confidential 
information about a person or company without ever touching a computer, 
multiplied with advent of search tools (google for instance), that will 
give you almost anything you want to know about a person or company.
A major problem that occurs with companies, is that fact that they 
simply don't care.  They do not believe it will happen to them, or they 
firmly believe that it is someone else's fault, there for not their 
responsibility.  

I am a firm believer in least privledge.  Give the users access to only 
what they absolutely need inorder to get their job done.
Inforce strict password/authentication.
Educate your users, explain how not securely doing things will impact 
them, make them care about what is going on.  Preaching will not help, 
make them understand.

For instance, if a user gets infected by malware, immediately take the 
computer off the network, shut it down.  Explain to the user, that 
he/she can no longer do their job, which will inturn badly reflect the 
amount of work they are able to do.  Make the user realize that yes it 
is their fault, if it wasn't their fault(granted it was their fault). 

Also educate users about what to say and what not to say, make sure they 
understand prior to them even starting work.  Its easier to get them at 
the beginning than, 8 years in when they are already set in their ways. 

SANS has a bunch of RSS feeds that are always interesting.

I also like the idea of companies monitoring traffic on the LAN, if a 
user believes that they may be watched, they have a tendency to think twice.

Keep us updated and good luck on your project





More information about the list mailing list