- Workstation - Personal IDS, two-factor authentication, antivirus, and monitoring tools implemented, updated regularly, and configured to adhere to company policies.
- Internetwork/Subnet - Packet filtering, link encryption, and network monitoring/IDS devices.
- Server Farm/Backbone - Change control, antivirus, audit logs, monitoring, regularly scheduled updates and backups.
- Internet Portal - Screened subnet with stateful firewalls and application proxies.
- Physical Building/Data Center - Intrusion monitoring, two-factor access control via swipe card and PIN, CCTV cameras/monitors, and log books.
- Extranet/Road Warriors - Callback, strong (two-factor) authentication, and virtual private networking, antivirus, personal firewalls, and IDS.
At the station and SOHO level, although it's not practical to think you can be completely safe from exposure, there are ways to fortify your weakest links against most common threats and mitigate risk to an acceptable level. Be sure to follow these seven golden rules:
1. Use a personal firewall. Personal firewalls typically fortify against many incoming intrusions. Among the most popular and proven are Norton Firewall, McAfee Firewall, BlackICE Defender, and ZoneAlarm Pro.
2. Use antiviral software. Protect your system from downloads and e-mail attachments that contain viruses and Trojans with Norton AntiVirus, McAfee VirusScan, or PC-cillin.
3. Use personal intrusion detection software (IDS). Protect your system from hack attacks and malware that gets past your personal firewall and antivirus software. Personal IDS inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise your system. IDS evaluates a suspected intrusion once it has taken place and signals an alarm, and then asks for action or acts. With it you can block an IP address, block a local or remote port, block all, or allow the connection altogether. Every workstation should run products such as TigerGuard IDS and Pest Patrol.
4. Don't take candy from strangers. Defend your right to privacy with a good cookie manager, such as McAfee Internet Guard Dog or Norton Internet Security.
5. Encrypt sensitive data. Don't even think about transmitting sensitive information without using encryption software. Among the most user-friendly is PGP.
6. Update habitually. It's important to follow a patch implementation schedule, for your operating and protective software, to keep you abreast of vulnerabilities and advisories with alleviations, each week.
7. Just say "No!" It's none of their business--don't ever reveal personal information such as your passwords, credit card limits, home address, birth date, driver's license and social security numbers.
What do you think about the full disclosure of vulnerabilities?
Bearing in mind the pros and cons of the complete details of security vulnerabilities being made public, I personally consent to full disclosure with restrictions. I believe doing so would increase the general level of awareness, compel companies to take risk mitigation more seriously, strengthen the power of security tools, and force vendors to release patches and safeguards more rapidly.
With that said, I feel restrictions including the following should apply: the vendor should be first notified, vulnerabilities should be accurately and fully disclosed at appropriate websites and published in monthly periodicals, and a principal consortium should be formed to test and release testing tools in an open source forum.