Published by Darrell Sparks. Modified over 9 years ago.
General Security Advice
CS5493 (7493)
1. Dispel Your Pride
Assume there is someone out there who is smarter, more knowledgeable, more capable, and with access to more resources than you (because it’s true).
2. Security Through Obscurity?
Don’t rely on obscurity as a security strategy.
– Someone will eventually discover your vulnerabilities.
– Address known vulnerabilities in a timely manner.
3. Disclose Vulnerabilities
Disclosure does not mean posting known vulnerabilities on the internet or reporting them to the media. A disclosure protocol means contacting the vendor, author, management, and users.
4. Security Degrades with Use
The security of a computer system degrades in direct proportion to the amount of use the system receives. (Dan Farmer)
5. Create Realistic Policies
Users will attempt to circumvent your best intentions. The administrator is better off providing for legitimate needs than encouraging workarounds that create substantial and unknown risks.
6. Don’t Underestimate Deterrence
Disclosure of security policy and practices is better than non-disclosure; it is a matter of moral and ethical behavior. Disclosing that users are monitored will change what many (not all) users do. “Avoiding dishonesty is the beginning of wisdom.”
7. There Is No Security Holy Grail
You can’t make a system invulnerable and useful at the same time, so forget about it. Even Common Criteria EAL-7 (CC EAL-7) certification does not guarantee a secure system.
8. Think Like the Enemy
“Help-mate”: ask how you would compromise your systems if you were the attacker.
9. Trust No One?
Devise an accountability strategy for all important procedures.
10. SA Mantra
The computing system does not exist for the amusement of the SA (system administrator). It is a shared productivity tool that requires money, time, and resources to maintain; don’t treat it as your own.