John Akerson's Thoughts

Business, technology and life

Security Overview

Security is NOT about preventing access and preventing risk. Rather, it is about managing access and risk.

In 1999, the US Department of Energy posted some simple web security steps.

Their recommendations are still surprisingly valuable and are a good place to start. Here’s a summary of their “BEST PRACTICES IN MANAGING WORLD WIDE WEB SERVER SECURITY:”

1.  Place your web server(s) in a DMZ.  Set your firewall.
2.  Remove all unneeded services from your web server.
3.  Disallow remote administration.
4.  Limit the number of persons having access.
5.  Log activity and maintain logs.
6.  Monitor logs regularly.
7.  Remove ALL unnecessary files.
8.  Remove “default” document trees.
9.  Apply all relevant security patches.
10.  Do not use a GUI manager.
11.  Manage, define and limit connections to your server.
12.  Run the web server so it cannot access the real system files.
13.  Run FTP server in a tree that is different from the web server’s tree.
14.  Update from your Intranet; maintain originals and automate changes.
15.  Scan periodically for vulnerabilities.
16.  Use intrusion detection software.

This is a start. Considering that this is circa 1999, I’m amazed that it remains such a valid foundation. Don’t become complacent though – this is not a slowly swimming shark. It is a light-speed shark with very sharp teeth, but it swims in an old ocean.
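Items 5 and 6 (log activity, then actually read the logs) are the ones most often left half-done, so here is an added example of what "monitor logs regularly" can mean in practice. This is my own illustration, not code from the DOE document or from this post. It parses web server access-log lines in the common "combined" format, counts 4xx/5xx responses per client so that a burst of errors from one address stands out, and flags request paths that would step above the document root after URL decoding, which is the kind of request item 12 (the server must not reach the real system files) exists to make harmless. The log lines, IP addresses and the error threshold are all constructed sample values.

```python
"""Added example: a small access-log reviewer for checklist items 5, 6 and 12.
Not part of the original post; all sample data below is constructed."""

import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/NGINX "combined" log format. Named groups keep the report readable.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic (TEST-NET addresses, invented requests).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Nov/2008:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Nov/2008:10:00:02 -0500] "GET /about.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Nov/2008:10:00:05 -0500] "GET /admin/ HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [17/Nov/2008:10:00:05 -0500] "GET /manual/ HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [17/Nov/2008:10:00:06 -0500] "GET /cgi-bin/test-cgi HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.7 - - [17/Nov/2008:10:00:06 -0500] "GET /../../etc/passwd HTTP/1.1" 400 190 "-" "curl/7.19"
198.51.100.7 - - [17/Nov/2008:10:00:07 -0500] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 190 "-" "curl/7.19"
203.0.113.9 - - [17/Nov/2008:10:01:00 -0500] "POST /contact HTTP/1.1" 500 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def escapes_doc_tree(path):
    """True if the request path, once URL-decoded, would climb above the document root.

    Decoding twice catches %252e-style double encoding; the query string is ignored.
    """
    decoded = unquote(unquote(path.split("?", 1)[0]))
    depth = 0
    for segment in decoded.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def review_log(text, error_threshold=3):
    """Summarise a log: noisy clients (>= threshold 4xx/5xx), traversal attempts, unparsed lines."""
    errors = defaultdict(int)
    traversals = []
    unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # a line that does not parse is itself worth a look
            continue
        if int(rec["status"]) >= 400:
            errors[rec["ip"]] += 1
        if escapes_doc_tree(rec["path"]):
            traversals.append((rec["ip"], rec["path"]))
    noisy = {ip: n for ip, n in errors.items() if n >= error_threshold}
    return {"noisy_clients": noisy, "traversal_attempts": traversals, "unparsed": unparsed}


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    for ip, n in report["noisy_clients"].items():
        print(f"client {ip}: {n} error responses")
    for ip, path in report["traversal_attempts"]:
        print(f"client {ip}: path leaves document tree: {path}")
    print(f"unparsed lines: {report['unparsed']}")
```

On the sample data the report names one client with five error responses and two requests that decode to paths above the document root. The threshold of three is arbitrary; the useful part is that the script is small enough to run from cron against yesterday's log and mail the result, which is all "monitor logs regularly" asks for.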


November 17, 2008 - Posted by | Competitive Advantage, Continuous Improvement, Other Stuff, Security
