Everyone has their opinion as to what the best security practices are. At work, we have at least 20 booklets on network security specifying in detail how to secure our network from attack. I am not going to lie: the books are very good and the information in them is sound for our network implementation, but what we consider our best security practices may not work for someone else. Here are some of my best practices.
1. K.I.S.S. (Keep It Stupid Simple): complexity is the gateway to security vulnerabilities. It is much easier to find problems in 500 lines of code than in 5000. The more complex a system becomes, the more difficult it becomes to identify security problems in it. Oh yeah, that feature is great; it will be used by exactly two people out of 1000, it is also super complex and has 20 vulnerabilities in it; quick, kill it with a spoon, dear brother!
2. Users will find the easiest way to do something, like putting their complex password on sticky notes in their desk drawers. So make security practices so easy for them that the secure method is also the easiest one. Issue smart cards for network logons and install a program like KeePass to manage their passwords securely.
3. Train your users! Show them the GDP of Nigeria and remind them that they have no long lost uncles that live there who recently died and left them with 200 million dollars. Show them what to look for in email attachments, and inform them of network security policies and their repercussions.
4. Review your logs, people! I have seen this too often: a fancy network security system was installed and the system admin only looks at the logs when there is a problem, only to find that the network has been hacked for weeks. Take one hour out of your day once or twice a week to look at the logs. Catch the problems before they start; it will make your boss happy.
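To make point 4 concrete, here is an added example (my own illustration, not code from the original post) of the kind of check that a weekly log review should include. It runs over a handful of constructed sshd-style auth log lines (the hostnames and IP addresses are made up) and flags two things: a source address that keeps failing to log in, and, worse, a source address that eventually succeeds after a run of failures.

```python
"""
Added example (not from the original post): a small log-review script that
flags password-guessing patterns in constructed sshd-style auth log lines.
Every log line, hostname and IP address below is made up for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log lines in the classic syslog/sshd format (not real data).
SAMPLE_LOG = """\
Mar 10 08:01:12 fileserver sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 08:01:15 fileserver sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 08:01:19 fileserver sshd[2233]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 10 08:01:23 fileserver sshd[2235]: Failed password for root from 203.0.113.45 port 51034 ssh2
Mar 10 08:01:27 fileserver sshd[2237]: Failed password for root from 203.0.113.45 port 51038 ssh2
Mar 10 08:01:31 fileserver sshd[2239]: Accepted password for root from 203.0.113.45 port 51042 ssh2
Mar 10 08:05:02 fileserver sshd[2250]: Accepted publickey for jsmith from 192.0.2.10 port 40001 ssh2
Mar 10 08:06:40 fileserver sshd[2252]: Failed password for jsmith from 192.0.2.10 port 40010 ssh2
Mar 10 08:06:48 fileserver sshd[2254]: Accepted password for jsmith from 192.0.2.10 port 40012 ssh2
"""

# Captures the outcome ("Failed" / "Accepted"), the username and the source IP.
# "invalid user " is optional so both real and unknown accounts are matched.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_lines(text):
    """Yield (outcome, user, ip) for each line the regex understands."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("outcome"), m.group("user"), m.group("ip")


def review_logs(text, failure_threshold=5):
    """
    Return a dict of findings keyed by source IP.

    Two things a log review should catch:
      * many failed logins from one address (password guessing), and
      * a success from an address that had already failed repeatedly,
        which deserves an immediate follow-up rather than a note for later.
    """
    failures = defaultdict(int)
    findings = {}
    for outcome, user, ip in parse_auth_lines(text):
        if outcome == "Failed":
            failures[ip] += 1
            if failures[ip] >= failure_threshold:
                findings.setdefault(ip, {})["brute_force"] = failures[ip]
        elif outcome == "Accepted" and failures[ip] >= failure_threshold:
            findings.setdefault(ip, {})["success_after_failures"] = user
    return findings


if __name__ == "__main__":
    for ip, detail in review_logs(SAMPLE_LOG).items():
        print(ip, detail)
```

Running it on the sample lines reports 203.0.113.45 for both patterns, while the single mistyped password from 192.0.2.10 stays below the threshold and is ignored. The threshold is deliberately a parameter: what counts as "too many" depends on how noisy your own network is, which is exactly why someone has to look at the output regularly rather than only when something is already broken.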
I could come up with fifty of these things but you get the point.