security policy

[Metgod]

Okay folks..

I was working on something, and this is what I came of.. it's not really a step by step 'guide' or anything of the such. In fact, it's just a bunch of ideas jotted down. I think it's a good start to getting into security.. it just goes over things, requirements, suggestions.. etc

I'd much appreciate comments..
so let me attach it here..

[Zerored]

Good stuff Metty. Good stuff.

[godaigo]

Nice.

[wilnix]

Two things I noticed were of importance to me while reading through the text. In the encryption section, it talks about storing credit card information. It is my own personal firm belief that the storage of credit card information (encrytped or not) is a bad idea. There is no physical reason to store a credit card number when you can handle a transaction in realtime and discard the sensitive data immidiately after a successful transaction. I think even some of the larger companies who offer the user a chance to store their credit card info are seriously pushing the lines as to how "secure" their system is. There are such things as "BAD ADMINS" who would have the ability to do some serious damage with that much user info.

Also, the part on firewall protection shows the absolute need for one, but to have a complete firewall system is to have not one, but at least 2 DIFFERENT firewalls and the necessity to use ACLs on the routers connected around them. This keeps the chance of an intrusion down due to any new exploits out on one box compared to the other.

Other then that, I thought the text was a pretty good checklist.

Wilnix

[godaigo]

I thought that this was a nice "getting started" checklist. As far as firewalls go, like the checklist says, a hardware firewall is a must. But would everyone here recommend going with a DMZ type of configuration, or is there some other config. that's better or worse. I read an article in Linux (gasp) Journal about the DMZ config that sounded pretty interesting and I know that it's been mentioned at least once somewhere in the forum. Opinions?

[Uneek]

DMZ's in my opinion are a great idea anywhere as long as it's financially feasible. Sometimes however it may not be possible to implement due to circumstances beyond our control.

[Cobra]

In response to Wilnix's arguements about the storage of Credit Card details.

Alot of e-commerce companys such as Amazon will store your credit card details for a number of reasons. The main one is so the user can log back in at any time and order products without re-entering his/her credit card details. Meaning they can do it from anywhere, at anytime, without worrying about weither or not they have there Visa with them. It makes for great useability and if secured correctly there should be no danger of customers credit card details being compramised.

And as for that little GASP by godaido after reading the Linux Journal.. I have alot of system on my network, ranging from a variety of Windows platforms, to BSD, LInux Distros out ther arse, and Solaris.. And I am telling everyone right now.. Quit the fucking shit With linux.. You fucking dildo's.. You bitched about Windows long enough, Now your bitching about linux.. if you don't fucking like it, don't use it. Further more.. If you think you can do better with the linux OS.. IT IS OPEN SOURCE!! .. Do something with it!.. If you think you can improve it, stop bitching about it and do it.

Aye Aye Aye Aye Aye!!.. Okay i am finished on my soap box..  Wasn't having ago at ya godaigo, just everyone in general that bitches every day about how shitty Linux is.

Bleh!.

[Uneek]

Cobby needs a hug or some shit...  

And Cobby... you're wrong about linux! It sux ass... which is why I use nothing but DR-DOS...

I always say, use what you like in order to get the job done. But there's nothing wrong with voicing one's preferences as long as you can give good reasons for it...

[Cobra]

Very true Uneek, I have no problem whatsoever of someone voicing there opinions. But i have yet to see someone with a good reason.

They just bitch about it being shit and then have nothing to back it up.

So that is why I am bitching .. With no apologies.

[wilnix]

If Amazon.com gets ripped by its own admin or by some hacker looking to score bigtime, they will recover from the loss. Nobody in this forum could afford it...

The bottom line in security is that we WILL fail, and we WILL be the hated.

Amazon.com and all the other large companies are in the same boat along these lines. Just like aids doesn't care what race, age, sex, etc...

So, once again, if you don't NEED to hold credit card info, DONT. Sitting in court is NOT fun, especially when your ass is on the line.

Wilnix

[Cobra]

Okay, I do agree with, "If there is no main functioning reason to hold the credit card details then why do it?"

I was however debating the point of the larger e-commerce sites that do store credit card details for user friendlyness.

[godaigo]

I haven't been able to check the forum for a while, but I guess that I probably should have been clearer, I was just making a joke with the (gasp) I actually like and use linux, but it was a little play on the BSD discussion from a while ago. I've never had any problems with it and lets face the facts it's quite a bit easier to jump into Linux for your average no nothing user (me a little while ago) then it is to jump into BSD. Anyway though, I'm not writing this because I was offended or anything, just thought I should clarify my position (hmmm, maybe an emoticon next time....   ) Cheers....

[Metgod]

I had thought I replied to everyone's reply to my little checklist. But looking at this thread, I obviously did not. So I will now..

The gasp about linux (I know you were not offended or anything, godaigo)... I truthfully believe that if it works for you, then you should use it. It's that simple. It is true that I am biased towards *BSD, Solaris, etc. But that doesn't mean others can't use Linux. Anyhow, I've been much more tolerant and I will admit that it could be worse and there are some good things in Linux too. As far as reasons for me preferring unix over linux.. well, that's for another discussion. Though, I will say that there is a site (can't think of the url) about how linux sucks.. but anyhow.. forget me talking about linux.


About firewalls.. Yeah, I agree that a good firewall system MUST have 2 or more firewalls with different rulesets, and ACLs are also a good point you made. It's just more protection. Simple as that. And truth is -- with different rulesets, you can make things much more complex. And in this case.. complex = more secure, I'd say. Well it could be less but don't think so in a lot of cases.

For credit card stuff..

I actually agree with both Will and Cobby. It is true that companies store it for convenience, but.. is convenience worth the losses (even if only cancelling charges and getting new cards) one can encounter when trusting someone *ELSE* with their credit card information ?

I really don't think it's worth it. And personally, even though there are neat things one could buy over the Internet (including stuff I collect), I wouldn't [1]. And let's not forget that a lot of the time the information is breached not by the actual transaction. No, it's that the information is stored on a PUBLIC (i.e., connected to the Internet; hell, even on a network connected to the Internet) machine. When that machine (or any machine that can access the goat machine) is compromised, guess what the intruder will find ? Customer information.. End of story.

Does anyone remember any of the times that someone intruded upon some company's network and posted all the credit card information they found... on index.html ? Quite scary. Bad enough when it's only one person.. imagine thousands of people's credit card information posted. Scary. What is really shocking too, is that how the public seem to think they've seen it all, and know it all.. but they really don't. I remember I was talking to my step mom (I think around this time last year) and I was talking about how credit cards should not be given over cables and wires. She wouldn't even let me finish. She just said she's seen it all. I know she doesn't even realize how much more is possible.

No network is secure enough to do that I would say. Like Will said, too, it's not just the outside.. it's the inside as well. Thus it is by no means secure enough. Ever.

[1] Okay, so though there are neat stuff on the Internet, I really do not believe it's secure enough (above). But it is also in my opinion that there are less secure ways of giving info. Cordless phones are so easily invaded it's scary. A five year old could solve a crime if his folks had a scanner. He could just be playing with it and  hear something and remember.

Hell, while I don't remember this, something happened when I was a child (5 years old or less). We were moving and my mom put a hammer in some chest (I think) just because it works fine to do so. (Weeks or months ?) later, my mom or dad was looking for the hammer and could not find it. But you know what.. I was there when they put it in the chest. I went right over to the chest, opened it and my folks had it back. Same applies to scanners. What would  happen if the kid happened to hear a convo and then somehow was indirectly involved.. even if their folks were just dicussing it.. the kid could just reveal it without a second thought. I do believe similar things have happened because a kid overheard or saw something. If a kid can.. what makes anyone think an adult cant' ? I sure as hell don't. Truth is.. cordless phones aren't secure. Hell, even phones with cords could be breached.


Anyhow, thanks for replying folks.. I think this was posted around the time I got VERY sick from a med.. horrible GI problems (uh, which I already had so made things worse).
Which was also the time I wasn't posting much of anything for quite a few months...

Met