My Response to "Sparky's List"

• Deploy defense-in-depth
Please tell me what defense-in-depth is and how you implement it. It's a lot like saying a good way to be secure is to be secure.

• Use a strict information security policy
Easier said than implemented, but overall I agree.

• Have regular audits of your security by an outside firm
Good advice.

• Use IDS or IPS
Why wouldn't you?

• Teach your staff about information security
Security awareness is one of the most important things a security team can implement. Very few companies invest the resources needed in this area.

• Teach your staff about social engineering
See above.

• Keep your software and hardware up to date
This is a great tip. Patched software and hardware stops a ton of hacks.

• Watch security sites for news on computer security and learn what the new attacks are
Agreed. Also run the tools mentioned in the attacks against your own systems.

• Let your sysadmins go to defcon ;D
Why? How would spending limited training funds to send our sysadmins to defcon be smarter than sending them to a SANS class?

• Get good sysadmins who understand security
Also get unicorns who grant wishes. (It's easy to say, hard to find.)

• Encrypt your data (something like AES-256)
All of your data? While it's at rest? Always? Why?

• Use spam filters
Who doesn't?

• Keep an eye on what information you are letting out into the public domain
True. If the information isn't on the internet, it can't be leaked.

• Use good physical security. What good is all the [security] software if someone could just walk in and take [your "secure" systems]?
Not much? You are at a greater risk of attack from an online hack than from someone walking in and stealing your server, though.