What's an IT Security person's "perfect" setup?
Recently, I've been thinking about what would be an ideal "setup" for my position as an IT security person. I deal with a lot of sensitive information, both regarding people that I work with and about the systems that I'm responsible for securing.
By "setup" I mean the equipment that I use to do my job. For example, I have to print out patch level reports for the rest of the team so that they can "go forth and patch". The problem is that the traffic between my scanning machine and the printer is unencrypted. If someone were already in our system, they could potentially grab a nice, concise list of our vulnerabilities off the wire as my print job passes by. NOT GOOD. Stuff like that.
So here's an off-the-top-of-my-head start:
- Multiple OS Desktop(s)
There are numerous ways to accomplish this, ranging from one physical machine for each needed OS to a virtual machine for each OS. The general consensus is that you'll need an MS Windows instance and some UNIX or UNIX-like OS (Linux, *BSD, or Mac OS X) instance to get good coverage for the various tools of the trade.
- Backups
Since this desktop machine will contain sensitive material, its backups should be encrypted and, ideally, kept separate from the standard backup system.
- Decent network printer
This is a tricky one because most IT budgets don't have room for a nice (for n values of nice) printer dedicated to one person; printers are typically a shared resource. Most folks won't need color, so you can save by going with a black and white printer. However, it needs to be reasonably quick (say, 30 ppm), duplex capable (try not to kill a tree a day), reasonable in cost per page, and durable.
- Office space
A security person's workspace should ideally be a single-occupant office, with a restricted (ideally documented and access-logged) set of people who have access to the office. You can really get picky and require that janitorial staff be escorted by authorized individuals.
- Shredder, burn bin, or documentation destruction
Some form of documentation destruction should be employed, with the method dictated in some sense by the sensitivity of the information printed.
- Management Network
Ideally, this would be physically separate from your production network, and would involve not only dedicated network security devices (IDS sensors and servers, firewalls) but also network infrastructure devices (routers, switches, bridges). Budget and design restrictions may limit one's ability to truly achieve this, but the closer you can get, the better.
Issues to consider:
- Internet access for the desktop
You generally wouldn't want to allow Internet access out from the management network, but the security person will need Internet access to do research pertinent to his or her job.
I'll update this post as I think of more. Please post any ideas you might have in the comments, or email me at rfifarek at gmail.com.
Enjoy.