My Security Approaches

Security is vital, but you must not make life impossible, and you must not forget critical issues like performance, ease of use, etc. You can't just pull the internet cable to be secure: you must use the internet and you must be secure at the same time. My general security approaches are listed below. I will appreciate any comment; feel free to contact me at bulent.yucesoy@gmail.com.

1- Nothing is unbreakable, so put in place as many meaningful security precautions as you can.

What is meaningful? You must require complex passwords; it is meaningful because they are harder to break. If the password is complex enough, you may expire passwords each month. A monthly period is again meaningful.

What is meaningless? Not enforcing complex passwords while resetting them every week. Weekly resets make life unnecessarily harder, and allowing weak passwords keeps your insecure life going.

Why is nothing unbreakable? Can you just trust your firewalls and run your production workload on an insecure server behind them? What if the firewalls get attacked and bypassed? What about insider attackers who are already behind the firewalls? Don't think "I already have 5 precautions, so a 6th is not necessary." If there is a hole, fix it; don't ignore the holes. A precaution that closes a real hole can never be called unnecessary.

2- Take care about read-write-execute permissions. Read permission may seem innocent, but what if someone else can read private data and harm you with it? For example, program version numbers must not be exposed, because a known version reveals the vulnerabilities that version is known to have. The same applies to files that can be read.

3- Don't just ban the users! Security is not just banning! Don't feel strong because you banned something; it is funny. You can disallow some usages for security reasons; that is necessary and normal. But don't forget that you must provide an alternative, secure and user-friendly solution. You must not hide behind security and leave your users without any solution after cancelling an operation. You can't say "I only provide security, I don't know how they will work now, it is their problem."

4- Log everything, at every level of detail. Every scenario must be examinable clearly, and there must never be an identity problem: you must always be able to tell who did what. Logging is crucial for security. While logging, also take care that you don't log unnecessary company-sensitive data. The aim of logging and auditing is solving the identity problem at any stage; sensitive company data is not needed for that. It is also important who can read the logs, who can edit the logs, etc. Logs must not be tampered with! Date and time seem non-critical, but they are in fact very important in log analysis, to provide consistency and correlation between events.
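To make point 1 concrete, here is an added example (my own illustration, not code from the post) of a password check that combines a complexity rule with the monthly expiry the post describes. The minimum length of 12, the "3 of 4 character classes" rule, the 30-day maximum age and the small known-weak list are assumptions chosen for the example; the post only says "complex enough" and "each month".

```python
import re
from datetime import date, timedelta

# Assumed policy values for this example; the post gives only "complex" and "monthly".
MIN_LENGTH = 12
MIN_CLASSES = 3
MAX_AGE_DAYS = 30
# Constructed sample of known-weak passwords; a real deployment would use a large list.
KNOWN_WEAK = {"password", "welcome1", "qwerty123", "letmein"}

CHARACTER_CLASSES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def complexity_issues(password: str) -> list[str]:
    """Return the reasons a password fails the complexity rule (empty list = passes)."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, pattern in CHARACTER_CLASSES.items() if re.search(pattern, password)]
    if len(present) < MIN_CLASSES:
        issues.append(f"uses fewer than {MIN_CLASSES} of: " + ", ".join(CHARACTER_CLASSES))
    if password.lower() in KNOWN_WEAK:
        issues.append("appears in the known-weak list")
    return issues


def is_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation period."""
    return today - last_changed > timedelta(days=max_age_days)


def evaluate(password: str, last_changed: date, today: date) -> list[str]:
    """Combine both rules: a password is acceptable only if this returns an empty list."""
    issues = complexity_issues(password)
    if is_expired(last_changed, today):
        issues.append(f"older than {MAX_AGE_DAYS} days, rotation required")
    return issues


if __name__ == "__main__":
    print(evaluate("password", date(2024, 1, 1), date(2024, 1, 10)))
    print(evaluate("Correct-Horse-Battery-9", date(2024, 1, 1), date(2024, 2, 15)))
```

The point of returning a list of reasons rather than a bare boolean is that the user gets an actionable message (point 3 of the post: don't just ban), while the expiry rule only adds friction once the complexity rule is already enforced.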
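For point 2, here is an added example (not from the post) of a small POSIX permission audit: it walks a directory and reports every file whose mode bits let users outside the owner and group read, write or execute it, or that carries setuid/setgid. The sample tree it builds in a temporary directory, including the file names and modes, is constructed for the example; it assumes a POSIX filesystem where `os.chmod` and `st_mode` behave as on Linux.

```python
import os
import stat
import tempfile
from pathlib import Path


def permission_findings(path: Path) -> list[str]:
    """Describe which 'other' permission bits (and setuid/setgid) are set on one path."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IXOTH and not stat.S_ISDIR(mode):
        findings.append("world-executable")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid")
    return findings


def audit_tree(root: str) -> dict[str, list[str]]:
    """Map each path under root (relative) to its findings; paths with none are omitted."""
    results = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_symlink():
            continue  # report the target, not the link's own (meaningless) mode
        findings = permission_findings(p)
        if findings:
            results[str(p.relative_to(root))] = findings
    return results


def build_sample_tree(root: str) -> None:
    """Constructed sample files; names, contents and modes are assumptions for this example."""
    conf = Path(root) / "db.conf"
    conf.write_text("password=example-only\n")
    os.chmod(conf, 0o600)        # owner only: nothing to report
    version = Path(root) / "VERSION"
    version.write_text("app 1.2.3\n")
    os.chmod(version, 0o644)     # world-readable: leaks the version the post warns about
    script = Path(root) / "run.sh"
    script.write_text("#!/bin/sh\n")
    os.chmod(script, 0o777)      # anyone can modify and run it


def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return audit_tree(d)


if __name__ == "__main__":
    for path, findings in run_demo().items():
        print(f"{path}: {', '.join(findings)}")
```

The audit only looks at the "other" bits; group-readable files are a separate question that depends on who is in the group, so a real check would also compare the file's group against the set of accounts allowed to see it.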
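For point 4, here is an added example (my own, not the post's) of an audit log that covers the three properties the post asks for: every entry records who did what with a UTC timestamp so events can be correlated, sensitive fields are redacted before they are written, and entries are chained by SHA-256 so that editing or deleting an entry is detectable. The field names, the `SENSITIVE_KEYS` set and the sample events are assumptions constructed for the example.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# Assumed set of field names that must never reach the log.
SENSITIVE_KEYS = {"password", "card_number", "api_key"}
GENESIS = "0" * 64  # hash "before" the first entry


def redact(details: dict) -> dict:
    """Keep the keys (so the shape of the event is visible) but drop sensitive values."""
    return {k: ("[REDACTED]" if k in SENSITIVE_KEYS else v) for k, v in details.items()}


def _digest(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class HashChainedLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []
        self.prev_hash = GENESIS

    def append(self, actor: str, action: str, details: dict, when: datetime | None = None) -> dict:
        when = when or datetime.now(timezone.utc)
        record = {
            "ts": when.astimezone(timezone.utc).isoformat(),  # one time base for all hosts
            "actor": actor,        # the identity the post insists must never be in doubt
            "action": action,
            "details": redact(details),
            "prev": self.prev_hash,
        }
        record["hash"] = _digest(record)
        self.entries.append(record)
        self.prev_hash = record["hash"]
        return record


def verify(entries: list[dict]) -> int:
    """Return -1 if the chain is intact, else the index of the first broken entry."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def demo() -> dict:
    """Constructed sample events, then two tampering attempts on copies of the log."""
    log = HashChainedLog()
    t = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    log.append("alice", "login", {"ip": "10.0.0.5", "password": "example-only"}, t)
    log.append("alice", "read_file", {"path": "/srv/reports/q4.pdf"}, t.replace(second=5))
    log.append("bob", "delete_file", {"path": "/srv/reports/q4.pdf"}, t.replace(second=9))

    edited = copy.deepcopy(log.entries)
    edited[2]["actor"] = "alice"          # blame someone else for the deletion
    truncated = log.entries[:1] + log.entries[2:]  # remove the read_file entry

    return {
        "intact": verify(log.entries),
        "edited": verify(edited),
        "truncated": verify(truncated),
        "logged_password": log.entries[0]["details"]["password"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain only proves that nothing changed after the last hash you trust: an attacker who can rewrite the whole file can also recompute every hash. So the most recent hash has to be copied somewhere the log writer cannot modify (a separate host, a write-once store, or a signature with a key the log server does not hold), and the people who can read the logs should not be the same people who can write to that store.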