A collection of web-sites with web-security resources. The short version in no particular order: use encryption, use good passwords and don't re-use them, secure your email account, make sure you don't have malware on your computers, use open source products that are vetted and used by a large communities, install security updates, monitor your sites.
- Several Apache documentation sites state, that it is not possible to have several name-based virtual hosts with individual ssl certificates on one server. That information is outdated. A summary on how to configure apache can be found on: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-us.... There is no excuse not to encrypt authenticated sessions. And BTW - ssl certificates have become really cheap - I get mine through http://namecheap.com.
Open source password manager - available for many platforms: http://keepass.info
Article by Karoly Negyesi on practical security, that covers a number of non-drupal security aspects, like email, web-server, mobile device security: http://drupalwatchdog.com/2/2/practical-security
Drupal-focused security guide, with a focus on securing government sites, starting from how to setup your server, configure your lamp stack to Drupal specifics. It requires registration, but the 30 page pdf guide is well worth it: http://openconcept.ca/drupal-security-guide. Not ready to register? Here is an excerpt: http://openconcept.ca/blog/mgifford/principles-web-security
Web-application security consortium, runs a web-security mailing list: http://www.webappsec.org/