General Security Advice
CS5493(7493)
1. Dispel Your Pride
• Assume there is someone out there that is smarter, more knowledgeable, more capable, and with access to more resources than you. (because it’s true)
2. Security Through Obscurity?
• Don’t rely on obscurity as a security strategy.
– Someone will eventually discover your vulnerabilities.
– Address known vulnerabilities in a timely manner.
3. Disclose Vulnerabilities
• Does not imply posting known vulnerabilities on the internet or reporting them to the media.
• Disclosure protocol implies contacting the vendor, author, management, and users.
4. Security Degrades with Use
• The security of a computer system degrades in direct proportion to the amount of use the system receives. (Dan Farmer)
5. Create Realistic Policies
• Users will attempt to circumvent your best intentions.
• The administrator is better off providing for legitimate needs than encouraging workarounds that can create substantial and unknown risks.
6. Don’t Underestimate Deterrence
• Disclosure of security policy & practices is better than non-disclosure – it’s a matter of moral and ethical behavior.
• Disclosure of monitoring users will impact what many (not all) users do.
“Avoiding dishonesty is the beginning of wisdom.”
7. There is no Security Holy Grail
• You can’t make a system invulnerable and useful at the same time. So forget about it.
• Common Criteria EAL-7 certification does not guarantee a secure system.
8. Think Like The Enemy
• “Help-mate”: ask how you would compromise your own systems if you were the attacker.
9. Trust No One?
• Devise an accountability strategy for all important procedures.
10. SA (System Administrator) Mantra
• The computing system does not exist for the amusement of the SA.
• The computing system is a shared productivity tool that requires money, time, and resources to maintain – don’t treat it as your own.