General Security Advice CS5493(7493)


General Security Advice

CS5493(7493)


1. Dispel Your Pride

• Assume there is someone out there that is smarter, more knowledgeable, more capable, and with access to more resources than you. (because it’s true)


2. Security Through Obscurity?

• Don’t rely on obscurity as a security strategy.
– Someone will eventually discover your vulnerabilities.
– Address known vulnerabilities in a timely manner.
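As an added example (not from the slides), the script below puts the same admin feature behind an “unguessable” URL and behind a real session check, then shows what happens once the secret path leaks through a Referer header in a third party’s access log. The path, the tokens, the session store and the log line are all constructed for this illustration; the function names are assumptions.

```python
# Added example, not from the CS5493 slides: the same admin feature behind an
# "unguessable" URL versus behind authentication and authorization. All names,
# tokens, and the log line below are constructed for this illustration.
import hashlib
from urllib.parse import urlsplit

# Constructed: the "unguessable" admin path that the obscurity-based design relies on.
OBSCURE_ADMIN_PATH = "/mgmt-7c1e9b0d4aa2f0e1"


def _h(token: str) -> str:
    """Session store key: SHA-256 of the bearer token, so raw tokens are not kept."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed session store: one admin, one ordinary user.
SESSIONS = {
    _h("tok-alice"): {"user": "alice", "role": "admin"},
    _h("tok-bob"): {"user": "bob", "role": "user"},
}


def obscure_admin(path: str, headers: dict) -> tuple[int, str]:
    """Security through obscurity: knowing the path *is* the credential."""
    if path == OBSCURE_ADMIN_PATH:
        return 200, "admin panel"
    return 404, "not found"


def hardened_admin(path: str, headers: dict) -> tuple[int, str]:
    """Same feature at a public path, gated on a valid session with the admin role."""
    if path != "/admin":
        return 404, "not found"
    token = headers.get("Authorization", "")
    session = SESSIONS.get(_h(token)) if token else None
    if session is None:
        return 401, "authentication required"
    if session["role"] != "admin":
        return 403, "forbidden"
    return 200, "admin panel"


# Constructed log line from an unrelated third-party site: the browser sent the
# "secret" path as the Referer when an admin clicked an external link.
LEAKED_LOG_LINE = (
    '203.0.113.9 - - [04/Jan/2016:10:00:00 +0000] "GET /favicon.ico HTTP/1.1" 200 '
    '"https://intranet.example/mgmt-7c1e9b0d4aa2f0e1"'
)


def path_from_referer(log_line: str) -> str:
    """Pull the path out of the last quoted field (Referer) of a combined-format log line."""
    referer = log_line.split('"')[-2]
    return urlsplit(referer).path


def run_demo() -> dict:
    """Exercise both designs: an anonymous attacker with the leaked path, then real sessions."""
    leaked = path_from_referer(LEAKED_LOG_LINE)
    return {
        "leaked_path": leaked,
        # attacker who only knows the leaked path and holds no credential
        "obscure_attacker": obscure_admin(leaked, {}),
        "hardened_attacker": hardened_admin("/admin", {}),
        # authenticated non-admin and a genuine admin against the hardened design
        "hardened_user": hardened_admin("/admin", {"Authorization": "tok-bob"}),
        "hardened_admin": hardened_admin("/admin", {"Authorization": "tok-alice"}),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The obscure design has no second line of defence: one leaked log line, proxy cache or browser history entry is a full compromise. The hardened design can publish its path freely, and a leaked token is revocable by deleting one session entry.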


3. Disclose Vulnerabilities

• Disclosure does not mean posting known vulnerabilities on the internet or reporting them to the media.

• A disclosure protocol means contacting the vendor, the author, management, and the affected users.


4. Security Degrades with Use

• The security of a computer system degrades in direct proportion to the amount of use the system receives. (Dan Farmer)


5. Create Realistic Policies

• Users will attempt to circumvent your best intentions.

• The administrator is better off providing for legitimate needs than forcing users into workarounds that create substantial and unknown risks.


6. Don’t Underestimate Deterrence

• Disclosing security policy and practices is better than non-disclosure; it is a matter of moral and ethical behavior.

• Disclosing that users are monitored changes what many (not all) users do.

“Avoiding dishonesty is the beginning of wisdom.”


7. There is no Security Holy Grail

• You can’t make a system invulnerable and useful at the same time. So forget about it.

• Common Criteria EAL 7 does not guarantee a secure system: the evaluation level measures how rigorously the claimed security target was verified, not whether the deployed system is free of vulnerabilities.


8. Think Like The Enemy

• “Help-mate”: ask how you would compromise your own systems if you were the attacker.


9. Trust No One?

• Devise an accountability strategy for all important procedures.
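One concrete accountability strategy for an important procedure, added here as an example that is not part of the slides: every step is written to a hash-chained, append-only log, and a privileged action only executes after a second, different person approves it (a two-person rule). The class names, the `rotate-root-key` action and the actors alice and bob are constructed for this illustration.

```python
# Added example, not from the CS5493 slides: accountability for an "important
# procedure" via a hash-chained audit log plus a two-person approval rule.
# Names, the sample action and the actors are constructed for this illustration.
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(body: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, actor: str, event: str, detail: dict) -> str:
        """Append one entry chained to the previous one; returns its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "event": event,
                "detail": detail, "prev": prev}
        digest = _digest(body)
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that fails the chain, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("seq", "actor", "event", "detail", "prev")}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(body):
                return i
            prev = e["hash"]
        return None


class PrivilegedProcedure:
    """Two-person rule: the requester can never be the approver."""

    def __init__(self, log: AuditLog):
        self.log = log
        self.pending = {}  # request id -> {requester, action}

    def request(self, requester: str, action: str) -> str:
        req_id = self.log.append(requester, "request", {"action": action})
        self.pending[req_id] = {"requester": requester, "action": action}
        return req_id

    def approve(self, approver: str, req_id: str) -> bool:
        req = self.pending.get(req_id)
        if req is None:
            self.log.append(approver, "approve-denied",
                            {"req": req_id, "reason": "unknown or already executed"})
            return False
        if approver == req["requester"]:
            self.log.append(approver, "approve-denied",
                            {"req": req_id, "reason": "self-approval"})
            return False
        self.log.append(approver, "approve", {"req": req_id})
        self.log.append("system", "execute", {"req": req_id, "action": req["action"]})
        del self.pending[req_id]
        return True


def run_demo() -> dict:
    """Request, self-approval attempt, peer approval, then tamper with the log."""
    log = AuditLog()
    proc = PrivilegedProcedure(log)
    rid = proc.request("alice", "rotate-root-key")
    self_ok = proc.approve("alice", rid)     # denied: same person
    peer_ok = proc.approve("bob", rid)       # approved and executed
    intact = log.verify() is None
    log.entries[2]["actor"] = "alice"        # someone edits who approved
    return {"self_approved": self_ok, "peer_approved": peer_ok,
            "intact_before_tamper": intact, "first_bad_entry": log.verify()}


if __name__ == "__main__":
    print(run_demo())
```

The chain detects any edit to an earlier entry, but not deletion of the newest entries, so periodically ship the latest hash somewhere the administrators of this system cannot write (a separate log host, or a ticket in another team’s system). Accountability only works when the record is outside the control of the people it holds accountable.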


10. SA Mantra

• The computing system does not exist for the amusement of the SA (system administrator).

• The computing system is a shared productivity tool that requires money, time, and resources to maintain; don’t treat it as your own.