General Security Advice

CS5493(7493)

1. Dispel Your Pride

• Assume there is someone out there that is smarter, more knowledgeable, more capable, and with access to more resources than you. (because it’s true)

2. Security Through Obscurity?

• Don’t rely on obscurity as a security strategy.– Someone will eventually discover your

vulnerabilities– Timely address known vulnerabilities

3. Disclose Vulnerabilities

• Does not imply posting known vulnerabilities on the internet or reporting them to the media.

• Disclosure protocol implies contacting the vendor, author, management, and users.

4. Security Degrades with Use

• The security of a computer system degrades in direct proportion to the amount of use the system receives. (Dan Farmer)

5. Create Realistic Policies

• Users will attempt to circumvent your best intentions.

• The administrator would be better off providing for legitimate needs rather than encouraging workarounds that can create substantial and unknown risks

6. Don’t Underestimate Deterrence

• Disclosure of security policy & practices is better than non-disclosure – it’s a matter of moral and ethical behavior.

• Disclosure of monitoring users will impact what many (not all) users do.

“Avoiding dishonesty is the beginning of wisdom.”

7. There is no Security Holy Grail

• You can’t make a system invulnerable and useful at the same time. So forget about it.

• CC EAL-7 does not guarantee a secure system.

8. Think Like The Enemy

• “Help-mate” : Ask how to compromise your systems if you were the attacker.

9. Trust No One?

• Devise an accountability strategy for all important procedures.

10. SA Mantra

• The computing system does not exist for the amusement of the SA.

• The computing system is a shared productivity tool that requires money, time, and resources to maintain – don’t treat it as your own.