This chapter discusses critical laws of security, highlighting the limitations of client-side security and the ineffectiveness of traditional methods such as passwords and encryption. It emphasizes that security cannot be guaranteed by merely obscuring information or relying on new technologies. Key insights include the necessity of independent audits for secure systems, the fundamental roles of encryption keys, and the limitations of firewalls and antivirus programs against viruses and Trojans. The text argues for a proactive approach to security, focusing on validation and continuous updates.
CHAPTER 2 LAWS OF SECURITY
What Are the Laws of Security
• Client-side security doesn't work
• You can't exchange encryption keys without a shared piece of information
• Viruses and Trojans cannot be 100 percent protected against
• Firewalls cannot protect you 100 percent from attack
• Secret cryptographic algorithms are not secure
• If a key is not required, you don't have encryption; you have encoding
What Are the Laws of Security
• Passwords cannot be securely stored on the client unless there is another password to protect them
• In order for a system to begin to be considered secure, it must undergo an independent security audit
• Security through obscurity doesn't work
• People believe that something is more secure simply because it's new
• What can go wrong, will go wrong
Client-Side Security Doesn't Work
• Users control the client and have unlimited time and resources to modify it
• Whatever security the client enforces, a way to defeat it can be found
• Exceptions
  • Data can be encrypted
  • The user must key in a password
  • But this still depends on the user playing their part
  • It can't fully protect, but it at least makes tampering difficult and challenging
• Defense
  • Always validate data at the server
  • Treat all information received from the client as suspect
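The defense on this slide, validating at the server and treating client data as suspect, as an added example that is not part of the original slides. The price list, the order format and the limits (quantity 1 to 100) are assumptions made for the illustration; the point is that the server rebuilds the order from values it trusts and discards the price and total the client supplied.

```python
# Added example (not from the slides): server-side validation of an order
# submitted by an untrusted client. PRICE_LIST and the order shape are
# constructed for this illustration.

PRICE_LIST = {"book": 1200, "pen": 150}  # prices in cents, held on the server


class ValidationError(ValueError):
    """Raised when the client-supplied order cannot be trusted."""


def validate_order(order: dict) -> dict:
    """Return a normalised order built only from server-trusted values.

    Every field from the client is checked for type and range. The client's
    own "price" and "total" fields are ignored entirely: the server recomputes
    them, so editing the form or script in the browser changes nothing.
    """
    if not isinstance(order, dict):
        raise ValidationError("order must be an object")
    items = order.get("items")
    if not isinstance(items, list) or not items:
        raise ValidationError("items must be a non-empty list")

    total = 0
    clean_items = []
    for entry in items:
        if not isinstance(entry, dict):
            raise ValidationError("item must be an object")
        sku = entry.get("sku")
        qty = entry.get("qty")
        if sku not in PRICE_LIST:
            raise ValidationError(f"unknown sku: {sku!r}")
        # bool is a subclass of int in Python; reject it explicitly
        if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 100:
            raise ValidationError(f"bad quantity for {sku}: {qty!r}")
        line = PRICE_LIST[sku] * qty  # server-side price, not entry["price"]
        clean_items.append({"sku": sku, "qty": qty, "line_total": line})
        total += line
    return {"items": clean_items, "total": total}


if __name__ == "__main__":
    # A tampered request: the client claims the book costs 1 cent and the total is 2.
    tampered = {"items": [{"sku": "book", "qty": 2, "price": 1}], "total": 2}
    print(validate_order(tampered))  # total is 2400, computed from PRICE_LIST
```

A web framework's request parsing would sit in front of this function; what matters is that no value the client sent reaches the order without being re-derived or bounded here.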
You Can't Exchange Encryption Keys Without a Shared Piece of Information
• Encrypted communications: the party at a given IP address may be the attacker (hijacking)
• You need some information with which to verify the other end
• Man in the middle (MITM): make sure you are exchanging keys with the right party
• Exceptions
  • Secure Sockets Layer (SSL) is among the best implementations of mass-market crypto in terms of handling keys
Viruses and Trojans Cannot Be 100 Percent Protected Against
• Simple programs with particular characteristics
  • A virus replicates and requires another program to attach itself to
  • A Trojan is a program designed to do something you don't want
• Antivirus programs use signature files to recognize known viruses
• Exceptions
  • Prevention is better than not caring
• Defense
  • Install an antivirus program and an Intrusion Detection System (IDS)
Firewalls Cannot Protect You 100 Percent From Attack
• Useful devices that can protect a network from certain types of attack and provide some useful logging
• There are a few levels of protection for Web access
• The simplest is port filtering
  • Configure the router to allow inside hosts to reach any machine on the Internet at TCP port 80
  • Allow replies from port 80 back to the inside
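The port-filtering rule on this slide, as an added example that is not code from the original: a stateless rule set that lets inside hosts out to TCP port 80 and lets "replies from port 80" back in, beside a stateful filter that only admits inbound packets belonging to a connection an inside host opened. The packet model and the sample packets are constructed for the illustration; the comparison shows what the simplest level of protection cannot tell apart.

```python
# Added example (not from the slides): stateless port filtering versus a
# connection-tracking filter. Packet fields and samples are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str     # "out" = leaving the inside network, "in" = entering it
    proto: str
    inside_port: int   # port on the inside host
    outside_port: int  # port on the Internet host
    syn: bool
    ack: bool


def port_filter_allows(pkt: Packet) -> bool:
    """The slide's rule set: inside -> anywhere:80, and anything 'from port 80' back in."""
    if pkt.proto != "tcp":
        return False
    if pkt.direction == "out" and pkt.outside_port == 80:
        return True
    # Stateless: any inbound packet whose remote port is 80 looks like a reply.
    if pkt.direction == "in" and pkt.outside_port == 80:
        return True
    return False


class StatefulFilter:
    """Remembers which connections inside hosts opened; inbound traffic is
    allowed only as part of one of those, and never as a fresh SYN."""

    def __init__(self) -> None:
        self.table: set[tuple[int, int]] = set()  # (inside_port, outside_port)

    def allows(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return False
        key = (pkt.inside_port, pkt.outside_port)
        if pkt.direction == "out" and pkt.outside_port == 80:
            if pkt.syn and not pkt.ack:
                self.table.add(key)  # inside host is opening a connection
            return key in self.table
        if pkt.direction == "in":
            return key in self.table and not (pkt.syn and not pkt.ack)
        return False


SAMPLE = [  # constructed packets
    Packet("out", "tcp", 40000, 80, True, False),  # inside host opens a web connection
    Packet("in", "tcp", 40000, 80, True, True),    # the server's SYN/ACK reply
    Packet("in", "tcp", 22, 80, True, False),      # unsolicited SYN to port 22, remote port 80
    Packet("in", "tcp", 22, 4444, True, False),    # unsolicited SYN from some other port
]


def evaluate(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    stateful = StatefulFilter()
    return [(port_filter_allows(p), stateful.allows(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(pkt.direction, pkt.inside_port, pkt.outside_port, "stateless/stateful:", verdict)
```

The third packet is the one that matters: the stateless rule admits it because the remote port is 80, although no inside host asked for anything; the stateful filter has no matching entry and drops it. Logging the dropped packets is the "useful logging" the slide mentions.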
Firewalls Cannot Protect You 100 Percent From Attack
• A more careful firewall understands the HTTP protocol
  • Allows legitimate HTTP sites
  • Strips out Java, JavaScript and ActiveX
• Firewall vendors wait for a new attack before fixing it, so they are always behind
Firewalls Cannot Protect You 100 Percent From Attack
• Attacks on firewalls
  • Social engineering, e-mail
  • Attacking exposed servers
    • Web and mail servers are placed on the DMZ (demilitarized zone)
  • Attacking the firewall directly
    • Not properly maintained
    • Needs patching when new information is published
  • Client-side holes
    • AOL Instant Messenger, MSN Chat, ICQ, IRC, Telnet and FTP clients
Firewalls Cannot Protect You 100 Percent From Attack
• Exceptions
  • Use an IDS (Intrusion Detection System) that cooperates with the firewall to spot suspicious traffic
  • Much like an antivirus signature database, it watches for known bad patterns, checks compliance against written standards and flags deviations
  • It can be passive, so the attacker can't detect it
  • Collect information, then patch
  • New research becomes valuable in a shorter time
• Defense
  • Keep up to date with new patches
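Signature matching, the mechanism both the antivirus slide and this IDS slide rely on, as an added example that is not code from the original. It checks constructed sample payloads against an exact-hash signature and a byte-pattern signature with a wildcard, the way a signature database watches for known bad patterns. The sample payloads, the marker string and the signature names are all constructed for the illustration; the third sample, which matches neither signature, is the case the law is about.

```python
# Added example (not from the slides): hash-based and pattern-based signature
# matching over constructed payloads. No real malware is involved; the marker
# string stands in for a malicious code sequence.
import hashlib
import re

KNOWN = b"MZ\x90\x00 CONSTRUCTED-SAMPLE-v1 payload=0x41414141 ; build 1"
VARIANT_A = b"MZ\x90\x00 CONSTRUCTED-SAMPLE-v1 payload=0x43434343 ; build 2"
VARIANT_B = b"MZ\x90\x00 C0NSTRUCTED-S4MPLE-v1 payload=0x42424242 ; build 3"

# Exact signature: the hash of a sample that has already been analysed.
HASH_SIGNATURES = {hashlib.sha256(KNOWN).hexdigest(): "Sample.v1"}

# Pattern signature: fixed bytes plus a wildcard for the part that varies.
PATTERN_SIGNATURES = {
    "Sample.v1.pattern": re.compile(rb"CONSTRUCTED-SAMPLE-v1 payload=0x[0-9A-F]{8}"),
}


def scan(blob: bytes) -> list[str]:
    """Return the names of every signature the blob matches (empty = unknown)."""
    hits = []
    digest = hashlib.sha256(blob).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(blob):
            hits.append(name)
    return hits


def scan_all() -> dict[str, list[str]]:
    """Scan the three constructed samples and report what each one triggers."""
    return {
        "known": scan(KNOWN),
        "variant_a": scan(VARIANT_A),
        "variant_b": scan(VARIANT_B),
    }


if __name__ == "__main__":
    for label, hits in scan_all().items():
        print(f"{label}: {hits or 'no signature matched'}")
```

The exact hash only ever catches the one sample it was taken from; the pattern survives a changed payload value but not a rewritten marker. Whatever is added to the database is, by construction, something already seen, which is why the slides pair signatures with patching and with an IDS that also flags deviations from a written standard.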
Secret Cryptographic Algorithms Are Not Secure
• It is theoretically possible that a privately, secretly developed cryptographic algorithm could be secure, but in practice assuming so is wrong
• The best algorithms are learned from mistakes: let others try to break it, and only when they can't can it perhaps be called secure
• The U.S. government is looking for a new standard cryptographic algorithm to replace DES, called the Advanced Encryption Standard (AES)
• To create a good one you need to know all possible attacks, current and future
If a Key Isn't Required, You Don't Have Encryption, You Have Encoding
• Encryption is a scheme for communicating in something like a secret language, so it needs to stay secret
• Encryption needs a key (keys, passwords); without the key it is of no use
• Both parties must know the key
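The distinction on this slide, as an added example that is not code from the original: Base64 "scrambles" data but anyone can reverse it with no key, while a keyed scheme cannot be reversed without the key and rejects the wrong one. The cipher here is a toy construction (a SHA-256-derived keystream XORed with the data, plus an HMAC tag) written only to make the point visible; it is an assumption of the example, not a recommendation, and real systems should use a vetted authenticated cipher.

```python
# Added example (not from the slides): encoding versus keyed encryption.
# The keyed scheme is a teaching construction, not a production cipher.
import base64
import hashlib
import hmac
import os


def encode(data: bytes) -> bytes:
    return base64.b64encode(data)


def decode(blob: bytes) -> bytes:
    # No key is involved: anyone who sees the blob can recover the data.
    return base64.b64decode(blob)


def _derive(key: bytes, purpose: bytes) -> bytes:
    """Separate keys for the keystream and the tag, derived from one secret."""
    return hashlib.sha256(purpose + b":" + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. A fresh nonce keeps the keystream unique."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; the wrong key (or a tampered blob) is refused."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    secret = b"account balance: 1000"
    print("decoded without any key:", decode(encode(secret)))
    blob = encrypt(b"correct key", secret)
    print("decrypted with the key:", decrypt(b"correct key", blob))
    try:
        decrypt(b"wrong key", blob)
    except ValueError as err:
        print("decrypt with wrong key:", err)
```

The test of whether something is encryption is the second half: take the key away and see whether the data can still be recovered. For Base64, and for any fixed transformation without a secret parameter, it can.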
Passwords Cannot Be Securely Stored on the Client Unless There Is Another Password to Protect Them
• Programs in a client-server relationship that store some form of the password on the client machine
• Knowing which e-mail program is in use, an attacker can steal the file(s) in which it stores the password
• Turn off any features that allow for local storage
In Order for a System to Begin to Be Considered Secure, It Must Undergo an Independent Security Audit
• Test the security programs and review the code to find bugs and holes, then fix them
• Have standard guidelines and criteria, such as the Trusted Computer System Evaluation Criteria (TCSEC)
• Give employees training and time to contribute to security reviews
Security Through Obscurity Doesn't Work
• The idea that something is secure simply because it is not obvious, not advertised, or presumed to be uninteresting
• Example: a new Web server that has not even been registered yet will still be found by people through port scanning
• Through port scans, attackers are looking for particular vulnerabilities
People Believe That Something Is More Secure Simply Because It's New
• People are almost always willing to believe, and even assume, that something is more secure when it is newer; this is wrong
• Example: when Windows NT was first launched nobody knew its holes, but a short time later people had already found the bugs
• Defense
  • New means untested: give all new software and hardware time and a fair evaluation before putting it into production
What Can Go Wrong, Will Go Wrong
• It is difficult to design a system that is hacker resistant
• It is better to think like a hacker: find one hole in the system, then concentrate on solving it
• It is easier to break than to build
• Defense
  • Have a good recovery plan