Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.

Published byCandice Carmella Randall Modified over 9 years ago

Similar presentations

Presentation on theme: "1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption."— Presentation transcript:

1 1 CHAPTER 2 LAWS OF SECURITY

2 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption keys without a shared piece of information You can’t exchange encryption keys without a shared piece of information Viruses and Trojans cannot be 100 percent protected against Viruses and Trojans cannot be 100 percent protected against Firewalls cannot protect you 100 percent from attack Firewalls cannot protect you 100 percent from attack Secret cryptographic algorithms are not secure Secret cryptographic algorithms are not secure If a key is not required, you don’t have encryption; you have encoding If a key is not required, you don’t have encryption; you have encoding

3 3 What Are the Laws of Security Passwords cannot be securely stored on the client unless there is another password to protect them Passwords cannot be securely stored on the client unless there is another password to protect them In order for a system to begin to be considered secure, it must undergo an independent security audit In order for a system to begin to be considered secure, it must undergo an independent security audit Security through obscurity doesn’t work Security through obscurity doesn’t work People believe that something is more secure simply because it’s new People believe that something is more secure simply because it’s new What can go wrong, will go wrong What can go wrong, will go wrong

4 4 Client side Security Doesn’t Work Users can do modification by using unlimited resources and time Users can do modification by using unlimited resources and time What ever security, can find a way to defeat What ever security, can find a way to defeat Exceptions Exceptions –Data can be encrypt (encryption) –User need to key-in password –But need the user to play role –Can’t protect but at least make it difficult and challenging Defense Defense –Always validate data at server –Treat the information received as suspect

5 5 You Can’t Exchange Encryption Keys Without a Shared Piece of Information Encrypted communications Encrypted communications IP address (hijack) maybe the attacker IP address (hijack) maybe the attacker Information to verify another end Information to verify another end Man in the middle (MITM), make sure exchange keys the right party Man in the middle (MITM), make sure exchange keys the right party Exceptions Exceptions –Secure Sockets Layer (SSL) the best implementations of mass-market crypto in terms of handling keys

6 6 Viruses and Trojans Cannot Be 100 Percent Protected Against Simple program that have particular characteristic Simple program that have particular characteristic Replicate and require other program to attach to (virus) Replicate and require other program to attach to (virus) Trojans programs that design to do something that you don’t want Trojans programs that design to do something that you don’t want Signature files in antivirus program to recognize the virus Signature files in antivirus program to recognize the virus Exceptions Exceptions –Prevent better than don’t care Defense Defense –Install antivirus program, Intrusion Detection System (IDS)

7 7 Firewalls Cannot Protect You 100 Percent From Attack Useful devices that can protect a network from certain types of attacks and provide some useful logging Useful devices that can protect a network from certain types of attacks and provide some useful logging Few levels of protection for Web access Few levels of protection for Web access The simplest one, port filtering The simplest one, port filtering Configure router to allow inside hosts to reach any machine on the internet at TCP port 80 Configure router to allow inside hosts to reach any machine on the internet at TCP port 80 Send reply to inside from port 80 Send reply to inside from port 80

8 8 Firewalls Cannot Protect You 100 Percent From Attack More careful firewall understand HTTP protocol More careful firewall understand HTTP protocol Allow legal HTTP site Allow legal HTTP site Strip out Java, Javascript and ActiveX Strip out Java, Javascript and ActiveX Firewall vendor wait new attack before fix it and always be behind Firewall vendor wait new attack before fix it and always be behind

9 9 Firewalls Cannot Protect You 100 Percent From Attack Attack firewalls Attack firewalls –Social Engineering, e-mail –Attacking Exposed Server »DMZ (demilitarized zone), web & mail servers are placed on –Attacking the firewall directly »Not properly maintain »Need to patch when new info published –Client Side Holes »AOL Instant Messenger, MSN Chat, ICQ, IRC, Telnet and FTP clients

10 10 Firewalls Cannot Protect You 100 Percent From Attack Exceptions Exceptions –Use IDS (Intrusion Detection System), cooperate with firewall to spot suspicious traffic –Almost like antivirus signature database to watch known bad patterns, check compliance against written standards & flag deviations –Can be passive the attacker can’t detect –Collecting info then patch it –New research valuable in shorter time Defense Defense –Keep up-to-date with new patches

11 11 Secret Cryptographic Algorithms Are Not Secure Theoretically possible privately, secretly developed cryptographic algorithm could be secure (wrong) Theoretically possible privately, secretly developed cryptographic algorithm could be secure (wrong) The best is learned from mistake, let others to break until can’t, maybe can say it secure The best is learned from mistake, let others to break until can’t, maybe can say it secure U.S government looking for new standard cryptographic algorithm to replace DES, called Advanced Encryption Standard (AES) U.S government looking for new standard cryptographic algorithm to replace DES, called Advanced Encryption Standard (AES) To create good one need to know all possible attacks, current and future To create good one need to know all possible attacks, current and future

12 12 If a Key Isn’t Required, You Don’t Have Encryption, You Have Encoding Encryption is a scheme to communicate such as secret language so need to be secret Encryption is a scheme to communicate such as secret language so need to be secret Encryption need a key (keys, password), if don’t have key than no use Encryption need a key (keys, password), if don’t have key than no use Both parties must know the key Both parties must know the key

13 13 Passwords Cannot Be Securely Stored on the Client Unless There is Another Password to Protect Them Programs that store some form of the password on the client machine in a client- server relationship Programs that store some form of the password on the client machine in a client- server relationship Can stole file(s) that store the password by knowing email programs that used Can stole file(s) that store the password by knowing email programs that used Turn off any features that allow for local storage Turn off any features that allow for local storage

14 14 In Order for a System to Begin to be Considered Secure, It Must Undergo an Independent Security Audit Do testing on security programs and review the coding to find bugs and holes then fix it Do testing on security programs and review the coding to find bugs and holes then fix it Have a standard guidelines & criteria, Trusted Computer System Evaluation Criteria (TCSEC) Have a standard guidelines & criteria, Trusted Computer System Evaluation Criteria (TCSEC) Give employees training & time to contribute to do security reviews Give employees training & time to contribute to do security reviews

15 15 Security Through Obscurity Doesn’t Work Idea that something is secure simple because it is not obvious, advertised or presumed to be uninteresting Idea that something is secure simple because it is not obvious, advertised or presumed to be uninteresting Example new Web server even not been registered but people will know through port scanning Example new Web server even not been registered but people will know through port scanning Through port scans attackers are looking for particular vulnerabilities Through port scans attackers are looking for particular vulnerabilities

16 16 People Believe That Something Is More Secure Simply Because It’s New People almost always are willing to believe, and even assume something more secure when it is newer, it’s wrong People almost always are willing to believe, and even assume something more secure when it is newer, it’s wrong Example WindowsNT for first time it being launched nobody know the holes but a few time later people already found the bugs Example WindowsNT for first time it being launched nobody know the holes but a few time later people already found the bugs Defense Defense –New means untested, give all new software & hardware time and fair evaluation before putting production

17 17 What Can Go Wrong, Will Go Wrong Difficult to design a system that is hacker resistant Difficult to design a system that is hacker resistant Better to be a hacker find one hole in the system then concentrate to solve it Better to be a hacker find one hole in the system then concentrate to solve it It is easier to break than to build It is easier to break than to build Defense Defense –Need to have a good recovery plan

18 18 End Of Chapter 2

Download ppt "1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption."

Similar presentations

Computer Security II Lecturer – Lynn Ackler – Office – CSC 222 – Office Hours 9:00 – 10:00 M,W Course – CS 457 – CS 557.

Computer Security II Lecturer – Lynn Ackler – Office – CSC 222 – Office Hours 9:00 – 10:00 M,W Course – CS 457 – CS 557.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
How (not) to use your firewall Jurjen N.E. Bos Information Security Consultant.

How (not) to use your firewall Jurjen N.E. Bos Information Security Consultant.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Definition : Computer Virus A computer program with the characteristic feature of being able to generate copies of itself, and thereby spread. Additionally.

Definition : Computer Virus A computer program with the characteristic feature of being able to generate copies of itself, and thereby spread. Additionally.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Similar presentations

Ads by Google