CHAPTER 2
Laws of Security
Introduction
Laws of security enable the user to make a judgment about the security of a system.
Some of the “laws” are not really laws, but rather behaviors that happen so often that they can be regarded as laws.
First Law: Client-Side Security Doesn’t Work
What is client-side? The computer that the user (or attacker) has control over.
What is client-side security? Some sort of mechanism that is being enforced solely on the client.
Reason: It is not possible to keep software secure from the person sitting in front of the computer.
First Law: Exceptions
Disk encryption – the product must require the user to enter a password for decryption when the machine is booted.
Problems:
1. It doesn’t stop the user from being deprived of the data.
2. It doesn’t stop the hardware from being replaced.
3. It doesn’t stop the information from being erased if the attacker wants to format the hard drive.
First Law: Defense
1. Always validate data at the server in a client-server system.
2. Treat the information received as suspect.
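As an added illustration of this defense (example code, not from the chapter): a checkout request where the browser also sends a unit price. The server treats every client field as suspect, uses only the item name and quantity after checking them, and recomputes the total from its own catalog. The catalog, price limits and requests are constructed for the example.

```python
from dataclasses import dataclass

# Constructed server-side catalog (prices in cents): the only trusted source of prices.
CATALOG = {"widget": 1999, "gadget": 4999}
MAX_QTY = 100


@dataclass
class Order:
    item: str
    quantity: int
    total_cents: int


def validate_order(request: dict) -> Order:
    """Validate a client-submitted order entirely on the server.

    Anything the client sent (including a 'price' field it may have edited in
    the browser) is suspect; only 'item' and 'quantity' are used, and both are
    checked against server-side rules before the total is computed.
    """
    item = request.get("item")
    if not isinstance(item, str) or item not in CATALOG:
        raise ValueError("unknown item")
    qty = request.get("quantity")
    # Reject bools (a subclass of int), floats, strings, zero and negatives.
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise ValueError("invalid quantity")
    # The client-supplied price, if present, is deliberately ignored.
    return Order(item=item, quantity=qty, total_cents=CATALOG[item] * qty)


def client_side_only(request: dict) -> int:
    """The anti-pattern: trusting the price and total the browser computed."""
    return request["quantity"] * request["price"]


def is_rejected(request: dict) -> bool:
    """True if the server-side check refuses the request."""
    try:
        validate_order(request)
        return False
    except ValueError:
        return True


# Constructed requests: an honest one, and one whose price was edited in the browser.
HONEST = {"item": "widget", "quantity": 2, "price": 1999}
TAMPERED = {"item": "widget", "quantity": 2, "price": 1}
```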
Second Law: Users Can’t Exchange Encryption Keys without a Shared Piece of Information
Real-life scenario: a telemarketer begins to tell us about product X. We would like to purchase the product, and the telemarketer needs our credit card number. To verify the caller, we need some extra information. But how do we establish trust?
Encryption scenario: how do we know which computer we exchanged keys with? It might be the right person, or it might be an attacker.
Second Law: Reasons
It is difficult to make sure we are exchanging keys with the right party and not falling victim to a man-in-the-middle (MITM) attack.
Exceptions
Using SSL (Secure Sockets Layer) – the user provides nothing to go to a secure Web page. It is not really an exception, because it still needs “the root certificate’s public key” as the shared piece of information.
Defense
We must have good key management.
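To show why the shared piece of information matters, here is an added example (not from the chapter) using a toy Diffie-Hellman exchange with constructed, deliberately tiny parameters. Without any shared information, a public value substituted on the path is accepted and the two sides silently derive different keys; binding each public value to an out-of-band shared secret with an HMAC lets the receiver reject the substituted value. The group, the shared secret and the function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group: far too small for real use, chosen only so the
# arithmetic stays readable. Real deployments use standardized large groups.
P = 2**61 - 1  # a Mersenne prime
G = 5
SHARED_INFO = b"constructed-out-of-band-secret"  # e.g. a fingerprint compared by phone


def keypair() -> tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(8, "big")).digest()


def tag_public_value(pub: int, shared_info: bytes) -> bytes:
    """Bind a public value to the shared information with an HMAC."""
    return hmac.new(shared_info, pub.to_bytes(8, "big"), hashlib.sha256).digest()


def accept_unauthenticated(pub: int) -> bool:
    """With no shared information, any well-formed value looks like the real one."""
    return 0 < pub < P


def accept_authenticated(pub: int, tag: bytes, shared_info: bytes) -> bool:
    return hmac.compare_digest(tag, tag_public_value(pub, shared_info))


def exchange(substituted: bool, authenticated: bool) -> tuple[bool, bool]:
    """Alice sends her public value to Bob. Returns (bob_accepted, keys_agree).

    If `substituted`, the value Bob receives was replaced on the path by a third
    party's own public value (the man-in-the-middle case from the slide).
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _, other_pub = keypair()
    received = other_pub if substituted else a_pub
    tag = tag_public_value(a_pub, SHARED_INFO)  # computed by Alice over her genuine value
    if authenticated:
        accepted = accept_authenticated(received, tag, SHARED_INFO)
    else:
        accepted = accept_unauthenticated(received)
    if not accepted:
        return False, False
    # Bob keys from whatever he accepted; Alice keys from Bob's genuine value.
    return True, shared_key(b_priv, received) == shared_key(a_priv, b_pub)
```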
Third Law: Viruses and Trojans Cannot Be 100 Percent Protected Against
Reasons
1. If even a slight change is made to the virus code, the antivirus software won’t be able to spot it any longer.
2. The most recent sets of viruses propagate much more quickly. They can spread via any method – web pages, e-mail and downloads.
Third Law: Exceptions
Modifying our behavior. How?
1. We have to install software only from a trusted vendor.
2. We must never exchange information with anyone when using a network.
3. Our computer would have to be physically secure.
Third Law: Defense
1. Employ the standard antivirus tools at a minimum.
2. Make sure we know how to configure the mail server, firewalls or IDS (Intrusion Detection System).
Fourth Law: Firewalls Cannot Protect 100 Percent from Attack
Reasons
1. There are so many threats – malicious employees, physical security, modems and infected floppies.
2. Firewalls are designed to permit some types of traffic while denying others.
3. What is permitted or denied should reflect a written security policy that exists in the organization.
Fourth Law: Exceptions
No exceptions; we can only defend.
Defense
Using an IDS – designed to spot bad traffic through several mechanisms:
1. Match against known bad patterns.
2. Check for compliance against written standards.
3. Profile normal traffic and flag traffic that varies from it.
An IDS is also key in collecting information about new attacks.
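The three IDS mechanisms listed above, as an added example (not from the chapter) run over a handful of constructed connection-log lines: a signature match against a known bad pattern, a compliance check against a written standard expressed as permitted services, and a simple traffic profile that flags a source whose volume departs from the others. The log format, signatures, allowed services and threshold are assumptions for the example.

```python
import re
import statistics
from collections import Counter

# Constructed connection-log lines: "<src_ip> <dst_port> <proto> <request>".
LOG_LINES = [
    "10.0.0.5 443 tcp GET /index.html",
    "10.0.0.5 443 tcp GET /about.html",
    "10.0.0.5 443 tcp GET /search?q=' OR 1=1 --",
    "10.0.0.7 443 tcp GET /login",
    "10.0.0.7 443 tcp POST /login user=alice",
    "10.0.0.9 23 tcp login:",
] + [f"10.0.0.11 443 tcp GET /page{i}" for i in range(12)]

# Mechanism 1: known bad patterns (signatures).
SIGNATURES = {
    "sql-injection-probe": re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./\.\./"),
}
# Mechanism 2: the written standard, expressed as the only permitted (port, proto) pairs.
ALLOWED_SERVICES = {(80, "tcp"), (443, "tcp"), (53, "udp")}
# Mechanism 3: a source is anomalous when its volume exceeds this multiple of the median.
ANOMALY_FACTOR = 3

LINE_RE = re.compile(r"^(\S+) (\d+) (tcp|udp) (.*)$")


def analyze(lines: list[str]) -> dict[str, list[str]]:
    """Apply all three IDS mechanisms; return alerts grouped by mechanism."""
    alerts = {"signature": [], "policy": [], "anomaly": []}
    per_source = Counter()
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            alerts["policy"].append(f"line {n}: unparseable record")
            continue
        src, port, proto, request = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        per_source[src] += 1
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts["signature"].append(f"line {n}: {src} matched {name}")
        if (port, proto) not in ALLOWED_SERVICES:
            alerts["policy"].append(f"line {n}: {src} used non-standard service {port}/{proto}")
    # Profile normal traffic: compare each source against the median source volume.
    if per_source:
        threshold = ANOMALY_FACTOR * statistics.median(per_source.values())
        for src, count in sorted(per_source.items()):
            if count > threshold:
                alerts["anomaly"].append(f"{src}: {count} connections exceeds threshold {threshold:g}")
    return alerts
```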
Fifth Law: In Order for a System to Be Secure, It Must Undergo an Independent Security Audit
Reason
Most programmers only do functional testing, not security testing.
Functional testing – ensures that users will be able to use the product without complaining.
Security testing – a much more in-depth analysis, including checking the source code.
Fifth Law
One of the most secure operating systems is OpenBSD. For a couple of years, the OpenBSD team has done independent auditing:
1. Audit the source code for bugs and fix them.
2. Fix any bugs found, whether security related or not.
3. Search all source code to see whether that type of bug had been made anywhere else.
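Step 3 of that process, as an added example (not OpenBSD's own tooling): after one instance of a bug class is fixed, the whole tree is searched for further instances of the same pattern. The miniature source tree and the bug class (unbounded C string copy or format into a buffer) are constructed for the example.

```python
import re

# Constructed miniature source tree: path -> contents. The bug just fixed in net/parse.c
# was an unbounded strcpy into a fixed buffer; step 3 asks where else the pattern occurs.
SOURCE_TREE = {
    "net/parse.c": "char buf[64];\nstrlcpy(buf, name, sizeof(buf)); /* fixed */\n",
    "net/reply.c": "char host[128];\nstrcpy(host, input);\nsprintf(host, \"%s\", other);\n",
    "util/log.c": "snprintf(line, sizeof(line), \"%s\", msg);\nstrcat(line, suffix);\n",
    "README": "strcpy is mentioned here in prose only\n",
}

# Bug class: copy/format functions with no length bound (classic overflow sources).
UNBOUNDED_COPY = re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\(")
C_SOURCE = re.compile(r"\.(c|h)$")


def find_variants(tree: dict[str, str], pattern: re.Pattern = UNBOUNDED_COPY) -> list[tuple[str, int, str]]:
    """Return (path, line_no, line) for every C source line matching the bug class."""
    hits: list[tuple[str, int, str]] = []
    for path in sorted(tree):
        if not C_SOURCE.search(path):  # prose and data files are not audited
            continue
        for n, line in enumerate(tree[path].splitlines(), 1):
            if pattern.search(line):
                hits.append((path, n, line.strip()))
    return hits
```

The word boundary in the pattern keeps the already-fixed strlcpy and the bounded snprintf out of the report.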
Fifth Law: Exceptions
Using NSA rules – software that has been rated A1 for designing secure computer systems, especially operating systems.
Defense
1. Use purchasing dollars to encourage vendors to do better work.
2. Give training to employees so they can contribute security reviews for the system.
End of Chapter 2
Thank You