CHAPTER 2

1. CHAPTER 2 LAWS OF SECURITY

2. What Are the Laws of Security • Client side security doesn’t work • You can’t exchange encryption keys without a shared piece of information • Viruses and Trojans cannot be 100 percent protected against • Firewalls cannot protect you 100 percent from attack • Secret cryptographic algorithms are not secure • If a key is not required, you don’t have encryption; you have encoding

3. What Are the Laws of Security • Passwords cannot be securely stored on the client unless there is another password to protect them • In order for a system to begin to be considered secure, it must undergo an independent security audit • Security through obscurity doesn’t work • People believe that something is more secure simply because it’s new • What can go wrong, will go wrong

4. Client side Security Doesn’t Work • Users can do modification by using unlimited resources and time • What ever security, can find a way to defeat • Exceptions • Data can be encrypt (encryption) • User need to key-in password • But need the user to play role • Can’t protect but at least make it difficult and challenging • Defense • Always validate data at server • Treat the information received as suspect

5. You Can’t Exchange Encryption Keys Without a Shared Piece of Information • Encrypted communications • IP address (hijack) maybe the attacker • Information to verify another end • Man in the middle (MITM), make sure exchange keys the right party • Exceptions • Secure Sockets Layer (SSL) the best implementations of mass-market crypto in terms of handling keys

6. Viruses and Trojans Cannot Be 100 Percent Protected Against • Simple program that have particular characteristic • Replicate and require other program to attach to (virus) • Trojans programs that design to do something that you don’t want • Signature files in antivirus program to recognize the virus • Exceptions • Prevent better than don’t care • Defense • Install antivirus program, Intrusion Detection System (IDS)

7. Firewalls Cannot Protect You 100 Percent From Attack • Useful devices that can protect a network from certain types of attacks and provide some useful logging • Few levels of protection for Web access • The simplest one, port filtering • Configure router to allow inside hosts to reach any machine on the internet at TCP port 80 • Send reply to inside from port 80

8. Firewalls Cannot Protect You 100 Percent From Attack • More careful firewall understand HTTP protocol • Allow legal HTTP site • Strip out Java, Javascript and ActiveX • Firewall vendor wait new attack before fix it and always be behind

9. Firewalls Cannot Protect You 100 Percent From Attack • Attack firewalls • Social Engineering, e-mail • Attacking Exposed Server • DMZ (demilitarized zone), web & mail servers are placed on • Attacking the firewall directly • Not properly maintain • Need to patch when new info published • Client Side Holes • AOL Instant Messenger, MSN Chat, ICQ, IRC, Telnet and FTP clients

10. Firewalls Cannot Protect You 100 Percent From Attack • Exceptions • Use IDS (Intrusion Detection System), cooperate with firewall to spot suspicious traffic • Almost like antivirus signature database to watch known bad patterns, check compliance against written standards & flag deviations • Can be passive the attacker can’t detect • Collecting info then patch it • New research valuable in shorter time • Defense • Keep up-to-date with new patches

11. Secret Cryptographic Algorithms Are Not Secure • Theoretically possible privately, secretly developed cryptographic algorithm could be secure (wrong) • The best is learned from mistake, let others to break until can’t, maybe can say it secure • U.S government looking for new standard cryptographic algorithm to replace DES, called Advanced Encryption Standard (AES) • To create good one need to know all possible attacks, current and future

12. If a Key Isn’t Required, You Don’t Have Encryption, You Have Encoding • Encryption is a scheme to communicate such as secret language so need to be secret • Encryption need a key (keys, password), if don’t have key than no use • Both parties must know the key

13. Passwords Cannot Be Securely Stored on the Client Unless There is Another Password to Protect Them • Programs that store some form of the password on the client machine in a client-server relationship • Can stole file(s) that store the password by knowing email programs that used • Turn off any features that allow for local storage

14. In Order for a System to Begin to be Considered Secure, It Must Undergo an Independent Security Audit • Do testing on security programs and review the coding to find bugs and holes then fix it • Have a standard guidelines & criteria, Trusted Computer System Evaluation Criteria (TCSEC) • Give employees training & time to contribute to do security reviews

15. Security Through Obscurity Doesn’t Work • Idea that something is secure simple because it is not obvious, advertised or presumed to be uninteresting • Example new Web server even not been registered but people will know through port scanning • Through port scans attackers are looking for particular vulnerabilities

16. People Believe That Something Is More Secure Simply Because It’s New • People almost always are willing to believe, and even assume something more secure when it is newer, it’s wrong • Example WindowsNT for first time it being launched nobody know the holes but a few time later people already found the bugs • Defense • New means untested, give all new software & hardware time and fair evaluation before putting production

17. What Can Go Wrong, Will Go Wrong • Difficult to design a system that is hacker resistant • Better to be a hacker find one hole in the system then concentrate to solve it • It is easier to break than to build • Defense • Need to have a good recovery plan

18. End Of Chapter 2