General Security Advice
CS5493 (7493)

1. Dispel Your Pride
• Assume there is someone out there who is smarter, more knowledgeable, more capable, and has access to more resources than you. (Because it’s true.)

2. Security Through Obscurity?
• Don’t rely on obscurity as a security strategy.
– Someone will eventually discover your vulnerabilities.
– Address known vulnerabilities in a timely manner.

3. Disclose Vulnerabilities
• Disclosure does not mean posting known vulnerabilities on the internet or reporting them to the media.
• A disclosure protocol means contacting the vendor, author, management, and users.

4. Security Degrades with Use
• The security of a computer system degrades in direct proportion to the amount of use the system receives. (Dan Farmer)

5. Create Realistic Policies
• Users will attempt to circumvent your best intentions.
• The administrator is better off providing for legitimate needs than encouraging workarounds that can create substantial and unknown risks.

6. Don’t Underestimate Deterrence
• Disclosure of security policy and practices is better than non-disclosure – it’s a matter of moral and ethical behavior.
• Disclosing that users are monitored will change what many (not all) users do.
“Avoiding dishonesty is the beginning of wisdom.”

7. There Is No Security Holy Grail
• You can’t make a system invulnerable and useful at the same time, so forget about it.
• Common Criteria EAL7 certification does not guarantee a secure system.

8. Think Like the Enemy
• “Help-mate”: ask how you would compromise your own systems if you were the attacker.

9. Trust No One?
• Devise an accountability strategy for all important procedures.

10. SA Mantra
• The computing system does not exist for the amusement of the system administrator (SA).
• The computing system is a shared productivity tool that requires money, time, and resources to maintain – don’t treat it as your own.