Practical security steps

Friday, 3 October 2003, 4:39 PM EST

Peter takes on the very practical task of describing practical security steps that don't require lots of time, effort, or money. They are steps that, if taken broadly, would make the world of computing a safer place.

Imagine that we live in the Middle Ages. There is chaos beyond our castle wall. We are going to design the castle using the same methods that are employed today in computer security: First we put up a strong door, but make the walls out of paper. We dig a moat, but leave it empty and easy to cross. We put up sentries, but too few, and we ignore what they are telling us. Next we take all of the valuables, put them behind the strong door, show the villains where they are, and put our weakest guards around the goods. A pass is necessary to get through the door, but it can easily be forged and allows access to the entire castle. We also send secrets to our citizens and allies, with some being encrypted strongly, others weakly, and still others not at all.

How long would such a castle stand? How long would the valuables be protected if the door were opened when anyone with a forged pass was allowed through? The point, of course, is that such a design is ridiculous, and yet we have computer facilities built exactly like this facilities have firewalls but frequently no other form of security. External routers frequently have no access control lists, leaving a clear path from the outside to the firewall. Even when other layers are added, such as IDS, the results are useless due to too many alarms, alarms about security breaches that already happened, or ignored log files due to a lack of staffing. We lack security policies for our sites, and we don't do periodic audits and penetration tests to see whether the policies are implemented.

[ Read more ]


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th