1 Computer Security Fundamentals Paul Weinstein Waubonsie Consulting <[email protected]> November 15, 2002
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
Computer SecurityFundamentals
Paul Weinstein
Waubonsie Consulting
November 15, 2002
2
Introduction
• who i am
• what i plan to say
– personal experience• pitfalls
• planning
• resources
• questions
3
“Persons attempting to find amotive in this narrative will beprosecuted;persons attempting tofind a moral will be banished;
persons attempting to find a plotwill be shot.”
Notice
- Preface for The Adventures of Huck Finn By Mark Twain
4
Pitfalls
5
Pitfalls: Security Through Obscurity
• home network:
6
Pitfalls: Security Through Obscurity
Outside Connection Attempts to Firewall, October 14-15 2002, 752 Total Requests
70%12%
6%6%
6%port 137 (netbios) port 1433 (ms-sql)port 80 (http) port 445 (smb)(ftp, smtp, ssh, other)
7
Pitfalls: Have No Fear, I Don’t Use
Microsoft
“The long BSD tradition of cautiousdevelopment, extensive peer review,and thorough testing makes them someof the most reliable software everdeveloped. In fact, as far as anyoneknows, only one worm has ever beendeveloped that attacked any of the
BSDs.”
- Source: “The BSDs: Sophisticated, Powerful, and (Mostly) Free”<http://www.extremetech.com/print_article/0,3998,a=31573,00.asp>
8
Pitfalls: Have No Fear, I Don’t Use
Microsoft
“since June … Microsoft, of Redmond, Wash., hasreleased six patches … for Windows XP Pro. However,the list of patches included in the new Service Pack
1 for XP Pro shows 30 security-related fixes,including several that were never publicized or
issued separately.”
However, in the same time frame, “Red Hat Inc., ofRaleigh, N.C., for example, has issued fixes for 35
security problems in its Red Hat Linux 7.3.”
- Source: “Open Source: A False Sense of Security?”<http://www.eweek.com/article2/0,3959,579097,00.asp>
9
Pitfalls:What’s Wrong with This Picture?
• home office:
10
Creating a Plan
11
Creating a Plan:Creating a Policy
• what is this system for?• who will be using thissystem?
• what network services areneeded?
• how do these services work?• how can i secure these neededservices?
12
Creating a Plan:Creating a Policy
• discovering a vulnerability
• find the fix, workaround
• applying fix, workaround
13
Creating a Plan:Eternal Vigilance
• being the bad guy, enforceyour policy– known vulnerability + slow onapplying fixes = troubles
14
Resources
15
Resources
• cert– http://www.cert.org
•vulnerability– cause & effect
•fixes– vendor patches, upgrades
• cve– http://cve.mitre.org/
•vulnerability dictionary
16
Resources
• commercial vendor– red hat <-> microsoft
– i.e. know you vendor
• open source community– users, developers
– mailing lists, web sites
17
Resources
Cuckoo’s Egg: Trackinga Spy Through the Mazeof Computer Espionage
By Cliff Stoll
ISBN No. 0743411463
18
Resources
Secrets and Lies:Digital Security in a
Networked World
By Bruce Schneier
ISBN No. 0471253111
19
Resources
The Code Book: TheScience of Secrecy from
Ancient Egypt toQuantum Cryptography
by Simon Singh
ISBN No. 0385495323
20
Additional Resources:This Presentation
• http://www.weinstein.org/work/presentations/oshca/computer_security/
• http://www.weinstein.org/work/presentations/oshca/computer_security.pdf
• small plug:– upcoming book, Professional Apache Security,Wrox Press
– whitepaper, Apache and OpenSSL– consulting, Waubonsie Consulting,http://www.waubonsie.com,<[email protected]>
21
What I Said
• pitfalls– security through obscurity– its not just microsoft– access, remote & physical
• planning– create a policy– stick with it
• resources– cert, http://www.cert.org– cve, http://www.cve.mitre.org/– commercial vendor– open source community– books
22
Questions
Related Documents
