* 14 *

Site security and the future

Fact of the week

In the final analysis, every issue of security (rather than technology) boils down to a question of whom or what to trust.

Chapter 9,13,14 Gollmann

We have spent a considerable amount of time discussing the meaning of security concepts which we did not have time to amplify on in the system administration course. Let us now try to collect the sum of this knowledge into some kind of checklist for securing a site or enterprise.

Zones of security clearance

The first thing to decide is the nature of the organization we are trying to protect. Many companies, like banks or large cooperate empires require many levels of security. Information is provided on a need to know basis. There might be physical security checkpoints and logical security checkpoints.

The enemy within...

Remember that most major hacking and net crime cases have been carried out by insiders. There is a balance to be struck between trusting workers and checking their behaviour. If we are too lax, someone will try it on. If we are too strict, we will generate bad feelings and encourage staff to turn against the organization.

Insecure operating systems

These have no memory protection or file protection. They are trivially infected with viruses. The only thing one can do with these is to place them behind a firewall and cross your fingers. You can try to drill users to avoid making the worst mistakes with such machines, but probably you will not be able to make them understand or listen.
Insecure operating systems which are used for important work should never be attached to a public network, or be available to unauthorized persons.
It is difficult to trust an operating system which is wide open to attack, both from the console and from the network.

Analysis and checklist

The future of security

Who knows what the future will be bring? The need for security has always existed. What we have seen in this course is that computer security is nothing very special. It is the application of a few basic security principles to the computer arena. It is only the technological climate which focuses attention on specific issues.

The security problem will never be solved because it all has to do with trust. If you understand one thing from this course, it should be this: every security problem has its roots in trust. We can use technology to move trust from place to place, but we can never avoid the final judgement. Why should we bother with security? If you don't know yet......

What specific things can we expect?

If nothing else, an attention to security now will optimize the security issue later. New technology will make actual attacks difficult, but trickery is what human intelligence was invented for. Until the machines are smarter than we are, there will be no end to deception.

The future of security is you!
Go and spread good practices by setting a good example.

Thoughts for the course

Are you your own worst enemy when it comes to security? What are your bad habits? Where do you place your trust?