Laws of Security
Category: English version

As business on the Internet grows, network security is becoming an ever more debated topic. Microsoft has published an interesting article, "Ten Immutable Laws of Security". I will try to supplement it a little and look at some of the issues from the other side.
To begin, a brief explanation of what security is. According to V. Zaplatinsky's book "The Language of the Science of Safety", safety is the state of a complex system in which the effect of external and internal factors does not lead to deterioration or failure of its operation and development. What factors can affect information security (whether of an enterprise or of an individual with a home computer)? What, specifically, must be protected? The object of protection is information (essentially a set of zeros and ones). This information can be stolen (for various purposes) or altered (which includes being corrupted).
In general, security is divided into three categories: software, hardware and organizational. If any one of these categories has no protection, there is no protection at all. Those who believe they have nothing worth stealing should remember that anything that can be stolen can also be altered or simply destroyed. Imagine an enterprise whose accounting database disappears completely: that is equivalent to a serious fire, and often ends in the liquidation of the company.
So, let us start with the axiom of security. It goes like this: "If information is transmitted between two sources, there is necessarily a third point from which this information can be taken or replaced." Is everything really so bad, can anything be stolen and spoiled? Yes, indeed, anything can be stolen and spoiled, but it is not all that bad. Information security is defined by the cost of breaking in. If, for example, your company is worth 1,000,000 rubles and the cost of breaking into it is 900,000 rubles, then of course nobody will bother to break in; anyone who wants it will simply buy it. Or if your home computer contains nothing useful and the cost of breaking into it is 10,000 rubles, hardly anyone will go after it. But this figure, the required cost of breaking in, must be assessed properly. An example of how a break-in can be carried out, and how much it might cost, can be read in this article.
Let us consider the laws of security that Microsoft released in more detail.
Law 1. If you run an attacker's program on your computer, it is no longer your computer.
On the one hand, everything written here is accurate. But it does not mean that you simply cannot run anything. A service such as UAC in Windows Vista helps control what gets run. In fact, Windows Vista is quite well protected by default: it is very difficult for an application without administrative rights to "take over" your computer. As soon as an application needs administrative privileges to do harm, you and only you choose whether to click "Yes" or enter the administrator password in the UAC window. The law's own text gives a very good example involving a sandwich. There is no need to download programs from unknown sources. And when you run a program and it asks for administrative rights, you should think twice about whether you need such a program at all. Incidentally, to comply with this law many companies configure policies so that only pre-approved applications can run, and if an application that had not previously requested administrative rights suddenly triggers a UAC warning, the administrator should respond immediately by refusing and begin investigating (the user, by definition, should not have the administrator password).
Law 2. If an attacker can make changes to the operating system of your computer, it is no longer your computer.
That is true. But by what means can an attacker make changes? In fact, only if you have failed to observe the other laws. On the other hand, there are services that should be treated with caution even when all the laws are observed. For example, there is a service such as NAP (Network Access Protection). A service running on the computer can do anything with it, but in practice this is only possible through the System Health Agents or the NAP Enforcement Clients. Yet to install these components on the computer, the other laws would have to be violated. That is, on the one hand the NAP service carries additional mechanisms through which security can be broken; on the other hand, if the service is introduced in a secure environment, the problem should not arise. And if you look at what NAP does, in an unprotected environment it is simply not needed. Moreover, in this same service, despite the full exposure of the components running on the client machine, information to and from the server is transmitted securely. Many services can be examined in the same way. Therefore, from Law 2 I draw the following conclusion: services that are not needed must be switched off (they are additional opportunities for a malicious user to make changes to your computer).
Law 3. If a malicious user has unrestricted physical access to your computer, it is no longer your computer.
This law fully repeats the beginning of the article: if there is no organizational component, there is no protection. If anyone off the street can get to a computer, the cost of breaking in drops sharply. On the other hand, there are mobile users, and there are situations where a computer really does sit in an easily accessible place. Reading the wording of the law carefully, you can see the words "unrestricted physical access"; the keyword is unrestricted. So if we restrict it, we can raise the cost of breaking in. Access can be restricted by the following measures. The most substantive (especially for laptops) is using the Encrypting File System, including for the startup disk (that possibility appeared with Windows Vista). Admittedly, this may also require additional hardware (and the combination of the three categories, software, hardware and organizational, is not repealed for any single law). Another effective method is monitoring the switching-off of the PC. Indeed, most methods of breaking in through physical access are impossible without interrupting the hardware. This requires the organizational ability to respond rapidly when a computer is switched off (or restarted), plus additional hardware and software solutions (including a chassis-intrusion switch or a motion sensor).
Law 4. If an attacker was able to upload an application to your Web site, it is no longer your Web site.
In fact, I would have removed this law. A Web site is also a computer, and the law fully repeats Law 1. But perhaps this point is important enough that Microsoft issued it as a separate item. As a recommendation: it is better to host all Web sites yourself rather than with an "unknown", albeit "very reliable", provider. Only then can at least some security be guaranteed.
Law 5. Weak passwords make any security system useless.
That is true. Every password should follow the "3 of 4" rule (where the 4 are the four character classes: lowercase letters, uppercase letters, digits and special characters) and be at least 8 characters long. Also, a password may be known to only one person: the owner of the login. (In some companies even the administrators keep separate lists of all passwords, and these lists "lie around" in a "very safe" place, for example on a flash drive ... which is easy to lose.) And on the other hand, if your password on "Pupkin's" web server coincides with your password for Exchange (OWA), then at minimum that same "Pupkin" already knows your password. Because passwords are very difficult to remember, and many accumulate over time, you can use special programs, for example RoboForm, to store passwords in encrypted form.
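The "3 of 4" rule and the minimum length above can be enforced mechanically at the point where a password is set, and the "known only to the owner" requirement means the system itself should never keep the password, only a salted hash. The following is an added example, not code from the original article: the class names, the treatment of every non-alphanumeric character as "special", and the PBKDF2 parameters are my own assumptions.

```python
"""Password policy check ("3 of 4", length >= 8) plus hashed storage.

Added example, not from the original article. Assumptions: a password
passes if it is at least MIN_LENGTH characters long and contains
characters from at least MIN_CLASSES of the four classes (lowercase,
uppercase, digit, special); "special" is any character that is not a
letter or digit. The verifier stores only a salted PBKDF2-HMAC-SHA256
hash, so no list of plaintext passwords ever exists on the server side.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 8
MIN_CLASSES = 3
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Punctuation, symbols and spaces all count as "special".
            classes.add("special")
    return classes


def policy_violations(password: str) -> list:
    """List the rules a candidate password breaks; empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"length {len(password)} < {MIN_LENGTH}")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        present = ", ".join(sorted(classes)) or "none"
        violations.append(f"only {len(classes)} of 4 character classes ({present})")
    return violations


def is_acceptable(password: str) -> bool:
    """True when the password satisfies both the length and the 3-of-4 rule."""
    return not policy_violations(password)


def hash_for_storage(password: str) -> dict:
    """Produce the only record the server keeps: salt, iteration count and hash."""
    if not is_acceptable(password):
        raise ValueError("; ".join(policy_violations(password)))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    for candidate in ("password", "Pa$1", "Password1", "P@ssw0rd"):
        print(candidate, "->", policy_violations(candidate) or "ok")
```

Because the server holds only the salted hash, even an administrator with full access to the database cannot read the password, which is exactly the property the article asks for when it says only the owner of the login may know it.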
Law 6. The security of a computer depends directly on the trustworthiness of its administrator.
That is true. It is also true that there should be very few administrators, each with their own responsibilities and access. The most flagrant violation is when the head of the company or division chiefs have administrative rights. Also, the administrator must be "limited" within the organization. That is, there should be a separate person, an observer (this may well be a chief at any level), who has the right to see and observe all changes, but only to see (no right to change). The administrator of a given area has the right to make any change in that area (for example, the database administrator), but organizationally he cannot change anything on his own initiative. For example, a person is hired and needs to be entered into the system. How does it usually happen? (I think you know.) How should it happen? The personnel department should fill out a special form for the new hire. This form is passed to the worker's supervisor, who specifies (ticks the options) which services (such as e-mail and Internet) the worker should have access to. Only on the basis of this form (it may be electronic or paper) does the administrator create the account in the system. Similarly, locking the user's account on dismissal should take place very quickly and automatically (locking rather than removal: removal is also a security problem).
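The onboarding and offboarding procedure just described can be expressed as an access-control model in which the administrator may act only on a form that HR has filed and the supervisor has approved, the observer gets a read-only view, and dismissal disables the account instead of deleting it. The code below is an added example and not the article's or any product's code; the role names, form fields, service catalogue and audit-log wording are my own assumptions.

```python
"""Separation-of-duties model for account provisioning.

Added example, not from the original article. Assumptions: HR files an
AccessRequest, the supervisor ticks the services and approves it, and only
then may the administrator create the account. Offboarding disables the
account rather than deleting it, so its history remains visible to the
read-only observer and the username cannot be silently re-created.
"""
from dataclasses import dataclass, field

# Assumed catalogue of services a supervisor may tick on the form.
SERVICES = {"email", "internet", "database"}


@dataclass
class AccessRequest:
    """The form for a new hire: filled by HR, approved by the supervisor."""
    username: str
    filed_by_hr: bool = False
    supervisor_approved: bool = False
    approved_services: set = field(default_factory=set)


@dataclass
class Account:
    username: str
    services: set
    enabled: bool = True
    history: list = field(default_factory=list)


class Directory:
    """Holds accounts; every change is recorded for the observer role."""

    def __init__(self):
        self.accounts = {}
        self.audit = []

    def create_account(self, request: AccessRequest, admin: str) -> Account:
        # The administrator acts only on a complete, approved form.
        if not request.filed_by_hr or not request.supervisor_approved:
            raise PermissionError("no approved form from HR and supervisor")
        # A disabled account still occupies its name: no silent re-creation.
        if request.username in self.accounts:
            raise ValueError(f"account {request.username!r} already exists")
        unknown = request.approved_services - SERVICES
        if unknown:
            raise ValueError(f"unknown services on form: {sorted(unknown)}")
        account = Account(request.username, set(request.approved_services))
        self._record(account, f"created by {admin} with {sorted(account.services)}")
        self.accounts[request.username] = account
        return account

    def offboard(self, username: str, admin: str) -> None:
        """Dismissal: disable and strip access, but keep the record and history."""
        account = self.accounts[username]
        account.enabled = False
        account.services = set()
        self._record(account, f"disabled by {admin}")

    def can_use(self, username: str, service: str) -> bool:
        """Authorization decision used by the services themselves."""
        account = self.accounts.get(username)
        return account is not None and account.enabled and service in account.services

    def observer_view(self) -> list:
        """Read-only snapshot: copies, so the observer cannot alter state."""
        return [(a.username, a.enabled, sorted(a.services), list(a.history))
                for a in self.accounts.values()]

    def _record(self, account: Account, event: str) -> None:
        account.history.append(event)
        self.audit.append(f"{account.username}: {event}")


if __name__ == "__main__":
    directory = Directory()
    form = AccessRequest("ivanov", filed_by_hr=True, supervisor_approved=True,
                         approved_services={"email"})
    directory.create_account(form, admin="sysadmin")
    directory.offboard("ivanov", admin="sysadmin")
    for entry in directory.observer_view():
        print(entry)
```

The observer sees every event in the audit trail but receives only copies, and because a disabled account keeps its name, an attempt to create "ivanov" again after dismissal is refused instead of quietly producing a fresh account under an old identity.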
Law 7. The security of encrypted data depends directly on how well the decryption key is protected.
There is little to add here; it is clear from the title. As a recommendation: use special keys, tokens on which all keys and passwords are stored in encrypted form. It is also very good when the same token serves as the pass into the room (building): then an employee going to the toilet has to take the key with him (or he will not get back into the room), and as soon as the key is removed the computer is immediately locked (this is the default action, but everything can be customized).
Law 8. An outdated antivirus is only slightly better than no antivirus at all.
That is true. But an important addition: the antivirus should have heuristic functions and the ability to send suspicious files directly to the antivirus company while warning the administrator. This matters because attacks using specially written viruses have intensified recently. Because such a virus (Trojan) is written specifically for the organization, the antivirus software knows nothing about it yet. And without a quick and accurate response it may be too late. Also, switch off the signature in e-mail messages saying that the files were checked by such-and-such antivirus. Exactly which antivirus is used must remain a secret (though a needle in a haystack cannot be hidden forever). It is also recommended to use several antiviruses on different machines, but this must be thought through properly, since it can severely complicate management (and hence the response to a problem).
Law 9. Absolute anonymity does not exist, neither in life nor on the Internet.
This law simply needs to be taken into account. I also recommend banning many services in the workplace, since by combining some information, comparing users' IP addresses with what they write, enough information can be gathered to break into the organization. Also, banning online services is often tied to the cost of time rather than to security. (Suppose, for example, a worker spends only 15 minutes of working time a day on a forum (in fact much more); but that is already 15 * 5 = 1 hour 15 minutes a week, or 5 hours a month. That is, in a month the worker loses at least one whole working day (and this is only at 15 minutes).)
Law 10. Technology is not a panacea.
Here, too, there is little to add. Technology is constantly changing, and for every clever bolt there is a clever nut. Therefore the cost of breaking in must be constantly re-evaluated, organizational measures for safety must be carried out constantly, and the technical and software base must be kept up to date. And you must always want to learn and understand how a program or service works and where it has weaknesses.