Rules

| Rule | Explanation |
|---|---|
| Client-side security doesn't work | Client-side security is security enforced solely on the client. The user always has the opportunity to break it, because he or she controls the machine. Client-side security will not hold against an attacker with enough time and resources. |
| You cannot securely exchange encryption keys without a shared piece of information | Shared information is used to validate machines before a session is created. You can exchange shared private keys beforehand, or rely on Secure Sockets Layer (SSL) in your browser. Without such shared information, key exchanges are vulnerable to man-in-the-middle (MITM) attacks. |
| Malicious code cannot be 100 percent protected against | Software products are not perfect. Virus and Trojan detection software relies on signature files. A minor change to the code's signature can produce a variant that is not detected until the next signature file is released. |
| Any malicious code can be completely morphed to bypass signature detection | Attackers can change the identity or signature of a file quickly, using compression, encryption, and passwords to alter how the code looks. Signature-based protection cannot cover every possible modification. |
| Firewalls cannot protect you 100 percent from attacks | Firewalls can be software, hardware, or both. Their primary function is to filter incoming and outgoing packets. Successful attacks remain possible as a result of improper rules, policies, and maintenance problems. |
| Any IDS can be evaded | Intrusion detection systems (IDS) are often passive designs, so an attacker probing the network has difficulty detecting their presence. An IDS is nonetheless subject to improper configuration and lack of maintenance, and these conditions may provide opportunity for attack. |
| Secret cryptographic algorithms are not secure | Crypto is hard. Most crypto does not get reviewed and tested enough before launch. Common, published algorithms are in use in many areas and have been examined accordingly; they are difficult, but not impossible, to attack. |
| If a key is not required, you do not have encryption - you have encoding | This law is universal; there are no exceptions. Encoding only changes the representation of data; encryption protects it, and encryption requires a key. If no key is present, you cannot encrypt. Keys must be kept secret, or no security is present. |
| Passwords cannot be securely stored on the client, unless there is another password to protect them | Password information stored on client machines is easy to find. If a password is unencrypted or unwrapped when it is stored, it is not secure. Password security on client machines requires a second mechanism to provide protection. |
| In order for a system to begin to be considered secure, it must undergo an independent security audit | Auditing is the start of a good security systems analysis. Security systems are often not reviewed properly or completely, leaving holes. Outside checking is critical to defense; lack of it is an invitation to attack. |
| Security through obscurity does not work | Hiding it doesn't secure it. Proactive protection is needed. The use of obscurity alone invites compromise. |
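As an added illustration of the encoding-versus-encryption rule and the client-side password rule above (example code written for this page, not taken from it): a stored value that anyone holding the program can reverse is encoding, while wrapping it under a key derived from a second password is encryption. The hard-coded XOR constant, the HMAC-SHA256 counter-mode keystream and all function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed example of how many client programs "protect" a saved password.
OBFUSCATION_CONSTANT = b"app-secret"  # hypothetical constant shipped inside the program

def xor_with_constant(data: bytes) -> bytes:
    """XOR with the built-in constant; applying it twice returns the input."""
    return bytes(b ^ OBFUSCATION_CONSTANT[i % len(OBFUSCATION_CONSTANT)]
                 for i, b in enumerate(data))

def scramble(password: str) -> str:
    """Encoding only: no key is needed to undo this (see unscramble)."""
    return base64.b64encode(xor_with_constant(password.encode())).decode()

def unscramble(stored: str) -> str:
    """Anyone who has read the program can do this; no secret is involved."""
    return xor_with_constant(base64.b64decode(stored)).decode()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as an illustrative PRF keystream."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def _derive_keys(master_password: str, salt: bytes):
    """Stretch the second password into separate encryption and MAC keys."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, 64)
    return key[:32], key[32:]

def wrap(password: str, master_password: str) -> bytes:
    """Encryption: encrypt-then-MAC under keys derived from a second password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    data = password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unwrap(blob: bytes, master_password: str):
    """Return the password, or None when the master password (the key) is wrong."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong key or tampered blob: nothing is revealed
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()
```

Note that `scramble()` gives the same output every time and needs nothing but the program to reverse, whereas `wrap()` produces a fresh random blob and `unwrap()` yields nothing at all under the wrong master password.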