Security Principles & Strategies
Content Leader: Jess Garcia - Last Updated: January 23, 2007
Security Parameters
- Confidentiality
- Integrity
- Availability
Security Principles & Strategies
- Principle of least privilege.
- Defense in depth (layered security).
- Limited trust: trust no-one, nothing.
- "Know Yourself & Know Your Enemy".
- Security through obscurity (useful only as an extra layer, never as the sole control).
- Biodiversity: avoid monocultures, so that one vulnerability cannot take out every system at once.
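The following is an added example, not part of the original outline, showing three of the principles above in one small piece of code: defense in depth (two independent checks on the same request), limited trust (the second check does not rely on the first having done its job) and least privilege (the service can only ever open files beneath one directory). The scenario, a static-file handler defending against path traversal, and the temporary document root it builds are constructed for the example; the function names are the author's own choices.

```python
import os
import shutil
import tempfile
import urllib.parse
from typing import Optional


def layer1_syntactic_filter(raw_path: str) -> bool:
    """Layer 1, at the edge: reject any request that literally contains '..'.

    Deliberately naive, as edge filters often are: it does not percent-decode,
    so '%2e%2e' slips straight through. On its own it would be a single point
    of failure; here it is only the outer layer."""
    return ".." not in raw_path


def layer2_canonical_containment(raw_path: str, root: str) -> Optional[str]:
    """Layer 2, at the resource: decode, canonicalise, and require that the
    resolved path stays inside root. realpath() follows symlinks, so a link
    inside root that points outside is rejected as well. This is the
    least-privilege boundary: the service may only ever open files beneath
    root, and it does not trust layer 1's verdict (limited trust)."""
    root = os.path.realpath(root)
    decoded = urllib.parse.unquote(raw_path)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def serve(raw_path: str, root: str) -> tuple:
    """Run a request through both layers and return (status, detail)."""
    if not layer1_syntactic_filter(raw_path):
        return 403, "rejected by layer 1 (literal '..')"
    resolved = layer2_canonical_containment(raw_path, root)
    if resolved is None:
        return 403, "rejected by layer 2 (resolves outside root)"
    if not os.path.isfile(resolved):
        return 404, "not found"
    with open(resolved, "rb") as fh:
        return 200, fh.read().decode()


def build_demo_root() -> tuple:
    """Constructed fixture (not real data): a temporary document root holding
    one page plus a symlink that escapes to a second temporary directory."""
    outside = tempfile.mkdtemp(prefix="outside-")
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("SECRET")
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>")
    os.symlink(outside, os.path.join(root, "escape"))
    return root, outside


def run_demo() -> dict:
    """Serve a set of constructed requests and return {request: (status, detail)}."""
    root, outside = build_demo_root()
    requests = [
        "/index.html",                # legitimate
        "/../../etc/passwd",          # stopped by layer 1
        "/%2e%2e/%2e%2e/etc/passwd",  # bypasses layer 1, stopped by layer 2
        "/escape/secret.txt",         # symlink out of root, stopped by layer 2
        "/missing.html",              # inside root, but absent
    ]
    try:
        return {r: serve(r, root) for r in requests}
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)


if __name__ == "__main__":
    for req, (status, detail) in run_demo().items():
        print(f"{status} {req!r}: {detail}")
```

The percent-encoded request is the point of the exercise: it walks straight past the first filter, and only the second, independent check stops it. Remove either layer and the handler still works for honest users, which is exactly why weak layers tend to survive code review until someone needs the one behind them.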
Implementation
- Identify your critical and most exposed assets and concentrate your efforts on defending them.
- Mitigate risk.
- Defend against insider threats.
- Review and audit policies, processes and technologies periodically.
- Plan for the worst and hope for the best.
- Anything that makes security "easier" (a shortcut, a bypass, a convenience) probably creates a security flaw.
- Good security is a characteristic of a deployment, not of a product.
In the Real World
- Nothing is secure.
- Prevention is ideal, but detection is a must.
- Paranoia is your friend.
- You can prove that a system is not secure; you just cannot prove that it is secure (one working attack disproves it; no number of failed attempts proves it).
- Security is a trade-off with usability.
- Defenders have to "win" every single day; attackers only have to win once.
The Human Factor
- Educate your users.
- Risk assumed by one is shared by all.
- Never underestimate human stupidity.
- Don't forget about the political layer.
Questions
- How secure is secure enough?
- "Sure, I'm paranoid, but am I paranoid enough?"