Weinstein.org > Digital World > Technical Papers and Presentations

> > >

oct 06 08

Digital World

Open Source Health Care Alliance: Computer Security Fundamentals, Los Angeles, November 15, 2002.

Introduction (Slide Two)

who i am
what i plan to say
- personal experience
  - pitfalls
  - planning
  - resources
  - questions

Notice (Slide Three)

"Persons attempting to find a motive in this narrative will be prosecuted;persons attempting to find a moral will be banished; persons attempting to find a plot will be shot."

- Preface for The Adventures of Huck Finn By Mark Twain

Pitfalls (Slide Four)

Pitfalls: Security Through Obscurity (Slide Five)

home network:

Pitfalls: Security Though Obscurity (Slide Six)

Outside Connection Attempts to Firewall, October 14-15 2002, 752 Total Requests

Pitfalls: Have No Fear, I Don't Use Microsoft (Slide Seven)

"The long BSD tradition of cautious development, extensive peer review, and thorough testing makes them some of the most reliable software ever developed. In fact, as far as anyone knows, only one worm has ever been developed that attacked any of the BSDs."

- Source: "The BSDs: Sophisticated, Powerful, and (Mostly) Free"
<http://www.extremetech.com/print_article/0,3998,a=31573,00.asp>

Pitfalls: Have No Fear, I Don't Use Microsoft (Slide Eight)

"since June ... Microsoft, of Redmond, Wash., has released six patches ... for Windows XP Pro. However, the list of patches included in the new Service Pack 1 for XP Pro shows 30 security-related fixes, including several that were never publicized or issued separately."

However, in the same time frame, "Red Hat Inc., of Raleigh, N.C., for example, has issued fixes for 35 security problems in its Red Hat Linux 7.3."

- Source: "Open Source: A False Sense of Security?"
<http://www.eweek.com/article2/0,3959,579097,00.asp>

Pitfalls: WHat's Wrong with This Picture? (Slide Nine)

home office:

Creating a Plan (Slide Ten)

Creatling a Plan: Creating a Policy (Slide Eleven)

what is the system for?
who will be using this system?
what network services are needed?
how do these services work?
how can i secure these needed services?

Creating a Plan: Creating a Policy (Slide Twelve)

discovering a vulnerability
find the fix, workaround
applying the fix, workaround

Creating a Plan: Creating a Policy (Slide Thirteen)

being the bad guy, enforce your policy
- known vulnerability + slow on applying fixes = troubles

Resources (Slide Fourteen)

Resources (Slide Fifteen)

cert
- <http://www.cert.org>
  - vulnerability
    - casue & fix
  - fixes
    - vender patches, upgrades
cvs
- <http://cve.mitre.org>
  - vulnerability dictionary

Resources (Slide Sixteen)

commercial vendor
- red hat <->
- i.e. know your vendor
open source community
- users, developers
- mailing lists, websites

Resources (Slide Seventeen)

Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage
By Cliff Stoll
ISBN No. 0743411463

Resources (Slides Eighteen)

Secrets and Lies: Digital Security in a Networked World
By Bruce Schneier
ISBN No. 0471253111

Resources (Slide Nineteen)

The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography
by Simon Singh
ISBN No. 0385495323

Additional Resources: This Presentation (Slide Twenty)

<http://www.weinstein.org/work/presentations/oshca/computer_security/>
<http://www.weinstein.org/work/presentations/oshca/computer_security.pdf>
small plug
- upcoming book, Professional Apache Security, Wrox Press
- whitepaper, Apache and OpenSSL
- consulting, Waubonsie Consulting, <http://www.waubonsie.com>, <pdw@waubonsie.com>

What I Said (Slide Twenty One)

pitfalls
- security through obscurity
- its not just microsoft
- access, remote & physical
planning
- create a policy
- stick with it
resources
- <http://www.cert.org>
- <http://cve.mitre.org>
- commercial vendor
- open source community
- books

Questions (Slide Twenty Two)

Never take life seriously. Nobody gets out alive, anyway.