
[Network Security] 13 security myths: will you believe them? ([13] network security security Myth will you believe it).doc


张elliott
2018-12-21


In the field of IT security there are some "security myths" which are often repeated and universally accepted. However, they are all incorrect concepts; in other words, they are just myths. Security experts, consultants, suppliers and enterprise security managers shared with us their favorite "security myths", and here are 13 of the myths we've picked out:

Myth 1: "More security is better."

Bruce Schneier, a security expert and security writer, explains why this often-repeated security concept is wrong: "More security does not mean better. First of all, we need to balance security, and sometimes the extra security cost is not equal to the value created. For example, it is not worth $ thousand to protect a donut; of course, this donut will be more secure, but the protection is a waste of money." He also pointed out that "additional security leads to diminishing returns. In other words, reducing the cost of a specific crime (such as shoplifting) a little takes a bit of money, but a further reduction would require much more money. More security is not worth it from the perspective of cost-effectiveness, and as a corollary, absolute security is not possible." Sometimes security can even become a moral choice, and compliance may be an unethical decision, because it may involve a totalitarian regime. "Security needs to comply with compliance requirements, and sometimes complying is not the right thing to do."

Myth 2: "DDoS is about bandwidth."

"We often hear a variety of security myths with no real evidence to support them," said Carl Herberger, vice president of security solutions at Radware. "There is a common view among IT managers: as long as they have enough bandwidth, distributed denial of service (DDoS) attacks will disappear." But in fact the research data show that since last year more than half of distributed denial of service attacks are not bandwidth-oriented but application-oriented: the attacker goes after the application stack, and the vulnerabilities there cause the service interruption. In this case, a lot of bandwidth will actually help the attacker. Herberger says only of distributed denial of service attacks will ease as bandwidth increases.

Myth 3: "Regularly setting a password usage period (usually every days) enforces a strong password system."

Ari Juels, chief scientist at RSA, EMC's security company, on the security myth he said he "loves", that passwords must regularly be set to expire: "I think this is like the health advice urging us to drink eight glasses of water every day; no one knows where it comes from, and no one knows that it is not a good suggestion. In fact, recent studies have shown that a regular password expiration time may not be useful." RSA lab research shows that if companies want to set a password usage period, it should be based on random times rather than a fixed time.

Myth 4: "You can rely on the wisdom of the masses."

"Often, employees will receive a personal email that describes a dangerous new virus or some other threat found on the Internet, and this sends the staff to the IT department," said Bill Bolt, vice president of information technology for the Phoenix Suns basketball team. But after investigation, it seems that these shared ideas are not new at all. In fact, most of the time this panic is usually just about well-known malware that was first discovered ten years ago.

Myth 5: "Client virtualization can solve the security problem of 'bring your own device to work'."

"I often hear the security myth that the security issues of 'bring your own device to work' can be solved by deploying two virtual machines, a 'work' one and a 'personal' one," said Gartner analyst John Pescatore. "If you do this, all risks at the personal end will be controlled, and no data will leak from the work side to the game side." But Pescatore is skeptical: "The intelligence community tried this method years ago. The US National Security Agency hired the then still-small VMware company to develop a product called NetTop for intelligence analysis; this product created separate virtual machines for confidential and non-confidential information. Soon there was a problem: at the same time, analysts need to work across all domains and need to move information between domains. For now, 'work' and 'game' is the same situation. The first thing that happens with client virtualization is: I receive a personal email in the work environment, and I need to use this email in the personal environment, so I send it to myself, or use a USB stick to transfer it, and the isolation is out of action. Virtualization is just a waste of money. NetTop is still in use, but only in the intelligence community, which is the field where this product is most likely to be used effectively."

Myth 6: "The IT department should encourage users to use completely random passwords to improve password security, and also require passwords to be changed at least once every days."

Kevin Haley, head of Symantec's security response, says: "In fact, completely random passwords are powerful, but they also have drawbacks: they are hard to remember and slow to type. In reality, you can easily create passwords that are just as powerful as random passwords by using a few simple techniques, and they're much easier to remember. A password that is at least characters long, using uppercase and lowercase letters, two numbers and two symbols, is usually quite powerful, and can use easy-to-remember phrases." He added that although the -day usage period is a good suggestion for some high-risk environments, it is usually not the best policy, because such a short usage period often leads users to prepare passwords in advance or to use similar passwords, reducing their effectiveness. A to day period is more realistic.

Myth 7: "Any computer virus will have visible symptoms on the screen."

"For the people on the street, most of what they know about computer viruses is a myth; that is to say, what they know about malicious software comes from science fiction, television and film," said David Perry of G Data Software. "The security myth I love most is that any computer virus will have obvious symptoms on the screen, displaying files being eroded or setting the computer itself on fire. Without any visible signs of a virus, there is no malicious software on the system. This is obviously nonsense."

Myth 8: "We are not a target."

Alan Brill, senior managing director of network security and information security at Kroll, said: "I often hear victims say they think they are not worthy of hacker attacks. Some say it is not worth it because they are just small businesses, not a goal. Others argue that there are no social security numbers, credit card information, or other valuable information in their systems. But that's not the case."

Myth 9: "In terms of security flaws, today's software isn't getting any better than the previous software."

"There is a large crowd of people who say there are too many loopholes in software and that, compared with the previous software, security has not improved," said Cigital's chief technology officer Gary McGraw. "In fact, the software has now improved a lot, and the defect density ratio has decreased." He pointed out that, compared with ten or twenty years ago, we now have a better understanding of secure coding practices, and there are many effective secure coding tools. McGraw said: "We know what to do. The fact that is often overlooked is that we write far more software code than in the age of Windows; the amount of code we are writing is far more than ever before. The huge amount of code is also the reason why software now has more vulnerabilities than the previous software, but zero vulnerabilities is impossible."

Myth 10: "Sensitive information transmitted through an SSL session is safe."

"Enterprises often use SSL to send sensitive information to customers or partners; they think that data transmission through an SSL session is very safe," said Rainer Enders, CTO Americas at NCP Engineering, "but this process has begun to show more and more loopholes." He pointed out that Citibank has suffered data leakage in this way, and this is not an isolated incident. "Swiss researchers recently released a memo describing how to capture data from an SSL channel during transmission by using vulnerabilities in block encryption algorithms (e.g. AES)," he says, and there is doubt in the security industry about the SSL session. "The most ideal method to avoid this problem is never to use the same keystream to encrypt two different files." Another similar security myth, Enders adds, is that it is absolutely safe to use trusted certificates from a certificate authority; last year, fraudulent certificates overturned that myth.

Myth 11: "Endpoint security software is a kind of commodity."

Enterprise Strategy Group (ESG) analyst Jon Oltsik said that when an ESG questionnaire survey asked whether endpoint security software is a commodity and whether the products are basically the same, security professionals agreed that, for most enterprises, endpoint security products are basically the same. But Oltsik said he disagreed with the argument that endpoint security products are basically the same. "I think this is a myth," he said. "The endpoint security products are very different in terms of protection and functional features." Oltsik adds that he even believes that most companies simply don't know the functions of the endpoint security products they've purchased, and that they don't use the right products to protect themselves.

Myth 12: "With a firewall in our network, we certainly are protected!"

Of course, there is the security myth "we have a firewall in our network, so we are certainly protected!" Kevin Butler, an information technology security analyst at the University of Arkansas, said he worked as a firewall administrator for ten years, and there were a lot of myths about firewalls. He admitted that in the past few years he had believed some of the myths himself, including "firewalls are hardware" and "properly configured firewalls can protect you from any threat". He knows other firewall myths, including "with a firewall, no antivirus software is needed", and what makes him angry is the claim that a certain brand of firewall can even resist zero-day threats. In this regard, he said, "exploitation of new vulnerabilities appears very fast, and it is impossible for a firewall to resist zero-day threats." A firewall for perimeter protection is never a once-and-for-all solution.

Myth 13: "If you've found a malware sample as part of a targeted attack, you shouldn't upload the sample to a well-known malware vendor or service."

Joe Stewart, head of malware analysis at Dell SecureWorks, said he had heard this proposal, and he thought it was "problematic". He said the idea is based, first, on the notion that the attacker may check public sandboxes and virus scanners to find traces of their malware, so uploading a sample found during incident response would let the attacker know they have been found. He points out that the second reason for this idea is that in a targeted attack there may be clues in the malware that indicate who the target of the attack is and thereby expose the attack. Stewart points out: "The first point is that it's almost impossible for an attacker to have the time to check public information regularly, and even in targeted attacks there are dozens of victims in a single attack, and the same attacker has to launch several such attacks every year. Attackers rarely use unique malware for each different target; they just choose to use preselected Trojan programs, so that they are not detected by antivirus software. Even if a malware sample tracking website makes the malicious software public, it cannot guarantee that the attacker will see it, and even if the attacker saw it, the attacker cannot be sure which target uploaded this malware sample." For targeted attacks, sharing the malware samples you find is of great benefit. Malware can also expose the name of the target organization, which is possible but not often seen. Stewart says that in the long run, trying to keep such a targeted attack secret may have an impact on everyone, because it will encourage attackers to attack.
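The "never use the same keystream to encrypt two different files" advice from the SSL myth above, as an added example that is not part of the original article: a toy stream cipher built from SHA-256 in counter mode (my construction, not TLS or any real protocol) shows that encrypting two messages under the same key and nonce lets a passive observer of the ciphertexts recover the XOR of the two plaintexts, while a fresh nonce per message does not. The key, nonces and messages are constructed sample data.

```python
import hashlib
import os

# Toy stream cipher for illustration only (constructed here; not TLS/SSL):
# keystream block i = SHA-256(key || nonce || i), XORed onto the plaintext.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

def keystream_reuse_leaks(key: bytes, nonce1: bytes, nonce2: bytes,
                          p1: bytes, p2: bytes) -> bool:
    """True when someone holding only the two ciphertexts can recover
    p1 XOR p2, i.e. the keystream was reused (c1 ^ c2 == p1 ^ p2)."""
    c1 = encrypt(key, nonce1, p1)
    c2 = encrypt(key, nonce2, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

def nonce_reuse_detected(nonces) -> bool:
    """Defender-side check: any nonce used twice under one key is a reuse."""
    return len(set(nonces)) != len(nonces)

# Constructed sample data (a demo key, not a real secret).
KEY = hashlib.sha256(b"demo key, not a real secret").digest()
P1 = b"transfer 1500 to account 42"
P2 = b"transfer 0010 to account 99"

def demo():
    fixed = b"\x00" * 12                     # weak: same nonce every session
    reused = keystream_reuse_leaks(KEY, fixed, fixed, P1, P2)
    n1, n2 = os.urandom(12), os.urandom(12)  # corrected: fresh nonce per message
    fresh = keystream_reuse_leaks(KEY, n1, n2, P1, P2)
    return (reused, fresh,
            nonce_reuse_detected([fixed, fixed]), nonce_reuse_detected([n1, n2]))

if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```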
