Immutable Laws of security; Laws 1, 2 


Мы поможем в написании ваших работ!



ЗНАЕТЕ ЛИ ВЫ?

Immutable Laws of security; Laws 1, 2



Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

 

Here at the Microsoft Security Response Center, we investigate thousands of security reports every year. In some cases, we find that a report describes a bona fide security vulnerability resulting from a flaw in one of our products; when this happens, we develop a patch as quickly as possible to correct the error. (See “A Tour of the Microsoft Security Response Center”). In other cases, the reported problems simply result from a mistake someone made in using the product. But many fall in between. They discuss real security problems, but the problems don’t result from product flaws. Over the years, we’ve developed a list of issues like these, that we call the 10 Immutable Laws of Security.

Don’t hold your breath waiting for a patch that will protect you from the issues we'll discuss below. It isn’t possible for Microsoft – or any software vendor – to “fix” them, because they result from the way computers work. But don’t abandon all hope yet – sound judgment is the key to protecting yourself against these issues, and if you keep them in mind, you can significantly improve the security of your systems.

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

Law #5: Weak passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

Law #10: Technology is not a panacea

 

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

It’s an unfortunate fact of computer science: when a computer program runs, it will do what it’s programmed to do, even if it’s programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it. Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer. It could monitor your keystrokes and send them to a website. It could open every document on the computer, and change the word “will” to “won’t” in all of them. It could send rude emails to all your friends. It could install a virus. It could create a “back door” that lets someone remotely control your computer. It could dial up an ISP in Katmandu. Or it could just reformat your hard drive.

That’s why it’s important to never run, or even download, a program from an untrusted source – and by “source”, I mean the person who wrote it, not the person who gave it to you. There’s a nice analogy between running a program and eating a sandwich. If a stranger walked up to you and handed you a sandwich, would you eat it? Probably not. How about if your best friend gave you a sandwich? Maybe you would, maybe you wouldn’t – it depends on whether she made it or found it lying in the street. Apply the same critical thought to a program that you would to a sandwich, and you’ll usually be safe.

 

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer any more

 

In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the computer to do certain things. Change the ones and zeroes, and it will do something different. Where are the ones and zeroes stored? Why, on the computer, right along with everything else! They’re just files, and if other people who use the computer are permitted to change those files, it’s “game over”.

To understand why, consider that operating system files are among the most trusted ones on the computer, and they generally run with system-level privileges. That is, they can do absolutely anything. Among other things, they’re trusted to manage user accounts, handle password changes, and enforce the rules governing who can do what on the computer. If a bad guy can change them, the now-untrustworthy files will do his bidding, and there’s no limit to what he can do. He can steal passwords, make himself an administrator on the computer, or add entirely new functions to the operating system. To prevent this type of attack, make sure that the system files (and the registry, for that matter) are well protected. (The security checklists on the Microsoft Security website will help you do this).

Vocabulary


immutable – непреложный, постоянный

archived [′ɑ: kaıvd] – архивный

accuracy – точность, правильность

content – содержание

warranty – гарантия

link – соединять(ся)

no longer – больше не

exist – существовать

bona fide [bǝunǝ ′faıdı] – лат. настоящий;

добросовестный

vulnerability – уязвимость

flaw – недостаток, упущение

patch – исправление, “заплата” (код для опера-

тивного исправления ошибки в программе)

issue – вопрос, пункт

breath – дыхание

vendor – продавец

fix – уладить, решить

abandon – оставлять

sound – правильный, умелый

judgment – мнение, рассудительность

keep in mind – помнить

bad guy – злоумышленник

persuade – убеждать

run (a program) – выполнять

unrestricted – неограниченный

upload – пересылать файл в другой компьютер;

загружать

weak – слабый

trump – превзойти, взять верх; козырная карта

trustworthy – заслуживающий доверия

encrypted – зашифрованный

virus scanner – антивирусное приложение

marginally – незначительно

panacea – панацея, универсальное средство

harmful – вредный

once – как только

keystroke – нажатие клавиши

rude – грубый

install – устанавливать

create – создавать

remotely – на расстоянии

dial up – набирать номер, настраиваться

hard drive – жёсткий диск, дисковод

download – загружать, скачивать

untrusted – непроверенный, ненадёжный

source – источник

interpret – объяснять, толковать,

преобразовывать

certain – определённый

account – счёт, учёт; учётная запись, аккаунт

handle – обрабатывать

enforce – усиливать

govern – регулировать

bidding – распоряжение, требование


URL = Uniform Resource Locator – унифицированный указатель информационного ресурса

ISP = Internet Service Provider

Exercises

 



Поделиться:


Последнее изменение этой страницы: 2016-12-29; просмотров: 280; Нарушение авторского права страницы; Мы поможем в написании вашей работы!

infopedia.su Все материалы представленные на сайте исключительно с целью ознакомления читателями и не преследуют коммерческих целей или нарушение авторских прав. Обратная связь - 3.84.7.255 (0.053 с.)