Are the 10 Immutable Laws of Security still valid? - NonSoloSecurity Blog di Feliciano Intini - Site Home - TechNet Blogs

NonSoloSecurity Blog di Feliciano Intini

News, best practices, strategies and security innovations (and more) on Microsoft technology

Are the 10 Immutable Laws of Security still valid?


I recommend reading an interesting article (the first in a series of three) by Jesper Johansson, a former Microsoft employee and a highly regarded security expert, in which he revisits the famous "10 Immutable Laws of Security" (written a full 8 years ago) to trace what has changed in the meantime and to assess whether they can still be considered, today and for the near future, what they have been until now: an important reference for reflecting on some key fundamentals of information security. Here are a few interesting points from the first three laws analyzed:

  • Law 1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
    "...Law 1 isn't really about shortcomings or vulnerabilities in software. It is really about vulnerabilities in people!"
    "...It is extremely important to understand what the term "security boundary" means"
    "...Even if you do not have administrative privileges, it may not matter. You, as a standard user, still have access to lots of juicy information"
    "...if you define "your computer" as "the data you manage on your computer," you can ignore any discussions about privilege and simply conclude that Law 1 holds."
    "...user education is critical in addition to ensuring that users do not have permission to perform administrative tasks"
  • Law 2: If a bad guy can alter the OS on your computer, it's not your computer anymore.
    "...it is not the act of doing something that means your computer is compromised. The thing that matters only is that someone has the ability to do something."
    "...If a computer is wide open to the Internet and goes unpatched for months, is it still trustworthy? No. That computer must be considered compromised."
  • Law 3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
    "...All things considered, Law 3 does still apply. It is true that certain technologies available today go a long way towards stopping many attackers with physical access and thus minimize the number of attackers able to access data on a computer that employs a safety measure. That said, the capabilities of the attacker always define how much the attacker can actually achieve, and new technologies address many of the 10 immutable laws—to an extent. But physical access still offers ways, though more complex, into a system."

Comments
  • PingBack from http://www.grabbernews.com/sono-ancora-valide-le-10-immutable-laws-of-security-21858.html

  • Interesting article. However, my views differ slightly from Jesper's regarding the third law. I don't think it is the one standing on the shakiest ground, because unlimited physical access to a machine implies the ability to compromise that machine. OK, maybe I can't decrypt the data, but if I take your hard disk away, you're screwed.
