Security Karma…

June 21, 2007

Recent reports suggest that the security industry expects a lot from users and designers compared to other industries, and that this is the cause of all evil. As a rephrased quote goes, “Uncertainty and expectation are the root causes of security failure”.

What NOT to Expect from Users:

1) To install browser toolbars/plugins.

2) To verify/check security locks, indicators, certificates and extended validation.

3) Not to click links or download attachments sent in email or IMs.

4) To install the latest updates and keep the system clean and patched.

5) Not to use the same PC for watching p0rn and for sensitive transactions (or at least to sandbox the p0rn..).

6) Not to share their password with friends and coworkers or write it down, and to change it at least every month.

7) Not to call the VP/CEO over a small (in amount) breach of their account; after all, it is hard-earned money..

8) To use strong, different passwords for different accounts.

9) To identify XSS, HTML and JS injection by checking/blocking the sources of the pages they visit.

10) To change their browsing habits.

11) Not to use laptops, CDs, DVDs or USB drives to store sensitive data without protection (encryption).

What NOT to Expect from Security people:

1) Not to use a homegrown implementation of a well-known cryptographic algorithm, and not to design/implement a homegrown crypto algorithm.

2) To plan for protocol flaws, unexpected errors, and several protection mechanisms failing or being bypassed at the same time.

3) To leave client-side components out of the trust model, because it is very difficult to prevent algorithm, key and data recovery once the attacker has full access to the client software and device.

4) To use multiple layers of protection wherever possible, with detection and logging at every layer.

5) To compartmentalize data so that a breach of one compartment does not escalate to the others.

6) To design hardware crypto with the economics of the attack (time, money, skill set) and the life expectancy of the product in mind.
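Item 1 of the second list, worked through in code. This is an added example and not code from the original post: the homegrown "cipher", the key s3cr3t and the two messages are all constructed for the demonstration. The cipher XORs the plaintext with a repeating key, which looks like encryption but is linear, so one known plaintext recovers the key and, because the key is reused, every other message protected by it.

```python
"""Why a homegrown cipher fails: repeating-key XOR broken by one known plaintext.

Added example, not code from the original post. The cipher, the key and the
messages below are constructed for the demonstration.
"""
from itertools import cycle

# Constructed demo key. In the flawed design it is reused for every message.
KEY = b"s3cr3t"


def homegrown_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """The "homegrown algorithm": XOR each byte with the key, repeating the key.

    XOR is its own inverse, so the same call also decrypts.
    """
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))


def keystream_from_known_plaintext(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """ct XOR pt leaks the keystream for as many bytes as the attacker knows."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def guess_key_len(ciphertext: bytes, known_plaintext: bytes, max_len: int = 32) -> int:
    """The keystream is periodic in the key length; return the shortest period that fits."""
    keystream = keystream_from_known_plaintext(ciphertext, known_plaintext)
    for n in range(1, min(max_len, len(keystream)) + 1):
        if all(keystream[i] == keystream[i % n] for i in range(len(keystream))):
            return n
    raise ValueError("no period found within max_len; need more known plaintext")


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: the first key_len bytes of the keystream are the key."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return keystream_from_known_plaintext(ciphertext, known_plaintext)[:key_len]


def break_reused_key(known_ct: bytes, known_pt: bytes, target_ct: bytes) -> bytes:
    """Recover the key from one known message, then decrypt a different one.

    This is the attacker's whole job against the homegrown cipher: no brute
    force, no cryptanalysis beyond a single XOR.
    """
    key_len = guess_key_len(known_ct, known_pt)
    key = recover_key(known_ct, known_pt, key_len)
    return homegrown_encrypt(target_ct, key)


if __name__ == "__main__":
    # Constructed messages: one the attacker can predict (a templated greeting),
    # one they want (a payment instruction), both "encrypted" under KEY.
    known_pt = b"Dear customer, your order"
    target_pt = b"PIN=4821; wire $1,000 to acct 77"
    known_ct = homegrown_encrypt(known_pt, KEY)
    target_ct = homegrown_encrypt(target_pt, KEY)
    print("recovered key:", recover_key(known_ct, known_pt, guess_key_len(known_ct, known_pt)))
    print("recovered target:", break_reused_key(known_ct, known_pt, target_ct))
```

The fix is not a cleverer homegrown scheme but a vetted authenticated cipher with a fresh nonce per message (for example AES-GCM via the `cryptography` package's AESGCM class), where knowing one plaintext tells the attacker nothing about the key or other messages.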