10 common security mistakes that should never be made
Author: Chad Perrin
Translation: endurer 2008-08-25 1st
Category: security, authentication, encryption, risk management, privacy
English source: http://blogs.techrepublic.com.com/security?p=542&tag=nl.e101
Read about ten very basic, easily avoided security mistakes that should never be made, but are among the most common security mistakes people make.
The following is a list of ten security mistakes I see all the time. They're not just common, though: they're also extremely basic, elementary mistakes that anyone with a modicum of security knowledge should know better than to make.
- Sending sensitive data in unencrypted email: Stop sending me passwords, PINs, and account data via unencrypted email. Please. I understand that a lot of customers are too stupid or lazy to use encryption, but I'm not. Even if you're going to give them what they want, in the form of unencrypted sensitive data sent via email, that doesn't mean you can't give me what I want: secure communications when sending sensitive data.
- Using "security" questions whose answers are easily discovered: Social Security numbers, mothers' maiden names, first pets, and birthdays do not constitute a secure means of verifying identity. Requiring an end user to compromise his or her password by specifying a question like that as a means of resetting the password basically ensures that the password itself is useless in preventing anyone who is willing to do a little homework from gaining unauthorized access.
- Imposing password restrictions that are too strict: The number of cases I've seen where some online interface to a system that offers the ability to manage one's finances, such as a banking web site, imposes password restrictions that actually make the interface less secure is simply unacceptable. Six-character numeric passwords are dismayingly common, and the examples only go downhill from there. See a previous article, "How does bad password policy like this even happen?", for another example in more detail.
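As an added illustration of the two points above (this is not code from the original article), the following Python models why a weak reset question caps the value of any password, and how small the "six-character numeric" keyspace the article complains about really is. The two policies and the per-question guessing estimates are constructed assumptions, not figures from the article.

```python
import math


def keyspace_bits(alphabet_size: int, min_len: int, max_len: int) -> float:
    """Entropy in bits of a uniformly random secret under a length-bounded
    policy, counting every string from min_len to max_len characters."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


# Constructed policies (assumptions, not from the article): the "exactly six
# digits" rule the article complains about versus a permissive alternative.
POLICIES = {
    "bank: exactly 6 digits": (10, 6, 6),
    "sane: 12 to 64 printable ASCII": (95, 12, 64),
}

# Constructed order-of-magnitude guessing-entropy estimates for the reset
# questions the article names. These are assumptions for illustration only.
RESET_QUESTIONS = {
    "birthday (any day in a 100-year span)": math.log2(365 * 100),
    "first pet's name (~4000 common names)": math.log2(4000),
    "mother's maiden name (~20000 surnames)": math.log2(20000),
    "last four digits of SSN": math.log2(10 ** 4),
}


def effective_bits(password_bits: float, reset_paths: dict) -> tuple:
    """The article's point: an account is only as strong as its weakest
    path in, so a weak reset question caps the value of any password."""
    question, bits = min(reset_paths.items(), key=lambda kv: kv[1])
    if bits < password_bits:
        return round(bits, 2), f"reset via '{question}'"
    return round(password_bits, 2), "password"


def main() -> None:
    for name, (alphabet, lo, hi) in POLICIES.items():
        pw_bits = keyspace_bits(alphabet, lo, hi)
        eff_bits, path = effective_bits(pw_bits, RESET_QUESTIONS)
        print(f"{name}: password {pw_bits:.1f} bits, "
              f"effective {eff_bits} bits (limited by {path})")


if __name__ == "__main__":
    main()
```

Running it shows that the permissive policy gains hundreds of bits over the six-digit one, yet both accounts end up worth only about 12 bits because the pet-name reset path is the weakest way in.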
- Letting vendors define "good security": I've said before that there's no such thing as a vendor you can trust. Hopefully you were listening. Ultimately, the only security a corporate vendor really cares about protecting is the security of its own profits and market share. While this sometimes prompts a vendor to improve the security of its products and services, it sometimes prompts exactly the opposite. As such, you must question a vendor's definition of "good security", and you must not let vendors tell you what's important to you.
- Underestimating required security expertise: People in positions of authority in corporations often fail to understand the necessity for specific security expertise. This applies not only to nontechnical managers, but to technical IT managers as well. In fact, standards working groups such as the one that produced the WEP standard often include a lot of very smart analysts, but not a single cryptographer, despite the fact that they intend to develop security standards that rely explicitly on cryptographic algorithms.
- Underestimating the importance of review: Even those with security expertise specific to what they're trying to accomplish should have their work checked by others with that expertise as well. Peer review is regarded in the security community as something akin to a holy grail of security assurance, and nothing can really be considered secure without being subjected to significant, punishing levels of testing by security experts from outside the original development project.
- Overestimating the importance of secrecy: Many security software developers who make the mistake of underestimating the importance of review couple that with overestimation of the importance of secrecy. They justify a lack of peer review with hand-waving about how important it is to keep security policies secret. As Kerckhoffs' principle, one of the most fundamental in security research, points out, however, any system whose security relies on the design of the system itself being kept secret is not a system with strong security.
Endurer Note: 1. couple with: combine with
2. Kerckhoffs' principle of cryptosystem design: the security of the data should depend on the key, not on keeping the cryptographic algorithm secret.
- Requiring easily forged identification: Anything that involves faxing signatures, or sending photocopies or scans of ID cards, is basically just a case of security theater: putting on a great show without actually providing the genuine article (security, in this case) at all. It is far too easy to forge such second-generation (or worse) low-quality copies. In fact, for things like signatures and ID cards, the only way for a copy to serve as useful verification is for it to actually be a good enough copy that it is not recognized as a copy. Put another way, only a successful forgery of the original is a good enough copy to avoid easy forgery.
- Unnecessarily reinventing the wheel: Often, developers of new security software are recreating something that already exists without any good reason for doing so. Many software vendors suffer from Not Invented Here disease, and end up creating new software that doesn't really do anything new or needed. That might not be a big deal, if not for the fact that the new software is often not peer reviewed, makes security mistakes that have already been ironed out of the previous implementation of the idea, and generally just screws things up pretty badly. Whenever creating a new piece of software, consider whether you're replacing something else that already does that job, and whether your replacement actually does anything different that is important. Then, if it is doing something important and different, think about whether you might be able to just add that to the already existing software so you will not create a whole new bundle of problems by trying to replace it.
- Giving up the means of your security in exchange for a feeling of security: This is a mistake so absurd to make that I have difficulty formulating an explanation. It is also so common that there's no way I can leave it out of the list. People give up the keys to their private security kingdoms to anyone who comes along and tells them, "Trust me, I'm an expert," and they do it willingly, eagerly, often without thought. Certificate authorities tell you who to trust, thus stripping you of your ability to make your own decisions about trust; webmail service providers offer on-server encryption and decryption, thus stripping you of end-to-end encryption and control over your own encryption keys; operating systems decide what to execute without your consent, thus stripping you of your ability to protect yourself from mobile malicious code. Don't give up control of your security to some third party. Sure, you may not be able to develop a good security program or policy yourself, but that doesn't mean the program or policy shouldn't give you control over its operation on your behalf.