Build It Right Build It Secure - CERT Presentation (1999)

Upload: dhruv-jain

Post on 08-Apr-2018

Category: Documents


TRANSCRIPT

  • 8/7/2019 Build It Right Build It Secure - Cert Presentation (1999)

    Slide 1/26

  • Slide 2/26

    CERT Conference 99

    The Perfect Solution...

  • Slide 3/26

    ...How Secure Is It?...

  • Slide 4/26

    ...Absolutely Impenetrable!!!...

  • Slide 5/26

    ...The Problem...

    We need to communicate with the world to do our jobs.

  • Slide 6/26

    ...The Solution...

  • Slide 7/26

    The BIGGER Problem...

  • Slide 8/26

    ...The REAL Solution.

  • Slide 9/26

    Let's Cover...

    A quick review of a typical product development lifecycle
    Where are folks CURRENTLY implementing security procedures?
    Where SHOULD you implement security?
    What can you do to decrease your cost for IT security?
    How can you make your IT security program more effective?

  • Slide 10/26

    Typical Product Development

    Explore a concept
    Determine what the requirements are
    Turn the requirements into a valid design
    Convert the design into a viable product
    Put the product to daily use
    Perform maintenance as needed

  • Slide 11/26

    Where does security get implemented?

    Concept Exploration?
    Requirements?
    Design?
    Development?
    Operations?
    Maintenance?

  • Slide 12/26

    Maintenance

    Where currently MOST security is executed.
    Closing the barn door after the cows have left.
    Many COTS products
    Cost: 100x (relative to 1x for addressing security at concept exploration)

  • Slide 13/26

    Operations (1/2)

    Where currently most security problems are identified.
    Found by...
      trial and error
      intrusion
      corrupt data
      problems

  • Slide 14/26

    Operations (2/2)

    Where currently most security problems are identified.
    Attacks occur here
    Problems trigger search for resolution
    Some attempt to be proactive
    Help from CERT/CC
    Cost: 90x

  • Slide 15/26

    Development

    A good start
    Product inspections: invite security folks
    Consider Ada and its advantages
    Cost: 50x

  • Slide 16/26

    Design

    A better start
    Design security INTO the product
    Have security folks assist with design
    Keep it flexible
    Cost: 10x

  • Slide 17/26

    Requirements

    An even BETTER start
    Include security features in the requirements
    Defer any feature that may cause security problems
    Cost: 2x

  • Slide 18/26

    Concept Exploration

    Best Place to Start Looking at Security!!!
    Think security from the very beginning
    Involve security in the whole process
    Cheapest cost to implement security: 1x

  • Slide 19/26

    *PC Computing's Helpful Hints

    Operations: Hack your own site
    Use a port scanner to see what doors are open
    Download Rhino9's Ogre 0.9b at www.hackers.com/files/portscanners/ogre.zip

    *PC Computing magazine, Sep 99 issue.

  • Slide 20/26

    *PC Computing's Helpful Hints

    Development: Encrypt everything that leaves your control.
    If using Windows, you will need a 3rd-party product.
    PC Computing recommends Network Associates' McAfee PGP Personal Privacy 6.5.1. Others include WinMagic's SecureDoc and RSA Data Security's SecurPC.

  • Slide 21/26

    *PC Computing's Helpful Hints

    Design: You need to get up to speed on security issues now.
    Useful sites:
    www.microsoft.com/security
    www.ntbugtraq.com
    www.ntsecurity.net
    www.cert.org
    www.hackers.com
    www.icsa.net

  • Slide 22/26

    +Software Development's Helpful Hints

    Requirements: Be aware of all vulnerabilities of your hardware, software, and comm.
    Useful tools:
    www.smartcardforum.org
    E-commerce: www.visualcommerce.com
    Linux: www.unify.com
    Mobile code: www.security7.com
    Dynamic passwords: www.cryptocard.com
    Black box: www.bardon.com
    Net scanner: www.iss.net
    SW Dongle: www.softlocx.com

    +Software Development Magazine, Aug 99 issue

  • Slide 23/26

    Tom Neff's Helpful Hints

    Concept Exploration: Attend CERT Conf 00
    www.omaha.com/cert
    www.omaha.org/spin
    [email protected]
    www.sdmagazine.com
    www.pccomputing.com/getnow

  • Slide 24/26

    Tom Neff's Helpful Hints

    Process is EVERYTHING!
    Climb the process improvement ladder
    Form a CERT & Red Team
    Register with CERT/CC
    Info Cons
    Remember superchicken

  • Slide 25/26

    Tom Neff's Helpful Hints

    You can't control what you can't control
    Outsourcing is a double-edged sword
    Gives you flexibility and possible savings
    Gives others intimate access to your system
    (Gardner Group: Y2K)

  • Slide 26/26

    [email protected]

    Final thoughts:
    READ (you can get a free subscription to almost any magazine).
    Use the web
    Think like a hacker, act like a CEO