Vi propongo la lettura di un interessante articolo (il primo di una serie di tre pezzi) di Jesper Johansson, ex dipendente Microsoft e validissimo esperto di sicurezza, nel quale si prova a rivisitare le famose "10 Immutable Laws of Security" (scritte ormai ben 8 anni fa) per ripercorrere cosa sia cambiato in questo frattempo e per valutare se esse possano ancora essere considerate, oggi e per il prossimo futuro, quello che sono state fino ad ora, un importante riferimento per far riflettere su alcuni importanti fondamenti di sicurezza informatica. Vi riporto qualche spunto interessante delle prime tre leggi analizzate:
- Law 1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
"...Law 1 isn't really about shortcomings or vulnerabilities in software. It is really about vulnerabilities in people!"
"...It is extremely important to understand what the term "security boundary" means"
"...Even if you do not have administrative privileges, it may not matter. You, as a standard user, still have access to lots of juicy information"
"...if you define "your computer" as "the data you manage on your computer," you can ignore any discussions about privilege and simply conclude that Law 1 holds."
"...user education is critical in addition to ensuring that users do not have permission to perform administrative tasks"
- Law 2: If a bad guy can alter the OS on your computer, it's not your computer anymore.
"...it is not the act of doing something that means your computer is compromised. The thing that matters only is that someone has the ability to do something."
"...If a computer is wide open to the Internet and goes unpatched for months, is it still trustworthy? No. That computer must be considered compromised."
- Law 3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
"...All things considered, Law 3 does still apply. It is true that certain technologies available today go a long way towards stopping many attackers with physical access and thus minimize the number of attackers able to access data on a computer that employs a safety measure. That said, the capabilities of the attacker always define how much the attacker can actually achieve, and new technologies address many of the 10 immutable laws—to an extent. But physical access still offers ways, though more complex, into a system."
Altri post/risorse correlate:
- 10 Immutable Laws of Security
- Come si segnala una possibile vulnerabilità di sicurezza a Microsoft
- Security bug nel Repair Mode / Recovery Console di Vista ? Ma no ...