Vulnerability (computing). A vulnerability is a weakness in design, implementation, operation or internal control. Most of the vulnerabilities that have been discovered are documented in the Common Vulnerabilities and Exposures (CVE) database. An exploitable vulnerability is one for which at least one working attack or "exploit" exists. To secure a computer system, it is important to understand the attacks that can be made against it, and these threats can typically be classified into one of these categories below:
One of my programmer buddies refers to this process as "turd polishing" because, as he says, it doesn't make your code any less smelly in the long run but management might enjoy its improved, shiny appearance in the short term. Richard Feynman's "Personal Observations on the Reliability of the Space Shuttle" used to be required reading for the software engineers that I hired.
It contains some profound thoughts on expectation of reliability and how it is achieved in complex systems. In a nutshell, its meaning to programmers is: The premise of the "vulnerability researchers" is that they are helping the community by finding holes in software and getting them fixed before the hackers find them and exploit them.
The premise of the vendors is that they are doing the right thing by pushing out patches to fix the bugs before the hackers and worm-writers can act upon them. Both parties, in this scenario, are being dumb because if the vendors were writing code that had been designed to be secure and reliable then vulnerability discovery would be a tedious and unrewarding game, indeed!
Let me put it to you in different terms: What has it been? If you look at major internet applications you'll find that there are a number that consistently have problems with security vulnerabilities.
There are also a handful, like Postfix, Qmail, etc., that were engineered to be compartmented against themselves, with modularized permissions and processing, and - not surprisingly - they have histories of amazingly few bugs.
The same logic applies to "penetration testing." That's because their design or their security practices are so fundamentally flawed that no amount of turd polish is going to keep the hackers out.
It just keeps managers and auditors off of the network administrator's backs. I know other networks that it is, literally, pointless to "penetration test" because they were designed from the ground up to be permeable only in certain directions and only to certain traffic destined to carefully configured servers running carefully secured software.
Running a "penetration test" for Apache bugs is completely pointless against a server that is running a custom piece of C code that is running in a locked-down portion of an embedded system.
So, "Penetrate and Patch" is pointless either because you know you're going to find an endless litany of bugs, or because you know you're not going to find anything comprehensible. One clear symptom that you've got a case of "Penetrate and Patch" is when you find that your system is always vulnerable to the "bug of the week."
Doesn't that sound dumb? Your software and systems should be secure by design and should have been designed with flaw-handling in mind.
That's a dumb idea. One of the best ways to discourage hacking on the Internet is to give the hackers stock options, buy the books they write about their exploits, take classes on "extreme hacking kung fu" and pay them tens of thousands of dollars to do "penetration tests" against your systems, right?
Around the time I was learning to walk, Donn Parker was researching the behavioral aspects of hacking and computer security. He says it better than I ever could: Anonymity and freedom from personal victim confrontation increased the emotional ease of crime, i.e.
Timid people could become criminals. The proliferation of identical systems and means of use and the automation of business made possible and improved the economics of automating crimes and constructing powerful criminal tools and scripts with great leverage.
It's not a technology problem, at all. The 4th dumbest thing information security practitioners can do is implicitly encourage hackers by lionizing them. The media plays directly into this, by portraying hackers, variously, as "whiz kids" and "brilliant technologists" - of course if you're a reporter for CNN, anyone who can install Linux probably does qualify as a "brilliant technologist" to you.
I find it interesting to compare societal reactions to hackers as "whiz kids" versus spammers as "sleazy con artists."
If you're a security practitioner, teaching yourself how to hack is also part of the "Hacking is Cool" dumb idea. Think about it for a couple of minutes: It means you've made part of your professional skill-set dependent on "Penetrate and Patch" and you're going to have to be part of the arms-race if you want that skill-set to remain relevant and up-to-date.
Wouldn't it be more sensible to learn how to design security systems that are hack-proof than to learn how to identify security systems that are dumb?
My prediction is that the "Hacking is Cool" dumb idea will be a dead idea in the next 10 years. I'd like to fantasize that it will be replaced with its opposite idea, "Good Engineering is Cool" but so far there is no sign that's likely to happen.
On the surface of things, the idea of "Educating Users" seems less than dumb: On the other hand, like "Penetrate and Patch", if it was going to work, it would have worked by now. If "Educating Users" is the strategy you plan to embark upon, you should expect to have to "patch" your users every week.
The real question to ask is not "can we educate our users to be better at security?"
Why are users expecting to get E-mails from banks where they don't have accounts? Most of the problems that are addressable through user education are self-correcting over time.