1
00:00:02,350 --> 00:00:04,870
Sometime after the laws of security had been published,

2
00:00:04,870 --> 00:00:11,710
Scott Culp devised another version specifically for your administrator's benefit. These laws are still

3
00:00:11,710 --> 00:00:12,910
valid as well.

4
00:00:15,180 --> 00:00:17,540
We'll just mention them for informative purposes.

5
00:00:20,990 --> 00:00:26,840
The first law states: nobody believes anything bad can happen to them until it does.

6
00:00:26,840 --> 00:00:29,340
The rule describes a kind of wishful thinking.

7
00:00:31,260 --> 00:00:36,240
No one ever thinks that his or her network could be attacked or that their computer may be broken into.

8
00:00:38,150 --> 00:00:44,760
Reality proves that private computers are targeted by attackers and broken into. Research indicates that

9
00:00:44,760 --> 00:00:48,480
in Eastern Europe three computers out of ten are infected with malware.

10
00:00:49,760 --> 00:00:55,470
One third of the users open programs from untrusted sources.

11
00:00:55,610 --> 00:01:00,290
We already know that if someone runs his or her program on your computer, it's no longer solely your

12
00:01:00,290 --> 00:01:04,240
computer.

13
00:01:04,270 --> 00:01:10,390
The second rule: security only works if the secure way also happens to be the easy way.

14
00:01:10,480 --> 00:01:14,300
One of the largest modules in the seminar was devoted to security policy.

15
00:01:16,780 --> 00:01:23,780
When you create security policy, the biggest mistake is to pit security against functionality. You won't

16
00:01:23,780 --> 00:01:29,360
achieve complete security if you force users to use a 24-character-long randomly generated password

17
00:01:29,450 --> 00:01:34,490
that you won't allow them to write down and then make them authenticate their identity every time they

18
00:01:34,490 --> 00:01:39,010
leave their computer idle.

19
00:01:39,010 --> 00:01:45,760
The third law: if you don't keep up with security fixes, your network won't be yours for long.

20
00:01:46,010 --> 00:01:49,440
It's very easy to break into a computer that's not regularly updated.

21
00:01:51,060 --> 00:01:57,420
In one of the modules to come we will learn how to make updates completely automatic.

22
00:01:57,530 --> 00:02:03,080
If you don't download the latest updates, your network won't stay your property.

23
00:02:03,170 --> 00:02:08,020
It doesn't do much good to install security fixes on a computer that was never secure to begin with.

24
00:02:09,440 --> 00:02:10,680
That's the next law.

25
00:02:11,580 --> 00:02:19,220
When it comes to massive attacks there are two main attack vectors: unpatched systems or applications

26
00:02:19,310 --> 00:02:21,470
and typical configuration mistakes.

27
00:02:23,630 --> 00:02:30,750
These vectors are independent of each other, and fixing one problem won't eliminate the other.

28
00:02:30,810 --> 00:02:36,640
The fifth law states: eternal vigilance is the price of security.

29
00:02:36,670 --> 00:02:41,650
The greatest challenge for any administrator is that he or she must protect the network 24 hours a day

30
00:02:42,190 --> 00:02:44,130
against all kinds of attacks.

31
00:02:46,130 --> 00:02:50,370
If the administrator fails to detect just one attack, the attack will succeed.

32
00:02:51,740 --> 00:02:58,910
The attacker can attack whenever he wants. Just one undetected attack is a success for the attacker.

33
00:03:00,480 --> 00:03:05,060
The next law: there really is someone out there trying to guess your passwords.

34
00:03:07,190 --> 00:03:16,380
Many people still use weak passwords. Start, one two three, pass and password are among the most popular.

35
00:03:16,590 --> 00:03:24,600
They're still used by system users. The attackers always try them first.

36
00:03:24,670 --> 00:03:27,250
The more secure network is a well-administered one.

37
00:03:27,610 --> 00:03:32,320
That's the next one. To control all network operations,

38
00:03:32,320 --> 00:03:36,170
the administrator must have a clear network design.

39
00:03:36,390 --> 00:03:42,280
If he doesn't, you won't be able to detect an attack. If the attack goes undetected,

40
00:03:42,290 --> 00:03:45,100
it cannot be stopped.

41
00:03:45,210 --> 00:03:48,880
This is connected with the next law.

42
00:03:49,030 --> 00:03:53,250
The difficulty of defending a network is directly proportional to its complexity.

43
00:03:56,080 --> 00:04:00,460
You might have heard someone saying that his or her network was so complex that even they didn't know

44
00:04:00,460 --> 00:04:01,660
what was going on there.

45
00:04:02,460 --> 00:04:04,370
So how was the tech successful?

46
00:04:05,130 --> 00:04:06,770
This is a false premise.

47
00:04:10,410 --> 00:04:15,320
Security isn't about risk avoidance; it's about risk management.

48
00:04:15,480 --> 00:04:22,570
During one of the other modules we analyzed the risk assessment model. This mentioned the need to assess

49
00:04:22,570 --> 00:04:25,250
the threat correctly and act correspondingly.

50
00:04:27,120 --> 00:04:31,130
You cannot pretend that the threats don't exist.

51
00:04:31,310 --> 00:04:38,910
If you start believing this premise, you stop protecting your computer system.

52
00:04:38,950 --> 00:04:47,510
The final law, technology is not a panacea, was discussed before. In this module we analyzed ten immutable

53
00:04:47,510 --> 00:04:53,820
laws of security that have been created more than a decade ago by Scott Culp. Nine of them are still

54
00:04:53,820 --> 00:04:59,120
valid and don't need any adjustment. Only one of them,

55
00:04:59,210 --> 00:05:05,440
the one concerning Web site security, needs slight adjustment.

56
00:05:05,450 --> 00:05:09,250
This means that computer system security is not a technological issue.

57
00:05:11,750 --> 00:05:15,990
Technology has changed completely in recent years.

58
00:05:16,000 --> 00:05:21,070
There is an enormous gap between Windows 95 and Windows 7.

59
00:05:21,080 --> 00:05:28,700
Nevertheless, the principles valid then are still valid now. This means that the module devoted to attack

60
00:05:28,700 --> 00:05:33,890
and defense methodology is crucial for security.

61
00:05:33,910 --> 00:05:40,970
It's essential that you know various configuration and implementation issues, and even if you're experts

62
00:05:40,970 --> 00:05:47,490
in the field it doesn't mean that you know how to effectively secure your computer systems. Methodological

63
00:05:47,490 --> 00:05:55,970
knowledge is crucial.

64
00:05:55,980 --> 00:05:57,160
Thank you for your attention.