1
00:00:01,570 --> 00:00:06,880
The biggest consequence of the lack of security policy is that users do not know how to react to typical

2
00:00:06,910 --> 00:00:09,030
and atypical situations.

3
00:00:10,910 --> 00:00:14,730
In a way we shift the responsibility for the decision onto others.

4
00:00:15,920 --> 00:00:21,230
But they can't really make such a call because they do not know the working principles of computer systems.

5
00:00:24,900 --> 00:00:29,430
In the slide you can see one of the older solutions which was created to protect users from a piece

6
00:00:29,430 --> 00:00:31,620
of malicious software called a key logger

7
00:00:34,960 --> 00:00:39,860
bloggers tracked the keystroke on a keyboard and remember the sequence.

8
00:00:39,880 --> 00:00:42,700
They act like a virtual copy of a real keyboard.

9
00:00:44,960 --> 00:00:47,890
The solution presented here doesn't seem to be thought through.

10
00:00:49,630 --> 00:00:52,490
Every security solution must meet two criteria.

11
00:00:53,940 --> 00:00:59,850
It must serve the specific purpose and it mustn't make it harder to use the program or system it's installed

12
00:00:59,850 --> 00:01:02,550
on.

13
00:01:02,650 --> 00:01:07,330
The purpose of the solution presented in the slide is to prevent a key logger from tracking a user's

14
00:01:07,330 --> 00:01:08,500
keyboard input.

15
00:01:10,640 --> 00:01:17,600
This input may then be used to hijack a session to make online shopping at the user's expense.

16
00:01:18,420 --> 00:01:22,790
Or disbands users virtual money.

17
00:01:22,800 --> 00:01:31,090
The truth is however that this solution doesn't really protect the user from any of these threats it

18
00:01:31,090 --> 00:01:36,480
offers protection against tracking keystrokes only.

19
00:01:36,590 --> 00:01:43,250
For example the computer used to log into my pay may be infected with malware that doesn't track keystrokes

20
00:01:43,790 --> 00:01:48,320
but is able to hijack the system.

21
00:01:48,400 --> 00:01:52,590
So the solution presented in the slide is complicated and yet unreliable.

22
00:01:55,710 --> 00:02:04,310
Another example of an unfortunate security solution is a PC smart card reader with a PIN pad a smart

23
00:02:04,310 --> 00:02:06,490
card or a chip card.

24
00:02:06,800 --> 00:02:12,010
It's based on a digital key which both protects and authenticates the identity of the card holder.

25
00:02:14,690 --> 00:02:22,160
To be able to use the digital key you need to know the cards PIN number one manufacturer introduced

26
00:02:22,160 --> 00:02:25,760
a small device for personal computers that look like a credit card reader.

27
00:02:28,210 --> 00:02:34,090
The idea was to use the pin pad not the keyboard to enter the PIN numbers so that the key logger couldn't

28
00:02:34,090 --> 00:02:34,860
record it.

29
00:02:37,580 --> 00:02:45,700
Supposedly it made it safe to use PC smart cards even if the computer was infected with a key logger.

30
00:02:45,700 --> 00:02:49,820
However the solution was complicated impractical and inconvenient.

31
00:02:51,750 --> 00:02:54,740
In reality it failed to eliminate real threats.

32
00:02:57,590 --> 00:03:01,190
Actually to know the PIN number is not enough to attempt an attack.

33
00:03:03,040 --> 00:03:07,770
Use a smart card you have to know the PIN number but you also have to possess the actual card

34
00:03:10,370 --> 00:03:12,560
otherwise the attack is impossible.

35
00:03:15,180 --> 00:03:19,010
A security policy should help you to design smart security solutions.

36
00:03:20,590 --> 00:03:24,630
Solutions which won't be annoying and inconvenient.

37
00:03:24,830 --> 00:03:31,610
For example a virtual keyboard which requires the user to enter the password by clicking on the symbols

38
00:03:31,610 --> 00:03:38,120
with the mouse cursor is inconvenient and will ultimately make the user change the password to a shorter

39
00:03:38,120 --> 00:03:38,650
one.

40
00:03:40,680 --> 00:03:43,660
So in reality it makes the system less secure.

41
00:03:47,140 --> 00:03:53,540
Recently as a consequence of this shift in the approach to the issue computer security has been viewed

42
00:03:53,540 --> 00:03:56,240
as a process where continuum

43
00:03:59,090 --> 00:04:09,980
in security process should consist of at least four elements protect detect react restore.

44
00:04:10,140 --> 00:04:14,890
First you should define the resource you would like to protect.

45
00:04:14,990 --> 00:04:23,160
Then you should detect actions that violate the security policy such violations may turn out to be user's

46
00:04:23,160 --> 00:04:25,320
errors or real attacks.

47
00:04:26,680 --> 00:04:28,920
You also have to react accordingly.

48
00:04:30,530 --> 00:04:32,780
Remember that a system is never secured.

49
00:04:33,020 --> 00:04:35,590
It can only be protected to a certain extent.

50
00:04:36,890 --> 00:04:40,680
You have limited time to take action.

51
00:04:40,920 --> 00:04:47,250
If you use it properly you can counter a successful attack or even completely stop it.

52
00:04:49,040 --> 00:04:54,400
If you fail to use the time you have all you will be able to do is record the attack

53
00:04:57,140 --> 00:05:02,770
the last elements of an effective security process is recovery strategy.

54
00:05:02,800 --> 00:05:06,460
What you can do to restore the system after a failure or an attack

55
00:05:12,820 --> 00:05:19,110
the goal of a security process is not to guarantee that the attack is impossible.

56
00:05:19,280 --> 00:05:21,620
Sooner or later the attack will occur.

57
00:05:23,670 --> 00:05:31,870
Thanks to a security process you will be able to detect it Schneier who is a computer security guru

58
00:05:31,930 --> 00:05:37,940
and a data encryption expert used to say security is a process not a product.