Download Print this page

HP 680n - JetDirect Print Server White Paper

Hp jetdirect print servers - philosophy of security.
Hide thumbs

Advertisement

The Philosophy of Security
Table of Contents:
Introduction
Many security whitepapers begin with an in-depth analysis of an algorithm or they begin by showing
how easy it is to exploit various vulnerabilities. The intention is to scare you into performing the steps
outlined by the whitepaper or buy the technology the whitepaper promotes. We are not going to do
that here. This introduction to security endeavors to step back and look at security more generally
and apply some basic philosophical concepts to help understand security in a more meaningful way.
Essentially, we are going to use Holism and apply it to security. What is Holism?
Holism - In the philosophy of the social sciences, the view that denies that all large-scale social events
and conditions are ultimately explicable in terms of the individuals who participated in, enjoyed, or
suffered them. Methodological holism maintains that at least some social phenomena must be studied
at their own autonomous, macroscopic level of analysis, that at least some social "wholes" are not
1

Advertisement

   Related Manuals for HP 680n - JetDirect Print Server

   Summary of Contents for HP 680n - JetDirect Print Server

  • Page 1: Table Of Contents

    The Philosophy of Security Table of Contents: Introduction ............................. 1 Category Mistake ..........................2 Ockham’s Razor ..........................3 Ockham’s Razor Misapplied ......................3 First Cause and Trust Anchors......................5 Greedy Reductionism ........................8 The Verification Problem ........................9 Confessions of an Unethical Hacker – Part 1 ..................11 Confessions of an Unethical Hacker –...

  • Page 2: Category Mistake

    reducible to or completely explicable in terms of individuals' behaviour (see emergence). Semantic holism denies the claim that all meaningful statements about large-scale social phenomena (e.g., “The industrial revolution resulted in urbanization”) can be translated without residue into statements about the actions, attitudes, relations, and circumstances of individuals.

  • Page 3: Ockham's Razor

    owner of a new business and were concerned about how to be profitable and be secure, everything that you’ve read so far may not help. So, let’s start by making a category mistake. What? Why would we want to do that? Because this category mistake we are about to make will actually help us on the road to developing a more sensible way of talking about security: Security is about people.

  • Page 4

    To move to a more complicated security example, let’s see how a couple of simple mistakes can lead to a misapplication of Ockham’s Razor. Example_User is a user in the EXAMPLE Domain. This person has two accounts on the Internet for books and for jewelry, 4 email accounts, and is also an Enterprise Administrator for the Example Domain.

  • Page 5: First Cause And Trust Anchors

    Domain: EXAMPLE Email: example_EA@example.corp Intranet Web Server Login: Example_User Password: WOW!I’mAnEntAdminForExample!!! Domain: EXAMPLE Is this a misapplication of Ockham’s Razor? Analysis: Here we have an interesting scenario. Based upon the research that Example User has performed, one may be confused about whether Example User has done anything wrong. What would happen if a “hacker”...

  • Page 6

    speak and you often have to dig to get that information out. Here is an example of a security developer (SD) and a street wise potential customer (PC) having a conversation about their remote device management software and its advertised security: SD: We have an incredible remote device management solution that is completely secure and no one anywhere has anything like it PC: What security does it use?

  • Page 7

    PC: Okay, so we’ve established a secure SSL connection which has authenticated the device and the management station to each other, how does the web service determine what to do next? SD: We use user authentication. We have Single Sign On capability. You send us your domain credentials, we validate them and determine what group you belong to and then grant you rights off of that group.

  • Page 8: Greedy Reductionism

    just saying “We use SSL” as our Security Developer did is not enough of an answer to really explain anything, much less justify the security claim being made. With our view of security as a holistic enterprise, we can see the people questions – “who configures what settings, where does this configuration take place, when does this configuration need to be done, how is this configuration performed, and what knowledge do I need to give them in order for them to be successful at the tasks they are assigned to do”...

  • Page 9: The Verification Problem

    If HTTP was used (a popular protocol) to read the document, a proxy server could be • involved and there is probably a cached copy of the document in the proxy server’s RAM and potentially on the proxy server’s hard disk •...

  • Page 10

    Our imaginary customer is evaluating encrypting hard drives for his printers in the finance department. The customer is confident all other ways of accessing these sensitive documents have been closed and is now trying to close the final way – a forensic analysis of a printer’s hard drive by a hacker that is able to get his hands on one.

  • Page 11: Confessions Of An Unethical Hacker - Part 1

    What is the company’s response if any of the claims are falsified? Are there legal • obligations for customer notifications? For product replacement? For liability? Are there clear indications the product is working and doing its job properly? Are their •...

  • Page 12: Confessions Of An Unethical Hacker - Part 3

    keystroke loggers – I’m getting pretty good at it – in and out of their cubical really fast. They aren’t ever in the cubicles – they have celebrations to go to! Then I wander around to all the buildings and eat all day on the trays of food people have out.

  • Page 13

    In many businesses, there is a good distinction between super secret documents and • documents that are not confidential. Unfortunately, most documents fall into the grey area in between. In fact, without proper identification, there may be a debate between two peers on whether a document is confidential or not.

  • Page 14: People And Technology: An Analysis For Part 2

    bypass). Most employees walk to the coffee/tea station more times a day than to a network printer. It provides the ability to audit access to those devices. • • It provides the ability to control access to those devices. • It provides a constant reminder to employees about document security.

  • Page 15

    telling employees “Don’t do this” and having the technology deployed in such a way that it allows them to “Do that” very easily isn’t going to work. Especially if “doing that” involves helping people. Let’s go through a sample analysis assuming that employees have identification badges that have security technology for card access control: Identify every exit where employees are solely responsible for making decisions that could •...

  • Page 16: People And Technology: An Analysis For Part 3

    People and Technology: An Analysis for Part 3 In our imaginary unethical hacker’s third confession, we can see he is pretty smart. He’s created a problem and showed up to fix it. If you’ve ever seen an employee’s reaction to the network going down, it is quite similar to a hungry person’s reaction when their food gets stuck in a vending machine.

  • Page 17: How People Can Hurt Security Technology

    Many devices use a simultaneous combination of hard disk, flash, EEPROM, and other • technologies to store a variety of different types of information. An encrypted drive may protect some information placed in non-volatile storage, but not all. These are important questions to ask the MFP manufacturer: What information is stored in non-volatile storage? What types of non-volatile storage is in use?

  • Page 18

    technology and Internet security around SSL is attacked in precisely those areas. As a consumer, you can ask yourself several questions that relate to SSL: • If I only use SSL for a couple of secure shopping sites, why do I automatically trust more root CAs than I need to? Shouldn’t I remove some of them? Why should I support SSLv2.0 if my secure shopping sites offer TLS support? •...

  • Page 19

    This is a lot different – notice the symbols and explanatory text. The way the information is now presented, it will grab your attention. If we click the “Continue to this website (not recommended)” link, we get this:...

  • Page 20: Summary

    Notice the URL and the “Certificate Error” message. Why did Microsoft change the behavior so drastically? Well, because people can make decisions that hurt their security, even when they are using SSL. By moving to a different way of presenting this information to the user, they are helping the user make good decisions around security.

Comments to this Manuals

Symbols: 0
Latest comments: