Some Security Suggestions


Looking at ciphers and their dependence on keys suggests many ideas about the security of an organization. Since the key determines the output of the cipher, and changing the key changes the ciphertext of every message that follows, rotating keys keeps an attacker guessing. Many attacks on algorithms are brute-force attacks. A brute-force attack does not analyze the cryptographic algorithm, as a cryptanalytic attack does; it simply tries key after key until something recognizable as plaintext is recovered. If the keys change while such an attack is under way, any key the attacker eventually recovers unlocks only the messages sent under it, and the whole search has to be repeated for the next key. Note what rotation does and does not do: a key weak enough to be found by brute force still decrypts everything the attacker captured under it, so rotation bounds the damage from a recovered key rather than preventing its recovery. Rotating keys adds to the confusion for an attacker.

Tip  

A rule of thumb is simply to keep the attacker guessing. Very sensitive data should periodically be re-protected under a new key set. However, rotating keys too often can also be a problem, because every rotation is an opportunity for an attacker to intercept the new key in transit. A key is only worth rotating if the new key is distributed through a secure channel.

Messages can use session keys that are created for the duration of a communication session, so that keys do not become stagnant. Many layers of security have been mentioned so far, and it is important to make sure that all of them are actually implemented.
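As an added illustration (not code from the book), the following Python models the brute-force attack described above and shows what rotating to a fresh session key actually buys. It uses a deliberately tiny 16-bit toy keystream built from SHA-256, an assumption made so the exhaustive search finishes quickly; it is not a real cipher. The attacker exhausts the key space with a known-plaintext crib and recovers the first session's key, but because the second session used a different key, the recovered key exposes nothing sent under it.

```python
import hashlib
from typing import Optional

# Toy key size chosen so the exhaustive search finishes in about a second.
# Real keys are at least 128 bits, which no brute force can exhaust; the small
# key space here only makes the effect of rotation visible. (Assumption.)
KEY_BITS = 16


def keystream(key: int, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key, counter). Illustrative only,
    NOT a real cipher construction."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def encrypt(key: int, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def decrypt(key: int, ciphertext: bytes) -> bytes:
    """XOR is its own inverse."""
    return encrypt(key, ciphertext)


def brute_force(ciphertext: bytes, crib: bytes) -> Optional[int]:
    """Attacker side: try every key in the space and keep the one under which the
    ciphertext decrypts to a known plaintext prefix (the crib)."""
    prefix = ciphertext[:len(crib)]
    for candidate in range(1 << KEY_BITS):
        if decrypt(candidate, prefix) == crib:
            return candidate
    return None


def demo() -> dict:
    """Two sessions, two keys. The attacker recovers session 1's key by brute force;
    because session 2 was keyed afresh, that key says nothing about session 2."""
    crib = b"GET / HTTP/1.1"          # plaintext an attacker can predict
    session1_key = 0xBEEF             # fixed here for reproducibility; in practice
    session2_key = 0x1234             # derive each session key with secrets.randbelow()
    msg1 = encrypt(session1_key, crib + b" Host: app.example.test")  # constructed
    msg2 = encrypt(session2_key, crib + b" Host: app.example.test")  # constructed

    recovered = brute_force(msg1, crib)
    if recovered is None:
        return {"recovered_key": None, "session1_exposed": False, "session2_exposed": False}
    return {
        "recovered_key": recovered,
        "session1_exposed": decrypt(recovered, msg1).startswith(crib),
        "session2_exposed": decrypt(recovered, msg2).startswith(crib),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the recovered key (0xBEEF) and shows that session 1 is fully readable with it while session 2 is not; the attacker has to repeat the entire search for every key epoch, which is the only sense in which rotation makes the attacker "start again".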

The only way to ensure that the different layers are implemented is to test. One of the organizations that I consulted for would set aside a down day to test its security. A team of network and system administrators would have all their tools monitoring the network. They would then run all the servers and application servers while the organization was connected to the Internet, and another team of engineers would spend the day trying to hack in, to see whether they could be stopped. During these tests there was always a router that could be turned off to cut the organization off from the Internet, and all software was backed up beforehand. Many holes in the network were found during these routine tests.

Tip  

Consider how attackers try to break your organization's security, and keep them guessing.

One fruitful suggestion is simply to know the software and hardware. Make sure that people are continually trained, and occasionally bring in consultants to test the systems and check how the equipment was installed. Most attacks that I have witnessed occurred because somebody did not set up the firewall correctly, or left a back door into a server or machine by not taking the time to delete files or double-check the setup. Know the security of the applications and application servers.

Note that some J2EE servers use message digests to save passwords to databases. The passwords are normally six or eight characters long. Because an unsalted digest such as MD5 always produces the same hash for the same password, an attacker who obtains the stored digests can compare them against digests precomputed from a list of likely six-character passwords, and every match reveals a password; two users who chose the same password are also immediately visible, because their stored digests are identical. A pattern emerges, and the pattern is what the attack exploits. Always avoid patterns. The pattern is eliminated by combining each password with a unique random salt before hashing it (and, ideally, by using a deliberately slow hash function). Encrypting the password under a key instead of digesting it also hides the pattern, but the key must then be protected at least as well as the passwords themselves, since anyone who obtains it can recover every stored password.
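As an added example (not code from the book or from any J2EE server), the Python below shows the pattern and its removal: an unsalted MD5 digest lets identical passwords be spotted and looked up in a precomputed table, while a per-user random salt with PBKDF2 (the standard-library `hashlib.pbkdf2_hmac`) gives every user a different stored value that no precomputed table matches. The user names, passwords and word list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed word list of six-character passwords; a real attacker would use millions.
WORDLIST = ["secret", "passwd", "qwerty", "123456", "monkey", "dragon", "summer"]

ITERATIONS = 100_000  # PBKDF2 work factor; slows every guess an attacker makes


def md5_unsalted(password: str) -> str:
    """The pattern the text warns about: same password, same digest, for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def precompute_table(words) -> Dict[str, str]:
    """Attacker side: digest -> password, computed once and reused against any dump."""
    return {md5_unsalted(w): w for w in words}


def crack_unsalted(dump: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Look each stored digest up in the precomputed table; None means not in the list."""
    return {user: table.get(digest) for user, digest in dump.items()}


def store_salted(password: str) -> Tuple[str, str]:
    """Defender side: per-user random salt plus a deliberately slow derivation.
    Returns (salt_hex, derived_key_hex) for storage alongside the user record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), dk.hex()


def verify_salted(password: str, salt_hex: str, dk_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    # Constructed "user database": alice and carol happen to share a password.
    users = {"alice": "secret", "bob": "dragon", "carol": "secret"}

    # The vulnerable scheme: unsalted MD5 of each password.
    unsalted_dump = {u: md5_unsalted(p) for u, p in users.items()}
    cracked = crack_unsalted(unsalted_dump, precompute_table(WORDLIST))

    # The hardened scheme: fresh salt per user, slow KDF.
    salted_dump = {u: store_salted(p) for u, p in users.items()}

    return {
        "alice_carol_same_digest": unsalted_dump["alice"] == unsalted_dump["carol"],
        "cracked": cracked,
        "alice_carol_same_salted": salted_dump["alice"][1] == salted_dump["carol"][1],
        "verify_ok": verify_salted("secret", *salted_dump["alice"]),
        "verify_wrong": verify_salted("dragon", *salted_dump["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

In the unsalted dump all three passwords fall to the table and the alice/carol duplication is visible at a glance; in the salted dump the two "secret" records differ, so the attacker has to run the slow derivation separately for every user and every guess.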

Tip  

Avoid patterns, especially in stored passwords. Patterns in digests can be removed with a per-user salt, or by encryption under a well-protected key.

Another attack is the chaotic attack. In software there is the monkey test, which is based on the theory that if a certain number of monkeys push keys at random for long enough, one of them is bound to type something meaningful purely by accident. Everything works with the Web site or application when I follow the procedure, but what happens when I push keys at random? Pushing function keys has led to back doors.

Once, in the chaotic scenario, I was FTPing an expensive application in beta and wondered what would happen if I changed the directory to a home directory with one of the developers' names as a subdirectory. The next thing I knew, I was looking at the source of the application. Test the security, not just how it should work, but how it shouldn't work. Test whether the login is working securely. What happens if I log in as "guest" or don't enter a password?

Tip  

The best way to know the degree of your organization's security is to test, test, and test. Not only test how it should work, but also how it should not.



Java Security Solutions
ISBN: 0764549286
Year: 2001
Pages: 222