[ISM3 Users] Tuesday Insight: Security Patterns

Vicente Aceituno vac at zenobia.es
Thu Oct 25 10:43:13 CEST 2007 

Probably many of you have noticed that information security and other
types of security use common techniques. By techniques or security
patterns I don't mean how something is protected, but the general
"what you do" scheme used for the protection.

For example, encryption is a way of Hiding. In this particular case,
you hide structured information in information that is apparently
random. If you use stenography instead, you are hiding structured
information inside structured information.

I can think of the following security patterns:

1- User Registation - identify users (identification) and providing
them with credentials and access rights.
2- Access Control - users providing credentials to systems
(authentication) and actually using them with their access rigths
(authorization)
3- Records - systems recording the use performed by users
4- Backup - making copies of information (backup) ) to replace
information if lost
5- Summarization - Adding hashes and digital signatures or detect if
information has changed.
6- Camouflage - hide structured information in information that is
apparently random
7- Mimetism - hide structured information in structured information.
8- Clearing - destroying information or systems
9- Redundancy - keeping spare channels, repositories, interfaces, etc
in case the main ones are not available
10- Decoys - creating lookalikes of potential targets to force the
attacker to fail or use more resources (honeypots)
11- Delays - add artifical delays to hamper attacks (e.g. delay
between login attempts)
12- Quarantine - delaying authorization until authentication can be
performed thouroughly or other conditions are met.
13- Watch: keep under surveillance
14- Marking: for inventory and ownership proof purposes, Watermarking:
hidden marking
15- Signatures: express will or authorship of something
16- Disociation: keep two pieces of information linked but separated
(used for privacy)
17- Dispersion: spread your systems in a big geographic area (most
runaways groups spread to prevent getting all caught )
18- Diversification: use different technologies in redundant systems
to prevent technology-dependent single points of failure
19- Durability: make systems in a way that doesn't break down easily.
20- Environment Control: control temperature, humidity and heat
21- Expiry: marking for clearing outdated information
22- Hardening: making systems less vulnerable to attack
23- High Mobility: move and turn fast to prevent being hit
24- High Visibility: be so obvious that it is more difficult to hit
you (or miss you) by mistake. 25- Impredecibility: reduce the
opportunity of attack by not following predictable patterns of
behaviour (threatened people use different routes every day)
26- Insurance: recover your loss by transferring the risk to someone else
27- Inventory: learn what you have so you can protect it
28- Misinformation: misguide the attacker by giving him false but
seemingly true information
29- Opportunity Minimization, Patching: Reduce the opportunities of
attack by fixing holes or restricting when you are available
30- Reservoir: keep spares so you can replace failed componets or systems
31- Shielding: put something hard between you and what could hit you

My best

Vicente

P.S. I hope next Tuesday Insight get actually sent on a Tuesday... :)

More information about the Users mailing list