issue101:securite
Différences
Ci-dessous, les différences entre deux révisions de la page.
| Prochaine révision | Révision précédente | ||
| issue101:securite [2015/09/29 00:06] – créée d52fr | issue101:securite [2015/10/17 11:42] (Version actuelle) – auntiee | ||
|---|---|---|---|
| Ligne 1: | Ligne 1: | ||
| - | Back in 2001, there was an incident on September 11 that lead many people to go “OMG! We are doomed! We must increase security! Do whatever it takes!” And the NSA was happy to oblige. On 7/7/05 an attack in London added to the frenzy. I think it is fair to say that these security agencies felt they were given a mandate to “do anything as long as it stops the attacks,” and thus was the overwhelming attack on privacy moved up a whole level. To be clear, security agencies are always pushing the limits, it is in their DNA. And politicians have learned that you never lose votes by insisting on stronger security and appearing “tough.” | + | **Back in 2001, there was an incident on September 11 that lead many people to go “OMG! We are doomed! We must increase security! Do whatever it takes!” And the NSA was happy to oblige. On 7/7/05 an attack in London added to the frenzy. I think it is fair to say that these security agencies felt they were given a mandate to “do anything as long as it stops the attacks,” and thus was the overwhelming attack on privacy moved up a whole level. To be clear, security agencies are always pushing the limits, it is in their DNA. And politicians have learned that you never lose votes by insisting on stronger security and appearing “tough.” |
| - | But the reality is that security is never 100%, and the higher the level of security, the greater the costs in terms of our privacy and liberty. And it is also the case that total insistence on liberty and privacy would cause your security to go down as well, so you really should not adopt any simple-minded approach to this problem. In general, as you add layers of security, each added layer gives you less benefit. Some simple security steps can give you a lot, but as you add more and more, the added benefit drops, and we call this the Law of Diminishing Returns. By the same token, each added measure extracts an ever-increasing cost in terms of the loss of liberty and privacy. Conceptually, | + | But the reality is that security is never 100%, and the higher the level of security, the greater the costs in terms of our privacy and liberty. And it is also the case that total insistence on liberty and privacy would cause your security to go down as well, so you really should not adopt any simple-minded approach to this problem. In general, as you add layers of security, each added layer gives you less benefit. Some simple security steps can give you a lot, but as you add more and more, the added benefit drops, and we call this the Law of Diminishing Returns. By the same token, each added measure extracts an ever-increasing cost in terms of the loss of liberty and privacy. Conceptually, |
| - | In the wake of the 9/11 attacks, Bruce Schneier published | + | En 2001, il y a eu un événement - le 11 septembre - qui a conduit beaucoup de gens à dire « Seigneur Dieu ! Nous sommes fichus ! Nous devons améliorer la sécurité ! Faites le nécessaire ! ». Et la NSA était contente de rendre ce service. Le 7 juillet 2005, une attaque dans Londres |
| - | There is an old joke about what constitutes | + | Mais la réalité est qu'il n' |
| - | Five-Step Process | + | **In the wake of the 9/11 attacks, Bruce Schneier published a book called Beyond Fear: Thinking Sensibly About Security in an Uncertain World (2003). In this book he shows that hysteria is not a good approach to security, and that you need to ask yourself some questions to see what the cost vs. benefit calculation looks like for you. I am going to draw on his model to talk about security as we are discussing it in this series. |
| + | |||
| + | There is an old joke about what constitutes a secure computer. The answer is that it has to be locked in a vault, with no network connection, and no power connection, and even then you need to worry about who can access the vault. It is a joke, of course, because no one would ever do this. We use computers and the Internet because of the benefits they give us, and having a computer in a vault is just a waste of money. We accept a certain degree of risk because that is the only way to get the benefits we want.** | ||
| + | |||
| + | A la suite des attaques du 11 septembre, Bruce Schneier a publié un livre appelé Beyond Fear: Thinking Sensibly About Security in an Uncertain World (2003) (Ndt : qui pourrait se traduire par Au-delà de la peur : réfléchir judicieusement à la sécurité dans un monde incertain). Dans ce livre, il montre que l' | ||
| + | |||
| + | Il y a une vieille blague sur ce qu'est un ordinateur sûr. La réponse est qu'il doit être enfermé dans un coffre, sans connexion à Internet, sans alimentation, | ||
| + | |||
| + | **Five-Step Process | ||
| For any security measure you are contemplating, | For any security measure you are contemplating, | ||
| • What assets are you trying to protect? This is what defines the initial problem. Any proposed countermeasure needs to specifically protect these assets. You need to understand why these assets are valuable, how they work, and what are attackers going after and why. | • What assets are you trying to protect? This is what defines the initial problem. Any proposed countermeasure needs to specifically protect these assets. You need to understand why these assets are valuable, how they work, and what are attackers going after and why. | ||
| Ligne 15: | Ligne 23: | ||
| • What trade-offs does the security solution require? Every security countermeasure affects everything else in the system. It affects the functionality of the assets being protected, it affects all related or connected systems. And they all have a cost, frequently (but not always) financial, but also in terms of usability, convenience, | • What trade-offs does the security solution require? Every security countermeasure affects everything else in the system. It affects the functionality of the assets being protected, it affects all related or connected systems. And they all have a cost, frequently (but not always) financial, but also in terms of usability, convenience, | ||
| - | And going through this process once is not the end. You need to re-evaluate your choices as systems evolve, as technology changes, etc. | + | And going through this process once is not the end. You need to re-evaluate your choices as systems evolve, as technology changes, etc.** |
| - | Example: Passwords | + | Un processus en cinq étapes |
| + | |||
| + | Pour toute mesure de sécurité que vous envisagez, vous avez besoin d' | ||
| + | • Quels biens essayez-vous de protéger ? C'est ce qui définit le problème initial. Toute contre-mesure proposée doit nécessairement protéger ces biens. Vous devez comprendre pourquoi ces biens ont de la valeur, comment ils fonctionnent et ce qui attirerait des attaquants et pourquoi. | ||
| + | • Quels sont les risques liés à ces biens ? Pour cela, vous avez besoin d' | ||
| + | • Jusqu' | ||
| + | • Quels autres risques sont induits par la solution ? Les contre-mesures de sécurité interagissent toujours les unes avec les autres et la règle est que toutes les contre-mesures induisent des risques additionnels pour la sécurité. | ||
| + | • De quels arbitrages a besoin la solution de sécurisation ? Chaque contre-mesure de sécurité affecte le reste du système. Elle influence la fonctionnalité des biens déjà protégés, ainsi que tous les systèmes connexes ou connectés. Et elles ont toutes un coût, financier en général (mais pas toujours), mais aussi en termes d' | ||
| + | |||
| + | Il ne suffit pas de parcourir ce processus une fois. Vous devez réévaluer vos choix quand les systèmes évoluent, parce que la technologie change... | ||
| + | |||
| + | **Example: Passwords | ||
| I have a cartoon on the wall of my cubicle that shows an alert box that says “Password must contain an uppercase letter, a punctuation mark, a 3-digit prime number, and a Sanskrit hieroglyph”. We’ve all encountered this, and it does get frustrating. This is a humorous take on something that is an accepted best practice. I recall a story about a fellow who worked at a company that insisted he regularly change his password, and would also remember the 8 previous passwords and not let him use any of them again. But he liked the one he had, so he spent a few minutes changing his password 9 times in a row, the last time being back to his favored password. Was he a threat to security, or was the corporate policy misguided? Let’s try Bruce’s model and see where we get. | I have a cartoon on the wall of my cubicle that shows an alert box that says “Password must contain an uppercase letter, a punctuation mark, a 3-digit prime number, and a Sanskrit hieroglyph”. We’ve all encountered this, and it does get frustrating. This is a humorous take on something that is an accepted best practice. I recall a story about a fellow who worked at a company that insisted he regularly change his password, and would also remember the 8 previous passwords and not let him use any of them again. But he liked the one he had, so he spent a few minutes changing his password 9 times in a row, the last time being back to his favored password. Was he a threat to security, or was the corporate policy misguided? Let’s try Bruce’s model and see where we get. | ||
| - | • What assets is the company trying to protect? I think this has several possible answers. The company may want to prevent unauthorized access to corporate data on its network. Or the company wants to prevent unauthorized use of its resources, possibly with legal implications. And the company may be concerned to prevent damage to its network. All of these are good reasons to try and control who has access to this asset, and to protect it. But knowing which of these is being targeted may matter when we get to trade-offs and effectiveness of the proposed countermeasures. For now, let’s assume the primary interest is in preventing unauthorized access to the data, such as credit card numbers on an e-commerce site. | + | • What assets is the company trying to protect? I think this has several possible answers. The company may want to prevent unauthorized access to corporate data on its network. Or the company wants to prevent unauthorized use of its resources, possibly with legal implications. And the company may be concerned to prevent damage to its network. All of these are good reasons to try and control who has access to this asset, and to protect it. But knowing which of these is being targeted may matter when we get to trade-offs and effectiveness of the proposed countermeasures. For now, let’s assume the primary interest is in preventing unauthorized access to the data, such as credit card numbers on an e-commerce site.** |
| - | • What are the risks against these assets? Well if we are talking about credit card numbers, the risk is that criminals could get their hands on these numbers. From the company’s standpoint, though, the risk is what can happen to them if this occurs. Will this cause them to assume financial penalties? Will the CEO be hauled in front of legislative committees? Will their insurance premiums rise as a result? This is the sort of thing companies really care about. And when you understand this, you begin to see why companies all adopt the same policies. When people talk about “Best Practices”, | + | |
| - | • How well does the security solution mitigate the risks? This becomes a question of whether forcing people to change their passwords frequently is a significantly effective measure in preventing unauthorized access to computer networks. And here is where things really start to break down. It is very difficult to come up with many examples of cases where a password in use for a long time leads to unauthorized access. That is simply not how these things work. We know that the majority of these cases derive from one of two problems: social engineering to get people to give up their password, and malware that people manage to get on their computer one way or another. I suppose you could make an argument that forcing people to frequently change passwords might in rare cases actually do some good, but there is no way to say that this is in general an effective countermeasure against unauthorized access. | + | |
| - | • What other risks does the security solution cause? There are several possible risks that come out of this. First, since all security measures require a variety of resources (and people’s time and attention is one of those resources), emphasizing one security measure may take resources away from more effective measures that don’t get sufficient attention. But there are also risks from how people act in response to this policy. In the ideal world of the security department, each person with access would choose a long, complicated password each time, chosen for maximum entropy, and then memorized but never written down. Sadly, for the security department, they have to deal with actual human beings, who do not do any of these things. Most people at the very least consider this an annoyance. Some may actively subvert the system, like the fellow in our story who changed his password 9 times in a row to get back to the one he liked. But even without this type of subversion, we know what people will do. If you let them, they will choose something that is easy to remember as their first attempt, and that means they will most likely choose a password that can easily be cracked in a dictionary attack. If you instead insist that each password contain letters, numbers, upper and lower case, a Sanskrit hieroglyph, and two squirrel noises, they will write it down, probably on a yellow sticky note attached to their monitor. If the person in question is a top level executive, it gets even worse, because they won’t put up with the BS ordinary worker bees have to tolerate. | + | |
| - | • What trade-offs does the security solution require? This policy causes a major impact on usability and convenience, | + | |
| - | Bottom Line | + | Exemple : les mots de passe |
| + | |||
| + | J'ai une bande dessinée sur le mur de mon bureau qui montre un message d' | ||
| + | • Quels biens la société essaie-t-elle de protéger ? Je pense qu'il y a plusieurs réponses possibles. La société peut vouloir prévenir tout accès non autorisé aux données de l' | ||
| + | |||
| + | **• What are the risks against these assets? Well if we are talking about credit card numbers, the risk is that criminals could get their hands on these numbers. From the company’s standpoint, though, the risk is what can happen to them if this occurs. Will this cause them to assume financial penalties? Will the CEO be hauled in front of legislative committees? Will their insurance premiums rise as a result? This is the sort of thing companies really care about. And when you understand this, you begin to see why companies all adopt the same policies. When people talk about “Best Practices”, | ||
| + | • How well does the security solution mitigate the risks? This becomes a question of whether forcing people to change their passwords frequently is a significantly effective measure in preventing unauthorized access to computer networks. And here is where things really start to break down. It is very difficult to come up with many examples of cases where a password in use for a long time leads to unauthorized access. That is simply not how these things work. We know that the majority of these cases derive from one of two problems: social engineering to get people to give up their password, and malware that people manage to get on their computer one way or another. I suppose you could make an argument that forcing people to frequently change passwords might in rare cases actually do some good, but there is no way to say that this is in general an effective countermeasure against unauthorized access.** | ||
| + | |||
| + | • Quels sont les risques pour ces biens ? Bon, si nous parlons des numéros de cartes de crédit, le risque serait que des criminels puissent s' | ||
| + | • Jusqu' | ||
| + | |||
| + | **• What other risks does the security solution cause? There are several possible risks that come out of this. First, since all security measures require a variety of resources (and people’s time and attention is one of those resources), emphasizing one security measure may take resources away from more effective measures that don’t get sufficient attention. But there are also risks from how people act in response to this policy. In the ideal world of the security department, each person with access would choose a long, complicated password each time, chosen for maximum entropy, and then memorized but never written down. Sadly, for the security department, they have to deal with actual human beings, who do not do any of these things. Most people at the very least consider this an annoyance. Some may actively subvert the system, like the fellow in our story who changed his password 9 times in a row to get back to the one he liked. But even without this type of subversion, we know what people will do. If you let them, they will choose something that is easy to remember as their first attempt, and that means they will most likely choose a password that can easily be cracked in a dictionary attack. If you instead insist that each password contain letters, numbers, upper and lower case, a Sanskrit hieroglyph, and two squirrel noises, they will write it down, probably on a yellow sticky note attached to their monitor. If the person in question is a top level executive, it gets even worse, because they won’t put up with the BS ordinary worker bees have to tolerate. | ||
| + | • What trade-offs does the security solution require? This policy causes a major impact on usability and convenience, | ||
| + | |||
| + | • Quels autres risques seront induits par la solution de sécurisation ? Il y a plusieurs risques potentiels qui peuvent en découler. D' | ||
| + | • Quels arbitrages sont nécessaires à la solution de sécurisation ? Cette politique a un impact majeur sur l' | ||
| + | |||
| + | **Bottom Line | ||
| So what does all of this mean in the final analysis? I think it means that you need to carefully consider which measures are actually worth taking. And this is, at least in part, a cost vs. benefit analysis. For instance, as I write this, the Heartbleed vulnerability is in the news a good deal, and I got to hear Bruce Schneier discuss how people should react. And he did not say “OMG! Change all of your passwords right now!” He said you should assess the case. If it is your password to login to your bank, that is probably something you want to change. But if it was some social network you access once every two weeks, you needn’t bother. And that seems reasonable. | So what does all of this mean in the final analysis? I think it means that you need to carefully consider which measures are actually worth taking. And this is, at least in part, a cost vs. benefit analysis. For instance, as I write this, the Heartbleed vulnerability is in the news a good deal, and I got to hear Bruce Schneier discuss how people should react. And he did not say “OMG! Change all of your passwords right now!” He said you should assess the case. If it is your password to login to your bank, that is probably something you want to change. But if it was some social network you access once every two weeks, you needn’t bother. And that seems reasonable. | ||
| - | And as another example, although I have discussed how to encrypt e-mails and digitally sign them, that does not mean I open up GPG every time I send an e-mail. It is something of a pain in the posterior to do, and I use it judiciously. I don’t see the point in digitally signing every email when a lot of it is just stupid stuff anyway. | + | And as another example, although I have discussed how to encrypt e-mails and digitally sign them, that does not mean I open up GPG every time I send an e-mail. It is something of a pain in the posterior to do, and I use it judiciously. I don’t see the point in digitally signing every email when a lot of it is just stupid stuff anyway.** |
| - | Three Final Rules | + | Bilan |
| + | |||
| + | Ainsi, qu' | ||
| + | |||
| + | Et, comme autre exemple, bien que j'aie présenté comment crypter les mails et les signer numériquement, | ||
| + | |||
| + | **Three Final Rules | ||
| We will finish this discussion with Bruce’s final three rules from Beyond Fear: | We will finish this discussion with Bruce’s final three rules from Beyond Fear: | ||
| • Risk Demystification: | • Risk Demystification: | ||
| • Secrecy Demystification: | • Secrecy Demystification: | ||
| - | • Agenda Demystification: | + | • Agenda Demystification: |
| + | |||
| + | Trois règles pour conclure | ||
| + | Nous finirons cette présentation avec les trois règles de Bruce tirées de Beyond Fear : | ||
| + | • Démystifier le risque : Vous devez prendre le temps de comprendre ce qu'est le risque réel, et bien comprendre l' | ||
| + | • Démystifier le secret : Le secret est l' | ||
| + | • Démystifier les priorités : Les gens ont des priorités, et ils utilisent souvent la sécurité comme une excuse pour quelque chose qui n'est pas de base une mesure de sécurité. Et les émotions conduisent les gens à des choix irrationnels. | ||
issue101/securite.1443478013.txt.gz · Dernière modification : 2015/09/29 00:06 de d52fr