Security Rules of Thumb
- If an intruder can run arbitrary code on your UNIX or NT host, you
are toast. Assume your security policies have been violated.
- Don't trust data from the network.
- Don't trust people, trust hardware.
- Make it easy for people to use appropriate security technology;
if you don't, they will go around you.
- Don't bother people with weak authentication when you have already authenticated them using some strong method.
- Know the difference between authentication, authorization, and
auditing, and solve the right problem.
- Never configure a "more" secure machine from a "less" secure machine.
- Don't let automated systems have unrestricted access to secure systems.
- Random numbers are hard, and often are the downfall of crypto systems. Time and again the crypto design was good, but the key was derived from a poor random source, so the effective key space was far too small.
- Social engineering is often easier than "technology" attacks.
Last Revised by MAV