Quotes Related to Computer Security: humorous, pithy, ...

Quotes Related to Computer Security

Remember, even paranoids have real enemies.

Delmore Schwartz, American poet
circa 1950's
Often misattributed to Henry Kissinger
or to being an "old saying"

Paranoia is the only sane approach.
In this business, you would be crazy not to be paranoid.

In war-time, truth is so precious that she should always be attended by a bodyguard of lies.

Winston Churchill

Good system administration is good security, and vice versa

Douglas Gerdin, System Administrator, AI Center, SRI International

Aggressive creativity: a characteristic of people in intrusion handling

Douglas Moran

The company developed these features at customers' request. When used properly, they automate day-to-day tasks and save time.
"But anytime you have the ability to automate something, there's always the potential for misuse," he said. "More important than the technical side of this is the human side. It's not something technology is ever going to be able to solve." ... Microsoft's Culp said Internet users must ultimately understand technology's limitations. He said customers have the option to turn off some of the features in question and take other security precautions.

"We as a society chose to get more connected, and one of the perils of doing that is, the more connected you are with everybody, the more connected you are with malicious people as well."

Scott Culp, a security manager at Microsoft, quoted in "Technology Security Risks Growing" by Anick Jesdanun, AP, 5/5/2000

One area of intrusion detection R&D that has received much too little attention has been the similarity between on-the-fly network management and on-the-fly network intrusion detection. In particular, the emerging Remote Monitoring (RMON) Management Information Base (MIB) defined in RFC 1271 provides an excellent basis for performing some intrusion detection collection and processing. This is especially important because such an embedded base of network management applications already exists for RMON. ... By utilizing standards such as SNMP and RMON, network system designers can use multiple vendors for their data collection and processing functions, without having to worry about incompatibilities.

Edward Amoroso, Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response, Intrusion.Net Books, New Jersey, 1999, ISBN 0-9666700-7-8.
page 52

The third option in active response is to collection additional information. This option is of special interest when the system being protected is critical and a system owner might want to pursue legal remedies. At times this logging response is coupled with the use of a specialized server, established to serve as an environment into which the intruder can be diverted. This server is known by a variety of names. Most common are "honey pots," "decoys," or "fishbowls." Such servers are equipped to mimic the appearance and content of critical systems.
Decoy servers are of value to security managers who are collecting threat information on intruders or who are collecting evidence to support taking legal action against them. Using a decoy server allows the victim of an intrusion to determine the intent of the intruder, logging extensive information about the activities of the intruder without placing the actual system contents at risk of damage or divulgence. This information can also be used to construct custom detection signatures.

Information collected in this way is also of value to those performing trend analysis of network security threats. This information is of particular interest in systems that must operate in hostile threat environments or that are subject to large numbers of attacks (such as government Web servers or high-profile electronic commerce sites).

Rebecca Gurley Bace, Intrusion Detection, Macmillan Technical Publishing, Indianapolis, 2000, ISBN 1-57870-185-6.
page 128, section 5.2.1.3: Collect Additional Information

Ross Anderson and Roger Needham point out that the challenges of security engineering are those of "programming a computer which gives answers that are subtly and maliciously wrong at the most inconvenient possible moment."* In essence a designer must assume that the computer is under the control of an intelligent and malicious opponent.

* Ross Anderson and Roger Needham. "Programming Satan's Computer", Computer Science Today, Springer LNCS, v1000: 426-441

Rebecca Gurley Bace, Intrusion Detection, Macmillan Technical Publishing, Indianapolis, 2000, ISBN 1-57870-185-6.
page 192

... investigate to what degree the vendor has anticipated this possibility of attack and determine how the vendor has addressed this risk.
First, look for signs that the vendor understands the need for hardening the intrusion detection system against attack. ...
Second, look for signs that the vendor understands the need for hardening the intrusion detection application itself. Look for signs of extensive quality assurance testing. Look for evidence of secure programming practices. Look for vendor assurances of appropriate security measures taken in the design and development of the systems (Does the firm do background checks on its developers to minimize the possibility of subverted software in the product?). Also, look for signs of security-savvy design. Examples include the following:

Encrypted communications between sensors and the control console.
Encrypted license keys restricting the hosts that can be scanned by the product.
Support for token-base or other strong I&A of those configuring the system.
Logging mechanisms for the intrusion detection system itself.

Rebecca Gurley Bace, Intrusion Detection, Macmillan Technical Publishing, Indianapolis, 2000, ISBN 1-57870-185-6.
pages 221-222, 10.2.3: How Did You Test This?