Wireless Security.pdf - PDF Archive

214 Chapter 9
the security policy should include a rule, which can be as simple as a single statement
that says the physical interface should have the same password scheme as the network
interface. To take it a step further, the policy might also include a rule that the thermostat
box should be physically locked and only certain personnel have access to the key.
Though it seems like there should be, there are no rules governing security policies in
general. Certain organizations, such as corporations and the government, have certain
guidelines and certifications that must be followed before an application is considered
“ secure, ” but even within a single organization, the security policies will likely differ. The
problem is, as we will repeat throughout this book, that security is application-dependent.
Although this means there is no official template to start from, a good starting place for
a security policy would be the initial requirements document for the application. Each
feature should be analyzed for its impact to the system should it ever be compromised.
Other things to take into account are the hardware used, the development tools and
language used, the physical properties of the application (where is it), and who is going to
be using it.
When developing your security policy, think of your application as a castle. You need to
protect the inhabitants from incoming attacks and make sure they are content (at least if
they are not happy living in a castle); see Figure 9.2 . Your policy is then a checklist of all
the things that might allow the inhabitants to come to harm. There are the obvious things
(get them out of the way first) like locking the castle gate and requiring proof of identity
before allowing someone to enter (the password in an electronic application), or making
sure the inhabitants can do their jobs (the application performs its tasks). However, to truly
develop a useful policy, you have to think a little like the enemy. What are some other
possibilities? Well, the enemy might not care about taking total control of the castle, and
instead prevent it from functioning properly by stopping incoming traders from reaching
the castle (denial of service attack). A more subtle attack might be something that is not
noticed at first, but later becomes a serious problem, like hiring an inhabitant to sabotage
the defenses (disgruntled employee making it easier for hackers), or poisoning the water
supply (viruses). The enemy may also rely on cleverness, such as the mythical Trojan
horse (Trojan horses, basically viruses that give hackers a doorway directly into a system).
The enemy may not even be recognizable as an enemy, in the case of refugees from a
neighboring war-ravaged country suddenly showing up and eating up all the available food
and resources (worms like Blaster and Sasser come to mind). The possibilities go on and
on, and it can be daunting to think of everything that might be a problem.
www.newnespress.com