1
00:00:00,840 --> 00:00:09,350
Another myth: thanks to XYZ technology, you don't need physical protection or a security policy.

2
00:00:09,380 --> 00:00:18,390
Why is this false? All applications can only be used for protection if they're turned on. Shutting down

3
00:00:18,390 --> 00:00:19,440
your operating system,

4
00:00:19,440 --> 00:00:24,710
it's hard to believe that it would still protect the data saved on the disks.

5
00:00:24,800 --> 00:00:27,750
It doesn't, and it can't.

6
00:00:27,960 --> 00:00:31,810
This is true also of any other device.

7
00:00:31,810 --> 00:00:33,810
Let's go back to firewalls for a moment.

8
00:00:36,240 --> 00:00:42,570
Even if you paid $5,000 for a mid-range firewall, it won't defend your system against locally driven attacks

9
00:00:42,750 --> 00:00:48,030
which, for example, may be launched from the computer standing next to your own.

10
00:00:48,050 --> 00:00:51,170
In other words, technological security measures are vital.

11
00:00:52,770 --> 00:00:57,380
But they should only be part of a larger security policy for your company.

12
00:00:57,380 --> 00:01:04,100
We'll talk about that in the next part of this course. "Effective security is achieved through obscurity"

13
00:01:04,960 --> 00:01:06,610
is another false notion.

14
00:01:07,450 --> 00:01:11,690
This theory assumes that the less conspicuous you are, the more secure your system will be.

15
00:01:13,400 --> 00:01:17,870
But it's much harder to hide on the Internet than it is to hide in your house, on your street or in your

16
00:01:17,870 --> 00:01:18,740
neighborhood.

17
00:01:20,690 --> 00:01:25,220
Attempting to obscure your computer system on the Internet means that your presence will be compromised

18
00:01:25,220 --> 00:01:32,600
for potential customers and other people you want to share information with. Not connecting to the Internet

19
00:01:32,630 --> 00:01:35,150
in the first place wouldn't make for a big difference.

20
00:01:37,590 --> 00:01:42,540
Any system that performs some operations can disclose a lot about its configuration and the people who

21
00:01:42,540 --> 00:01:43,070
manage it.

22
00:01:46,140 --> 00:01:48,350
This information is out there for the public.

23
00:01:49,330 --> 00:01:52,240
In the next parts of this course we'll learn to read it.

24
00:01:53,940 --> 00:02:02,390
The next myth: client-side security successfully protects the server. An example is a client application

25
00:02:03,750 --> 00:02:08,930
which does not allow users to enter minus one as a value in the price field of an online shop.

26
00:02:10,460 --> 00:02:15,170
It protects us from people who would want to try and deceive us by buying a product for free and making

27
00:02:15,170 --> 00:02:16,570
us pay money to them.

28
00:02:18,490 --> 00:02:20,660
This myth is false for two reasons.

29
00:02:21,540 --> 00:02:27,290
As server administrators, you have no control over client computers.

30
00:02:27,420 --> 00:02:34,290
The client could be the administrator of his computer and will be able to use it freely.

31
00:02:34,300 --> 00:02:39,130
He could, for example, tamper with the functioning of your secure web page used for online purchases.

32
00:02:40,560 --> 00:02:47,240
Not being a programmer, the user may not want to modify the code on the web page, but he can connect to

33
00:02:47,240 --> 00:02:50,150
the page bypassing your application on a public server.

34
00:02:51,530 --> 00:02:59,740
You can't force all users to always connect to the server using your application. If there's communication,

35
00:02:59,740 --> 00:03:04,050
users can always set it up without having to use your program if they know how to do it.

36
00:03:05,820 --> 00:03:13,320
And the program that will be used instead may not function exactly as you wish it would. "Cracking passwords

37
00:03:13,320 --> 00:03:22,370
is the biggest threat" is another myth from our list. Yes, you should protect your authorizations.

38
00:03:22,600 --> 00:03:28,030
It's not true, however, that if an unauthorized person gains access to your authorizations he or she

39
00:03:28,030 --> 00:03:32,310
may hijack your identity in a computer system.

40
00:03:32,340 --> 00:03:37,470
It's also not certain that cracking a password consists of trying algorithms and authorization procedures

41
00:03:38,010 --> 00:03:40,530
until an unencrypted password is determined.

42
00:03:41,660 --> 00:03:49,680
It's far easier to simply ask the user to provide a password. As you'll see, in six out of 10 attempts

43
00:03:50,840 --> 00:03:53,270
the user will submit his password himself.

44
00:03:53,720 --> 00:03:55,930
So cracking is simply not worth the trouble.

45
00:03:57,880 --> 00:04:04,870
Encrypted passwords, for example an MD5 hash or any other cryptographic material, are used for

46
00:04:04,870 --> 00:04:06,980
authorizations in computer systems.

47
00:04:09,320 --> 00:04:13,650
It's enough to send the hash to an application without even knowing the unencrypted value.

48
00:04:15,420 --> 00:04:22,320
The threat is not limited to simply cracking passwords as far as computer system users are concerned.

49
00:04:23,160 --> 00:04:27,580
A variant of the myth tells them not to save any passwords; they have to be memorized.

50
00:04:29,710 --> 00:04:35,470
A secure password set up by administrators could, for example, be a string of 18 pseudo-randomly generated

51
00:04:35,470 --> 00:04:37,480
characters.

52
00:04:37,650 --> 00:04:42,790
Users, knowing they'll have trouble remembering it, take the password down.

53
00:04:42,970 --> 00:04:44,320
Is it wrong to do so?

54
00:04:45,570 --> 00:04:47,260
No.

55
00:04:47,490 --> 00:04:50,800
The problem, however, is storing the information in a secure way,

56
00:04:52,150 --> 00:04:56,340
like you would store confidential data such as a credit card.

57
00:04:56,360 --> 00:05:00,890
Not many people would leave their credit card under their keyboards.

58
00:05:00,920 --> 00:05:06,690
They usually put it in a wallet. So why don't you keep the note with your password in your wallet instead of

59
00:05:06,690 --> 00:05:08,530
leaving it under the keyboard?