脆弱性安全 vs. 结构性安全.ppt

* 结构性安全的局限性Limitation of structural security 结构是在环境中的、有边界的 environment and boundary 在不同阶段、不同人手中保持安全很困难 different phases and organizations * 在人性中寻找弱点Find vulnerabilities from human behavior 社交工程攻击Social Engineering 隐私保护Privacy protection 自由倾向Anti-DRM 懒惰Lazy … … * 结构性安全的局限性Limitation of structural security 结构是在环境中的、有边界的 environment and boundary 在不同阶段、不同人手中保持安全很困难 different phases and organizations 人把科学变成了艺术 Human transform science to art * 结构本身可能就有问题Find vulnerabilities from structure itself * 对于AR/PEP/PDP的伪装，可能打破整个结构 every role may be spoofed 所有看似漂亮的结构，其性能和可用性问题可能会非常严重，会轻易被拒绝服务攻击击垮 Most beautiful structures have performance and availability problems and may be easy to be kick down by DoS. 那么多传统攻击方式，可能有的还有效 Some traditional attacks are still effective 结构本身可能就有问题Find vulnerabilities from structure itself * 结构性安全还要继续博弈We are still in the game 怎么博弈？ How to Play the game? 你了解对方的结构吗？ Do you know the structure of all players? 你了解对方了解多少自己的结构吗？ Do you know “how much have the other player known about your structure” ? * 结构性威胁Structural threats 知识、资源和原则 Knowledge, Resources and Principles * 知识Knowledge 寻求对于系统更深层次技术结构的研究 Who know lower? 寻求对于系统宏观结构的了解 Who know the macro-structure better? 寻求对于具体对象的全面了解 How many details do you know? … … * 资源Resources 从分布式拒绝服务攻击到僵尸网络，掌握具有结构和组织的攻击体 Botnet is a sample of structural software organization for attacking 在时序上组成结构，非常有利于攻击 Time sequence spreading is a good thinking of structural attack … … * 结构的一些关键字Key words of structure Business Distribution Hierarchy Time sequence Life-cycle Management Organization Regular Process Control Value 业务 分布式 层次 时序 生命周期 管理 组织 制度 过程控制 价值 * 流程化的结构思路Process-oriented structure process input output Process owner operator Infra- structure Knowledge base LOG Archive Process improving Monitor * 原则Principles 安全没有百分之百 No 100% Security 安全相对性的三个原则 3 security relativity rule 生存原则 survival rule 风险原则 Risk rule 保镖原则 bodyguard rule 自身完备性要求 Perfective requirement * 总结 Conclusion 脆弱性安全Vulnerability