
Re: Your counsel on defeating DDOS attacks



Alan, a few of us at MITRE got together and have the following comments on your recommendations. In our view, although some of these recommendations may be "fantasy," as Craig put it, additional attention to security now can help establish, or later document, "best practices" that the recommendations could be enforced through: through embarrassment, as Pascal suggested; through legal measures that force companies that are victims of attacks to pay damages because they did not perform due diligence; or through governments and large organizations imposing their own requirements (such as not purchasing products if an OS vendor does not configure systems securely out of the box, or if a software vendor does not follow certain secure programming practices).

- Steve

====================
Main Trends Section
====================

Here are some suggested modifications. We cross-reference some of these points to ease their integration.

Additions
---------

1) Often, machines are first compromised because programmers do not know how to write secure code, or because security is sacrificed for new features.

2) New interaction models are widely deployed without sufficient attention to security and controls (for example, the Melissa virus and mobile code).

3) The volume and variety of information, from a large number of sources, is extremely difficult for system administrators to handle. Moreover, the size and diversity of computer networks make staying current on security extremely difficult. "Careless owners" are not the only problem.

4) Often, security is not a corporate priority, which means that it is under-supported financially.

Modifications
-------------

6th bullet - Many systems are configured to run unnecessary services by default. In turn this makes them useful as attack points. Many "everyday users" may thus become unwitting participants.

=======================
Immediate Steps Section
=======================

Additional Steps
----------------

Problem 4 (Unprotected computers):

1) Disable all unnecessary services on your systems. While it's not a panacea, a large number of systems have vulnerabilities in services that aren't even necessary.

2) Each enterprise should create their own "top 20 list" of the most important vulnerabilities that MUST be fixed by the enterprise. (This is more of a grassroots approach than creating a top 20 list based on community consensus, which could be difficult to define for all/most networks.)

Modifications
-------------

Problem 4 (Unprotected computers):

3rd bullet - All software vendors should (a) establish clear, easy-to-use methods of distributing all security-related patches, and (b) provide a distinct public acknowledgement when a problem arises. This is currently the case with most major OS vendors (at least for most significant problems), although it does not necessarily scale well, but it is a problem with third party and minor vendors.
=========================
Long Term Efforts Section
=========================

Additions
---------

1) Encourage the widespread use of strong authentication. Encryption is mentioned in the proposal, but not authentication.

2) Programmers are strongly recommended to use or build tools that help them to detect and avoid vulnerabilities during the software development cycle.

3) Fund research into security assessment tools which are as easy to use and deploy as anti-virus checkers (this is a long-term approach to producing "system-hardening scripts" as described in the immediate steps section).

Modifications
-------------

1st bullet (IP v6) - If you want to keep this paper strictly related to DDoS (instead of including how to secure zombie/slave systems in general), then consider removing or reprioritizing this bullet, which doesn't curb spoofing or DDoS attacks.

Some of these ideas are the result of email exchanges with various Board members. All Board members, please feel free to add your comments.

- Steve

Page last updated or reviewed: May 22, 2007