[nycphp-talk] Basic security question

inforequest sm11szw02 at sneakemail.com
Wed Jul 14 17:38:48 EDT 2004


You get some great advice out of the PHP community on some pretty 
sophisticated stuff, because as we have all heard it ain't so much about 
PHP as it is about the PLATFORM and the APPS. When the discussion 
approaches ARP cache poisoning, you know there is some real depth to 
this community :-)

Now let's make it also clear that when you step into the realm of 
*security* (or privacy) you need to address the DATA in addition to all 
else. In my view it is essential that you:

-be able to restore your data easily and efficiently *at any time* (how 
many can do that?) to the same or another system
-have nothing of high value to hackers available to hackers (not as hard 
as it sounds, but the devil is in the details) e.g. translucent databases
-have a process in place (tested, secure, reliable) to respond to 
compromise in the course of normal business (as normal as possible)
-determine and document and publicize (raise awareness internally) of 
the downtime and risks associated with your setup, so there are no 
surprises if *everything* is lost. It should be just a normal business 
event to rebuild/restore everything (planned to be a rare event, but not 
a disastrous event)

There are many businesses that would not survive a fire - they would be 
devastated and go bankrupt. Ditto for compromise or breach of servers 
and networks. It doesn't have to be that way, and those who are prepared 
will survive. Now, to get the costs of preparedness approved by 
management.... that is another story.

-=john


Paul Reinheimer preinheimer-at-gmail.com |nyphp 04/2004| wrote:

>Every attack whether web or otherwise I have heard about starts with
>learning as much as you can about the target's systems, then seeking
>to exploit some either known or unknown security holes in the software
>that system is running.
>
>Knowing that, why reveal anything? Make the potential attacker work
>for every piece of information they want. Set the apache server string
>to claim it is some recent release of IIS, tell all the services not
>to advertise they are running, save your .php files as .exe and tell
>apache just to interpret appropriately. etc. Obviously if you choose to
>run some off the shelf application (ie phpBB) you will let the cat out
>of the bag, but separating it to a subdomain may only add to the
>confusion.
>
>Does anyone see any real advantage to this approach?
>
>
>paul
>