CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [264]


■ Be prepared to renew or reissue keys and certificates after they expire.

■ Regularly purge your software to remove copies or caches of both current and expired keys—your current keys should be stored only on removable media.

■ Don’t leave active keys or certificates on portable systems.

■ Never store the removable media used for key storage in the same luggage or carryall as the device for which it is used.

■ Purge all keys that have expired.

■ Always check the revocation status of keys and certificates before acceptance or use.

■ When a key or certificate will be unused or dormant for seven days or more, request a key/certificate suspension to temporarily “disable” them.

■ Ensure that some form of M of N Control is employed on key recovery as well as key/certificate generation and issuance.

■ Use session keys only once.

■ Generate new session keys at the beginning of each session.

■ When available, use a one-time pad form of encryption for highly valuable transmissions.

■ Try to make the work function/work factor of a key just barely exceed the length of time the protected data will be valuable.

■ Each time a key is reused, consider its useful lifetime or work function/factor reduced by a factor of 2.

■ Whenever a compromise of the trust structure, secured server, secured client, or storage media is suspected, destroy all keys and certificates and obtain new ones.

■ Never share your keys or certificates with anyone.

■ Never encrypt and transmit, as is, data that was received or extracted from an outside source.

■ Never rely on static keys or certificates for protection on truly valuable assets.

As you can see, for the most part, improving your key management tactics is a matter of common sense and a healthy dose of paranoia.
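The M of N Control item above is usually implemented as a threshold secret-sharing scheme: a key-recovery secret is split among n custodians and can be rebuilt only when at least m of them present their shares. The Python below is an added illustration in the style of Shamir's scheme and is not code from the study guide; the prime field, the 3-of-5 policy and the sample key are assumptions made for the demo.

```python
import secrets

# Prime field for the arithmetic; large enough to hold a 128-bit key (assumed).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + a2*x^2 + ... at x, modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key_int, m, n):
    """Split key_int into n shares (x, y); any m distinct shares recover it.

    The key is the constant term of a random degree-(m-1) polynomial, so
    fewer than m shares leave every candidate key equally likely.
    """
    if not 1 <= m <= n or not 0 <= key_int < PRIME:
        raise ValueError("need 1 <= m <= n and 0 <= key < PRIME")
    coeffs = [key_int] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares):
    """Lagrange-interpolate the polynomial at x=0 from the supplied shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    # Constructed demo: a 3-of-5 recovery policy for one symmetric key.
    key = int.from_bytes(secrets.token_bytes(16), "big")
    shares = split_key(key, m=3, n=5)
    print("3 of 5 shares recover the key:", recover_key(shares[:3]) == key)
    print("2 of 5 shares recover the key:", recover_key(shares[:2]) == key)
```

Hand each (x, y) share to a different custodian; recovery with fewer than m shares yields a value unrelated to the key rather than a partial leak.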

Preventing Common Malicious Events

If you don’t know what you are up against, then you don’t know how to prepare. “Know your enemy” is an admonishment from Sun Tzu that all security administrators should heed. If you are fully versed in the tools and techniques of your opponents, then you can be well prepared to stave off their attacks. We’re sure you’ve heard the phrase ethical hacking. It is a flashy marketing phrase for security assessment or penetration testing. Ultimately, it refers to using cracker/attacker techniques and tools to test the security of your environment. But before you can perform ethical hacking, you must have two things:

■ Thorough knowledge and skill in cracker/attacker techniques and tools

■ Written approval from the owner/manager/administrator of the target network

Study is the best way to obtain knowledge and skill in cracker/attacker techniques and tools. You have four options to accomplish this:

■ Learn what you can as you stumble upon relevant materials at work or on the Internet.

■ Read relevant books, study guides, and self-paced courses.

■ Attend online or computer-based training (CBT) classes.

■ Attend instructor-led training.

The first of these options is the cheapest, but it’s the least effective. The last option is the most expensive, but it is the most direct route to accomplishing the goal of being well versed in cracker/attacker techniques and tools. If you are serious about learning more about ethical hacking, several official certifications are available, such as Certified Ethical Hacker (CEH) from the EC Council (www.eccouncil.org) or the SysAdmin, Audit, Network, Security (SANS) and Global Information Assurance Certification (GIAC) (www.sans.org and www.giac.org) line of security certification pathways.

After you have a basic foundation of cracker/attacker techniques and tools, you then have to perform self-imposed continuing education, which involves the following:

■ Setting up a lab where you can perform attack/defend activities safely. I recommend the book Build Your Own Security Lab by Michael Gregg (Wiley, 2008).

■ Finding a partner to learn and experiment with. You could turn the attack/defend activities into a competition.

■ Watching security topic mailing lists and discussion groups.

■ Watching major
