Last week I cleaned up my office. I replaced my desk, took out a work table and threw out a lot of junk that had built up over the last couple decades. I’m not sure why I did it last week, but that’s the way it goes.
One thing I did was to purge some of the books on my bookshelf. I threw away a couple dozen books. I hate to toss books! It totally goes against my upbringing, not to mention my love of books. And most of them went to be recycled (if they will do it), not to be resold. Most of the ones I tossed were security books.
“Good,” you say, “those books were probably misleading and useless anyway!” Well, not exactly. I threw them away because they referred to old versions of software, recommended websites that have gone away, or had been replaced by two or three newer versions. Most of the fundamental advice in those books is still solid.
If you have been following this blog, you’ll know that I am very interested in authentication. The advice then, as now, was to use strong passwords, not share them and so on. Nothing changed there. Yes, processors are faster so longer passwords are a bigger deal. The idea of rainbow tables is newer than some of these books. There are good password managers now that weren’t around then. But for the most part, the advice was good.
Firewalls have changed a bit, too. In some of the books I tossed there was no notion of the commercial firewall appliance. We built our own back then, often by installing scripts on, and removing software from, Linux or BSD systems. There is a lot less of that today, but filtering of network traffic is still a good idea. Personal firewalls weren’t popular then. Part of the reason is that processors weren’t beefy enough to do both the work people wanted done and packet inspection. Fortunately, more modern processors can do that. At any rate, preventing denial of service attacks was a goal of all early firewalls.
There are new hash functions to check for integrity, but integrity checking is still essential.
The Advanced Encryption Standard was approved in 2001, and some books were from the 1990s. Triple-DES was still king then. The AES competition was announced on January 2, 1997. Some books had been written before that and had no mention of the competition or the competitors (many books are written six months or even a year before they are published). The need for encryption to ensure confidentiality was a big deal even back then.
The vaunted CIA (confidentiality, integrity and availability), along with authentication, were and will continue to be security essentials. Learning Tree’s security introduction course is focused around these four pillars.