Principle 2:Defense in depth (cont. Example 1:have a firewall and secure web application software, and run web application with minimal privileges Example 2:use OS access control to restrict access to sensitive files,and encrypt them,especially when files are stored on removable media such as USB sticks,laptops,or PCs which might be disposed. Counterexample:on UNIX systems,the password file, /etc/passwd,which contains hashed passwords,was world readable. -Solution:enforce tight access control to the file. Counterexample:having a firewall,and only having firewall -a user bringing in a laptop circumvents firewall Counterexample:firewall unencrypted data within network CSE825 6CSE825 6 Principle 2: Defense in depth (cont.) Example 1: have a firewall and secure web application software, and run web application with minimal privileges Example 2: use OS access control to restrict access to sensitive files, and encrypt them, especially when files are stored on removable media such as USB sticks, laptops, or PCs which might be disposed. Counterexample: on UNIX systems, the password file, /etc/passwd, which contains hashed passwords, was world readable. ─ Solution: enforce tight access control to the file. Counterexample: having a firewall, and only having firewall ─ a user bringing in a laptop circumvents firewall Counterexample: firewall + unencrypted data within network