Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

It is a fact of life that computer programs will do exactly what the programmer has asked them to do. If you as the user choose to run a program, whether it is a program that you bought at the local electronics store or the latest e-mail that you received, you have chosen to turn over control of your computer to the person who wrote the program. Programs can be written to perform an endless number of tasks that we find useful, such as driving a modem or creating pictures. They can also be written to record the user's keystrokes or even delete every file in the Windows directory or any other directory that the programmer chooses. That is why it is so important to know the origin of a program before you make the decision to run it on your system. I am not talking about knowing the person who sent the program to you, but knowing and trusting the programmer who wrote the program. It could have come from the computer of a friend whose infected machine is sending its infection to everyone in his address book without his knowledge.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.

The operating system is made up of a number of different programs that produce the desired result, for the most part, because of the way those programs are written. If you choose to allow an unknown program to run on your system that changes the files that control the operating system, you have turned control of your system over to that program. Operating system files are meant to control operations on your computer, and if other files replace them then they will be doing what the hacker wants them to do instead of what they were intended for. This means that he could be creating an account for himself as the administrator and having his way with your computer system and the systems that it connects to.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

Your computer should be secured relative to the value of the system. This would not only include the physical system but also the information that is stored on it. There are so many things that someone could do to your system if they could touch it that it is just scary. You wouldn't leave your wallet open on the lunch table, but it is OK to leave your computer open to anyone who sits down at your desk while you are at lunch? It all has to do with the relative value of the information.
Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site anymore.

With the explosion of the Internet, a lot of companies are developing an online presence with a Web site. A lot of these Web sites are created by the users themselves instead of by professionals, and because of this lack of knowledge there is a chance that some security measures could be compromised. Unneeded ports could be left open and your Web site could be open to anyone because of it.
Law #5: Weak passwords trump strong security.

If your password is "password" then it isn't much of a password now, is it? Enough said! It all comes down to the relative value of the information.
Law #6: A machine is only as secure as the administrator is trustworthy.

Every computer system has to have an administrator who has control over the installation of software and the management of the security of the system. If this is a personal machine, then you are it. If this is a company machine, then you need to understand the power that this person will have over your world. As the administrator, they will have an unlimited amount of power to control and change the security of your systems. If the person you hire to manage your systems is not worthy of your trust, they have your business lying in the palm of their hands.
Law #7: Encrypted data is only as secure as the decryption key.

This law goes back to the same problem as Law #5. There is no sense encrypting data if the junior high student down the street could break the code. You can have the biggest and best lock on your house, but it won't do much good if you keep the key under the front door mat.
Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.

If the only viruses that you get hit with are as old as your virus scanner, then you can consider yourself safe. Since this is for the most part not the case, you are not protected from any of the viruses that have come out since the last update to your virus software.
Law #9: Absolute anonymity isn't practical, in real life or on the Web.

Every interaction that we have with another human being in real life allows the other person to learn a little bit about us. The same is true for the Web sites that we visit. You need to understand that there are Web sites that collect data about the visits that you make to their site. The amount of information is directly linked to you and to the settings within your system. There is no way that you can be completely anonymous, but you do have the ability to regulate the amount of information that is made available to a Web site through your system. Options within most browsers will allow you to change the acceptance of cookies. Routers will mask your true IP address, and there are "anonymizing services" that will launder the information that you give out. None of these methods will give you complete anonymity, and in any case, do you really know who has control of the service?
Law #10: Technology is not a panacea.

Technology has allowed us to accomplish more work in a shorter amount of time. Computers are getting more powerful and cheaper by the day. Even with all of the advances, there will never be a time when we will be able to feel 100% safe. It has been said that the only totally secure computer is one that is encased in concrete and unplugged. We have to balance the amount of security with the value of the data that we are working with. If the attacks are coming through e-mail, then that is where the protection must be concentrated. If they are coming from the browser, then that should be the focus of our attention.