Tuesday, February 08, 2005

10 Computer Security Laws

I have recently begun reading posts from crime-research.org, and read an article this morning that discussed 10 constants in the IT security field. The ideas presented in this article should be part of the training program of any IT shop and all System Administrators and those who are in charge of Sys Admins should be aware of these concepts as well. The article lists the laws as follows:

  • Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
  • Law #2:If a bad guy can alter the operating system on your computer, it's not your computer anymore.
  • Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
  • Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site anymore.
  • Law #5: Weak passwords trump strong security.
  • Law #6: A computer is only as secure as the administrator is trustworthy.
  • Law #7: Encrypted data is only as secure as the decryption key.
  • Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.
  • Law #9: Absolute anonymity isn't practical, in real life or on the Web.
  • Law #10: Technology is not a panacea.
I highly recommend reading the article located here or the Microsoft article located here.
Posted by at
Labels:

1 comment:

Josh Miller said...

One item that I would like to discuss in the above 'laws' is, who is a 'bad guy'? The bad guy could be anyone, and much of the problem that the layperson has with computer security is knowing who the bad guy is. My grandfather knows how to use a computer, but if he has Windows XP SP2 on his machine so that he will know if an ActiveX control is being installed, what does he do with that? He has no idea what an ActiveX control is... Also, if he receives a pop-up asking him if he trusts an application being installed by Micro$oft, how does he know that he shouldn't allow it?

The resulting question here is, how do we create a computing environment that will allow the common person to be secure without having to learn all that we know?

8:47 PM

Post a Comment

Subscribe to: Post Comments (Atom)