
Mad As Hell V -- Is the CIA PC?

By Winn Schwartau
10 Jun 2005 | SearchSecurity.com



Disgusted by security issues and poor performance, Winn Schwartau makes the switch from Windows to the Mac and details the bumps in the road along the way in his "Mad as Hell" series.

Now that we all understand and agree on the basics, let's relate that to my concerns about security on PCs, Mac and WinTel.

Yes, I can secure a WinTel box. Well, secure as far as is reasonable and practical. Nothing is perfect. One reader said all I needed was a firewall. That's crazy. Sure, my network router has a firewall, and sure my XP box and Mac have firewalls. But please do not make the same mistake at home or in SOHO that Corporate America made in the 1990s.

The non-techie Boss: "Hey, get us a firewall and we'll be secure. Then have Marge in accounting set it up. I hear she knows how to use Word really well."

A firewall, if properly installed, will make you and your network invisible to the bad guys and this is a good thing. But that is a far cry from the kind of security that you need today on any PC.

The concerns that really drove me over the edge did not focus on the issues of Confidentiality. To the best of my knowledge, no one has ever broken into any of my desktops or laptops. Good password practices accomplish a lot. I remember getting one harmless virus in 1995, because I screwed up and forgot to auto update my signature files.

My real issue is with Availability. I want my machine to work all of the time. Much of the discussion on this blog has been about traditional security thinking; hacking, viruses, malware, etc., and while tremendously important as part of any security awareness effort [lest we get sloppy], I am really not concerned about them for me -- albeit still ever a pain in the tuccous to buy and maintain.

To me, this discussion is more about availability as a prime security consideration.

If my screen goes blue I can't use my computer, access my data or my resources. I am out of business until I can reconstitute the system. If my PowerPoint crashes in the middle of a rocking presentation, my audience will be annoyed… but not as annoyed as I'll be. If my O/S BSODs on me, I have to spend time to figure it out and hopefully rectify it. But that is not a sure thing. [What about Ma&Pa? How many of us had to soothe them in some way?]

Look at availability [security] from this standpoint:

  • How many times does your OS crash in one month? If never, cool. You're doing something really right.
  • If your WinTel crashes, how much time do you need to spend to repair the crash and rebuild the applications, etc.?
  • When your application crashes [or the OS], how much data have you lost that must be regenerated?
  • How much time does it take to put things back the way they were?

I know that the answers to this will be all over the place: Bell curves rule. You and your PC experience will fit somewhere on that curve from "Never a Problem" to "Mad as Hell" and every flavor in between.

Not having access to your machine or your data is a critical security problem for critical infrastructures and is measured in real dollars. DDoS attacks have cost billions. If a bank's systems go down, they know how many dollars per minute they are losing. Availability. If eBay or any Net-based commerce site goes down, it costs the owners lost revenues and profits. So they invest in backup, fault tolerance and redundancy.

A virus infection in a company can bring it to its knees: no availability of desktops and network services.

From the PC perspective, it's the same thing.

Ma&Pa will likely not lose millions or even thousands of dollars if their PC fails. But they will lose time. As you will continue to see in this series, the most measurable metric we have in security is Time, and we have developed ways to quantify the Good, Bad and Ugly of computing environments using Time as the prime metric.

Hobbyists, who like to open the case and get under the hood of the OS, decompile apps and tweak the hardware, perhaps don't care about how much time they spend at it. For them, it's fun. I do care. It ain't fun no more.

Many of my friends and neighbors don't want to waste time on endless repairs. Every business I know cares about availability and recognizes the potential for real losses if the 'A' in CIA collapses.

So, now that we understand that the majority of my issues with WinTel are about Availability and to some degree Integrity when systems go down, I am going to look a bit more at complexification as a key security component.

About the author
Winn Schwartau is one of the country's leading experts on information security, infrastructure protection and electronic privacy. Schwartau is president and founder of Interpact Inc., The Security Awareness Company, which develops information security awareness programs for private, public and government organizations.
