"Anything that can go wrong will." -- Murphy
"Murphy was an optimist." -- Paul Dickson, "The Official Rules"
We computer people love laws. Mr. Murphy's (whoever he was) law is probably the most often quoted law in computers. We have lots of other laws, for instance, "Ninety percent of the work takes ninety percent of the time. The other ten percent of the work takes ninety percent of the time."
Submitted for your inspection: ten laws about computer security. Read them slowly and as you read each one, think about how true each of them is. Don't rush through them like some fast food lunch eaten in haste. As you read them, savor them like a good steak or a fine wine.
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to upload programs to your web site, it's not your web site any more.
Law #5: Weak passwords trump strong security.
Law #6: A machine is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as the decryption key.
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.
Law #10: Technology is not a panacea.
Say, these are pretty good, aren't they? Whoever thought these up was really on the old ball. Would you be surprised if I told you these came from Microsoft? Yes, that Microsoft. Oh, you don't believe me. It can't come from the same Microsoft that put out Internet Information Server and Microsoft Bob. Check it out for yourself.
Look at Law #1 again. There's lots of ways the bad guys can make this happen. One way is through a virus sent via email with a macro embedded in it. Another way to do this is to exploit a vulnerability in a program, such as Internet Explorer or a protocol such as Universal Plug and Play (UPNP).
That's exactly what the chaps at eeye.com did. They found a weakness in UPNP and came up with not one, not two, but three (count'em, three) ways to exploit this as a system remote exploit to obtain elevated privileges, a denial-of-service attack and distributed denial-of-service attack in Windows XP. But wait, isn't Windows XP supposed to be better at security than any thing Microsoft has ever done before? Only time will tell on that score, but this does not bode well for it to have such a security flaw so early out of the starting gate.
This leads up to:
Law #11: Computer security must come from the top down.
The only way computer security happens is when someone high up in the organization's structure is committed to it. Preferably, this is someone like the president of the company or it's CIO. Those-In-High-Places have to be committed to computer security and that commitment has to flow down to all members of the company like water from a mountain spring covering a hillside.
Just as water doesn't like to flow uphill, computer security will never come about from the bottom up. I know; I've tried. It just doesn't work. You'd be better off trying to put toothpaste back in the tube.About the author
Gary Smith has been working with UNIX since 1987 and in this time has provided his security expertise for companies such as Digital Equipment Corporation, SGE-Thomson Microelectronics and Raytheon. He currently works at Motorola, where he is deeply involved in a number of Open Source projects. Gary writes a monthly column for the Dallas-Fort Worth Unix Users Group's newsletter, "The Heart of Darkness", that is devoted to computer security issues. He also heads up the Security SIG for the DFWUUG. Gary holds two certifications from the SANS Institute; one is the Security Essentials certification (GSEC) and the other is the Firewall/VPN Analyst certification(GCFW).
This was first published in January 2002