News Stay informed about the latest enterprise technology news and product updates.

Mad As Hell V -- Is the CIA PC?

Schwartau looks at PC security in the context of confidentiality, availability and integrity.

Disgusted by security issues and poor performance, Winn Schwartau makes the switch from Windows to the Mac and details the bumps in the road along the way in his "Mad as Hell" series.

Now that we all understand and agree on the basics, let's relate that to my concerns about security on PCs, Mac and WinTel.

Yes, I can secure a WinTel box. Well, secure as far as is reasonable and practical. Nothing is perfect. One reader said all I needed was a firewall. That's crazy. Sure, my network router has a firewall, and sure my XP box and Mac have firewalls. But please do not make the same mistake at home or in SOHO that Corporate America made in the 1990s.

The non-techie Boss: "Hey, get us a firewall and we'll be secure. Then have Marge in accounting set it up. I hear she knows how to use Word really well."

A firewall, if properly installed, will make you and your network invisible to the bad guys and this is a good thing. But that is a far cry from the kind of security that you need today on any PC.

The concerns that really drove me over the edge did not focus on the issues of Confidentiality. To the best of my knowledge, no one has ever broken into any of my desktops or laptops. Good password practices accomplish a lot. I remember getting one harmless virus in 1995, because I screwed up and forgot to auto update my signature files.

My real issue is with Availability. I want my machine to work all of the time. Much of the discussion on this blog has been

More Mad as Hell

MacIntosh vs. Windows: Choosing to take a bite of the Apple
Disgusted by security issues and poor performance, Winn Schwartau makes the switch from Windows to the Mac and details the bumps in the road along the way in this exclusive intro to his "Mad as Hell" series.

Mad as Hell archive

about traditional security thinking; hacking, viruses, malware, etc., and while tremendously important as part of any security awareness effort [lest we get sloppy], I am really not concerned about them for me -- albeit still ever a pain in the tuccous to buy and maintain.

To me, this discussion is more about availability as a prime security consideration.

If my screen goes blue I can't use my computer, access my data or my resources. I am out of business until I can reconstitute the system. If my PowerPoint crashes in the middle of a rocking presentation, my audience will be annoyed… but not as annoyed as I'll be. If my O/S bsods on me, I have to spend time to figure it out and hopefully rectify it. But that is not a sure thing. [What about Ma&Pa? How many of us had to sooth them in some way?]

Look at availability [security] from this standpoint:

  • How many times does your OS crash in one month? If never, cool. You're doing something really right.

  • If your WinTel crashes, how much time do you need to spend to repair the crash and rebuild the applications, etc.?

  • When your application crashes [or the OS], how much data have you lost that must be regenerated?

  • How much time does it take to pout things back the way they were?

I know that the answers to this will be all over the place: Bell curves rule. You and your PC experience will fit somewhere on that curve from "Never a Problem" to "Mad as Hell" and every flavor in between.

Not having access to your machine or your data is a critical security problem for critical infrastructures and is measured in real dollars. DDoS attacks have cost billions. If a bank's systems go down, they know how many dollars per minute they are losing. Availability. If eBay or any Net-based commerce site goes down, it costs the owners lost revenues and profits. So they invest in backup, fault tolerance and redundancy.

A virus infection in a company can bring it to its knees: no availability of desktops and network services.

From the PC perspective, it's the same thing.

Ma&Pa will likely not lose millions or even thousands of dollars if their PC fails. But they will lose time. As you will continue to see in this series, the most measurable metric we have in security is Time, and we have developed ways to quantify the Good, Bad and Ugly of computing environments using Time as the prime metric.

Hobbyists, who like to open the case and get under the hood of the OS, decompile apps and tweak the hardware, perhaps don't care about how much time they spend at it. For them, it's fun. I do care. It ain't fun no more.

Many of my friends and neighbors don't want to waste time on endless repairs. Every business I know cares about availability and recognizes the potential for real losses if the 'A' in CIA collapses.

So, now that we understand that the majority of my issues with WinTel is about Availability and to some degree Integrity when systems go down, I am going to look a bit more at complexification as a key security component.

About the author
Winn Schwartau is one of the country's leading experts on information security, infrastructure protection and electronic privacy. Schwartau is president and founder of Interpact Inc., The Security Awareness Company, which develops information security awareness programs for private, public and government organizations.

Dig Deeper on Alternative operating system security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.