That last category is probably the most critical, but it is also the most neglected. At the same time, it is the easiest threat category that we, as individual managers, can address... sometimes at little or no cost.
Vulnerabilities can be patched, but the other two problems can only be addressed through education, either hiring better-trained people to configure software properly or conducting better in-house training.
The last category requires that everyone learn a bit more about the basics of security and that at least one person in the IT department become a real expert. Here are some facts you can depend on:
- Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
- Law #2:If a bad guy can alter the operating system on your computer, it's not your computer anymore.
- Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
- Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site any more.
- Law #5: Weak passwords trump strong security.
- Law #6: A computer is only as secure as the administrator is trustworthy.
- Law #7: Encrypted data is only as secure as the decryption key.
- Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.
- Law #9: Absolute anonymity isn't practical, in real life or on the Web.
- Law #10: Technology is not a panacea.
If you don't understand why these are important or how they apply to your business, go to the Microsoft Web page where each one is discussed in detail.
Law 1 doesn't just apply to CDs or floppies, or to keeping people away from your computers; it also means not downloading Java or Active-X from untrusted Web sites. Law 6 is vital and often ignored. What kind of security check did you go through before starting your job as an administrator? Law 7, we recently saw violated by the way Microsoft Word and Excel handle edited files.
Probably the one rule that's most often ignored by the people who complain about Microsoft is the last one – "Technology is not a panacea." Relying on Microsoft or any other vendor for 100 percent of your security needs is a serious mistake.
I've often been called in to assess the damage caused by a software vulnerability that the company thinks may have been exploited. After walking into the server room, sitting down, and flipping on a terminal, I can see that everything is almost within arm's reach from the chair - a terminal that is either not password protected because it's in the server room, or with the password prominently displayed (I kid you not); a handy rack of software, and usually some blank media; one or more sets of backups and a shelf of manuals. Almost always there is also a fairly solid door with a lock (the one I had just come through because it hadn't been locked) so someone could work in complete privacy.
The Fix
Don't assume security is simple or obvious. Hire or designate a chief security officer and give him or her authority to enforce basic security procedures at all levels of the business, including the executive suite.
Show this Microsoft list to upper management. No matter how good you are, you can't fix security problems without having them on your side and getting their full cooperation.
Final word
I know, I know, you've heard it all before, but that doesn't make the ten laws any less true or any less important. If you don't think that they need to be repeated loudly and often, then you aren’t cut out to manage security, because I see all of these rules broken on a regular basis.
