The 10 Immutable Laws of Security
Article Source: http://technet.microsoft.com/library/cc722487.aspx
1. When you choose to run a program, you are making a decision to turn over control of your computer to it. Once a program is running, it can do anything, to the limits of what you can do on the machine.
2. In the end, an operating system is just a series of ones and zeros that, when interpreted by the processor, cause the machine to do certain things. If you change the ones and zeros, it will do something different. The ones and zeros are stored in files on the computer, and if an attacker can access and change these files, substantial damage can be done.
3. If someone has physical access to your computer, that person has full control over the computer and can do anything to it, such as modifying data, stealing data, taking the hardware, or physically destroying the computer.
4. If you run a Web site, you should limit what visitors can do. You should allow a program on your site only if you wrote it or if you trust the developer who wrote it. But even this policy may not be enough. If your Web site is one of several hosted on a shared server, you must take extra precautions. If an attacker can compromise one of the other sites on the server, it is possible that he can extend his control to the server itself and thus control all the sites on it, including yours.
5. If a hacker can compromise your password, he can log on to your computer and do anything on your computer that you can do. Always use a password. It is amazing how many accounts have blank passwords. Always choose a complex password. Do not use the name of your pet, your anniversary date, or the name of a local football team. And do not use the word password.
6. An untrustworthy administrator can negate every other security measure you take. The administrator can change the permissions on the computer, modify the system security policies, install malicious software, add fictitious users, and so on. He can subvert virtually any protective measure in the operating system because he controls it. Worst of all, he can cover his tracks. If you have an untrustworthy administrator, you have absolutely no security.
7. Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience because you don’t have to handle the key, but this convenience comes at the cost of security. The keys are usually hidden. However, no matter how well hidden the key is, if it is on the computer, it can be found. Whenever possible, use offline storage for keys.
8. Antivirus software works by comparing the data on your computer against a collection of virus signatures. Each signature is characteristic of a particular virus, and when the program finds data in a file, in an e-mail, or elsewhere that matches the signature, it concludes that it has found a virus. However, antivirus software can only scan for the viruses it knows about. It is vital that you keep your antivirus software up to date because new viruses are created every day.
9. The best way to protect your privacy on the Internet is the same way you protect your privacy in normal life: through your behavior. Read the privacy statements on the Web sites that you visit, and do business only with Web sites whose privacy practices you agree with. If you are worried about cookies, disable them. Most important, avoid indiscriminate Web surfing.
10. Perfect security requires a level of perfection that does not exist and is not likely to ever exist. Software development is an imperfect science, and virtually all software has bugs. Some bugs can be exploited to cause security breaches. But even if software could be made perfect, it would not solve the security problem entirely. This is because most attacks involve, to one degree or another, manipulation of human nature, often in the form of social engineering.
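Law 5 above turns into a concrete control when an account system refuses the passwords it describes: blank ones, the word "password", pet and team names, and anniversary-style dates. The checker below is an added example written for this page; it is not Microsoft's code and not part of the TechNet article. The blocklist, the 12-character minimum and the three-character-class rule are assumptions chosen to illustrate the law, and a real deployment would load a large breached-password list instead of the handful of constructed words shown here.

```python
import re

# Constructed blocklist standing in for the kinds of values Law 5 warns
# against (the word "password", pet names, a local team). A tuple keeps the
# order of reported findings deterministic.
WEAK_WORDS = ("password", "fluffy", "rex", "cowboys")

MIN_LENGTH = 12          # assumed policy minimum
MIN_CHAR_CLASSES = 3     # assumed: at least three of lower/upper/digit/symbol

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def password_problems(pw: str) -> list[str]:
    """Return every policy violation found in pw; an empty list means acceptable."""
    if not pw:
        # The law's first point: an account with no password at all.
        return ["blank password"]

    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = pw.lower()
    for word in WEAK_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")

    # Anniversary dates tend to show up as 6- or 8-digit runs (DDMMYY, YYYYMMDD).
    if re.search(r"\d{6,8}", pw):
        problems.append("contains a date-like digit run")

    classes = sum(bool(re.search(pattern, pw)) for pattern in CHAR_CLASSES)
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes")

    return problems


if __name__ == "__main__":
    # Constructed candidates, from worst to acceptable.
    for candidate in ("", "Password123", "Anniv20150614!", "tr0ub4dor&3-Xy!qZ"):
        verdict = password_problems(candidate) or ["ok"]
        print(f"{candidate!r:24} -> {', '.join(verdict)}")
```

The function reports every violation rather than stopping at the first, which is what an enrollment form or a periodic audit script wants to show the user or the administrator. Substring matching on the lowercased value is deliberate: "Fluffy2019!" is still the pet's name with decoration, which is exactly the pattern the law says not to use.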
For more information about this topic, see “10 Immutable Laws of Security” on the Microsoft TechNet Web site.
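Law 8 describes signature matching and its built-in limit: a scanner finds only what is already in its signature collection. The toy scanner below is an added example for this page, not Microsoft's code and not any real antivirus engine. Its signature database and sample "files" are constructed (the EICAR test string is the industry's standard harmless test pattern; the "DEMO-DROPPER-MARKER" entries and the file names are invented), and the `add_signature` function stands in for the update step the law says is vital.

```python
# Constructed signature database: each entry maps a name to the byte pattern
# that characterizes it. Real engines use far richer signatures, but the
# principle is the same: known pattern present -> "virus found".
SIGNATURES: dict[str, bytes] = {
    # The EICAR test file: a harmless, universally recognized test pattern.
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    # Invented marker for this example.
    "Demo.Dropper.A": b"DEMO-DROPPER-MARKER-v1",
}


def scan(data: bytes) -> list[str]:
    """Return the names of every signature whose pattern occurs in data (empty = clean)."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a mapping of path -> content and report findings per path."""
    return {path: scan(content) for path, content in files.items()}


def add_signature(name: str, pattern: bytes) -> None:
    """Stand-in for a signature update: nothing is detected until this runs."""
    SIGNATURES[name] = pattern


# Constructed sample files: a clean document, a file carrying the known
# marker, and a variant whose marker differs by a single byte.
SAMPLE_FILES: dict[str, bytes] = {
    "report.txt": b"Quarterly numbers attached.",
    "attachment.exe": b"MZ...DEMO-DROPPER-MARKER-v1...",
    "attachment_v2.exe": b"MZ...DEMO-DROPPER-MARKER-v2...",
}


if __name__ == "__main__":
    print("Before update:", scan_files(SAMPLE_FILES))
    # The variant is missed until its signature is added, which is Law 8's point.
    add_signature("Demo.Dropper.B", b"DEMO-DROPPER-MARKER-v2")
    print("After update: ", scan_files(SAMPLE_FILES))
```

Running the block shows `attachment_v2.exe` reported clean on the first pass and flagged only after the new signature is added. That gap between a variant appearing and its signature shipping is why the law insists on keeping signatures current, and why signature matching should be one layer among several rather than the only one.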