02Nov The Laws Of Computer Network Security
Image via CrunchBase
Here at the Microsoft Security Response Center, we investigate thousands of security reports every year. In some cases, we find that a report describes a bona fide security vulnerability resulting from a flaw in one of our products; when this happens, we develop a patch as quickly as possible to correct the error. (See “A Tour of the Microsoft Security Response Center”). In other cases, the reported problems simply result from a mistake someone made in using the product. But many fall in between. They discuss real security problems, but the problems don’t result from product flaws. Over the years, we’ve developed a list of issues like these, that we call the 10 Immutable Laws of Security.
Don’t hold your breath waiting for a patch that will protect you from the issues we’ll discuss below. It isn’t possible for Microsoft—or any software vendor—to “fix” them, because they result from the way computers work. But don’t abandon all hope yet—sound judgment is the key to protecting yourself against these issues, and if you keep them in mind, you can significantly improve the security of your systems.
On This Page
Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn’t practical, in real life or on the Web
Law #10: Technology is not a panacea
Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
It’s an unfortunate fact of computer science: when a computer program runs, it will do what it’s programmed to do, even if it’s programmed to be harmful. When you choose to run a program, you are making a decision to turn over control of your computer to it. Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer. It could monitor your keystrokes and send them to a website. It could open every document on the computer, and change the word “will” to “won’t” in all of them. It could send rude emails to all your friends. It could install a virus. It could create a “back door” that lets someone remotely control your computer. It could dial up an ISP in Katmandu. Or it could just reformat your hard drive.
That’s why it’s important to never run, or even download, a program from an untrusted source—and by “source,” I mean the person who wrote it, not the person who gave it to you. There’s a nice analogy between running a program and eating a sandwich. If a stranger walked up to you and handed you a sandwich, would you eat it? Probably not. How about if your best friend gave you a sandwich? Maybe you would, maybe you wouldn’t—it depends on whether she made it or found it lying in the street. Apply the same critical thought to a program that you would to a sandwich, and you’ll usually be safe.
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore
In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the computer to do certain things. Change the ones and zeroes, and it will do something different. Where are the ones and zeroes stored? Why, on the computer, right along with everything else! They’re just files, and if other people who use the computer are permitted to change those files, it’s “game over”.
To understand why, consider that operating system files are among the most trusted ones on the computer, and they generally run with system-level privileges. That is, they can do absolutely anything. Among other things, they’re trusted to manage user accounts, handle password changes, and enforce the rules governing who can do what on the computer. If a bad guy can change them, the now-untrustworthy files will do his bidding, and there’s no limit to what he can do. He can steal passwords, make himself an administrator on the computer, or add entirely new functions to the operating system. To prevent this type of attack, make sure that the system files (and the registry, for that matter) are well protected. (The security checklists on the Microsoft Security website will help you do this).
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
Oh, the things a bad guy can do if he can lay his hands on your computer! Here’s a sampling, going from Stone Age to Space Age:
- He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.
- He could unplug the computer, haul it out of your building, and hold it for ransom.
- He could boot the computer from a floppy disk, and reformat your hard drive. But wait, you say, I’ve configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).
- He could remove the hard drive from your computer, install it into his computer, and read it.
- He could make a duplicate of your hard drive and take it back his lair. Once there, he’d have all the time in the world to conduct brute-force attacks, such as trying every possible logon password. Programs are available to automate this and, given enough time, it’s almost certain that he would succeed. Once that happens, Laws #1 and #2 above apply.
- He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.
Always make sure that a computer is physically protected in a way that’s consistent with its value—and remember that the value of a computer includes not only the value of the hardware itself, but the value of the data on it, and the value of the access to your network that a bad guy could gain. At a minimum, business-critical computers like domain controllers, database servers, and print/file servers should always be in a locked room that only people charged with administration and maintenance can access. But you may want to consider protecting other computers as well, and potentially using additional protective measures.
If you travel with a laptop, it’s absolutely critical that you protect it. The same features that make laptops great to travel with – small size, light weight, and so forth—also make them easy to steal. There are a variety of locks and alarms available for laptops, and some models let you remove the hard drive and carry it with you. You also can use features like the Encrypting File System in Microsoft Windows® 2000 to mitigate the damage if someone succeeded in stealing the computer. But the only way you can know with 100% certainty that your data is safe and the hardware hasn’t been tampered with is to keep the laptop on your person at all times while traveling.
Related articles
- Threat to computers for industrial systems now serious
- Microsoft security maturing fast
- Microsoft to seek credit for finding vulnerabilities
- The Ethics of Vulnerability Research
- Microsoft rushes out emergency Windows security fix
- Hackers eye Macs, iPhones
- Microsoft’s urgent security update: What it means
- 10 essential (and free!) security downloads for Windows
- Intel’s Moorestown would make iPhone less secure
- The DNS Vulnerability
- Brian Gardner’s Revolution 2 - INCREDIBLE Premium WordPress Themes
- WordPress Showcase. Brightest WordPress Stars
- WordPress 2.7 Beta 1 available…
- WordPress 2.7 delayed (beta available)
- WordPress 2.7 Beta 1 is out, November 10 release gets delayed
