The Art Of War And ECommerce Essay (page 2 of 2)

If you run a web site, you need to limit what visitors can do. You should only allow a program on your site if you wrote it yourself, or if you trust the developer who wrote it. But that may not be enough. If your web site is one of several hosted on a shared server, you need to be extra careful. If a bad guy can compromise one of the other sites on the server, it’s possible he could extend his control to the server itself, in which case he could control all of the sites on it including yours. If you’re on a shared server, it’s important to find out what the server administrator’s policies are.

Law #5: Weak passwords trump strong security. The purpose of having a logon process is to establish who you are. Once the operating system knows who you are, it can grant or deny requests for system resources appropriately. If a bad guy learns your password, he can log on as you. In fact, as far as the operating system is concerned, he is you. Whatever you can do on the system, he can do as well, because he’s you. Maybe he wants to read sensitive information you’ve stored on your computer, like your email. Maybe you have more privileges on the network than he does, and being you will let him do things he normally couldn’t. Or maybe he just wants to do something malicious and blame it on you. In any case, it’s worth protecting your credentials.

Always use a password: it’s amazing how many accounts have blank passwords. And choose a complex one. Don’t use your dog’s name, your anniversary date, or the name of the local football team. And don’t use the word “password”! Pick a password that has a mix of upper- and lower-case letters, numbers, punctuation marks, and so forth. Make it as long as possible. And change it often. Once you’ve picked a strong password, handle it appropriately. Don’t write it down. If you absolutely must write it down, at the very least keep it in a safe or a locked drawer; the first thing a bad guy who’s hunting for passwords will do is check for a yellow sticky note on the side of your screen, or in the top desk drawer. Don’t tell anyone what your password is. Remember what Ben Franklin said: two people can keep a secret, but only if one of them is dead.

Finally, consider using something stronger than passwords to identify yourself to the system. Windows 2000, for instance, supports the use of smart cards, which significantly strengthens the identity checking the system can perform. You may also want to consider biometric products like fingerprint and retina scanners.
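A small policy checker that applies the rules in this law (mixed case, numbers, punctuation, length, no common words, nothing personal), added here as an example; it is not from the essay or from Microsoft’s text. The law gives no numeric length, so the 12-character floor, the `COMMON_PASSWORDS` blocklist and the `personal_words` argument are my own assumptions.

```python
import string
from typing import Iterable, List

# Constructed policy values: the law says "as long as possible" without a
# number, so the 12-character floor and the blocklist below are assumptions.
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456", "welcome"}


def password_problems(pw: str, personal_words: Iterable[str] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    if not pw:
        return ["password is blank"]
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Mix of upper- and lower-case letters, numbers and punctuation marks.
    classes = {
        "lower-case": any(c.islower() for c in pw),
        "upper-case": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punctuation": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # "password" dressed up with a trailing "123!" is still "password".
    core = pw.lower().strip(string.digits + string.punctuation)
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("is a commonly used password")

    # Dog's name, team name, anniversary: anything the caller knows is guessable.
    for word in personal_words:
        if word and word.lower() in pw.lower():
            problems.append(f"contains personal word {word!r}")
    return problems


def is_acceptable(pw: str, personal_words: Iterable[str] = ()) -> bool:
    return not password_problems(pw, personal_words)


if __name__ == "__main__":
    # Constructed candidates, including the kind of choices the law warns against.
    for candidate in ["", "password", "Rex2019!", "Password123!", "Tr0ub4dor&3-Correct!"]:
        print(repr(candidate), "->", password_problems(candidate, personal_words=["Rex"]) or "OK")
```

The `core` check is the part worth copying: stripping digits and punctuation from the ends before consulting the blocklist catches the “Password123!” pattern that a plain character-class rule would wave through.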

Law #6: A machine is only as secure as the administrator is trustworthy. Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running. By definition, these tasks require that he have control over the machine. This puts the administrator in a position of unequalled power. An untrustworthy administrator can negate every other security measure you’ve taken. He can change the permissions on the machine, modify the system security policies, install malicious software, add bogus users, or do any of a million other things. He can subvert virtually any protective measure in the operating system, because he controls it. Worst of all, he can cover his tracks. If you have an untrustworthy administrator, you have absolutely no security.

When hiring a system administrator, recognize the position of trust that administrators occupy, and only hire people who warrant that trust. Call his references, and ask them about his previous work record, especially with regard to any security incidents at previous employers. If appropriate for your organization, you may also consider taking a step that banks and other security-conscious companies do, and require that your administrators pass a complete background check at hiring time, and at periodic intervals afterward. Whatever criteria you select, apply them across the board. Don’t give anyone administrative privileges on your network unless they’ve been vetted, and this includes temporary employees and contractors, too.

Next, take steps to help keep honest people honest. Use sign-in/sign-out sheets to track who’s been in the server room. (You do have a server room with a locked door, right? If not, re-read Law #3.) Implement a “two person” rule when installing or upgrading software. Diversify management tasks as much as possible, as a way of minimizing how much power any one administrator has. Also, don’t use the Administrator account; instead, give each administrator a separate account with administrative privileges, so you can tell who’s doing what. Finally, consider taking steps to make it more difficult for a rogue administrator to cover his tracks. For instance, store audit data on write-only media, or house System A’s audit data on System B, and make sure that the two systems have different administrators. The more accountable your administrators are, the less likely you are to have problems.

Law #7: Encrypted data is only as secure as the decryption key. Suppose you installed the biggest, strongest, most secure lock in the world on your front door, but you put the key under the front door mat. It wouldn’t really matter how strong the lock is, would it? The critical factor would be the poor way the key was protected, because if a burglar could find it, he’d have everything he needed to open the lock. Encrypted data works the same way: no matter how strong the cryptoalgorithm is, the data is only as safe as the key that can decrypt it.

Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience (you don’t have to handle the key), but it comes at the cost of security. The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. But in the end, no matter how well-hidden the key is, if it’s on the machine it can be found. It has to be; after all, the software can find it, so a sufficiently motivated bad guy could find it, too. Whenever possible, use offline storage for keys. If the key is a word or phrase, memorize it. If not, export it to a floppy disk, make a backup copy, and store the copies in separate, secure locations.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all. Virus scanners work by comparing the data on your computer against a collection of virus “signatures”. Each signature is characteristic of a particular virus, and when the scanner finds data in a file, email, or elsewhere that matches the signature, it concludes that it’s found a virus. However, a virus scanner can only scan for the viruses it knows about. It’s vital that you keep your virus scanner’s signature file up to date, as new viruses are created every day.

The problem actually goes a bit deeper than this, though. Typically, a new virus will do the greatest amount of damage during the early stages of its life, precisely because few people will be able to detect it. Once word gets around that a new virus is on the loose and people update their virus signatures, the spread of the virus falls off drastically. The key is to get ahead of the curve, and have updated signature files on your machine before the virus hits.

Virtually every maker of anti-virus software provides a way to get free updated signature files from their web site. In fact, many have “push” services, in which they’ll send notification every time a new signature file is released. Use these services. Also, keep the virus scanner itself (that is, the scanning software) updated as well. Virus writers periodically develop new techniques that require that the scanners change how they do their work.
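To make the mechanism in Law #8 concrete, here is a toy signature scanner, added as an example; it is not from the essay, from Microsoft’s text, or from any real anti-virus product. The `Signature` type, the two signature sets and the sample “files” are constructed for the demonstration. It scans a set of buffers against a stale and an updated signature list, and it also handles the one edge case a real scanner must get right: a pattern that straddles two read chunks of a large file.

```python
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # byte sequence characteristic of one particular virus


# Constructed sample signature sets, standing in for a stale and a current file.
OLD_SIGNATURES = (
    Signature("Sample.A", b"SAMPLE-A-MARKER"),
)
UPDATED_SIGNATURES = OLD_SIGNATURES + (
    Signature("Sample.B", b"SAMPLE-B-MARKER"),
)


def scan_bytes(data: bytes, signatures: Iterable[Signature]) -> List[str]:
    """Names of every signature whose pattern occurs somewhere in data."""
    return [sig.name for sig in signatures if sig.pattern in data]


def scan_files(files: Dict[str, bytes], signatures: Iterable[Signature]) -> Dict[str, List[str]]:
    """Scan a mapping of filename -> contents and report only the files that matched."""
    report = {}
    for name, data in files.items():
        hits = scan_bytes(data, signatures)
        if hits:
            report[name] = hits
    return report


def scan_stream(stream, signatures: Iterable[Signature], chunk_size: int = 4096) -> List[str]:
    """Scan a large file chunk by chunk without missing a pattern that straddles
    two chunks: the last (longest pattern - 1) bytes of each window are kept and
    prepended to the next chunk."""
    sigs = tuple(signatures)
    overlap = max(len(s.pattern) for s in sigs) - 1
    found = set()
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        found.update(scan_bytes(window, sigs))
        tail = window[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_bytes_chunked(data: bytes, signatures: Iterable[Signature], chunk_size: int) -> List[str]:
    """Wrapper so the chunked scanner can be exercised on an in-memory buffer."""
    return scan_stream(io.BytesIO(data), signatures, chunk_size)


# Constructed sample "files": one clean, one matching the old signature,
# and one new variant that only the updated signature file knows about.
SAMPLE_FILES = {
    "report.doc": b"quarterly numbers, nothing unusual here",
    "old_worm.exe": b"\x90\x90SAMPLE-A-MARKER\x00payload",
    "new_variant.exe": b"\x90\x90SAMPLE-B-MARKER\x00payload",
}

if __name__ == "__main__":
    print("stale signatures  :", scan_files(SAMPLE_FILES, OLD_SIGNATURES))
    print("updated signatures:", scan_files(SAMPLE_FILES, UPDATED_SIGNATURES))
```

With `OLD_SIGNATURES` the scanner reports only `old_worm.exe`; `new_variant.exe` passes as clean until the signature set is updated, which is exactly the window the law is about. The overlap in `scan_stream` is what separates a correct chunked scanner from one that silently misses anything that happens to fall across a buffer boundary.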

Law #9: Absolute anonymity isn’t practical, in real life or on the web. All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you. Think about all the information that a person can glean in just a short conversation with you. In one glance, they can gauge your height, weight, and approximate age. Your accent will probably tell them what country you’re from, and may even tell them what region of the country. If you talk about anything other than the weather, you’ll probably tell them something about your family, your interests, where you live, and what you do for a living. It doesn’t take long for someone to collect enough information to figure out who you are. If you crave absolute anonymity, your best bet is to live in a cave and shun all human contact.

The same thing is true of the Internet. If you visit a web site, the owner can, if he’s sufficiently motivated, find out who you are. After all, the ones and zeroes that make up the web session have to be able to find their way to the right place, and that place is your computer. There are a lot of measures you can take to disguise the bits, and the more of them you use, the more thoroughly the bits will be disguised. For instance, you could use network address translation to mask your actual IP address, subscribe to an anonymizing service that launders the bits by relaying them from one end of the ether to the other, use a different ISP account for different purposes, surf certain sites only from public kiosks, and so on. All of these make it more difficult to determine who you are, but none of them make it impossible. Do you know for certain who operates the anonymizing service? Maybe it’s the same person who owns the web site you just visited! Or what about that innocuous web site you visited yesterday, that offered to mail you a free $10 off coupon? Maybe the owner is willing to share information with other web site owners. If so, the second web site owner may be able to correlate the information from the two sites and determine who you are.

Does this mean that privacy on the web is a lost cause? Not at all. What it means is that the best way to protect your privacy on the Internet is the same as the way you protect your privacy in normal life – through your behavior. Read the privacy statements on the web sites you visit, and only do business with ones whose practices you agree with. If you’re worried about cookies, disable them. Most importantly, avoid indiscriminate web surfing – recognize that just as most cities have a bad side of town that’s best avoided, the Internet does too. But if it’s complete and total anonymity you want, better start looking for that cave.

Law #10: Technology is not a panacea. Technology can do some amazing things. Recent years have seen the development of ever-cheaper and more powerful hardware, software that harnesses the hardware to open new vistas for computer users, as well as advancements in cryptography and other sciences. It’s tempting to believe that technology can deliver a risk-free world, if we just work hard enough. However, this is simply not realistic.

Perfect security requires a level of perfection that simply doesn’t exist, and in fact isn’t likely to ever exist. This is true for software as well as virtually all fields of human interest. Software development is an imperfect science, and all software has bugs. Some of them can be exploited to cause security breaches. That’s just a fact of life. But even if software could be made perfect, it wouldn’t solve the problem entirely. Most attacks involve, to one degree or another, some manipulation of human nature; this is usually referred to as social engineering. Raise the cost and difficulty of attacking security technology, and bad guys will respond by shifting their focus away from the technology and toward the human being at the console. It’s vital that you understand your role in maintaining solid security, or you could become the chink in your own systems’ armor.

The solution is to recognize two essential points. First, security consists of both technology and policy; that is, it’s the combination of the technology and how it’s used that ultimately determines how secure your systems are. Second, security is a journey, not a destination; it isn’t a problem that can be “solved” once and for all; it’s a constant series of moves and countermoves between the good guys and the bad guys. The key is to ensure that you have good security awareness and exercise sound judgment. There are resources available to help you do this. The Microsoft Security web site, for instance, has hundreds of white papers, best practices guides, checklists and tools, and we’re developing more all the time. Combine great technology with sound judgment, and you’ll have rock-solid security.

“It is important for companies to do a thorough security audit of their computer systems and to keep these systems up-to-date in order to thwart computer hackers,” said Robert Hagens, director of Internet Engineering for MCI’s Data Services Division. “Computer hackers are constantly sharpening their skills and inventing new schemes to break into company computer systems. Businesses also need to ensure that they continue to stay one step ahead of the bad guys in securing their systems.”

According to MCI’s Internet Security Department, most of the successful computer break-ins are the result of exercising old, known weaknesses in operating systems which system administrators and managers have not remedied. Despite the best efforts of the Computer Emergency Response Team (CERT) and others, many system operators have shown remarkable complacence about security until they are hit by a hacker. MCI hopes this message will encourage more pro-active efforts by managers of systems on the Internet.

TOP 10 SECURITY PRECAUTIONS

Firewall Sensitive Systems. Ensure corporate systems are protected from Internet attacks. Deploy a firewall between these systems and the Internet to guard against network scans and intrusions.

Obtain Security Alert Information. Subscribe to security alert mailing lists to identify potential security exposures before they become problems. CERT (Computer Emergency Response Team at Carnegie Mellon University) is a good place to start. The URL for CERT’s Web site is cert-advisory-request@cert.org. The e-mail address is cert@cert.org.

Review System Audit Trails Regularly. Regularly check logging data and audit trails to look for unusual or suspicious activity.

Backup Data. Don’t be a victim of accidental or malicious data erasure. Backup all sensitive data on a regular basis.

Purchase and Deploy Anti-Virus Software. Computer viruses can spread throughout a system in minutes. Check systems for viruses on a regular basis.

Change Passwords On A Regular Rotational Basis. Don’t pick easy to remember passwords and change them often. Consider the use of one-time password tokens to avoid password compromise threats.

Deploy Vendor Security Patches. Consult with vendors and obtain any system security patches that can be used to add additional layers of protection.

Establish and Enforce A Security Policy. Develop and enforce a company-wide computer and physical security policy.

Employee Awareness. Ensure all employees and management are briefed regularly on security threats, policies, corrective measures and incident reporting procedures.

Make Use Of Public Domain Security Tools. A wide variety of public domain security tools exist on the Internet, many of which can be used to assist in the protection of computer systems.

Adams, Jon-K. Hacker Ideology (aka Hacking Freedom). http://node9.phil3.uni-freiburg.de/1998/hackers.html. 2 August 1998.

Culp, Scott. The Ten Immutable Laws of Security. Microsoft.com. http://www.microsoft.com/technet/security/10imlaws.asp. 23 October 2000.

Johnston, Margaret and Joris Evers. FBI warns e-commerce sites. Copyright (c) 2000 by InfoWorld Media Group, Inc., a subsidiary of IDG Communications, Inc. http://www.infoworld.com/cgi-bin/fixup.pl?story=http://www.infoworld.com/articles/hn/xml/01/03/09/010309hnfeds.xml&dctag=security. 9 March 2001.

Knight, Will. Political hackers are modern freedom fighters. ZDNet UK. http://www.zdnet.com.au/news/dailynews/story/0,2000013063,20208096,00.htm. 9 March 2001.

MCI’s Internet Security Department. How to Hacker-Proof Your Computer Systems. http://www.nsi.org/Library/Compsec/hackproof.html. 28 December 1995.

Mizrach, Steve. Is there a Hacker Ethic for 90s Hackers? Infowar.Com & Interpact, Inc. http://www.infowar.com/hacker/hackzf.html-ssi. 12 March 2001.

Sullivan, Bob. Big Brother is watching. MSNBC.com. http://www.msnbc.com/news/483054.asp. 30 October 2000.

Sullivan, Bob. No genius needed to hack bad system. MSNBC.com. http://www.msnbc.com/news/547084.asp?0nm=T21E. 20 March 2001.