The Ten Immutable Laws of Computer Security

Privacy - The Ten Immutable Laws of Computer Security

In order to protect your privacy, your assets, and indeed, almost everything that's important to you, it has become vital that you take the most stringent measures possible to close the front and back doors to your personal and business life. Scott Culp of the Microsoft Security Response Center gives us ten low-tech, commonness laws to live by.

Here at the Microsoft Security Response Center, we investigate thousands of security reports every year. In some cases, we find that a report describes a bona fide security vulnerability resulting from a flaw in one of our products. When this happens, we develop a patch as quickly as possible to correct the error. In other cases, reported problems simply result from a mistake someone made in using the product. Many security problems, however, don't result from product flaws, but from how you manage your computer.
Over the years, we've identified a number of critical computer management issues, which we call the Ten Immutable Laws of Security. Don't hold your breath waiting for a patch that will protect you from these issues. It isn't possible for Microsoft, or any software vendor, to "fix" them, because they result from the way computers work.
Essentially, sound judgment is the key, and if you keep these ten laws in mind, you can significantly improve the security of your system.

Law No. 1:
If someone can persuade you to run his program on your computer, it's not your computer anymore.

It's an unfortunate fact of computer science: when a computer program runs, it will do what it's programmed to do, even if it is programmed to be harmful. When you choose to run a program, you are making a decision to turn over to it [the program] the control of your computer. Once a program is running, it can do anything, up to the limits of what you yourself can do on the machine. It could monitor your keystrokes and send them to a web site. It could open every document on the machine, and change the word "will" to "won't", in all of them. It could send rude emails to all your friends. It could install a virus. It could create a "back door" that lets someone remotely control your machine. It could dial up an ISP in Kathmandu. Or it could just reformat your hard drive.

That's why it's important to never run, or even download, a program from an untrustworthy source. By "source", I mean the person who wrote it, not the person who gave it to you.
There's a nice analogy between running a program and eating a sandwich. If a stranger walked up to you and handed you a sandwich, would you eat it? Probably not. How about if your best friend gave you a sandwich? Maybe you would, maybe you wouldn't, it depends on whether she made it or found it lying in the street. Apply the same critical thought to a program that you would to a sandwich, and usually you will be safe.

Law No. 2:
If someone can alter the operating system on your computer, it's not your computer anymore.

In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor, cause the machine to do certain things. Change the ones and zeroes, and it will do something different. Where are the ones and zeroes stored? Why, on the machine, right along with everything else! They're just files, and if other people who use the machine are permitted to change those files, it's "game over".

To understand why, consider that operating system files are among the most trusted ones on the computer, and they generally run with system-level privileges. That is, they can do absolutely anything. Among other things, they're trusted to manage user accounts, handle password changes, and enforce the rules governing who can do what on the computer.
If someone, other than yourself, can change them, the now-untrustworthy files will do his bidding, and there's no limit to what he can do. He can steal passwords, make himself an administrator on the machine, or add entirely new functions to the operating system.
To prevent this type of attack, make sure that the system files (and the registry, for that matter) are well protected. (The security checklists on the Microsoft Security web site will help you do this).

Law No. 3:
If someone has unrestricted physical access to your computer, it's not your computer anymore.

Oh, the things a bad guy can do if he can lay his hands on your computer! Here's a sampling, going from Stone Age to Space Age:

* He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.

* He could unplug the computer, haul it out of your building, and hold it for ransom.

* He could boot the computer from a floppy disk, and reformat your hard drive. Wait, you say, I've configured the BIOS on my computer to prompt for a password when I turn the power on. No problem; if he can open the case and get his hands on the system hardware, he could just replace the BIOS chips. (Actually, there are even easier ways).

* He could remove the hard drive from your computer, install it into his computer, and read it.

* He could make a duplicate of your hard drive and take it back to his lair. Once there, he'd have all the time in the world to conduct brute-force attacks, such as trying every possible log-on password. Programs are available to automate this and, given enough time, it's almost certain that he would succeed. Once that happens, Laws No. 1 and No. 2 apply.

* He could replace your keyboard with one that contains a radio transmitter. He could then monitor everything you type, including your password.

Always make sure that your computer is physically protected in a way that's consistent with its value. Remember that the value of a machine includes not only the value of the hardware itself but the value of the data on it, and the value of the access to your network, if you are connected to one. If you travel with a laptop, it's absolutely critical that you protect it. The same features that make laptops great to travel with, small size, light weight, and so forth, also make them easy to steal.

There are a variety of locks and alarms available for laptops. Some models allow you to remove the hard drive and carry it with you. If someone succeeded in stealing your computer, to mitigate the damage, you can use features like the Encrypting File System in Windows 2000.

Be aware, though, that the only way you can know with 100% certainty that your data is safe, and the hardware hasn't been tampered with, is to, at all times, keep the laptop on your person while traveling.

Law No. 4:
If you allow someone to upload programs to your web site, it's not your web site any more.

This is basically Law No. 1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his machine, and running it. In this one, the bad guy uploads a harmful program to a machine and runs it himself.

Although this scenario is a danger anytime you allow strangers to connect to your machine, web sites are involved in the overwhelming majority of these cases. Many people who operate web sites are too hospitable for their own good, and allow visitors to upload programs to the site and run them. As we've seen, unpleasant things can happen if a bad guy's program is allowed to run on your machine.

If you operate a web site, you need to limit what visitors can do. You should only allow a program on your site if you wrote it yourself, or if you trust the developer who wrote it. Of course, that may not be enough. If your web site is one of several that are hosted on a shared server, you need to be extra careful. If a bad guy can compromise one of the other sites on the server, it's possible he could extend his control to the server itself, in which case he could control all of the sites on the server, including yours.

If you're on a shared server, it's important to find out what the server administrator's policies are. (By the way, before opening your site to the public, make sure you've followed the security checklists for IIS 4.0 and IIS 5.0).

Law No. 5:
Weak passwords trump strong security.

The purpose of having a log-on process is to establish who you are. Once the operating system knows who you are, it can appropriately grant or deny requests for system resources. If someone learns your password, he can log on as you. In fact, as far as the operating system is concerned, he is you. Because he is you, whatever you can do on the system, he can do as well. Maybe he wants to read sensitive information you've stored on your computer, like your email. Maybe you have more privileges on the network
than he does, and being you, he will be able do things he normally couldn't. Or maybe he just wants to do something malicious and blame it on you. In any case, it's worth protecting your credentials.

Always use a password. It is amazing how many accounts have blank passwords. Choose a complex one. Don't use your dog's name, your anniversary date, or the name of the local football team. Don't use the word "password"! Pick a password that has a mix of upper- and lower-case letters, numbers, punctuation marks, and so forth. Make it as long as possible. Change it often.

Once you've developed a strong password, handle it appropriately. Don't write it down. If you absolutely must write it down, at the very least, keep it in a safe or a locked drawer. The first thing someone who is hunting for passwords will do, is check for a yellow sticky note on the side of your screen, or in the top desk drawer. Don't tell anyone what your password is. Remember what Ben Franklin said: two people can keep a secret, but only if one of them is dead.

Finally, to identify yourself to the system, consider using something stronger than passwords . Windows 2000, for instance, supports the use of smart cards, which significantly strengthens the identity-checking the system can perform. You may also want to consider biometrics products like fingerprint and retina scanners.

Law No. 6:
A computer only is as secure as the administrator is trustworthy.

Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running.

By definition, these tasks require that he have control over the machine. This puts the administrator in a position of unequaled power. An untrustworthy administrator can negate every other security measure you've taken. He can change the permissions on the machine, modify the system security policies, install malicious software, add bogus users, or do any of a million other things. He can subvert virtually any protective measure in the operating system, because he controls it. Worst of all, he can cover his tracks. If you have an untrustworthy administrator, you have absolutely no security.

Make it a policy, therefore, to check out anyone who does anything to your computer, which could include any number of people who have previously used his services.

Law No. 7:
Encrypted data is only as secure as the decryption key.

Suppose you installed on your front door, the biggest, strongest, most secure lock in the world , but you put the key under the front door mat. It wouldn't really matter how strong the lock is, would it? The critical factor would be the poor way the key was protected. If a burglar could find it, he'd have everything he needed to open the lock. Encrypted data works the same way. No matter how strong the crypto-algorithm is, the data is only as safe as the key that can decrypt it.

Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience, you don't have to handle the key, but it comes at the cost of security.

The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. In the end, no matter how well-hidden the key is, if it's on the machine it can be found. After all, the software can find it, so a sufficiently-motivated bad guy could find it, too. Whenever possible, for encryption keys, use off-line storage. If the key is a word or phrase, memorize it. If not, export it to a floppy disk, make a back-up copy, and store the copies in separate, secure locations.

Law No. 8:
An out of date virus scanner is only marginally better than no virus scanner at all.

Virus scanners work by comparing the data on your computer against a collection of virus "signatures". Each signature is characteristic of a particular virus. When the scanner finds data in a file, email, or elsewhere, that matches the signature, it concludes that it's found a virus. However, a virus scanner can only scan for the viruses it knows about. As new viruses are created every day, it's vital that you keep your virus scanner's signature file up to date.

The problem, though, actually goes a bit deeper than this. Typically, a new virus will do the greatest amount of damage during the early stages of its life, precisely because few people will be able to detect it. Once word gets around that a new virus is on the loose, and people update their virus signatures, the spread of the virus falls off drastically. The key is to get ahead of the curve, and have updated signature files on your machine before the virus hits.

Virtually every maker of anti-virus software provides a way to get free updated signature files from their web site. In fact, many have "push" services, in which they'll send notification every time a new signature file is released. Use these services. Also, keep the virus scanner itself - that is, the scanning software - updated as well. Virus writers periodically develop new techniques that require that the scanners change how they do their work.

Law No. 9:
Absolute anonymity isn't practical, in real life, or on the web.

All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you. Think about all the information that a person can glean in just a short conversation with you. In one glance, they can gauge your height, weight, and approximate age. Your accent will probably tell them what country you're from, and may even tell them from what region of the country. If you talk about anything other than the weather, you'll probably tell them something about your family, your interests, where you live, and what you do for a living.

It doesn't take long for someone to collect enough information to figure out who you are. If you crave absolute anonymity, your best bet is to live in a cave, and shun all human contact. The same thing holds true on the Internet. If you visit a web site, the owner can, if he's sufficiently motivated, find out who you are. After all, the ones and zeroes that make up the web session have to be able to find their way to the right place, and that place is your computer.

There are a lot of measures you can take to disguise the bits, and the more of them you use, the more thoroughly the bits will be disguised. For instance, you could use network address translation to mask your actual IP address; subscribe to an anonymizing service that launders the bits by relaying them from one end of the ether to the other; use a different ISP account for different purposes; surf certain sites only from public kiosks, and so on.

All of these methods make it more difficult for someone to determine who you are, but none of them make it impossible. Do you know for certain who operates the anonymizing service? Maybe it's the same person who owns the web site you just visited! Or what about that innocuous web site you visited yesterday, that offered to mail you a free $10 off coupon?

Maybe the owner is willing to share information with other web site owners. If so, the second web site owner may be able to correlate the information from the two sites and determine who you are. Does this mean that privacy on the web is a lost cause? Not at all. What it means is that the best way to protect your privacy on the Internet is the same as the way you protect your privacy in normal life - through your behavior.

Read the privacy statements on the web sites you visit, and only do business with those whose practices you agree. If you're worried about cookies, disable them. Most importantly, avoid indiscriminate web surfing. Recognize that just as most cities have a bad side of town that's best avoided, the Internet does too. If it's complete and total anonymity you want, better start looking for that cave.

Law No. 10:
Technology is not a panacea.

Technology can do some amazing things. Recent years have seen the development of ever-cheaper and more powerful hardware, software that harnesses the hardware to open new vistas for computer users, as well as advancements in cryptography and other sciences. It's tempting to believe that technology can deliver a risk-free world, if we just work hard enough. However, this is simply not realistic.

Perfect security requires a level of perfection that simply doesn't exist, and in fact isn't likely to ever exist. This is true for software as well as virtually all fields of human interest. Software development is an imperfect science, and all software has bugs. Some software can be manipulated to breach security . That's just a fact of life. Even if software could be made perfect, it wouldn't solve the problem entirely.

Most attacks involve, to one degree or another, some manipulation of human nature. This is usually referred to as social engineering. Raise the cost and difficulty of attacking security technology, and bad guys will respond by shifting their focus away from the technology, and toward the human being at the console. It's vital, therefore, that you understand your role in maintaining solid security, or you could become the chink in your own system's armour.

The solution is to recognize two essential points. First, security consists of both technology and policy. That is, it's the combination of the technology, and how it's used, that ultimately determines how secure your systems are.

Second, security is a journey, not a destination. It isn't a problem that can be "solved" once and for all; it's a constant series of moves and counter-moves between the good guys and the bad guys. The key is to ensure that you have good security awareness and exercise sound judgment There are resources available to help you do this.
The Microsoft Security web site, for instance, has hundreds of white papers, best practices guides, checklists and tools, and we're developing more all the time. Combine great technology with sound judgment, and you'll have rock-solid security.

For clarity and relevance, this article has been shortened and edited - Ed.

Thanks to Microsoft Corporation for the use of this article.
© 2000 Microsoft Corporation. All rights reserved.


"If someone learns your password, he can log on as you."

"Perfect security requires a level of perfection that simply doesn't exist."

"You could become the chink in your own system's armour."

Free Freebooter Newsletter

  • Click your mouse inside the input box, to set the cursor.
  • Enter your email address and click on the button labeled Subscribe.
  • We will not share your email address with anybody, period.

security banner