Contact:http://www.packetnexus.com
By Scott Culp, November 2000

We recently published the Ten Immutable Laws of Security, a listing of ten facts of life regarding computer security. We realized that administrators have their own set of immutable laws, one that's entirely separate from the list for users. So, we canvassed the network administrators, security gurus, and other folks here at Microsoft, and developed the list that follows, which encapsulates literally hundreds of years of hard-earned experience. As in the case of the immutable laws for users, the laws on this list reflect the basic nature of security, rather than any product-specific issue. Don't look for a patch from a vendor, because these laws don't result from a technology flaw. Instead, use common sense and thorough planning to turn them to your advantage.

Law #1: Nobody believes anything bad can happen to them, until it does.

Many people are unwilling partners in computer security. This isn't because they're deliberately trying to endanger the network – they simply have a different agenda than you do. Your company has a network because it lets your company conduct business, and your users are focused on your company's business rather than on the vagaries of computer security. Many users can't conceive why someone might ever go to the trouble of sending them a malicious email or trying to crack their password, but an attacker only needs to find one weak link in order to penetrate your network. As a result, relying on voluntary measures to keep your network secure is likely to be a non-starter. You need the authority to mandate security on the network. Work with your company's management team to develop a security policy that spells out specifically what the value of the information on your network is, and what steps the company is willing to take to protect it. Then develop and implement security measures on the network that reflect this policy.

Law #2: Security only works if the secure way also happens to be the easy way.

As we discussed in Law #1, you need the authority to mandate security on the network. However, the flip side is that if you turn the network into a police state, you're likely to face an uprising. If your security measures obstruct the business processes of your company, your users may flout them. Again, this isn't because they're malicious – it's because they have jobs to do. The result could be that the overall security of your network would actually be lower after you implemented more stringent policies. There are three key things you can do to prevent your users from becoming hackers' unwitting accomplices.

- Make sure your company's security policy is reasonable, and strikes a balance between security and productivity. Security is important, but if your network is so secure that nobody can get any work done, you haven't really performed a service for your company.

- Look for ways to make your security processes have value to your users. For instance, if you have a security policy that calls for virus signatures to be updated once a week, don't expect your users to do the updates manually. Instead, consider using a "push" mechanism to do it automatically. Your users will like the idea of having up-to-date virus scanners, and the fact that they didn't have to do anything makes it doubly popular.

- In cases where you must impose a restrictive security measure, explain to your users why it's necessary. It's amazing what people will put up with when they know it's for a good cause.

Law #3: If you don't keep up with security fixes, your network won't be yours for lo