Monday, September 03, 2007

Perfect Security Is Impossible

I saw this post on securosis.com and it seemed like a great launching point for a discussion here. I want to take one point that he makes, that people seem to ask "what can I do to fix problems after the fact?" The fact that people ask this question hides a couple of addressable assumptions they often make about computer security.

The first of these is that computer problems should be addressed reactively, rather than proactively. Some people take the stance that they will always be vigilant, but many realize that they don't always do what they should. For example, most people know that they should have their vehicles serviced regularly for a multitude of maintenance issues, such as oil changes, brake replacement, tire rotation, check fluids, etc. But many of the drivers out there do not take these precautions as often as they should. Instead, they may take the attitude of "I'll fix it if it breaks." This may not necessarily be conscious decision, either; it may be that the "out of sight, out of mind" rule takes over, or that the owner is too busy to attend to it at the moment.

The reactive attitude also assumes that everything can be fixed and put back perfectly in place as it was. This assumption runs a little bit deeper in most people, because they do not really know how computers operate. On a car, a bent frame is not perfectly repairable; in our bodies, a removed organ does not grow back; in the universe, time flows only in one direction. Yet even mechanics, doctors, and scientists may not really understand that a computer can be broken in a way that is irreparable.

Fortunately, with computers we can address problems proactively. Computer security deals with protecting Confidentiality, Integrity, and Availability (the so-called C.I.A. triad). These are the three aspects of the rest of our lives that most of us attempt to protect, as well. It follows, then, that we should view our responsibilities towards our computers safe as we do our responsibilities to keeping ourselves safe.

Using caution applies to technology as with anything. Stay away from the seedier side of the Internet as you would stay away from the seedier side of the city you live in. If you need a hand deciding which are the well-lit streets and which are the back alleys, there are tools to help. McAfee Site Advisor is an excellent tool, and tends to err on the side of caution. K9 Web Protection will actually block many sites that you may wish to avoid, though it's not fool proof.

Be observant of your surroundings. If something seems not quite right, don't be afraid to be suspicious. If your computer is acting strangely or if the email from the IRS sounds fishy (phishy), then investigate the problem.

Be ready to take action. When you have determined that something strange is definitely going on, make sure you know what to do. If you don't know what to do, then know who you can speak with to find out. But more importantly, when you have figured out the proper action to take, don't delay! Many issues are exacerbated by doing nothing when you should be doing something (or vice-versa).

Finally, be prepared to fix or workaround the problem. Something will happen someday that will compromise the C.I.A. of your computer. Whether that means you delete the wrong files, you get a virus, or your house burns down, something will happen to your digital life someday. No one, even us geeks, is immune. Have backups, antivirus, etc. ready when you need them.

All of these lessons can, and should, be applied to the real world. Most of us understand this, even if we don't practice it every day. But too many people don't seem to realize that computers are not immune from the same physical realities of everything else. Either that or they are afraid to ask about these things. But Murphy's Law still applies, as does the principle that anyone can learn how to defend themselves against it.