Information Security 101 - the Rules of Thumb
ken
bbrow07 at students.bbk.ac.uk
Wed Jun 24 14:13:18 BST 2009
These are some very corny old rules - but they are still relevant
1) Back it up
2) Be careful
Although there are nasty crackers out there who just want to
hack into your system, there aren't that many of them. By far
the most common cause of damage to information systems is
*legitimate* *users* *making* *mistakes*. The person most likely
to mess up your system is yourself... be careful!
3) Don't panic
4) You need a friend.
In practice you need to trust someone.
No system is safe from its own operators or anyone else with
both access to the hardware and either money or skills. Or from
8-year-old children.
So you need to trust someone. That someone might include the
professionals who designed the systems you are using, or who
manage or maintain them for you. No amount of technical skill
replaces personal relationships.
No system is going to be entirely safe from a full-scale focused
attack by the CIA or GCHQ or the KGB or the Mafia or anyone else
who is able to put large amounts of both skill and money into
breaking it. (If only because they can buy it from you if they
pay enough.) No system you are likely to be able to design or
afford is safe from a focused attack by anyone who is able to
put large amounts of either skill OR money into breaking it.
Especially if they have access to the hardware.
5) Don't run what you don't need.
6) Enforce separation of powers.
Even if you are the only person who ever logs on to a machine or
service it is a good idea to have an admin userid to do admin
jobs and a normal userid for getting on with real work. Don't
do regular work from an admin id. All legitimate users
(including yourself) should have accounts with sufficient
privileges to get their job done but no more.
7) You did remember to back it up, didn't you?
8) Keep it simple.
9) Be wary of "helpful" people giving you advice (yes, even
me). Never, ever, give them any password or user account or any
other access they don't need to have.
10) Oh, and back it up.
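An added example, not part of the original post, to go with rule 6 (admin id for admin jobs, normal id for real work, and no more privilege than the job needs). It audits a passwd file and a sudoers file for two common ways that rule gets broken: extra login accounts sharing UID 0, and sudoers principals granted an unrestricted ALL. The passwd and sudoers excerpts below are constructed for the example; the function names and the sample account names (ken2, helper) are assumptions, not anything from the original.

```shell
#!/bin/sh
# Added example: audit passwd and sudoers data for violations of
# "separate admin and normal ids; least privilege".
# Sample data is constructed for this example. On a real machine you
# would feed in /etc/passwd and /etc/sudoers (e.g. "$(cat /etc/passwd)").

# Constructed /etc/passwd excerpt. "ken2" is a second UID-0 login with a
# real shell, i.e. a normal-work id that is really an admin id.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ken:x:1000:1000:Ken:/home/ken:/bin/bash
ken2:x:0:0:Ken admin clone:/home/ken:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# Constructed /etc/sudoers excerpt. "ken" has a rule scoped to the two
# commands the job needs (good); "helper" has unrestricted ALL with no
# password (the "helpful person" from rule 9, with too much access).
SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL:ALL) ALL
ken ALL=(root) /usr/bin/apt-get, /usr/sbin/service
helper ALL=(ALL) NOPASSWD: ALL'

# Print every login name other than root that has UID 0.
# Argument: passwd file contents as a single string.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print every sudoers principal (user or %group) whose command list is
# the bare word ALL, root itself excluded. Comments and Defaults lines
# are skipped; a rule like "ken ... /usr/bin/apt-get, /usr/sbin/service"
# ends in a command path, not ALL, so it is not reported.
# Argument: sudoers file contents as a single string.
unrestricted_sudoers() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|Defaults)/ { next }
        NF >= 3 && $NF == "ALL" && $1 != "root" { print $1 }'
}

# Stand-alone run: report both findings on the constructed data.
printf 'Extra UID-0 accounts (should be empty):\n'
extra_uid0_accounts "$SAMPLE_PASSWD"
printf 'Principals with unrestricted sudo ALL (should be empty):\n'
unrestricted_sudoers "$SAMPLE_SUDOERS"
```

Both checks are deliberately narrow: they catch the two cheapest ways of ending up doing regular work with admin power, not every possible privilege grant (group memberships, setuid binaries and sudoers include files are out of scope here). An empty result from both is the state rule 6 asks for.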