The first principle of computer security is the same as in the real world:
If what you have is perceived to be valuable, there will be people who will decide they want it.
So the first rule of security is to avoid making something look more valuable than it is.
(A derived rule is to try to make it appear less valuable, but such attempts are generally all too easy to read through, and thus backfire. Going that route should be reserved for special cases, not engaged in without careful planning, and definitely left alone if you haven't throughly understand all the principles of security.)
Think about the old MS/PC-DOS machines. Internal storage was small. Networking was primitive. Data tended to be stored off-line. The biggest security problems were computer viruses written mostly by kids who had no idea of the value of the data their toys were mucking around in.
Well, the data itself wasn't that valuable either, because it was hard to dig into, hard to aggregate, hard to interpret.
Security was not a big problem because of a lack of value, and a lack of perceived value.
To get a grip on perceived value, however, you need to know what you are protecting.
No comments:
Post a Comment