January 30, 2001, 3:53 PM — There seem to be two kinds of people in the world: those who think computer security is fun and exciting, and those who think it is arcane and scary. Professional system administrators who read their logs will tell you computer security is actually long periods of boredom punctuated by intervals of sleeplessness, panic, and frantic activity.
For months, you read logs that basically consist of the same sequence of messages. Then one morning, you see a different message. Your first thought tends to be "I've been hit!" You want to determine whether the attack was successful. You comb through logs and examine files on your systems, looking for signs of abnormal behavior. There are none; maybe the attack has failed. But perhaps the attacker was smarter than you. For days or weeks you remain unsure if your system's defenses were penetrated. Eventually, you forget about it and move on to a new crisis.
I think driving is an excellent metaphor for computer security, on a number of levels: Some people think driving is enjoyable and exciting, but some think it is dangerous and scary. I insure my vehicle, follow the rules of the road, wear my seatbelt, stay out of harm's way, keep my eyes on the road, and perform regular maintenance. Let's take a look at how each of those steps applies to computer security.
First, a warning: most of computer security is nontechnical, just as most driving doesn't require a detailed understanding of internal combustion engines. Good driving also means boring and predictable driving, which may not be much fun. Computer security requires lots of plodding, methodical examination of details that will hopefully result in boring and predictable computers. Neither safe driving nor safe computing tax your technical abilities; their goal is to keep you out of harm's way in the first place. Think of this article as a defensive driving course for the information superhighway.
Most states won't even let you get on the road without insurance, which is a very old method of distributing and managing risk. By climbing into an automobile, you increase your risk of death or serious injury, but most people still drive to work. Likewise, connecting a computer to a network puts you at risk for theft or loss of data, but most people are loath to permanently disconnect their systems from the Internet. As a Linux system administrator, I work not to eliminate risk, but to manage it.
I need to know the nature of a risk before I can manage it. Car insurance typically covers medical bills, damage to your car, accident-related lawsuits, and theft. When you put a computer on the Internet, what do you put at risk?