Cyber Security
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to upload programs to your website, it's not your website anymore.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data are only as secure as the decryption key.
Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.
Law #9: Absolute anonymity isn’t practical, in real life or on the web.
Law #10: Technology is not a panacea.
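Laws #5 and #7 together make a single point: the strength of the cipher and of the key-derivation function is irrelevant once the key is reachable through a guessable password. The following Python block is an added example, not part of this chapter or of Microsoft's text; the HMAC-SHA256 counter-mode keystream is a toy stand-in for a real cipher such as AES-CTR (the point is the key, not the cipher), and the salt, wordlist, passwords and record are constructed for the demonstration.

```python
"""Laws #5 and #7 in practice: a strong KDF and cipher cannot rescue a weak password.

Added example (not from the chapter). The HMAC-SHA256 counter-mode keystream is a
toy stand-in for a real cipher; salt, wordlist, passwords and record are constructed.
"""
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

ITERATIONS = 50_000            # PBKDF2 work factor; only slows the attacker linearly
SALT = b"constructed-salt"     # constructed; salts are public, so the attacker has it too

# Constructed attacker wordlist; a real one holds millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome",
            "admin", "dragon", "monkey", "summer2012", "Password1"]


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 256-bit key via PBKDF2-HMAC-SHA256 (same path for defender and attacker)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)


def keystream(key: bytes, nbytes: int) -> bytes:
    """Toy counter-mode keystream: concatenated HMAC-SHA256(key, counter) blocks, truncated."""
    out = bytearray()
    for counter in range((nbytes + 31) // 32):
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:nbytes])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def crack(salt: bytes, ciphertext: bytes, crib: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: derive a key per candidate password and test it
    against a known plaintext prefix (the crib). Returns the password that works, or None."""
    for candidate in wordlist:
        key = derive_key(candidate, salt)
        if decrypt(key, ciphertext)[:len(crib)] == crib:
            return candidate
    return None


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Encrypt the same record under a weak and a strong password, then attack both identically."""
    record = b"Cardholder data: 4111 1111 1111 1111"   # constructed; 4111... is a standard test PAN
    crib = b"Cardholder data:"                          # the attacker knows the record layout
    weak_ct = encrypt(derive_key("summer2012", SALT), record)
    strong_ct = encrypt(derive_key("gV7#pQ2z!Lx9wR4mT8nB", SALT), record)  # constructed random secret
    return crack(SALT, weak_ct, crib, WORDLIST), crack(SALT, strong_ct, crib, WORDLIST)


if __name__ == "__main__":
    weak, strong = demo()
    print("weak password recovered:", weak)       # the ciphertext was only as secure as "summer2012"
    print("strong password recovered:", strong)   # None: the attacker is back to attacking the key space
```

Both records are protected by identical machinery; the only difference is whether the password is in the attacker's wordlist. Raising the PBKDF2 iteration count slows the attack linearly, which helps against a large wordlist but never turns a guessable password into an unguessable key.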
References
Bowen, P., Hash, J., and Wilson, M. 2006. Information security handbook: A guide for managers. NIST Special Publication 800-100.
Conrad, E. 2011. CISSP study guide. Waltham, MA: Syngress.
Dey, M. 2011. Business continuity planning (BCP) methodology—Essential for every business. IEEE GCC Conference and Exhibition, February 19–22, pp. 229–232.
Evans, D., Bond, P., and Bement, A. 2004. Standards for security categorization of federal information and information systems. FIPS PUB 199, February 2004.
Felten, E. 2008. What's the cyber in cyber-security? Freedom to Tinker, July 24, 2008, https://freedom-to-tinker.com/blog/felten/whats-cyber-cyber-security/ (retrieved August 12, 2012).
Gregory, P. 2010. CISSP guide to security essentials. Boston: Course Technology, Cengage Learning.
Jaeger, T. 2008. Operating systems security. San Rafael, CA: Morgan & Claypool.
Khan, M., and Zulkernine, M. 2008. Quantifying security in secure software development phases. Annual IEEE International Computer Software and Applications Conference.
King, R. 2009. Lessons from the data breach at Heartland. Bloomberg BusinessWeek, July 6, 2009, http://www.businessweek.com/stories/2009-07-06/lessons-from-the-data-breach-at-heartlandbusinessweek-business-news-stock-market-and-financial-advice (retrieved August 9, 2012).
Locke, G., and Gallagher, P. 2009. Recommended security controls for federal information systems and organizations. NIST Special Publication 800-53.
Martin, B., Brown, M., Paller, A., and Kirby, D. 2011. 2011 CWE/SANS top 25 most dangerous software errors. The MITRE Corporation.
Microsoft. 2012. 10 immutable laws of security. http://technet.microsoft.com/library/cc722487.aspx (retrieved September 8, 2012).
Payne, J. 2010. Integrating application security into software development. IT Professional 12 (2): 6–9.
Sims, S. 2012. Qualitative vs. quantitative risk assessment. SANS Institute, http://www.sans.edu/research/leadership-laboratory/article/risk-assessment (retrieved December 27, 2012).