Chapter 2. Out-of-the-Box Security

Subsystems should be disabled by default, so that the user (hopefully) learns about what he is enabling before he enables it. This may not be obvious when talking about one or two subsystems, but when the subsystem count reaches into the hundreds... one cannot expect an entire generation of systems engineers to spend half their working lives turning the same things off on every machine.

Theo de Raadt, Security Researcher, The OpenBSD Project

You have been conducting your business on the Internet for a year and have just turned a profit. Things are finally taking off! You think how lucky you are to be one of the first to get your business up and running and turning a profit on the Web. You leaped into a new territory that was unknown to most the Internet. It reminds you of the early pioneers who took a chance and crossed the country because they heard there might be riches thousands of miles away in California. They struck gold. You are one of the early Internet pioneers about to strike gold!

You have so much work scheduled that it looks like you might not get a vacation for a long time. You think how lucky you are to have an Internet Service Provider (ISP). Your ISP opened the door to business on the World Wide Web. Even better, your ISP stores and maintains all your business information, including your World Wide Web home page. You don't waste time supporting systems or figuring out how to build a Web page and connect to the Internet. You honestly have no idea how computers work in the first place, and you couldn't care less that's why you pay your ISP!

Daydreaming aside, you have work to do. It's time to increase prices. Now you can demand higher fees for your consulting services because of the market demand. It's almost midnight, but you decide to log in and make the changes before morning. You try to reach your Web page, but you can't get to it. You try again and again. No luck! What's going on? Is traffic on the Net so bad you can't get to your own Web page? You try to call your ISP, but the number's busy. You can't get to your own Web page and your ISP's lines are all busy. You toss and turn all night wondering what's going on.

Unfortunately, your luck just ran out. The next morning, you learn that a hacker broke into your ISP. The hacker shut down their systems and destroyed all their data. Wait! That's your data! Even worse than the shutdown, you find that your most critical business information and home page can't even be recovered, because your ISP never backed up the disk on which your data was stored.

Now what? All your customer information has been permanently lost! Do you think that's impossible? Think again.

Whether you're storing your precious numbers on an isolated intranet or braving the uncertainty of the Web, you should be able to trust your data's integrity and your ISP's ability to protect your assets. They know how to install systems and protect your data. Right? That is, of course, part of the service you're paying for. Unfortunately, the rapid growth of information technology and the need for otherwise technologically challenged businesses to participate has not spawned a concurrent growth in the depth of security training among professionals.

With all the media hype, most people today know that connecting a system to the Internet without security controls is a lot like playing Russian roulette it's only a matter of time before someone gets shot. Given that, why would a professional ISP install systems right out-of-the-box and play Russian roulette with their customers' data? Don't they care about their customers' data?

If you still believe that most information brokers, system administrators, and ISPs are security savvy, just consider …