Step 1: Believe You Will Be Attacked


The first step is all about taking security seriously. Everyone from the development team, to the management team, to the project sponsor must share the belief that the system will someday be attacked and for this reason it needs an investment in security. Without this belief, you won’t get the buy-in to use project resources on security features.

What systems are in danger of attack? The answer is every system. Web sites of large companies and government departments are obvious targets because many hackers would love to boast, “I defaced the Microsoft homepage” or “I broke into the FBI.” In fact, any computer simply connected to the Internet is in danger of attack. For example, when a worm like SQL Slammer infects a machine, it continuously picks random IP addresses and tries to attack whatever computer is at each address. Your computer will be attacked if its address is randomly chosen.

Systems running on an intranet are also at risk. Disgruntled staff, vindictive spouses who know their partner’s password, fired employees who still have access to the system, and vendors who harbor nefarious intent could all intentionally attack the system. A bumbling operator who is not the sharpest pencil in the tray can make a mistake that costs a company millions and that good security features would have caught.

Obscurity is never a substitute for security. For example, don’t rely on the assumption that because no one knows the location of the SQL Server database no one will attack it. These types of details are simple to find out for anyone determined to intrude where they’re not supposed to. It’s cheaper to prevent an attack than to clean up afterwards. The bottom line is that when you go home from work at night, you always lock the door to your business. Having an insecure system that allows access to your company’s information is like leaving the door to your business unlocked.




Security for Microsoft Visual Basic .NET
ISBN: 735619190
EAN: N/A
Year: 2003
Pages: 168
