Rule 4: Do It Right Before Someone Does It Wrong For You

Computer security can never be implemented in a vacuum. Simply establishing security mechanisms doesn't guarantee that they will work as planned. Security policies and mechanisms must account for the legitimate needs of users: i.e., they must be done right. An organization can decree that no users will have Internet access only to find that savvy users can buy cheap modems to circumvent this policy, thus greatly increasing the organization's vulnerability. It would be better to set more realistic policies and provide for monitored, controlled access to the net in the first place. A firewall administrator may decide to implement a fascist firewall that only allows HTTP/web access via port 80, leaving users that need Telnet access to the outside out of luck. Alternately, these users may discover that it's possible to encapsulate forbidden protocols in HTTP packets. The administrator would be better off providing for legitimate needs rather than encouraging workarounds that can create substantial and unknown risks. It's better to set things up properly yourself than to wait for someone to do it wrong for you.