Securing the Host Computer

Here are some of the ways you might go about defending your computer system from these individuals.

Security Through Policy

It’s tempting to approach host security as a checklist of dos and don’ts for computers and networks. After all, to damage a computer, an attacker must have access. So in theory, to operate a secure system, all you need to do is block all of the avenues by which an attacker can get access, and the resulting system will be secure.

In practice, however, it has proved nearly impossible to have a computer that offers services over the network and yet still denies all access to attackers. Often access comes through unintended holes, such as a carelessly coded CGI script (see Chapter 16), or a buffer overflow attack that is known to the attacker but not to the computer’s operators.

Instead of approaching host security as a laundry list of specific technical action items, it’s better to look at the kinds of practices that make computers less secure, and then explore the specific policy initiatives that you can implement to improve your security outlook.

For more than a decade, there have been nine widespread practices on the Internet that make host security far worse than it needs to be. These practices are:

  • Failure to think about security as a fundamental aspect of system setup and design (establishing policy)

  • Purchase and configuration of computing systems based on issues of cost or compatibility rather than on the desired functionality and ...
