It has been said, quite correctly, that the only totally secure computer is one that is not connected to any network and is locked in a bank vault without power and set into a block of concrete. Of course, this would not be a very useful system. In the real world, we have to trade theoretical, "ultimate" security for practical ease of use. It is our opinion that the most important threats to computer security are:

1. Physical security. If someone can get unrestricted access to a computer, they can do anything they want, regardless of the hardware and software security measures.

2. Lack of security awareness by users. If users can be tricked into revealing their security identifiers, such as user names and passwords, there is no way for the server to distinguish the "good guys" from the "bad guys", and security is compromised. Also, if users or attackers can alter the system settings, hardware or software, they can totally compromise the system.

3. Hostile users or applications, such as viruses, running on computers on the inside, trusted local network.

4. The services the server provides. To be usable, the server, by definition, must provide services, and that is also its greatest weakness: any service is potentially a "back door" that can bypass security measures.

5. Allowing unknown users from the Internet to interact with the server in arbitrary ways. A well-configured proxy firewall can limit this exposure, but cannot totally eliminate it.
A steel bank vault would not be very secure if the combination were posted on the door. Surprisingly, many computers have a sticky note with the "vault combination" posted on the monitor. It's important to understand that information security is not a product or a service. It is not something that can be installed. Security is an ongoing process that involves constant training, care and vigilance by the customer, all the users and us.