There’s a good article up on Microsoft TechNet about truths in computer security that never change. I’ve only listed the laws here, but the actual article has a good explanation of each one.

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more.

Law #5: Weak passwords trump strong security.

Law #6: A computer is only as secure as the administrator is trustworthy.

Law #7: Encrypted data is only as secure as the decryption key.

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.

Law #9: Absolute anonymity isn’t practical, in real life or on the Web.

Law #10: Technology is not a panacea.