Advertisement
Promo

Security threats Toolkit

Ten security laws you can rely on

John McCormick

Published: 07 Feb 2005 18:15 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Microsoft's Security Response Center gets lots of calls for help with security problems, and the security experts there say all of the calls fall into one of three categories. First is the one we hear about the most: software flaws resulting in vulnerabilities. Second is the misuse or poor configuration of software. Third are the basic security mistakes that companies and individuals make every day.

That last category is probably the most critical, but it is also the most neglected. At the same time, it is the easiest threat category that we, as individual managers, can address... sometimes at little or no cost.

Vulnerabilities can be patched, but the other two problems can only be addressed through education, either hiring better-trained people to configure software properly or conducting better in-house training.

The last category requires that everyone learn a bit more about the basics of security and that at least one person in the IT department become a real expert. Here are some facts you can depend on:


  • Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
  • Law #2:If a bad guy can alter the operating system on your computer, it's not your computer anymore.
  • Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
  • Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site any more.
  • Law #5: Weak passwords trump strong security.
  • Law #6: A computer is only as secure as the administrator is trustworthy.
  • Law #7: Encrypted data is only as secure as the decryption key.
  • Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.
  • Law #9: Absolute anonymity isn't practical, in real life or on the Web.
  • Law #10: Technology is not a panacea.

If you don't understand why these are important or how they apply to your business, go to the Microsoft Web page where each one is discussed in detail.

Law 1 doesn't just apply to CDs or floppies, or to keeping people away from your computers; it also means not downloading Java or Active-X from untrusted Web sites. Law 6 is vital and often ignored. What kind of security check did you go through before starting your job as an administrator? Law 7, we recently saw violated by the way Microsoft Word and Excel handle edited files.

Probably the one rule that's most often ignored by the people who complain about Microsoft is the last one – "Technology is not a panacea." Relying on Microsoft or any other vendor for 100 percent of your security needs is a serious mistake.

I've often been called in to assess the damage caused by a software vulnerability that the company thinks may have been exploited. After walking into the server room, sitting down, and flipping on a terminal, I can see that everything is almost within arm's reach from the chair - a terminal that is either not password protected because it's in the server room, or with the password prominently displayed (I kid you not); a handy rack of software, and usually some blank media; one or more sets of backups and a shelf of manuals. Almost always there is also a fairly solid door with a lock (the one I had just come through because it hadn't been locked) so someone could work in complete privacy.

The Fix
Don't assume security is simple or obvious. Hire or designate a chief security officer and give him or her authority to enforce basic security procedures at all levels of the business, including the executive suite.

Show this Microsoft list to upper management. No matter how good you are, you can't fix security problems without having them on your side and getting their full cooperation.

Final word
I know, I know, you've heard it all before, but that doesn't make the ten laws any less true or any less important. If you don't think that they need to be repeated loudly and often, then you aren’t cut out to manage security, because I see all of these rules broken on a regular basis.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
16 out of 49 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:




Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Official Organizations Losing Data

How does this article from earlier today make you feel? How many more government, health service, or military officials are going to lose pen drives, DVDs, USB hard disks and even entire... More

1 comment

Twitter hack was DNS redirect

Twitter has said an attack on Thursday which took the site offline for many users was the result of a DNS redirect. A group calling itself the Iranian Cyber Army redirected users... More

1 comment

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Win a BlackBerry with Vlingo voice recognition

Win a BlackBerry with Vlingo voice recognition

What is ZDNet UK's usual tagline?

Competition closes - 14 Jan 2010


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters