Microsoft's Security Response Center gets lots of calls for help with security problems, and the security experts there say all of the calls fall into one of three categories. First is the one we hear about the most: software flaws resulting in vulnerabilities. Second is the misuse or poor configuration of software. Third are the basic security mistakes that companies and individuals make every day.
That last category is probably the most critical, but it is also the most neglected. At the same time, it is the easiest threat category that we, as individual managers, can address... sometimes at little or no cost.
Vulnerabilities can be patched, but the other two problems can only be addressed through education, either hiring better-trained people to configure software properly or conducting better in-house training.
The last category requires that everyone learn a bit more about the basics of security and that at least one person in the IT department become a real expert. Here are some facts you can depend on:
- Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
- Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
- Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
- Law #4: If you allow a bad guy to upload programs to your Web site, it's not your Web site any more.
- Law #5: Weak passwords trump strong security.
- Law #6: A computer is only as secure as the administrator is trustworthy.
- Law #7: Encrypted data is only as secure as the decryption key.
- Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.
- Law #9: Absolute anonymity isn't practical, in real life or on the Web.
- Law #10: Technology is not a panacea.
If you don't understand why these are important or how they apply to your business, go to the Microsoft Web page where each one is discussed in detail.
Law 1 doesn't just apply to CDs or floppies, or to keeping people away from your computers; it also means not downloading Java or Active-X from untrusted Web sites. Law 6 is vital and often ignored. What kind of security check did you go through before starting your job as an administrator? Law 7, we recently saw violated by the way Microsoft Word and Excel handle edited files.
Probably the one rule that's most often ignored by the people who complain about Microsoft is the last one – "Technology is not a panacea." Relying on Microsoft or any other vendor for 100% of your security needs is a serious mistake.
I've often been called in to assess the damage caused by a software vulnerability that the company thinks may have been exploited. After walking into the server room, sitting down, and flipping on a terminal, I can see that everything is almost within arm's reach from the chair - a terminal that is either not password protected because it's in the server room, or with the password prominently displayed (I kid you not); a handy rack of software, and usually some blank media; one or more sets of backups and a shelf of manuals. Almost always there is also a fairly solid door with a lock (the one I had just come through because it hadn't been locked) so someone could work in complete privacy.
Don't assume security is simple or obvious. Hire or designate a chief security officer and give him or her authority to enforce basic security procedures at all levels of the business, including the executive suite.
Show this Microsoft list to upper management. No matter how good you are, you can't fix security problems without having them on your side and getting their full cooperation.
I know, I know, you've heard it all before, but that doesn't make the 10 laws any less true or any less important. If you don't think that they need to be repeated loudly and often, then you aren’t cut out to manage security, because I see all of these rules broken on a regular basis.
Also watch for:
- Introduced last week in the Commerce Committee, House Bill HR29 (2005) aims to outlaw hidden spyware. That wasn’t a typo; the bill doesn’t outlaw spyware – instead, it would actually require spyware to be easy to detect and remove, sort of like requiring James Bond to always wear a "Kiss me I’m a SPY" tee-shirt. Only politicians would think that they can require "spyware" to be clearly marked and still be considered spyware.
- Vnunet.com reports that malware cost to businesses doubled from 2003 to 2004, reaching an astounding $166 billion last year, or about $300 for each Windows machine, although the malware costs weren’t limited to Windows systems. The estimates came from security firm mi2g.
- Secunia reports a "less critical" vulnerability in RealPlayer 10.x.
- Apple computers using OSX 10 have a serious vulnerability in the ColorSync utility due to a buffer overrun. This is Security Update 2005-001, the first of the year.
- Nine vulnerabilities in FireFox, Mozilla, and Thunderbird are detailed on Secunia.com.