Microsoft’s Security Response Center gets lots of calls for
help with security problems, and the security experts there say all of the calls fall into
one of three categories. First is the one we hear about the most: software flaws
resulting in vulnerabilities. Second is the misuse or poor configuration of software.
Third are the basic security mistakes that companies and individuals make every

That last category is probably the most critical, but it is
also the most neglected. At the same time, it is the easiest threat category that we,
as individual managers, can address… sometimes at little or no cost.

Vulnerabilities can be patched, but the other two problems
can only be addressed through education, either hiring better-trained people to
configure software properly or conducting better in-house training.

The last category requires that everyone learn a bit more
about the basics of security and that at least one person in the IT department
become a real expert. Here are some facts you can depend on:

  • Law #1: If a bad guy can persuade you to run his
    program on your computer, it’s not your computer anymore.
  • Law #2: If a bad guy can alter the operating system
    on your computer, it’s not your computer anymore.
  • Law #3: If a bad guy has unrestricted physical access
    to your computer, it’s not your computer anymore.
  • Law #4: If you allow a bad guy to upload programs to
    your Web site, it’s not your Web site any more.
  • Law #5: Weak passwords trump strong security.
  • Law #6: A computer is only as secure as the
    administrator is trustworthy.
  • Law #7: Encrypted data is only as secure as the
    decryption key.
  • Law #8: An out of date virus scanner is only
    marginally better than no virus scanner at all.
  • Law #9: Absolute anonymity isn’t practical, in real
    life or on the Web.
  • Law #10: Technology is not a panacea.

If you don’t understand why these are important or how they
apply to your business, go to the Microsoft
Web page
where each one is discussed in detail.

Law 1 doesn’t just apply to CDs or floppies, or to keeping
people away from your computers; it also means not downloading Java or Active-X
from untrusted Web sites. Law 6 is vital and often
ignored. What kind of security check did you go through before starting your
job as an administrator? Law 7, we recently saw violated by the way Microsoft
Word and Excel handle edited files.

Probably the one rule that’s most often ignored by the people who
complain about Microsoft is the last one – “Technology is not a panacea.”
Relying on Microsoft or any other vendor for 100% of your security needs is a
serious mistake.

I’ve often been called in to assess the damage caused by a
software vulnerability that the company thinks may have been exploited. After walking into the server room, sitting down, and flipping on a terminal, I can see that everything is almost within arm’s reach from the chair – a terminal that is either not password protected because it’s in the server
room, or with the password prominently displayed (I kid you not); a handy rack
of software, and usually some blank media; one or more sets of backups and a
shelf of manuals. Almost always there is also a fairly solid door with a lock
(the one I had just come through because it hadn’t been locked) so someone
could work in complete privacy.


Don’t assume security is simple or obvious. Hire or
designate a chief security officer and give him or her authority to enforce
basic security procedures at all levels of the business, including the
executive suite.

Show this Microsoft list to upper management. No matter how
good you are, you can’t fix security problems without having them on your side
and getting their full cooperation.

Final word

I know, I know, you’ve heard it all before, but that doesn’t
make the 10 laws any less true or any less important. If you don’t think that
they need to be repeated loudly and often, then you aren’t cut out to manage
security, because I see all of these rules broken on a regular basis.

Also watch for:

  • Introduced last week in the Commerce
    Committee, House Bill HR29 (2005) aims to outlaw hidden spyware.
    That wasn’t a typo; the bill doesn’t outlaw spyware –
    instead, it would actually require spyware to be easy
    to detect and remove, sort of like requiring James Bond to always wear a
    “Kiss me I’m a SPY” tee-shirt. Only politicians would think that they can require
    “spyware” to be clearly marked and still be considered
  • reports
    that malware cost to businesses doubled from 2003 to
    2004, reaching an astounding $166 billion last year, or about $300 for each
    Windows machine, although the malware costs weren’t
    limited to Windows systems. The estimates came from security firm mi2g.
  • Secunia reports a “less critical”
    vulnerability in RealPlayer 10.x.
  • Apple computers using OSX 10 have
    a serious vulnerability in the ColorSync utility due to a buffer overrun. This
    is Security Update 2005-001, the first of the year.
  • Nine vulnerabilities in FireFox, Mozilla, and Thunderbird
    are detailed on