Posted by: Ken Harthun
Secure Computing, Security, Security management, Security policy, Security practice
I search the web constantly for security-related news and content. One day last month, I came across a series of articles on TechNet buried in the archive. Microsoft prefaces the articles with this statement: “Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.” Well, I find the content interesting and relevant, certainly worthy of bringing to your attention. Here are the 10 Immutable Laws of Security according to Microsoft with my comments included:
We tend to take the programs and utilities we run for granted. We trust them to work as advertised and not harm our systems or corrupt our data. What we often don’t consider is that our computer is being controlled by the programs it’s running and those in control of it are the programmers who wrote the software. This isn’t a problem with normal software since we tell it when to run, what data to manipulate, and when to quit; we are able to exercise a measure of control. We still “own” our computer. With malware, “To run or not to run, that is the question” and those are our only two options.
As in #1, there’s a degree of trust that the operating system is doing what it’s supposed to be doing. If the OS is altered by a bad guy, then it’s doing his bidding, not yours.
Physical security isn’t complicated. My Security Maxim #8 covers it admirably.
That’s an understatement. Not only is it not your website anymore, but you’ve just become an unwitting accomplice in whatever havoc the bad guy wreaks. There is no reason in the world to allow anyone to upload programs to your website before you have the chance to vet them.
I am reminded of a friend who was baffled when he discovered that his PC was part of a P2P network being used to transfer pirated music. He couldn’t understand why his firewall “quit working” suddenly (he had P2P blocked on his router). Long story short, his teenage son had guessed the router password and changed the configuration. Heed my advice and make your passwords unguessable.
If you can’t trust the admin, you can’t trust the PC. The administrator can install anything he wants.
Make sure that your decryption key is kept in a secure place, not on your computer. It’s best to memorize it, but if you can’t, store it on a memory card and put it in your wallet. Make two copies and keep one in some other physically secure place. The first place the bad guy is going to look is on the hard drive.
Out-of-date malware scanners of any kind won’t protect you against the inevitable new variants that come along.
As it says in the article: “All human interaction involves exchanging data of some kind. If someone weaves enough of that data together, they can identify you.”
No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.