I agree with you on all counts; however, in my defense, these rules are statements that have been boiled down from more lengthy discussions of the problem. I have also assumed certain out-of-the-box configurations of consumer PCs which normally include some flavor of Internet security suite that would have anti-virus and client firewall software.

That said, I intend to review my book and make it very clear what is assumed to be in place prior to the application of the Golden Rules.

Your help is greatly appreciated and you can be sure that your company’s products will be mentioned in the “Resources” section of the book.

Ken

For example, you encourage people to go through all the effort of running Virtual Machines to protect themselves from malware, but you don’t actually encourage them to run Anti-Virus software. Which basically, unfortunately, means you’re violating rule #1 and much more likely to run into rule #12.

Likewise, you recommend a NAT router for home use, but no client firewall software. So, if you’ve got 3 machines at home and one gets infected, they likely all will be…

Your advice on password security is good (#4), but you should add “Don’t reuse passwords – for example on websites, etc”.

#13 – WPA with TKIP has been cracked already (WEP has been broken for years). Use WPA2 with AES, and turn off beaconing when possible. Use secure passwords for your wireless networks.

Lastly, was surprised to not see “When in doubt, a default closed policy is better than a default open one when it comes to security”. Lock down your firewall policy, don’t run as administrator, etc, etc.

A good list of security practices though, in general…

Michael, Security Analyst, Sophos
[A href="http://www.sophos.com"]www.sophos.com[/A]