[PLUG] Microsoft's Ten Immutable Laws of Security

Ron Braithwaite ron at braithwaites.net
Wed Feb 2 16:37:13 UTC 2005


This was on the SANS list this morning. As much as I hate to give any
credit to M$, these "laws" are pretty good. Of course, they weren't
quite complete, so the SANS editors made some changes to make them more
inclusive. Which goes to show that even when M$ does something right, it
is generally a day late and a dollar short.

-Ron

***

Microsoft's Ten Immutable Laws of Security

Please provide examples of real security incidents that illustrate any
of these laws.  Other examples of security breaches caused by sysadmins'
errors are equally welcome. Email them to info at sans.org Subject: 10Laws
(Original source and more details:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx)

We've made a few changes [in brackets] to make them a little more
inclusive.

Law #1: If a bad guy can persuade you to run his program on your
computer, it's not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer,
it's not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer,
[or data] it's not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it's
not your website anymore

Law #5: Weak [or weakly protected] passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy
[and is aware of threats and countermeasures]

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out-of-date virus scanner is only marginally better than no
virus scanner at all

Law #9: Absolute anonymity isn't practical, in real life or on the Web

Law #10: Technology is not a panacea

Law 1 example
A sysadmin at one e-commerce company received an email that looked like
a security alert and contained a URL that seemed to go to Microsoft for
patches. He clicked on the hyperlink, taking him to the fake Microsoft
site. He downloaded the fake patch and infected his system with a
keystroke logger that recorded his passwords and account names for every
system to which he had access. More than a dozen of the servers he
managed were later used by the attackers as pornography servers.

Law 5 example
A sysadmin for an aerospace contractor posted sensitive Department of
Defense files on a computer in the DMZ that also had a configuration
weakness.  The files were stolen and a major DoD investigation ensued.

We look forward to receiving your examples.

-- 
Ron Braithwaite
Technical Consulting Services
ron at braithwaites.net
+01-503-267-3250
4110 SE Hawthorne Blvd #228, Portland, OR 97214 USA
1917 W 4th Ave #549, Vancouver, B.C. V6J 1M7 Canada
