
Wednesday, November 5, 2008

The Laws Microsoft has set on Computer Security

This information is quite old, yet I just want to post it and share it again.

The Microsoft Security Response Center investigates a large number of security reports every year, many of them from users who suffered errors or a breach of security even though they kept their anti-virus software updated and their firewall turned on. On investigation, Microsoft found that most of these cases were not product flaws but the result of something the owner had done, or failed to do. To help prevent such problems in the future, Microsoft published a list of what it considers the basic facts of computer security, and called the list The 10 Immutable Laws of Security.

The following is the content of that list.

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

A program does exactly what it was written to do, even when that is something harmful. Once it runs, it can make far-reaching changes to your computer, as many as the privileges of the account that started it allow, and if that account is an administrator's it can change anything. But a program cannot run without someone starting it or approving it. That is why it is not advisable to download, install or run software from an untrusted source.

Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

An operating system is just a series of ones and zeroes that does what it is told; if it has been altered, it will faithfully carry out the altered instructions, and you cannot blame the OS for following them. Because every program on the machine trusts the operating system, whoever can change it controls everything that runs on it. So give other users of your computer restricted accounts, and reserve the privileges that can alter the operating system for the few individuals you trust.

Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

Why would you let an untrusted individual use your computer at all? With unrestricted physical access, someone can boot from their own media, pull the disk out and read it elsewhere, or reset the administrator password, and none of the protections in your software apply.

Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

See Law #1, only in this case the untrusted program is uploaded to your website instead of run on your computer. The end result is the same: it makes no difference whether you were tricked into accepting the upload or allowed it voluntarily; once a stranger's code runs on your server, the site is theirs. Treat every uploaded file as data to be stored and served, never as a program to be executed, and never let the uploader choose where it lands.

Law #5: Weak passwords trump strong security

In choosing a password, develop a complex one: easy for you to remember, hard for anyone else to guess. Do not use predictable passwords such as your dog's name, your favourite superhero, anniversary dates or, worst of all, your own name. Consider passwords enriched with special characters and a mix of upper-case and lower-case letters and digits; a common rule is at least one capital letter, one lower-case letter, two digits and at least one special character. Bear in mind that such a rule only measures shape, not guessability: a password like "Spiderman12!" satisfies it and is still among the first things a password-guessing tool will try, because it is a dictionary word with a capital, a number and a symbol tacked on. Length and unpredictability matter more than meeting the character-class rule.

Always remember: even with the best security on your computer, if you do not have a strong password you are only marginally less vulnerable than those with no security at all.
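Law #5 worked through, as an added example rather than anything from the original post: a login verifier built with PBKDF2-HMAC-SHA256 from the Python standard library, attacked with a small constructed wordlist and a handful of mangling rules of the kind John the Ripper and hashcat apply. The wordlist, the rules, the two sample passwords and the lowered PBKDF2 work factor are all assumptions made for the demo.

```python
"""Law #5, worked through: a password that meets the composition rule
('Spiderman12!') still falls to a small wordlist plus a few mangling rules,
while an unpredictable passphrase does not. Added example, not code from
the original post; wordlist, rules and passwords are constructed here."""
import hashlib
import os

# PBKDF2 work factor. Real systems use far more; it is lowered here so the
# demo runs in about a second. A higher cost slows every guess equally and
# cannot rescue a password that sits among the first few thousand guesses.
ITERATIONS = 1_000

# Constructed wordlist: the kinds of things Law #5 warns against.
WORDLIST = ["password", "letmein", "welcome", "qwerty", "princess", "superman",
            "spiderman", "batman", "fluffy", "rex", "bella", "max"]
DIGIT_SUFFIXES = ["", "1", "12", "123", "1234", "2008", "2007"]
SPECIAL_SUFFIXES = ["", "!", "@", "#", "$"]
LEET = str.maketrans("aeio", "@310")


def make_verifier(password: str):
    """What a login system should store: a random salt and PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(guess: str, verifier) -> bool:
    salt, digest = verifier
    return hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS) == digest


def candidates():
    """Wordlist x case rule x digit suffix x special suffix, in a fixed order.
    A tiny subset of real cracking rules, chosen because the strings they
    produce satisfy 'upper + lower + digits + special' composition rules."""
    for word in WORDLIST:
        for variant in (word.lower(), word.capitalize(), word.upper(),
                        word.capitalize().translate(LEET)):
            for digits in DIGIT_SUFFIXES:
                for special in SPECIAL_SUFFIXES:
                    yield variant + digits + special


def crack(verifier):
    """Tries every candidate against the stored verifier.
    Returns the 1-based number of the guess that matched, or None."""
    for n, guess in enumerate(candidates(), start=1):
        if verify(guess, verifier):
            return n
    return None


def meets_composition_rule(pw: str) -> bool:
    """The rule from the text: upper, lower, two digits, one special character."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and sum(c.isdigit() for c in pw) >= 2
            and any(not c.isalnum() for c in pw))


if __name__ == "__main__":
    space = sum(1 for _ in candidates())
    for pw in ("Spiderman12!", "glacier onion violin 47 marmalade"):
        n = crack(make_verifier(pw))
        status = f"found on guess {n}" if n else f"not in the {space}-guess space"
        print(f"{pw!r}: meets rule={meets_composition_rule(pw)}, {status}")
```

"Spiderman12!" meets the composition rule and falls on the 887th guess, well under a second of work; the five-word passphrase fails the rule and is not in the 1680-guess space at all. Raising the work factor makes each guess slower but does not change which password is found.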

Law #6: A computer is only as secure as the administrator is trustworthy

Microsoft has stated that "Every computer must have an administrator: someone who can install software, configure the operating system, add and manage user accounts, establish security policies, and handle all the other management tasks associated with keeping a computer up and running." Thus a computer is only as secure as its administrator is trustworthy. Take steps to keep honest people honest. Divide administrative tasks among more than one administrator where you can, but keep the total number of administrators small, limited to the few people who actually need those rights.

Law #7: Encrypted data is only as secure as the decryption key

There is no better way to say this than how Microsoft put it on its page about the 10 Immutable Laws of Security:

"Suppose you installed the biggest, strongest, most secure lock in the world on your front door, but you put the key under the front door mat. It wouldn't really matter how strong the lock is, would it? The critical factor would be the poor way the key was protected, because if a burglar could find it, he'd have everything he needed to open the lock. Encrypted data works the same way—no matter how strong the crypto algorithm is, the data is only as safe as the key that can decrypt it.

Many operating systems and cryptographic software products give you an option to store cryptographic keys on the computer. The advantage is convenience – you don't have to handle the key – but it comes at the cost of security. The keys are usually obfuscated (that is, hidden), and some of the obfuscation methods are quite good. But in the end, no matter how well-hidden the key is, if it's on the computer it can be found. It has to be – after all, the software can find it, so a sufficiently-motivated bad guy could find it, too. Whenever possible, use offline storage for keys. If the key is a word or phrase, memorize it. If not, export it to a floppy disk, make a backup copy, and store the copies in separate, secure locations. (All of you administrators out there who are using Syskey in "local storage" mode—you're going to reconfigure your server right this minute, right?)"
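The quoted passage worked through in code, as an added example that is not from the original post or from any Microsoft product: a program that "hides" its key on disk behind a fixed XOR mask and a check value, beside the few lines an attacker needs to find it again using nothing but the file and the program's own unmasking routine. The keystore layout, the mask and the key are constructed for illustration.

```python
"""Law #7, worked through: a key stored on the computer can be found and
unmasked by anyone who can read the file and the program that uses it.
Added example, not code from the original post or any Microsoft product;
the keystore layout, the XOR mask and the key are constructed here."""
import hashlib
import hmac
import math

# The 'obfuscation' a product might ship inside its binary: a fixed XOR mask.
MASK = bytes.fromhex("5a3c96e1")

# Constructed 32-byte key (all bytes distinct, so the numbers below are stable).
KEY = bytes.fromhex("e37f219a44c805b6d16e3af28c1759ab904de62b73cf380e85fa62bd1c47a9d4")
KEY_LEN, KCV_LEN = 32, 8


def xor_mask(data: bytes) -> bytes:
    """Applying the mask twice restores the data: the 'hiding' is its own undo."""
    return bytes(b ^ MASK[i % len(MASK)] for i, b in enumerate(data))


def key_check_value(key: bytes) -> bytes:
    """Tag stored next to the key so the program can confirm it unmasked the
    right bytes (a truncated HMAC over a fixed label)."""
    return hmac.new(key, b"keycheck", hashlib.sha256).digest()[:KCV_LEN]


def write_keystore(key: bytes) -> bytes:
    """The product's side: text header, zero padding, masked key, check value."""
    header = b"APPKEYSTORE v1\n".ljust(32, b"\x00")
    return header + xor_mask(key) + key_check_value(key) + bytes(16) + b"end\n"


def entropy(window: bytes) -> float:
    """Shannon entropy in bits per byte: key material scores close to the
    window's maximum, text and padding score far lower."""
    n = len(window)
    counts = {b: window.count(b) for b in set(window)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_key(blob: bytes, threshold: float = 4.5):
    """The attacker's side: slide a window over the file, skip anything that
    does not look like key material, and test each remaining offset with the
    program's own unmasking and check value. Returns (offset, key) or None."""
    for off in range(len(blob) - KEY_LEN - KCV_LEN + 1):
        window = blob[off:off + KEY_LEN]
        if entropy(window) < threshold:
            continue
        candidate = xor_mask(window)
        stored_kcv = blob[off + KEY_LEN:off + KEY_LEN + KCV_LEN]
        if hmac.compare_digest(key_check_value(candidate), stored_kcv):
            return off, candidate
    return None


if __name__ == "__main__":
    blob = write_keystore(KEY)
    print("header entropy  :", round(entropy(blob[:32]), 3))
    print("key area entropy:", round(entropy(blob[32:64]), 3))
    found = find_key(blob)
    print("recovered at offset", found[0], "matches:", found[1] == KEY)
```

The scan uses entropy to skip headers and padding and lets the check value confirm the hit, the same idea behind the entropy scans of firmware-analysis tools. A better mask would not change the outcome, because the program has to ship the mask too; the fix the quoted text gives is to keep the key off the machine, memorized or on removable media, or to derive it from a passphrase at the moment it is needed.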

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Make it standard operating procedure to update your virus signatures as often as possible, daily if you can; most scanners can do this automatically. Update the scanner program itself as well, not just its signatures, since a new engine detects things an old one cannot. Having a scanner is a must, but keep it to one: installing five different anti-virus products does not make you five times safer. They interfere with each other, each adds its own privileged code to the machine, and the result is a computer that is more exposed to the outside world, not less.

Law #9: Absolute anonymity isn't practical, in real life or on the Web

Human interaction on the web is only as private as we make it. Staying anonymous is not always practical, although at times it is the best choice. As long as you give personal information only to individuals and sites you trust, you reduce the risk of a violation of privacy considerably, though you cannot eliminate it: every site you visit learns something about you.

Law #10: Technology is not a panacea

Technology can do many great things. It is enormously helpful, especially today, when computing and communication both run on it. But like everything else, it is not perfect. Nothing in technology is perfect: even the most secure computer has flaws, even when it is paired with the best administrator.

Keep your expectations of your security low and your expectations of its vulnerabilities high. Always keep in mind the two things that together make good security: the technology and the policies that govern how it is used.

There you have it, guys. For more related information, it is best to read the 10 Immutable Laws of Security on Microsoft's site. Yadda!
