Sunday, September 09, 2007

10 Immutable Laws of Security (Microsoft)

An excellent Coding Horror post, about which I'll comment later, pointed to a handy (Microsoft?!) set of security principles. I omitted the stupidly obvious ones that were added so they'd have a list of 10 (Microsoft!):
Microsoft TechNet: 10 Immutable Laws of Security

Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore Law
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
There's nothing here that should be novel to any geek, but it's a nice set to be able to reference. Law #3 is the one most people forget. Even Macintouch fell into the trap of thinking a hack that allows admin access to any OS X machine was a major security breach. That hack requires physical access, so the admin workaround is a trivial security breach. (OS X user account encryption will provide decent security, provided you don't put the password in your keychain!)

Also, Law #8 is a bit dated. Most geeks are giving up on virus scanners for XP/Vista, and OS X doesn't need one (yet).

No comments: