How many vulnerabilities are there really?

Just in case you are of the vulnerability counting type, you may be interested in an analysis posted by my friend Jeff Jones in his blog. Jeff has done some pretty amazingly detailed analysis of the number of vulnerabilities in each of several products.


Resources from U.S. Security Summits

Many of the attendees from the recently concluded Security Summit series in the U.S. have been asking for the slides. Since we will be doing webcasts of the presentations we are not making the slides available. What many people want though are simply the resources listed in the slides. To attempt to achieve at least some…


Please don’t disable security features, at least while we are testing them

I couldn’t tell you how many times I have either had the question “how do I turn off User Account Control” or heard the statement “boy, I sure hate all those annoying user account control popups in Vista.” Yeah, security sucks, it gets in the way of doing things, some bad, some good, but that’s…


Are You A People Person?

As my family keeps reminding me, I’m not much of a people person. It could just be that I am projecting myself onto others, but I am pretty sure that much of the IT industry is like me, which raises a number of serious security problems. If you are interested in reading about them, I…


Structuring Infosec Organizationally

Last week I visited a customer and was greeted by two people who introduced themselves, respectively, as the “Chief Information Security Officer” and the “Chief IT Security Officer.” Yes, they had two separate functions for this, one to secure information, and one to secure IT. This immediately seemed like something that would be logical for…


Free Security Support Number For Your Region

At an event in Germany today the issue came up how to access the free security support in your region. For a couple of years now Microsoft has offered no-charge support for security issues. However, the number is different in different regions. To find the number in your region, go to:


What is a "zero-day"?

Once again, it seems misguided reporters have appropriated a technical term and are misusing it in ways to confuse the field. “Hacker” was not the first term they ruined, but it is still the one that irks me the most. The primary definition of “Hacker,” is of course “a person who creates and modifies computer…


I Really Do Not Hate Hardening Guides

Unfortunately, it seems that people are getting the impression that I hate hardening guides. A few people told me that after I delivered the “Security Myths” presentation at Microsoft’s Federal Security Summit West last week. It is really not the case. I do not hate hardening (or security) guides. In fact, I really like them -…


Going Wild With Administrative Accounts

Today I got a question that reminded me that I have not written a whole lot about how to manage the accounts used by system administrators. The question was whether I could think of any reasons why you would share an administrative account between several people, other than for the sheer convenience of it. My…


Are we too simplistic in how we think about risk?

Yesterday I had a fascinating meeting where we discussed a number of theoretical concepts, including how we think about risk. Risk, of course, should be the driver in everything we do in information security, and risk management should be the discipline that guides us. The problem with risk is that it is a very nebulous concept….