Attacks against integrity

I’ve been mentioning this frequently during my talks in the last 12 months: that accidental or malicious data modification is yet another thing we need to defend against. Richard Bejtlich wrote last year about attack progressions, and this year summarized an accidental integrity error that created minor havoc at Veterans Affairs health centers. Richard’s progression…


Updated Microsoft Security Assessment Tool

Greetings. In case you haven’t already read about it, we recently updated the Microsoft Security Assessment Tool (MSAT). Version 4.0 hit the web on 31 October. It’s been four years since the initial release, and two years since the prior version. Between then and now your security world has evolved a lot, and the tool…


Plan now to eliminate "power users" from your domains

I’ve seen some conversations lately about the Power Users group — how powerful is it, really, and why did we remove the group from Windows Vista? That group had rights to install software and drivers. And if you can install software and drivers, then you can elevate yourself to Administrator or SYSTEM. Vista includes a signed…


Who should do your security audits? Or, how do you organize the security department?

An interesting question came up today. The group responsible for configuring and maintaining the firewalls at a customer also believes that they should be the only ones to audit their configurations. Others in the security department are uneasy with this, and prefer that someone else do the auditing. I’ve encountered similar tension before, and it…


What’s your data worth? More importantly, to whom?

This week, I’m attending and spoke at a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you. When considering how to protect your data, don’t consider how valuable it might be to an attacker. Always, instead, consider how valuable it is to you….


More on the necessity of antivirus software

A few days ago, I wrote a brief post about my non-use of antivirus software on my own computers. A number of people have asked me privately if I am recommending such a stance to other individuals or to organizations. Let me be perfectly clear: absolutely not. For the vast majority of folks, the four…


Antivirus software — who needs it?

In the newsgroups a few weeks ago, someone asked about which anti-virus software is best for experts. This is a really curious question. I’ve been involved in computer security — as a practitioner, a consultant, and an instructor/speaker — for several years. I feel fairly confident in calling myself an expert. I don’t run anti-malware…


Password policies. Once again.

Recently in the newsgroups (, to be specific) the question of password policies and the out-of-box defaults came up. The poster lamented a number of things: that Microsoft doesn’t enable account lockout by default, that we don’t have a built-in mechanism for automatically disabling unused accounts, and that the 42-day default expiration is troublesome. Here’s my…


When you say goodbye to an employee

…what do you do with his or her account? Recently this question came up — someone was asking for guidance on how to handle this very situation. And, as often happens, the question was more about process and policy than anything to do with the technical issues of account management. Those of you who’ve followed…


Enabling Secure Anywhere Access in a Connected World

A few times each year, Bill Gates or Steve Ballmer publish an executive memo. The first memo was Bill’s essay on trustworthy computing, in July 2002. Today Bill has a new memo, one that is very important for all of us who strive to achieve a balance between being secure and, well, getting work done. Some…