Steve Riley on Security
Formerly of Microsoft's Trustworthy Computing Group.
conferences and seminars
home and family security
infosec as a profession
the trade press
things that make me angry
things that make me laugh
things that make me worried
Browse by Tags
Steve Riley on Security
Tagged Content List
Who should do your security audits? Or, how do you organize the security department?
An interesting question came up today. The group responsible for configuring and maintaining the firewalls at a customer also believes that they should be the only ones to audit their configurations. Others in the security department are uneasy with this, and prefer that someone else do the auditing...
7 Feb 2008
What's your data worth? More importantly, to whom?
This week, I'm attending and spoke at a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you. When considering how to protect your data, don't consider how valuable it might be to an attacker. Always, instead, consider how valuable it is to...
25 Oct 2007
Why administrative passwords will never be like nuclear missile launchers
During the past few months many people have lamented that Windows lacks a nuclear missile style control option for administrator passwords. Surely you've read about or seen photographs of missile silos where two operators, separated by a distance greater than the span of a single human's arms, must each...
21 Nov 2006
It's time to stop playing war games in the name of "security"
Really interesting article. Military mindset no longer applicable in our line of work http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1171862,00.html My favorite bit: "Obviously, secrecy is important to business, as is the ability to trust messages to the military, but these two...
14 Mar 2006
It's me, and here's my proof: why identity and authentication must remain distinct
My February Security Management column is posted: http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx No matter what kinds of technological or procedural advancements occur, certain principles of computer science will remain -- especially those concerning information security...
16 Feb 2006
Return on security investment
Soon I will begin a research project into quantifying and expressing return on security investment. From conversations I've had with many conference attendees, there's a need for developing a basic understanding of how to measure ROSI so that budget money for security magically becomes unlocked. I plan...
3 Jan 2006
Lousy security is all around us, and I'm not even thinking about airport security here (which, I admit, i love griping about). Here I have in mind lousy computer security. And lest you think I'm proceeding to engage in naval-gazing introspection, no -- I'm not going to write about our own products. ...
13 Sep 2005
August article: 802.1X on wired networks considered harmful
Several months ago I learned from Svyatoslav Pidgorny, Microsoft MVP for security, about a problem in 802.1X that makes it essentially useless for protecting wired networks from rogue machines. Initially I was a bit skeptical, but the attack he described is in fact true -- I've seen it myself now. So...
11 Aug 2005
Airport security silliness
So today (Thursday 21 July 2005) I flew from Seattle to Dallas for a customer meeting. Since it's a short one-day affair, I packed my small carry-on size suitcase. In it was a pair of shoes, one pants, one shorts, two shirts, a toiletry bag, and my collection of wall warts (AC adpaters). Seems normal...
21 Jul 2005
New column - debunking security myths
There is a lot at stake in security configuration guidance. First, it is easy to understand why people are clamoring for it. Everyone can see the benefit in turning on some setting and blocking an attack. In some environments, doing so is not even an option. A system must be configured in accordance...
12 Apr 2005
Page 1 of 1 (10 items)
© 2013 Microsoft Corporation.
Privacy & Cookies