Browse by Tags

All Tags » risk mitigation   (RSS)
Who should do your security audits? Or, how do you organize the security department?
An interesting question came up today. The group responsible for configuring and maintaining the firewalls at a customer also believes that they should be the only ones to audit their configurations. Others in the security department are uneasy with this, Read More...
Posted 07 February 08 02:25 by Steve Riley | 4 Comments   
Filed under , ,
More on Autorun
Last month, in my post " Autorun: good for you? " I described why I believe you should disable Autorun on all computers in your organization. I also explained how you can do this for XP and Vista computers. Well, it turns out that Windows will override Read More...
Posted 30 October 07 03:12 by Steve Riley | 11 Comments   
Filed under , , ,
What's your data worth? More importantly, to whom?
This week, I'm attending and spoke at a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you. When considering how to protect your data, don't consider how valuable it might be to an attacker. Read More...
Posted 24 October 07 11:49 by Steve Riley | 5 Comments   
Filed under , , ,
More on the necessity of antivirus software
A few days ago, I wrote a brief post about my non-use of antivirus software on my own computers. A number of people have asked me privately if I am recommending such a stance to other individuals or to organizations. Let me be perfectly clear: absolutely Read More...
Posted 25 September 07 10:53 by Steve Riley | 11 Comments   
Filed under , , ,
Autorun: good for you?
Yes, if you're a five-year-old and you're tired of always asking mom or dad how to start the game on the CD. No need to know how! Just pick up the disc (a little peanut butter on your fingers helps with the grip), slide it in the drive, and wait for the Read More...
Posted 22 September 07 10:29 by Steve Riley | 3 Comments   
Filed under , , ,
Antivirus software -- who needs it?
In the newsgroups a few weeks ago, someone asked about which anti-virus software is best for experts. This is a really curious question. I've been involved in computer security -- as a practitioner, a consultant, and an instructor/speaker -- for several Read More...
Posted 22 September 07 09:14 by Steve Riley | 16 Comments   
Filed under , , ,
Why administrative passwords will never be like nuclear missile launchers
During the past few months many people have lamented that Windows lacks a nuclear missile style control option for administrator passwords. Surely you've read about or seen photographs of missile silos where two operators, separated by a distance greater Read More...
Posted 21 November 06 02:16 by Steve Riley | 11 Comments   
Filed under , , , , , ,
Did you know that you ALREADY have an e-mail policy?
An email access policy can be expressed in one of two ways: E-mail is mission critical to our business. Therefore, we permit employees to read and compose e-mail from any location in the world where employees can access the Internet, using either company-issued Read More...
Posted 10 September 06 05:34 by Steve Riley | 7 Comments   
Filed under , , , ,
Configure your router to block DOS attempts
Some time ago I had a discussion with a friend. He disagreed with my recommendations on how to configure a border router and the firewall behind it. I claimed that in the border router between you and your ISP, configure the six rules to block most denial Read More...
Posted 10 July 06 01:27 by Steve Riley | 12 Comments   
Filed under , , , , ,
What do YOU need out of two-factor authentication?
Two-factor authentication continues to grow in popularity and emerge as a security requirement for many people I meet with. At Microsoft, we use smartcards internally for VPN access right now; soon we'll be requiring smartcards for domain logon, too. Read More...
Posted 20 April 06 03:37 by Steve Riley | 43 Comments   
Filed under , , , , , , ,
Domain controller security: it starts at layer zero
Recently I seem to have had the same conversation over and over again, in places as far apart as Jakarta, Winnipeg, and Berlin. The question is usually worded like this: "What happens if someone steals one of my domain controllers?" There is, essentially, Read More...
Posted 10 March 06 01:15 by Steve Riley | 8 Comments   
Filed under , , ,
It's me, and here's my proof: why identity and authentication must remain distinct
My February Security Management column is posted: http://www.microsoft.com/technet/community/columns/secmgmt/sm0206.mspx No matter what kinds of technological or procedural advancements occur, certain principles of computer science will remain -- especially Read More...
Posted 16 February 06 09:41 by Steve Riley | 7 Comments   
Filed under , , , , , ,
But I can't test! My boss won't let me
Yesterday I mentioned that there's no substitute for doing your own testing of updates. I mentioned virtualization is your friend -- building a model of your environment using Virtual PC and Virtual Server will save you a lot of money and it's something Read More...
Posted 09 November 05 01:19 by Steve Riley | 1 Comments   
Filed under , ,
When security breaks things
Now that the furor has waned, I want to comment on MS05-051. For those of you who don't memorize bulletin numbers (I am part of that set; Susan Bradley , for example, isn't, hehe), this is the security update that fixed a number of vulnerabilities found Read More...
Posted 08 November 05 10:05 by Steve Riley | 14 Comments   
Filed under , , ,
August article: 802.1X on wired networks considered harmful
Several months ago I learned from Svyatoslav Pidgorny, Microsoft MVP for security, about a problem in 802.1X that makes it essentially useless for protecting wired networks from rogue machines. Initially I was a bit skeptical, but the attack he described Read More...
Posted 11 August 05 10:55 by Steve Riley | 16 Comments   
Filed under , , , , , , ,
More Posts Next page »
Page view tracker