Thu, Jul 28 2005 13:09
The last law of security
Law #10: Technology is not a panacea
Technology can do some amazing things. Recent years have seen the development of ever-cheaper and more powerful hardware, software that harnesses the hardware to open new vistas for computer users, as well as advancements in cryptography and other sciences. It's tempting to believe that technology can deliver a risk-free world, if we just work hard enough. However, this is simply not realistic.
Perfect security requires a level of perfection that simply doesn't exist, and in fact isn't likely to ever exist. This is true for software as well as virtually all fields of human interest. Software development is an imperfect science, and all software has bugs. Some of them can be exploited to cause security breaches. That's just a fact of life. But even if software could be made perfect, it wouldn't solve the problem entirely. Most attacks involve, to one degree or another, some manipulation of human nature—this is usually referred to as social engineering. Raise the cost and difficulty of attacking security technology, and bad guys will respond by shifting their focus away from the technology and toward the human being at the console. It's vital that you understand your role in maintaining solid security, or you could become the chink in your own systems' armor.
The solution is to recognize two essential points. First, security consists of both technology and policy—that is, it's the combination of the technology and how it's used that ultimately determines how secure your systems are. Second, security is journey, not a destination—it isn't a problem that can be "solved" once and for all; it's a constant series of moves and countermoves between the good guys and the bad guys. The key is to ensure that you have good security awareness and exercise sound judgment. There are resources available to help you do this. The Microsoft Security website, for instance, has hundreds of white papers, best practices guides, checklists and tools, and we're developing more all the time. Combine great technology with sound judgment, and you'll have rock-solid security.
The last law of security is a perfect introduction to a new series of blog posts I'm going to be posting about my [notice the word MY] thoughts about the risks of SBS. This is actually a lead up to two presentations that will be given at SMBnation [one by myself and Dana on how compliant is SBS, talking about checklists and comparing it to baselines and along the lines of his Security hardening presentation] and another presenter [and I'll put his name as soon as I can find it...I'm so blonde sometimes and searching isn't coming up with it] comparing SBS to 'the best practices'.
While Dana will tell you that from a Security standpoint SBS sucks [bear with me... keep reading] as it breaks all the security laws in the book [all on the same location...no separation of services....and let's face it ... I have no doubt whatsoever that if someone from Blackhat wanted to specifically target a SBS box, they'd probably find a way in especially if you have Win98s in the mix or post it notes with the passwords stuck on the monitor], the reality is that the risks we take are very managable and very acceptable. It's one of those things that you just have to say...what's your budget and where would you rather spend it on. And honestly, I still feel that my budget and energy is better spent on the desktop [and now days other mobile devices] than the server.
Like take for example risks that I've historically faced that I consider to be one of my greatest in SBSland..that of physical security... we lost a desktop computer to a robbery and thanks to Dr. Jesper Johansson I didn't have a domain admin password on that system, and now take my recent risk where there is a user's password saved on an Audiovox phone. In that case, that's an end user issue where if the device gets stolen, the first thing I'm doing is changing the password of his access.
As I'll talk about how SBS breaks all the rules, I'll also talk about why I think...especially for a small office, that in many cases those 'rules' of security are best broken [and I”ll explain why I think that too]. I still arguethat the best thing I can do is make my users aware, enable them to be paranoid, ensure they have the tools and knowledge they need to make the right decisions.
Stay tuned... for why breaking the rules is a good thing...
Filed under: Security