Поделиться через


Ten Immutable Laws Of Security (Version 2.0)

You might have known the 10 Immutable Laws Of Security since quite a while. It is kind of the “collected non-technical wisdom” of what we see in security respeonse being it in Microsoft Security Response Center or in our Security Product Support.

There is now a version 2, which is still as important as version 1 was. The 10 Laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.

Just make sure that you keep them in mind – there is no “patch” for them Smile. The whole set of explanations can be found here: Ten Immutable Laws Of Security (Version 2.0)

Roger

Comments

  • Anonymous
    January 01, 2003
    thank you
  • Anonymous
    July 31, 2014
  1. So what about sandboxed code, or code running in a VM?
    4. Same as 1, this may not necessarily apply to sandboxed content.
  • Anonymous
    January 11, 2015
    @ajedi32, Running inside a VM isn't the same as #1. it's not really 'your computer' but a 'guest' computer.
  • Anonymous
    August 14, 2015
    The comment has been removed
  • Anonymous
    October 08, 2015
    @Gene So "if a bad guy can persuade you to run his program on your VM, then it's not solely your VM anymore"? ;-) Makes sense.