Observations about Microsoft, the world’s largest software vendor
Topic: Windows Vista
Kachina
Kudos on a thoughtful post on Microsoft UAC feature as a way to increase user awareness.
You quote Carl Weinschenk in a Feb interview:
"when his firm surveyed IT security pros at small companies and
enterprises, 20 percent had experienced a personal data breach and 20
percent had also experienced a data breach in their companies. The
consensus among those IT pros was that stronger security, specifically
two-factor, was necessary but not present within their IT departments.
And the breaches just keep happening."
There are a number of painful vendor-sponsored quotes in the post that did
not receive critical analysis:
1) "The data breaches just keep happening". The data breaches keep on
happening because data vulnerabilities continue to be unmitigated.
Most security breaches are due to attacks by insiders and most insider
attacks are made possible by people that exploit software application
vulnerabilities. UAC is an arguable step in increasing awareness but it
is not a countermeasure to software vulnerabilities.
2) "two-factor, is necessary"
Two-factor authorization is not a relevant countermeasure for internally
launched threats when performed by authorized users (employees,
outsourcing contractors and authorized agents of the company).
It is understandable that vendors tout their wares at a vendor-sponsored
conference like RSA - and lest we forget, RSA has two-factor security
products and a vested interest in attempting to link these products to
customer pain.
As a matter of fact - the economics of the current security product
market are inverted to the needs of the customer organizations. RSA has
no economic incentive in reducing data breaches and mitigating
vulnerabilities, since that would reduce their product and service
revenue.
3) "white listing applications is an effective tactic"
At the RSA conference, Microsoft officials spoke of layering old-school
(but effective) offensive tactics like white-listing applications, as
well.
How is white-listing a vulnerable application supposed to reduce the
probability of an authorized user using the application to steal data?
For example - an Oracle user organization would certainly white list the
Oracle Discover application since Oracle is a trusted ISV. However -
users with privileges to use Oracle Discover can access the database and
steal data. Application/database firewalls like Imperva do not have the
technical capability to detect or mitigate this exploit and therefore
are not an effective security countermeasure.
Vendor marketing collateral and FUD, riding the compliance bandwagon,
attempts to build a franchise around PCI DSS etc are simply not
replacements for identifying your vulnerabilities (human, technical and
software), identifying the threats to your most sensitive assets and
mitigating the threats with the right, cost-effective countermeasures
dictated by practical threat analysis - not by quotes from vendor
sponsored conferences.
Sincerely,
Danny Lieberman
www.software.co.il
OK, so this addresses the MAC commercial!!! MAC doesn't have this because it is all proprietary and since no one else can make anything for a MAC, you lose the free enterprise and all the jobs!!! Security is going to be a risk when you open up the playing field!