Momentary lapse of life

24 November, 2005

Nine principles of security architecture

Filed under: Security — Cope57 @ 19:15

“Security architecture is a new concept to many computer users. Users are aware of security threats such as viruses, worms, spyware, and other malware. They have heard of, and most use, anti-virus programs and firewalls. Many use intrusion detection. Architectural security, though, remains a mystery to most computer users.”

The truth is, anti-virus software, firewalls, and intrusion detection are only the surface of security. They are all reactive measures that attempt to respond to active threats, rather than proactive measures that anticipate threats and try to make them harmless. These applications have a major role to play, but are not enough in themselves.

Behind reactive security measures is the much broader field of architectural security: how to set up a secure system to prevent security breaches, how to minimize breaches if they occur, and how to react to an intrusion and recover from it if it happens.

Architectural security is a subject that fills dozens of books. However, if you ignore the exact configuration techniques, you can break down architectural security into nine basic principles which are widely agreed upon by security architects. They apply whether you are programming, doing systems administration, or using desktop applications, and they apply whether you are managing a single home machine or a large network. They are not exact laws so much as methods of how you should think about security.

If you learn these basic principles, you can not only make more informed choices when installing and configuring software, but also learn more about your operating system. As a side benefit, you’ll also understand the reasoning behind claims that OpenBSD is more secure than GNU/Linux, or that both are more secure than Windows.

Security News Portal, computer networking security hacking and virus news alerts and advisories

Filed under: Microsoft, Security — Cope57 @ 14:39

Windows
New Internet Explorer Vulnerability leaves users at risk
Unfortunately MS says they don’t have a fix for it…
11-22-2005 1:56:23 PM CST — from the folks at Microsoft…

Microsoft is investigating new public reports of a vulnerability in Microsoft Internet Explorer on Microsoft Windows 98, on Windows 98 Second Edition, on Windows Millennium Edition, on Windows 2000 Service Pack 4, and on Windows XP Service Pack 2. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected.
Microsoft has also been made aware of proof-of-concept code targeting the reported vulnerability, but they are not aware of any customer impact at this time. MS will continue to investigate these public reports. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed….continued….


Hmmmm… so the only advice that Microsoft has to offer is to “encourage users to exercise caution when they open links in e-mail.”… Doh! Too bad that back in May 2005 MS didn’t take the Denial of Service potential of this vulnerability more seriously and instead chose to put it on their backburner. This leaves us to wonder how many other “things” are sitting on the MS backburner. And I am curious about those months that went by where no patches or only one patch was issued for the month. Why didn’t they get around to fixing the DoS problem during those patchless months? The mind boggles at the questions that this revelation raises…
