Stories by Roger A. Grimes

Should vendors close all security holes?

In the past I have argued that vendors should close all known security holes. This week a reader wrote me with a somewhat interesting argument that I'm still slightly debating, although my overall conclusion stands: Vendors should close all known security holes, whether publicly discussed or not. The idea behind this is that any existing security vulnerability should be closed to strengthen the product and protect consumers. Sounds great, right?

How to become an exceptional security manager

I recently listened to a wonderful science program on National Public Radio discussing a book called Better: A Surgeon's Notes on Performance along with its author, Dr. Atul Gawande. The book discusses the reasons why some practitioners excel while others just meet the standards or perform poorly.

DNS attack puts in perspective

A few years ago, I had the privilege of seeing some root DNS servers in action at VeriSign's main headquarters. It's something I had wanted to do for over a decade, and I was literally slightly shaking with excitement (yes, I am that big of a geek).

Handling password hashes

Many of today's computer passwords are stored and transmitted in a cryptographic hashed form. A strong password hash algorithm ensures that if the password hash is obtained by unauthorized parties that it is non-trivial to convert the hash back to the original plain text password (assuming the password is not trivial to guess at in the first place).

Microsoft's antimalware effort

Microsoft has a cadre of antimalware tools. Most are free, but some current and forthcoming options are commercial. Any marketplace entry by the Redmond-based company becomes an immediate formidable foe lessening competitor profits.

The sad state of computer security

I teach computer security for a living. Last week, a class of mine asked which vendor had the best security. I responded that they all are pretty bad. If you aren't using <a href="http://www.openbsd.org/" target="_blank">OpenBSD</a> or software by <a href="http://cr.yp.to/software.html" target="_blank">D.J. Bernstein</a>, then every other product in the world is pretty bad in comparison.

The end of antivirus?

I first heard that the antivirus scanner was dead in December 1989. Experts had postulated that the increase in the number of different computer viruses, which at the time numbered almost 200, would quickly outpace the ability of antivirus scanners to keep up.

Develop an enterprise encryption strategy

Here's a sobering prediction: One-third of all adults in the United States will have their personal identity information compromised or lost this year by a company that electronically stores the data, according to figures supported by the Privacy Rights Clearinghouse. Whether or not that number is perfectly accurate, the list of publicly known data breaches is staggering nonetheless.

Corporate security's evolution

Most security solutions are a trade-off of ease-of-use versus security. As computer security measures grow in importance, previously uninterrupted legitimate processes get reined in or stopped altogether -- like my recommendation of not allowing non-admin users to install software without management approval. As companies grow more valuable, they are willing to accept higher levels of default security as measured against legitimate needs.

Password size does matter

I was recently contacted by the company that manages my stock to open up a new Web site log-on account. During new account creation, it asked me to input a secure password. So, I put in my normal password that is 21 characters long followed by 10 characters that are unique per Web site, but only uses lowercase letters. The length of the base password prevents basic password cracking and guessing, while the additional characters make the overall password (or pass phrase) unique so that no two resources ever have the same password.

Unauthorised apps are still bad

As expected, I caught a lot of flak for last week's column suggesting that one of the better, real security solutions an administrator could implement is to prevent unauthorised programs from executing on business-owned computers.

Effective security isn't easy

Last week, the curmudgeon in me had a bad day. After reading about new exploit after new exploit while people keep recommending the same old security solutions, I lost it.

The real security solution

I had yet another computer journalist call me to ask if Vendor X's security solution was THE security product to solve all our security problems. I get a call or e-mail like this about once every two weeks. Usually they've read the vendor's own PR, another newspaper article, or even my own column touting a particular product.

How SSL-evading trojans work

SSL-evading trojans bypass the secure and authenticated tunnel mechanisms that are the safety backbone of today's Internet banking and financial institutions. As with any trojan, this type can do anything allowed by the user's security permissions.