Stories by: Roger A. Grimes
Go RBAC now 03 December, 2007 07:52:12
Good computer security is driven by role-based, least-privilege access control. Each user should be given only the access that is necessary to perform their job -- no, make that the specific task they are performing at a specific point in time.
DNS hacked again 24 November, 2007 10:00:54
Amit Klein recently released details on DNS server cache poisoning attacks that affect both BIND (Berkeley Internet Name Domain) and Windows DNS servers. It goes to show that every time you think a problem with a well-known protocol or service has been solved, it may not be.
Protecting the end-user 12 November, 2007 07:04:56
The recent OS X-specific Mac Trojan ignited many hot conversations on various security mailing lists last week. Supposedly, the excitement regarding the Trojan is that it is the first time profit-seeking criminals have paid attention to the OS X platform, versus script kiddies and the hobbyists. Personally, I don't know what the big deal is; Mac-based computers have been host to all the normal types of malware for more than two decades, albeit not as frequently as Microsoft Windows PCs.
Stopping malware that mutates on demand 29 October, 2007 09:50:21
Server-side polymorphism is a challenging problem for anti-malware software vendors. Much of today's malware, such as the Storm worm, creates tens of thousands of variants each month, a development that has made many anti-virus software programs that use static signatures significantly less accurate.
Vulnerabilities inside and out 22 October, 2007 07:00:35
I've often said in my columns how client-side attacks should be most administrators' No. 1 exploit worry. It's less and less common for attackers to break in through the front door. If I want to steal from a company over the Internet, it's much harder (these days) to find an exploit on the company's Web site or back-end database server. This is not to say that these types of attacks don't happen; they do, as any day's headlines will reveal. But it's not the most common way my clients are reporting. It's more likely that an end-user accidentally launched a worm or a bot that led to the compromise.
Protect your network from client-side attacks 03 October, 2007 10:26:38
I travel the world helping people make their computers and networks more secure. A question I get asked every week is, "What are the best steps I can take to protect my network?"
Trust key to Internet security 17 September, 2007 07:58:46
A few of my previous columns discussed my vision of creating a more secure Internet. It involved replacing the Internet's default anonymity with pervasive authentication, from the hardware initialization, through the OS and all applications, the user, and ending with a verifiable network stream. It is my strong belief that without a complete overhaul of default authentication, malicious hacking is going to continue indefinitely.
Web server security wars: Is IIS or Apache more secure? 10 September, 2007 09:50:37
Continuing the theme from my previous column on the relative security of Internet Information Services (IIS) vs. Apache, I've come across more studies to support my initial conclusion.
Old apps, new vulnerabilities 20 August, 2007 11:09:57
One of the best security defenses you can have is a fully patched computer. Not just the OS, but all applications -- large and small -- should be completely up to date. But making sure you have the latest patches isn't enough. You have to check and see if the older, vulnerable versions of the software you patched aren't still installed and available. Unfortunately, many well-known applications, when patched, do not remove the older versions. Malicious Web sites can often choose which version your client runs, so while you think you're safe with the latest patches, the older versions of your software can be called, instead, to execute a known vulnerability you had long ago stopped worrying about. - +
Secure apps in a secure ecosystem: the next challenge 25 July, 2007 16:36:11
This is the fourth in a series of columns exploring the possibility of building a next-generation secure Internet. - +
IIS versus Apache: Re-examining the statistics 02 July, 2007 12:24:51
As a Microsoft employee, I try to avoid writing on areas that blatantly promote Microsoft. However, I think this question is generic enough to involve Microsoft in the discussion: Can IP addresses ever be used for statistical analysis of malicious Web sites?