Monday, August 30, 2010

A Few Ways Hackers Break Security & Recommendations

Exploiting Defaults
When you install software, it comes with default settings such as the installation path, passwords, folder names, etc.

Many compliance standards suggest avoiding this situation. Use custom options as much as possible and change the defaults (especially default passwords). Try to avoid installing operating systems into the default drives and folders, and don't install applications and other software into their default locations.

Man-in-the-Middle Attacks
A man-in-the-middle attack intercepts a communication between two systems. For example, in an HTTP transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server. Once the TCP connection is intercepted, the attacker acts as a proxy and is able to read, insert and modify the data in the intercepted communication.

Protection techniques: avoid clicking on links found in e-mails, and always verify that links from Web sites stay within trusted domains and still maintain SSL encryption. Deploy IDS (Intrusion Detection System) systems to monitor network traffic as well as DNS and local systems.

Stealing Passwords
Multi-factor authentication is the best and recommended way to protect against these attacks. However, many places still depend only on passwords. With the increasing capacity of computers, passwords can be cracked easily using dictionary attacks, brute-force attacks and hybrid attacks, to name a few examples. Other factors involve human capacity: as humans we can remember passwords of only a certain length, and as a result people may write their passwords down in different places. There are other factors, such as insecure protocols that transfer passwords in clear text, keystroke loggers, shoulder surfing/video surveillance, and the same password used at different places, which add to this risk. Password theft, password cracking, and even password guessing are still serious threats to IT.

The best protection against these threats is to deploy multifactor authentication systems and to train personnel regarding safe password behavior.


Trojan Horses
A Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign". For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal denial-of-service attacks. A Trojan horse could be delivered via e-mail as an attachment, it could be presented on a Web site as a download, or it could be placed on removable media (memory card, CD/DVD, USB stick, floppy, etc.).

In any case, protection consists of automated malicious-code detection tools, such as modern anti-virus systems and other specific forms of malware scanners, together with user training.

Extensive Learning
External hackers learn how to overcome your security barriers by researching your organization. This process can be called reconnaissance, discovery, or footprinting. Ultimately, it is intensive, focused research into all information available about your organization from public and not-so-public resources.
If you've done any research or reading into warfare tactics, you are aware that the most important weapon you can have at your disposal is information. Hackers know this and spend considerable time and effort acquiring a complete weapon store. What is often disconcerting is how much your organization freely contributes to the hacker's weapon stockpile. Most organizations are hemorrhaging data; companies freely give away too much information that can be used against them in various types of logical and physical attacks. Here are just a few common examples of what a hacker can learn about your organization in very little time:
• The names of your top executives and any flashy employees you have by perusing your archive of press releases.
• The company address, phone number, and fax number from domain name registration.
• The service provider for Internet access through DNS lookup and traceroute.
• Employee home addresses, phone numbers, employment history, family members, previous addresses, criminal record, driving history, and more by looking up their names in various free and paid background research sites.
• The operating systems, major programs, programming languages, specialized platforms, network device vendors, and more from job site postings.
• Physical weaknesses, vantage points, lines of sight, entry ways, covert access paths, and more from satellite images of your company and employee addresses.
• Usernames, e-mail addresses, phone numbers, directory structure, filenames, OS type, Web server platform, scripting languages, Web application environments, and more from Web site scanners.
• Confidential documents accidentally posted to a Web site from archive.org and Google hacking.
• Flaws in your products, problems with staff, internal issues, company politics, and more from blogs, product reviews, company critiques, and competitive intelligence services.
A hacker will spend most of their time in information-gathering activities. The more the attacker learns about you, the easier the subsequent attack becomes.
As for defense, you are ultimately at a loss, mainly because it is already too late. Once information is out on the Internet, it is always out there. You can obviously clean up and sterilize any information resource currently under your direct control. You can even contact third-party information repositories to request that they change your information. Some online data systems, such as domain registrars, offer privacy and security services (for a fee, of course). You can also control or limit the output of information in the future by being more discreet in your announcements, product details, press releases, etc.
However, it is the information that you can't change or remove from the Internet that will continue to erode your security.
The only way to manage uncontrollable information is to make changes to your environment so that the information is no longer correct or relevant.

Social Engineering

Firewalls, IDSs, IPSs, and anti-malware scanners have made intrusions and hacking a difficult task.
However, the bad news is that many hackers have expanded their idea of what hacking means to include social engineering: hackers are going after the weakest link in any organization's security, the people.
People are always the biggest problem with security because they are the only element within the secured environment that has the ability to choose to violate the rules. People can be coerced, tricked, duped, or forced into violating some aspect of the security system in order to grant a hacker access. The age-old problem of people exploiting other people by taking advantage of human nature has returned as a means to bypass modern security technology.
Protection against social engineering is primarily education. Training personnel in what to look for, and to report all abnormal or awkward interactions, can be an effective countermeasure. But this is only true if everyone in the organization realizes that they are a social engineering target. In fact, the more a person believes that their position in the company is so minor that they would not be a worthwhile target, the more they are actually the preferred target of the hacker.


Keeping an eye on new Vulnerabilities

Hackers always keep an eye on the development of vulnerabilities using web search, blogs, etc. The more the hacker can discover about possible attack points, the more likely it is that they can discover a weakness you have not patched, protected against, or even become aware of. To combat vulnerability research on the part of the hacker, you have to be just as attentive as the hacker.
You have to monitor developments in new vulnerabilities by checking blogs, discussion forums, etc., and you need to watch the third-party security oversight discussion groups and web sites to learn about issues that vendors are failing to make public or that don't yet have easy solutions. These include places like securityfocus.com, US-CERT, CVE, etc.

Insider

All too often when hacking is discussed, it is assumed that the hacker is some unknown outsider. However, studies have shown that a majority of security violations are actually caused by internal employees. So, one of the most effective ways for a hacker to breach security is to be an employee. This can be read in two different ways. First, the hacker can get a job at the target company and then exploit that access once they gain the trust of the organization. Second, an existing employee can become displeased and choose to cause harm to the company as a form of revenge or retribution.

In either case, when someone on the inside decides to attack the company network, many of the security defenses erected against outside hacking and intrusion are often ineffective. Instead, internal defenses specific to managing internal threats need to be deployed. This could include keystroke monitoring, tighter enforcement of the principle of least privilege, preventing users from installing software, not allowing any external removable media source, disabling all USB ports, extensive auditing, host-based IDS/IPS, and Internet filtering and monitoring.

Information Security Policy

Every organization should have an IS policy in place that deals with Risk Management, Crisis Management, Incident Management, etc. These types of policies ensure that you have the right things in the right place.

Having only a policy won’t help you; you should ensure that your organization adheres to those policies. The organisation should have a proper team and department for information security. After all, information is the most vital piece of organizational success.

Friday, August 27, 2010

Wednesday, August 25, 2010

Cloud Computing Risk Assessment

Some time back I came across this paper from ENISA and found it really informative. While cloud computing is still an emerging market, I feel there is worth in reviewing this risk assessment, and it should be reviewed if you are a Cloud Provider, Cloud Customer, vendor, or may have an interest in exploring cloud computing security. Below you will find the top risks assessed, and you may visit the ENISA site for details.


TOP SECURITY RISKS

LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security. At the same time, SLAs may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defences.

LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or service interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or to migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled.

ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks). However, it should be considered that attacks on resource isolation mechanisms (e.g., against hypervisors) are still less numerous and much more difficult for an attacker to put into practice compared to attacks on traditional OSs.

COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud:

• if the CP cannot provide evidence of their own compliance with the relevant requirements

• if the CP does not permit audit by the cloud customer (CC).

In certain cases, it also means that using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved (e.g., PCI DSS (4)).

MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.


DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification.

INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of data are stored but are not available, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancy and the reuse of hardware resources, this represents a higher risk to the customer than with dedicated hardware.

MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles which are extremely high-risk. Examples include CP system administrators and managed security service providers.
Source: http://www.enisa.europa.eu/

Tuesday, August 24, 2010

Discovering Unstructured Processes

These are five possible ways to discover unstructured processes.


Regulatory and Compliance processes - People-intensive processes that are kicked off as a result of an external regulatory body. These processes tend to be ad hoc and subject to ongoing change, but if not followed they carry some type of penalty, so they entail the ability to be tracked and monitored. Some examples are Health, Safety and Environment (HSE) processes.

Exceptions and Escalation processes - People-intensive processes resulting from the need to handle an exception to an existing structured process, or an escalation needed to solve an issue outside the scope of the normal systems. They tend to involve a wide variety of different individuals, depending on the exact nature of the issue. For example, fraud escalation is kicked off by the normal fraud detection systems and requires that more human investigation be done to solve the problem. One interesting side effect of these unstructured processes is that they can be used as “early warning systems” of changes in the organization and client environment.

Decision Implementation processes - Once decisions have been taken, they should kick off a set of processes to implement those decisions. How many times has your company made decisions that dissipate and never get implemented since there was no way to track and monitor the progress made? An example is the minutes of a board of directors meeting - the executable decisions kick off a set of unstructured processes to implement those decisions.

Audit processes - Internal audits of different organizational activities and adherence to guidelines where negotiation is involved before findings are published. Tracking and monitoring these negotiations can ensure that the audit process stays on track and on target. Once the findings are accepted and published, there is the need to track the processes that were kicked off to address the findings.

Complex Project Management processes - Managing a project is all about managing and coordinating the people involved. Gantt charts and project plans aren’t enough, since they don’t track the actual interactions between the people involved in the project. Once the work gets kicked off, there is the need to be able to track, control and coordinate the people processes involved in the actual execution of the project.

Source: http://www.zdnetasia.com

Monday, August 23, 2010

Employees with a Certified Information Security Manager (CISM) Certification

Employees with a Certified Information Security Manager (CISM) Certification PayScale:
http://www.payscale.com/research/US/Certification=Certified_Information_Security_Manager_(CISM)/Salary

CISA/CISM article from Computer World

Great and long article on the CISA and CISM. Worth a look: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011038&pageNumber=1

Windows 7 Security Feature

With Windows 7, Microsoft has introduced features that are useful for end users and administrators. Here is a closer look at them.
BitLocker & BitLocker To Go
Introduced in Windows Vista and now available in Windows 7, BitLocker is a security feature that is designed to prevent data theft via unauthorized access of a desktop or from a lost/stolen laptop. As you may know, BitLocker takes the Encrypting File System (EFS) feature to the next level in that BitLocker uses a hardware-level encryption on the hard disk, thus protecting not only the actual data files, but the system files too, as well as the bits and the pieces of data lingering in such places as the temporary files, swap files, and even hibernation files.
With Windows 7, BitLocker has been extended in that it can now be used to protect removable storage (USB flash drives) with the new BitLocker To Go feature. This means that if you lose a USB flash drive, which is all too easy, your data is safe.
Keep in mind that BitLocker and BitLocker To Go are available only in the Ultimate and Enterprise editions of Windows 7. To learn more about BitLocker and BitLocker To Go, check out this demo on the Microsoft TechNet site.

DirectAccess
Working in conjunction with Windows Server 2008 R2, Windows 7’s new DirectAccess feature makes it easier for end users to connect to the corporate network without a VPN. DirectAccess automatically establishes a secure bi-directional connection from mobile systems to the corporate network, so mobile workers can securely connect to the enterprise network anywhere they have Internet access without the need for a VPN connection. With DirectAccess, IT professionals are relieved of the extra overhead required to provide and maintain VPN configurations.

ActiveX Installer Service
As you know, ActiveX controls are self-registering COM objects that are used by Internet Explorer, Office, and Windows Media Player, just to name a few, in order to provide a more interactive user experience. Because ActiveX controls are often distributed in .cab files, users with standard accounts do not have permission to install them. However, in Windows 7, the new ActiveX Installer Service is enabled by default and is designed to enable administrators to more easily deploy ActiveX controls by using Group Policy to configure the Trusted sites zone to identify Web sites that can install ActiveX controls without intervention. This reduces unnecessary support calls as well as the additional time-consuming operations of repackaging and distributing the needed ActiveX controls.
Multiple Active Firewall Policies
As you may know, the Windows Firewall policies in Vista are based on the type of network connection established (Public, Home, and Work/Domain) and can only work on one connection type at a time. Unfortunately, this sort of limitation can cause all sorts of problems if additional connections are made that require different firewall policies, such as when a mobile user accesses a public network and then launches a VPN connection to a corporate network.
In order to accommodate these types of scenarios, Windows 7’s new firewall feature allows multiple firewall policies to be enabled at the same time, so that no matter what type of connection is being used, the appropriate firewall policy will be in effect, thus ensuring that mobile/remote users are protected and have access to the appropriate networks. On the other end of the equation, the new Multiple Active Firewall Policies feature means that security professionals only need to maintain one set of rules for both mobile/remote systems and physically connected systems.


AppLocker
A new security feature being introduced with Windows 7 is AppLocker, which provides a security professional with the ability to control the installation and use of applications in the enterprise. Keep in mind that AppLocker is available only in the Ultimate and Enterprise editions of Windows 7 and is designed to work closely with Windows Server 2008 R2.
AppLocker works by allowing you to create rules that are based on file attributes derived from a file’s digital signature. These rules can be used to control how users access and use any type of executable file. Of course, to be a flexible tool, it also lets you create exceptions to AppLocker rules. You can then assign rules to an entire security group or be more precise and assign a rule to an individual user. To learn more about AppLocker and see it in action, check out this demo on the Microsoft TechNet site.
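As an added example that is not part of the original post, the following PowerShell uses the AppLocker module that ships with Windows 7 Ultimate/Enterprise and Windows Server 2008 R2 to derive publisher rules (with hash rules as a fallback for unsigned files) from a folder of executables, then dry-runs the policy against sample binaries before anything is enforced. The folder path and rule-name prefix are placeholders, and the script assumes an elevated session on one of those editions.

```powershell
# Added example (not from the original post): build and test an AppLocker
# publisher-rule policy with the Windows 7 / Server 2008 R2 AppLocker cmdlets.
# Assumptions: elevated PowerShell on Windows 7 Ultimate/Enterprise or
# Server 2008 R2; C:\Program Files\ExampleApp is a placeholder folder.
Import-Module AppLocker

$appDir    = 'C:\Program Files\ExampleApp'            # placeholder path
$policyXml = Join-Path $env:TEMP 'ExampleApp-AppLocker.xml'

# 1. Read publisher (signer, product, binary name, version) and hash
#    information from every .exe under the application folder.
$fileInfo = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe

# 2. Turn that into rules. Publisher rules survive version upgrades of a
#    signed binary; unsigned files fall back to hash rules. The policy is
#    written to XML so it can be reviewed and version-controlled first.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                        -RuleNamePrefix 'ExampleApp' -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# 3. Dry run: PolicyDecision shows Allowed/Denied per file and MatchingRule
#    names the rule that produced the decision, without changing the host.
#    Note that once an enforced rule collection contains any rule, AppLocker
#    denies everything in that collection that is not explicitly allowed, so
#    Windows and Program Files binaries need rules of their own as well.
$sample = Get-ChildItem -Path $appDir, "$env:SystemRoot\System32" `
                        -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
          Select-Object -First 20 -ExpandProperty FullName

Test-AppLockerPolicy -XmlPolicy $policyXml -Path $sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. When the dry run looks right, merge the policy into the local policy.
#    Keep the collection in 'Audit only' mode (secpol.msc) and review the
#    AppLocker event log until legitimate applications stop showing up as
#    would-be denials; the Application Identity service must be running
#    for AppLocker to evaluate rules at all.
# Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

Uncomment the final line only after the audit-mode review; `-Merge` adds the new rules to whatever local policy already exists instead of replacing it.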

User Account Control
As you know, the advent of User Account Control wasn’t very well received in Vista; however, it’s still an important security tool that is designed to prevent the inadvertent running of malicious software by displaying an “are you sure” type of prompt along with requiring an elevation of privileges before a potentially dangerous action can be initiated. In Windows 7, UAC has been improved and toned down a bit.
For example, certain types of tasks that were previously UAC protected can now be performed by a standard user without administrator approval, thus making UAC less of a hassle for end users and ultimately less of a burden on administrators. And speaking of administrators, an already security conscious administrator can now adjust the level of or even disable UAC protection in the Control Panel. Furthermore, there are now new local security policies that can be used to alter the way that UAC interacts with local administrators and standard users.

And there’s more…
While I’ve touched on the new security features in Windows 7, there are many more improvements in existing security features. For example, the Encrypting File System (EFS) architecture has been adapted to incorporate Elliptic Curve Cryptography (ECC), which makes it compliant with Suite B encryption requirements defined by the National Security Agency.

Information Security

Welcome to my blog. This blog is dedicated to Information Security Professionals and will provide details and information on the same.