Failing security 101: Pwn3rship of the n00b

Even after two years working on, I'm still susceptible to even the most transparent schemes. Read about my experiences and the myth of Windows security.

If you had asked me what "Windows security" meant as a recent college grad, I'd have thought you were talking about the act of taping up your home's windows to prepare for a hurricane. As I've grown in this field and learned what Microsoft Windows security is all about, I'm realizing one predominant truth.

Microsoft Windows security is a myth.

I'll tell you what Windows security is. It's Captain Ahab's white whale. It's Sisyphus's boulder. It's the coyote's roadrunner. Windows security is the mountain that gets two feet taller for every foot you climb.

Every day, security professionals work toward eliminating Windows security threats, new and old. However, no matter how many measures admins take, be they permanent or temporary, new vulnerabilities emerge to take the place of the old. Perhaps I'm guilty of being an optimist here, but every security vulnerability is an opportunity to learn, a chance to practice solving a problem that we will inevitably face another day. And when that day comes, we'll be better prepared for it.

At least, I'd like to think that.

Now, I know my fair share about security threats, patch management and file permissions. But, like Chris Webber calling a nonexistent timeout in the Final Four, I too am susceptible to mental gaffes.

I returned home one night from a hard day of work, helping to bring our readers the greatest security content the Web can offer, and decided to check my email one last time for the evening. I found a message from my email provider outlining changes to their site's policies and that I needed to change my password.

I know, I know. But, judge not lest ye be judged.

"Odd," I thought. I had had this same email provider for more than five years and never once been asked to change my password. I even said aloud to myself, "This is probably some phishing scam."

Sure enough, I plugged in a new password, confirmed the change and signed out of my email account. The next day, when I went to check it again, I could not get into my account. Big surprise.

The irony was not lost on me. Bill Buckner still has no idea how he missed that grounder in the 1986 World Series. Scott Norwood has no idea how he missed the kick against the Giants in 1991. The world has no idea why, for a time, we were all "Livin la vida loca" and loving it. I have no idea how I fell victim to a basic phishing attack. Some things are just inexplicable. I'm such a n00b.

I'm making a point, of course. Such a mistake could most likely never happen to a trained security professional. (If it does, please email me at and let me know so that I can feel better about myself.) Basically, all of you reading this column today are fully aware of such an attack and others like it and know how to prevent or avoid them.

Unfortunately, though, you're not protecting your networks from yourselves. You're protecting them from people like me.

The world of Windows security vulnerabilities is growing so fast that an entire army of trained and educated hacker assassins can't possibly keep up with it. How can someone with no experience or knowledge of the subject be expected to be secure?

The point is that, as a security professional, you can't possibly know enough about your craft, especially in today's world. It's not like the worst thing that can happen to a Windows machine is a pop-up ad or some pesky adware anymore. At least when I erroneously changed my password, all I had to deal with was a brief hassle and a little embarrassment. But what if this happened to a user in your network? Your company could lose thousands or even millions of dollars!

If there's one thing to think about going into next year, it's that your network is only as safe as its weakest link. In each network, this link is different. As a security pro, it is your duty to keep not only yourselves but your users as up-to-speed with the latest security issues as possible. You never know what can happen.

So who's in the mood for a shameless plug?

In 2008, will continue to work toward helping you accomplish this very task. Continue to check us out next year for the latest info on Windows security patches, network security, what's new in Windows security, malware, Web security, end-user education, you name it. For now though, thanks to all of you who have been checking out the site this year and keeping me employed! Have a happy and safe holiday!
