Many years ago Microsoft published a list of the “10 immutable laws of security”. The page has since been removed; however, another version popped up with very slight changes.
Read on the see the security principles from decades ago which are still prevelant today.
Immutable Laws of Security
In an effort to preserve this knowledge I am going to republish the laws here. The full revised list can be seen: Immutable Laws of Security.
Original Security Principles
By using the Wayback Machine I can track down the original post. If you try to go to the original site you get a “404 page not found” message. The page was made in 2011 but you will find not much has changed in 2019.
The original 10 Immutable laws of Security from 2007 reads as such:
- Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
- Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore
- Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
- Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more
- Law #5: Weak passwords trump strong security
- Law #6: A computer is only as secure as the administrator is trustworthy
- Law #7: Encrypted data is only as secure as the decryption key
- Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
- Law #9: Absolute anonymity isn’t practical, in real life or on the Web
- Law #10: Technology is not a panacea
Additionally, for you sysadmins out there, the following points are made:
- Law #1: Nobody believes anything bad can happen to them, until it does
- Law #2: Security only works if the secure way also happens to be the easy way
- Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
- Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with
- Law #5: Eternal vigilance is the price of security
- Law #6: There really is someone out there trying to guess your passwords
- Law #7: The most secure network is a well-administered one
- Law #8: The difficulty of defending a network is directly proportional to its complexity
- Law #9: Security isn’t about risk avoidance; it’s about risk management
- Law #10: Technology is not a panacea
The above points are the prelude to the security laws. There are so many good points here which have standed the test of time. It turns out that the humans are often the weak link in a security breach.
Revised Security Principles
The revised security principles are very slightly different from the above list.
- Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
- Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
- Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
- Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.
- Law #5: Weak passwords trump strong security.
- Law #6: A computer is only as secure as the administrator is trustworthy.
- Law #7: Encrypted data is only as secure as its decryption key.
- Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
- Law #9: Absolute anonymity isn’t practically achievable, online or offline.
- Law #10: Technology is not a panacea.
Examination of Security Principles
Let’s now break down some of the security principles and points made above.
If a bad guy can persuade you to run a program, modify the OS, run active content then you’ve been pwned.
Not much needs to be said here. If it reaches this point you are likely doomed. Prevention didn’t work so the best you can hope for is detection. Remember, security is a layered approach and not a single mechanism.
Once a system is penetrated the next phase is privilege escalation. From there the sky is the limit. Now the bad guys are free to roam and look for desireable data. Operating system files are among the most trusted files on a computer.
Physical access is still a big vulnerability
Image what an attacker could do to system they can literally get their hands on. There is no limit once they have physical access. Make sure physical security is part of your hardening plan.
- They can install a keylogger and malware to phone home with data.
- They can unscrew the case / blade and take the hard disks for some offline analysis
- They can spill diet Coke all over the server, physically mutiliate it, or set it on fire.
Always make sure that a computer is physically protected in a way that is consistent with it’s value. Here we mean hardware and, most importantly, software. Your data is king.
Weak passwords trump strong security.
As long as humans generate passwords this will be a key vulnerability and attack vector. We are simply incapable of generating the hundeds of logins we all have to be unique, long, and sufficiently complex. Not to mention changing your passwords every so often…
A computer is only as secure as the administrator is trustworthy.
Insiders often prove to be the biggest and most undetected threat that organizations face protecting their data. Disgruntled workers can leak data for all sorts of reasons:
- Getting back at their employer before leaving the company
- Can be bribed to provide some intelligence
- Can be threatened or extorted to provide intel
- Can be really careless and leave the front door open with the key under the mat.
Take steps to keep people honest. Have signout sheets for data center access. Track privilege escalation requests. Monitor logs to detect any tampering.
Encrypted data is only as secure as its decryption key.
Encryption is one of the strongest methods for ensuring the confidentiality and integrity of our data. However, it is not without weak points. The strongest encryption is useless if private key is compromised. It would be like installing a strong physical barrier to your house while putting the key under the door mat.
Out of data software renders you vulnerable
The main emphasis here is on Anti-Virus software and Anti-Malware software. However, it also includes Operating System patches, security hotfixes, application vulnerabilities, etc. Always make sure to keep your software updated as best you can.
Total security or anonymity is not achievable. Technology is not a magic bullet
Some people get discouraged when they realize you cannot absolutely preserve your security or anonymity. The experienced perspective acknowledges this but still works to secure what they can. Make it harder and more undesirable if you can. “Don’t let perfect be the enemy of good”.
Additional Tips for Planning a Security Solution
Nobody believes anything bad can happen to them, until it does
True indeed – I cannot tell you how many people’s environments I’ve worked on which did not have backups of their, supposedly, important data. Disks fail. So do network cards, memory, CPUs, etc. It’s not a matter of “if” hardware fails but rather “when” it fails.
Security must be easy enough for people to use. Usability trumps security at every opportunity it is given.
If the security solution is too cumbersome then people will not use it. When organizations provide strict password change policies what ends up happening is people write their passwords on a sticky note and place it on their monitor. Give them better solutions for conforming to your password policy e.g. a password management system.
You can never stop securing your systems
Eternal vigilance is the price of security. Bad guys are constantly coming up with new exploits to unleash. Security is a means and not an end.
Concluding Thoughts on Security Principles
The back and forth of securing a system and breaching it plays out like a game of pinball. You play for the intrinsic pleaseure of it. There is no such thing as winning – it’s just that if you perform well enough you get to play more / again. Keep playing!
Thanks for reading!
If you liked this post then you might also like: The Security Theater of Chip Cards
One thought on “Security Principles – Time Tested and Immutable”
[…] Tackle the basics to prevent leakage e.g. use a password manager, use a VPN, use MFA where you can […]