October 22, 2006
Back in 2000, Microsoft released its 10 Immutable Laws of Security & 10 Immutable Laws of Security Administration. 6 years later, these laws are still true. I recently started reading the excellent book Protect Your Windows Network: From Perimeter to Data by Jesper Johansson & Steve Riley, and they include these laws in their appendix. If you have not read this book, buy it immediately! It is a well-written introduction to the theory of network security, and is probably the best guide I’ve seen for those who are new to infosec. Although the book comes from Microsoft, and the title includes Windows, the book covers a wide range of topics, including social engineering, patch management, and security policy management, that can be applied to any environment.
After reading this book, I decided to write my own updated list of 10 Immutable Laws of Information Security. These 10 rules represent years of experience, hundreds of projects, and countless mistakes:
- There is no such thing as perfect security – Systems designed by humans are vulnerable to humans. Bugs exist. Mistakes are made. The things that make your computers useful, i.e. communication, calculation and code execution, also make them exploitable. Information Security is the management of risk. A good infosec design starts with a risk profile, and then matches solutions to the likely threat.
- If you’re not part of the solution, you are part of the botnet – Failing to protect your systems is no longer an option. Firewalls, anti-virus, and patch management are required as a cost of doing business. Every system you fail to protect will quickly become a launching point for more attacks against others. Widespread attacks such as Code Red and Nimda spread because basic security mechanisms were not employed. Your mistakes threaten my systems, and my mistakes threaten you.
- Your defenses must be perfect every time; the attacker only needs to be lucky once – See rule 1. Attackers look for the easy way. The best firewall in the world will not prevent a hard drive from being stolen. Your security policy must take a holistic approach to your systems, and then minimize the impact of an exploit. A good place to start is the 10 security domains identified by (ISC)²: Access Control, Application Security, Business Continuity & Disaster Recovery, Cryptography, Risk Management, Compliance, Operations Security, Physical Security, Security Architecture & Design, and Telecommunications & Network Security. Analyze each of these areas against the 11 Security Dimensions in the Open Source Security Testing Methodology Manual (OSSTMM), which are Visibility, Access, Trust, Authentication, Non-Repudiation, Confidentiality, Privacy, Authorization, Integrity, Safety & Alarm, and you’ll be on your way to a solid defense.
- Your data center is only as secure as your administrator’s PC – These days, most data centers have good physical security, but none of that matters if the administrator has full remote control of his systems. Install a key-logger on the admin box, and you own the network. Forcing privileged users to sit in an unrestricted cube farm with the rest of your employees is just asking for trouble.
- An unsupervised janitor is the richest guy in your company – See rule 4. As I’ve discussed before, a USB key with U3 and a PC with AutoPlay is all it takes to get passwords, install software, and generally 0wn a PC. Couple that with your administrator’s terminals and you have a recipe for disaster. Would you really trust your janitor to do the right thing if I offered him $1,000 to plug a USB drive into a PC for 10 minutes and then bring it back to me? Physical security extends beyond the data center to include every system that has privileged access. How secure are your admin’s home PCs? Your CIO’s?
- Everybody Lies – Your users lie when they say they didn’t open that attachment. Your administrators lie when they say they’ve verified all your backups. Your vendors lie when they say their solution will fix all your problems. The attacker on the phone claiming to be a help desk agent who needs your password is lying. Good security minimizes the capability to lie, and the impact of the lie.
- Usability increases security – The best security controls are the ones that are mandatory and transparent to the end user. The worst controls are difficult to use and require the user to change his/her behavior. Automatically redirecting your web pages to pages that use SSL increases privacy while being effortless on the part of your user. Requiring a user to have a 36-character password with special characters, and forcing them to change it every 7 days, may seem more secure, but it forces the user to write the new password down and tape it to their monitor just so they can remember how to log in. Don’t confuse complexity with security. Usually, the opposite is true.
- It is easier to design security up front than to bolt it on later – Often, small changes to an application or a network can yield big security returns. Making these changes once the system is in production, however, can be very costly. Adding a security review to the early stages of your projects will prevent many future headaches.
- If a defense can fail, it will – Murphy was right! Build redundancy and defense-in-depth into every design. Focus both on preventing a failure and on minimizing its impact. Storing confidential data encrypted inside a database will minimize the loss if the database authentication fails. Adding anti-virus firewalls to your network will help stop the spread of worms from personal (unprotected) laptops. Always assume the worst case and plan accordingly.
- A motivated attacker will always trump a diligent defender – See rule 1. If the bad guy wants in, and has enough motivation, he will get in. Period. Why do the best protected networks of the DOD and FBI still get compromised? Because the motivation to get in is high, and the attacker has unlimited time. Fortunately, the reverse is also true: An unmotivated attacker will always lose to a diligent defender. Hackers are lazy and they go after the low-hanging fruit first. Minimize your public profile, and you will reduce the number of attacks. A web server that is filtered by a firewall and only allows ports 80 & 443 looks a lot less attractive than an unprotected web server that also responds to a couple dozen other ports. Reducing the number of attack vectors reduces the number of attacks and attackers.
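
One way to check the last rule on your own web server, as an added example that is not part of the original post: list every TCP listener bound to a non-loopback address on a port other than 80 or 443. The sample input is constructed in the column layout of `ss -H -tln`, and the function names are hypothetical; the firewall rules in front of the host still need their own review.

```python
import ipaddress

ALLOWED_PORTS = {80, 443}  # the two ports the filtered web server in the last rule exposes

# Constructed sample in the column layout of `ss -H -tln` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""


def is_loopback_only(host):
    """True if the bind address is reachable only from the machine itself."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface suffix
    if host == "*":
        return False  # wildcard bind: every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: assume it is exposed


def unexpected_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Return (bind_address, port) for non-loopback listeners outside the allow-list."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip headers, blank lines and non-listening sockets
        host, _, port = fields[3].rpartition(":")  # rpartition keeps IPv6 colons in host
        if not port.isdigit():
            continue
        if is_loopback_only(host) or int(port) in allowed:
            continue
        findings.append((host, int(port)))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for host, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener on {host}:{port}")
```
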
That’s my list. Ignore it at your peril! Leave me a comment with your top laws, and thanks for stopping by.