pragmatic security laws and rules to live by

This is an old compilation I made for a future post that never materialized. But I like the list, and have decided to just post it unfinished.

I’ve long compiled a list of what I would call “security laws.” These “laws” are principles that cyber security experts should be aware of, or outright aligned with. Some of them I’ll explain in more detail, but others I think speak for themselves. Getting oneself hung up on any of these laws can cause insecurity.

There is no silver bullet to security. – The IT and information landscape is so large, divergent among entities, and dynamic, that there is no silver bullet device, technology, or set of best practices that will offer a state of security.

Security events *will* happen. – Likewise, be aware of intolerance to the inevitability of a security breach. In other words, be aware when your culture or posture exhibits symptoms of assuming security events won’t happen.

You cannot “win” the security fight, but you can survive.

You can’t prevent/address what you don’t see.

Security is a cost; it rarely directly enables business. – Security enables business in only two conditions. 1) Your core business is security-related. 2) The business would absolutely not have been possible without the security, i.e. regulations, requirements, customer demands. Avoid twisting and tying that second condition into knots. (present edit: I’d also now add that security can be an enabler if it helps protect a business competitive advantage. And yes, I actually consider this bullet item to be discussion fodder.)

Compliance and regulations only help to achieve a common denominator; companies are economic entities and will tend to only do what is necessary to comply. This keeps overall security low. Structure your security posture in a way that compliance and regulations are met as a convenient result, not as the end goal of the posture. (present edit: This can also be discussion fodder.)

Security does not exist and has no need if there is not insecurity.

Trust, but verify. Or don’t trust, and verify.

Security bugs cost more to fix the longer they are allowed to exist.

Never assume, always check.

Management by fact trumps management by belief.

As humans, we make mistakes. – From errors in judgement, to misconfigurations, to mistakes, to creating fallible products.

Defense in depth, security in layers.

If you can’t do the fundamentals of security correctly, you won’t do any better with complex, automated tools. (Present edit: I have always found this tenet to be important, and it’s something I always tried to interview new hires for. If someone knows the fundamental building blocks, then they can wield and understand the big power tools…or the weaknesses they have!)

Customers do not pay for invisible security that they can neither touch nor see.

Attackers have far fewer laws, ethics standards, and constituents they need to answer to. They don’t necessarily need change mgmt and various layers and people to approve changes or operations. Attackers maintain an agility over slow-moving business due to the nature of business and large groups of stakeholders.

Security geeks with a strong security mindset will always want the best protections. No company can afford the dreams of a strong security geek. Tempering this tendency to consider the issue as a 0 or 1 is part of the battle of a security geek. Some call this battle the “alignment of security with business” or the move of security geeks to being more “non-tech-friendly.” There *are* exceptions, especially if you’re being paid to give the extreme security answers, even if you’re not always given the budget green light. Know when you are part of that role. This might be called reconciling your security ego and security id…  (present edit: Basically, I’m trying to say that the security in a business is a constant balance of the grey area between perfect security and no security. You put 10 security geeks in a room and ask them to design perfect security, you likely will get the same answer from all 10. But ask them to fit security into Company XYZ, and you’ll get 10 wildly different resultant answers.)

Do not let the media solely guide your security culture. – Cyber Security is the new darling of mass media. Since security is not absolute and will always be broken and security at some point has to trust something else without assurances, then security will always be potentially broken (no matter how insane or movie-script-like the scenario is). Likewise, security will always ultimately depend on fallible people. Thus, the media will forever have something to wave around when it comes to security, or insecurity incidents. And thus, the media should not be our guideline or focus when it comes to evaluating our security stances. The media only provides for measurements of security theater (which itself is important to keep in mind, but does itself not convey much real security value). Similar to “reality television,” media loves to point out failures in security.

Security is real-time, both in technology and actual incidents. Try not to live in the past, with past technologies, and only aware of past techniques.

Don’t forget the past. The past is a basis for our fundamentals, and the fundamentals still suck.

You WILL be the bad guy. Because for every security decision you make, someone can come back to you with, “But you *caaaaan* do it this insecure way, right?” Most often, security is a matter of a person or group of persons drawing a line. We love it when we can say something is not possible unless you do it secure, but hate when we only have “best practice” or “policy” or “security” as the only reason.

People (Users) follow the path of least resistance. If they’re allowed to do something, they’ll do it. People won’t police themselves when their convenience is impacted. They’ll keep doing it until you discover them doing it and provide some punishment (like parking in the visitor’s stall once…and then doing it until threatened otherwise.)

The packets never lie.

User education is a long-term behavior changing initiative. Don’t expect radical results in the short-term, but still take any moment you can to provide knowledge and advice to others.

Leave a Reply

Your email address will not be published.