The Immutable Laws of Security

I recently found two great security articles from 2000 from a well-respected Microsoft security guru, Scott Culp. Culp provided two sets of Immutable Laws of Security - one on the consumer side, and the other on the admin side. I found all of these laws still very applicable to today’s security world and wanted to pass along 7 of my favorites with Culp’s thoughts as well as my own spin. Hopefully you’ll find these laws helpful and perhaps even as immutable as Culp suggests. Here it goes:

• Law #1: Nobody believes anything bad can happen to them, until it does

• Law #2: Security only works if the secure way also happens to be the easy way

• Law #3: If you don't keep up with security fixes, your network won't be yours for long

• Law #4: An out-of-date virus scanner is only marginally better than no virus scanner at all

• Law #5: Eternal vigilance is the price of security

• Law #6: Weak passwords trump strong security

• Law #7: Technology is not a panacea

Law #1: Nobody believes anything bad can happen to them, until it does

This law is true on several fronts. First, there is Lance Spitzner’s Security through Obscurity observation (The Tools and Methodologies of the Script Kiddie - Know Your Enemy) that website owners believe their small footprint or low ranking in a Google search will keep them safe. The truth is that an automated scan doesn’t care how big or popular you are - your site will be tested by hackers regardless. It will be tested over and over, by skilled hackers and script kiddies alike. You need to be ready. The second truth comes from the fact that the majority of your staff not only don’t know much about security, they also don’t believe anyone would go to any effort to steal your data. Trusting your staff to do the right security thing every time is naïve at best. Put security protections in place that enforce strict security – mandate security, don’t expect voluntary compliance.

Law #2: Security only works if the secure way also happens to be the easy way

Any company process or procedure that is viewed as more work than it is worth won’t get done – security is no exception. Your staff won’t maliciously ignore or circumvent your imposed security rules; they’ll just ignore or find ways around them because they have a job to do. Balance security with productivity, and make as many security measures as possible automatic – for example, push virus updates to your staff PCs, don’t require them to actively update virus protection themselves.

Law #3: If you don't keep up with security fixes, your network won't be yours for long

Security patches for operating systems, SQL databases and system-level software are issued frequently, and hackers troll the Web for systems that contain the newly found vulnerabilities those patches fix. Yes, installing patches and updates is a costly (time and money) pain in the butt, but a single unpatched system might cost you far more if you suffer a data breach. Manage your own internal systems or hire an outside firm to do this for you; but do stay current.

Law #4: An out-of-date virus and malware scanner is only marginally better than no scanner at all

A typical virus and malware scanner will contain thousands of virus and malware signatures, but it’s the new viruses and malware attacks that will get you. Hackers almost never reissue old viruses and malware; there’s no fun or profit in sending out something that everyone is already protected against. Keep your virus and malware signature list current by accepting ‘push’ updates from your protection vendor, and make sure your system can accept new versions of the base virus and malware engines. More importantly, even if you try your best, you’ll never avoid every infected email or website, so make sure you are using a current scanner from a quality security vendor – don’t skimp on cost.

Law #5: Eternal vigilance is the price of security

Culp approached this truth from the standpoint of system logs that record all network and system activity – and then monitoring those logs to see who is attacking your systems. Putting the best security systems in place won’t keep hackers from attacking your environment; it will just stop them from getting in. But keep in mind that hackers are patient; they will launch an attack one day, evaluate the results, and then attack again with the knowledge gained from the day before. Sometimes these persistent attacks will take weeks or months before they finally succeed. Your system logs can be your most potent weapon: if you can understand the nature of the attacks, you can better protect your system from future attacks. But you need to check the logs constantly in order to understand what threats are being launched.
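As an added illustration of the point about patient attackers (example code, not from the article or from Culp), the following groups failed logins in some constructed sshd-style log lines by source and by day, and flags sources that fail a few times per day across several days: the low-and-slow pattern that a review of any single day’s log would miss. The log format, the sample addresses and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article): sshd-style auth records.
SAMPLE_LOG = """\
2011-03-01T02:10:11 sshd: Failed password for root from 203.0.113.7
2011-03-01T02:10:15 sshd: Failed password for admin from 203.0.113.7
2011-03-02T03:41:02 sshd: Failed password for oracle from 203.0.113.7
2011-03-03T01:05:44 sshd: Failed password for backup from 203.0.113.7
2011-03-04T04:22:09 sshd: Failed password for root from 203.0.113.7
2011-03-02T11:00:01 sshd: Failed password for bob from 198.51.100.23
2011-03-02T11:00:02 sshd: Failed password for bob from 198.51.100.23
2011-03-02T11:00:03 sshd: Accepted password for bob from 198.51.100.23
2011-03-04T09:00:00 sshd: Failed password for alice from 192.0.2.9
"""

# Assumed (simplified) line layout: "<ISO timestamp> sshd: <result> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

def parse_failures(text):
    """Yield (day, source, user) for every failed login in the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "Failed":
            day = datetime.fromisoformat(m.group("ts")).date()
            yield day, m.group("src"), m.group("user")

def slow_probe_sources(text, min_days=3, max_per_day=3):
    """Return (source, distinct_days, total_failures, users_tried) for sources
    that fail on at least `min_days` distinct days while never exceeding
    `max_per_day` failures on any one day. Staying under a per-day lockout or
    alert threshold is what lets such probing go unnoticed day to day."""
    by_src = defaultdict(lambda: defaultdict(int))  # src -> day -> failures
    users = defaultdict(set)
    for day, src, user in parse_failures(text):
        by_src[src][day] += 1
        users[src].add(user)
    flagged = []
    for src, days in by_src.items():
        if len(days) >= min_days and max(days.values()) <= max_per_day:
            flagged.append((src, len(days), sum(days.values()), sorted(users[src])))
    return sorted(flagged)
```

Run against the sample, only 203.0.113.7 is flagged (one or two failures on each of four days, four different account names), while the user who mistyped a password twice and then logged in is not.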

I also like to think of another truth behind this law in terms of the ‘Clean Desk’ philosophy of life. There are some whose desks are depressingly clean, regardless of the time of day, work load and stress level. Then there are those of us whose desks see the light of day every few months, with the silly promise to ourselves that it will stay that way. Security that is put in place and then periodically ignored will eventually fail. Unless your offices have a vigilant security champion who is on top of your security, your systems will age, your protection software will fall out of warranty or some minor network security component will break down, and no one will notice.

Law #6: Weak passwords trump strong security

Culp approaches this law from the literal side. His concern is the unfortunately common use of obvious, short or even blank passwords. Regardless of the strength of the surrounding security infrastructure and the quality of website applications, there always needs to be a set of administrative passwords that allow access to the heart of any IT system. Easily stolen or broken passwords let a hacker directly into your systems and data.

My take on this is a bit more system oriented. Hackers will always shoot for the weakest link in any system. This may be weak passwords, but it can also be an unsecured server room, an unencrypted backup file or any number of soft spots in your IT environment. The lesson here is a caution against the obvious but overlooked – like building the most secure system in the world, but forgetting that the cleaning people have lots of time at night to wander your offices.

Law #7: Technology is not a panacea

I found Culp’s words from his original articles to be a great summary for his lists as well as mine: “Technology by itself isn't enough to guarantee security. That is, there will never be a product that you can simply unpackage, install on your network, and instantly gain perfect security. Instead, security is a result of both technology and policy—that is, it's how the technology is used that ultimately determines whether your network is secure … but only you and your corporate management can determine the right policies for your company. Plan for security early. Understand what you want to protect and what you're willing to do to protect it. Finally, develop contingency plans for emergencies before they happen. Couple thorough planning with solid technology and you'll have great security.”

Culp put his Immutable Laws of Security together 11 years ago, a lifetime in the world of security. Yet, as you could see, they still ring true today.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.