The ten immutable laws of security administration revisited



Casper Manes at GFI wrote a great blog post that I'm crossposting here. 

Welcome back to our series for people looking to break into the Infosec field or just learn more about information security: the Security 101 series. Last month, we talked about the Ten Immutable Laws of Security, a fifteen-year-old set of rules first put forth by Microsoft security researcher (now a Director at Microsoft) Scott Culp. Culp also wrote a post called “10 Immutable Laws of Security Administration” which, while it doesn’t get quite as much press as the first article does, is no less important for sysadmins of any system to know, and for Infosec professionals to get tattooed on their (…). Well, let’s just say these are critical for anyone working in Infosec and leave it at that. Let’s look at these ten and discuss what they can mean to you.

Law #1: Nobody believes anything bad can happen to them, until it does.

Today, the leading minds in security advocate a “presume breach” mindset. In other words, start with the premise that you’ve already been hacked, because odds are good that you have been, and move forward from there. Truly, it is not a matter of if you will be hacked, but simply when. Look at the most notorious hacks of the last year: Target, the IRS, the OPM, Home Depot, Sony. In all of those cases, the bad guys didn’t slip in Friday night and get discovered by an intrepid engineer who noticed something funny Saturday morning. The attackers had been on the network and accessing data for months to a year or more. Every single case! Bad things happen. How you recover from them, learn from them, and ensure they don’t happen again is the key.

Law #2: Security only works if the secure way also happens to be the easy way.

If you make something foolproof, evolution will provide you with a greater fool. Security through complexity is the wrong way to go. When you make someone create a 23-character password that must start with a number, end with a punctuation mark, and include both upper and lower case letters, you know they are going to have to write it down. Even people with no problem using long and complex passwords have problems when you force a pattern on them (which is also bad because the bad guys have less to do if you are forcing a pattern). If security is easy, then it is easy to be secure. Make sure the right way is the easy way, and design your security around your users as much as possible!

Law #3: If you don’t keep up with security fixes, your network won’t be yours for long.

Testify! In all the years I have been doing this, the only zero-day I have ever experienced is Sasser. I’ve been called in to clean up after plenty of incidents though, and of those, probably 90% were the result of an attack exploiting a known vulnerability for which a patch existed! Seriously, short of disconnecting the Ethernet cable from the back of the system, the single easiest and most effective thing you can do to prevent security incidents is to patch.

Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with.

Of course, patches don’t fix applications with default passwords, poorly written apps, too broad a set of permissions, the Guest account enabled, remote access software with easily guessed credentials, etc. Think defense in depth, or layered defense, or any of the other terms that remind you that security is an entire lifestyle, not a single one-off effort.

Law #5: Eternal vigilance is the price of security.

Think you’re done? Not even for a moment! Security is not something you worry about on “Patch Tuesday,” or the monthly change window, or just before the quarterly audit, or only during the annual shutdown. Security must be front of mind 24x7x365, and should be factored into every system you build, app you deploy, program you write, or web page you publish. Seriously, there is no down time with security.

Law #6: There really is someone out there trying to guess your passwords.

And they are running automated systems that are probing your ingress points, VPN concentrators, web portals, applications, and every other potential way into your network around the clock. They may not even know who you are, but they found an IP address and it responded to a probe, so they are hammering away.

Law #7: The most secure network is a well-administered one.

That’s a critical point far too many people just don’t understand. A well-administered network is one that is fully patched, kept up to date, properly configured, and monitored. Not only are things logged; those logs are checked. Policies and procedures are documented and followed, and good change control is pervasive. Sysadmins are trained and know what they are doing, and take a personal sense of ownership in the systems they administer. The workload is such that people have the time to do it right, the first time. Sprinkle in some good security policies, multi-factor authentication, email and web filtering, and end-user training, and you will find not only a very well-administered network, but also one without any easy ways in.
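Laws #6 and #7 together say that someone is guessing your passwords around the clock and that the point of logging is to actually check the logs. The following is an added example (not code from the original post or from GFI) of the simplest such check: a small detector that reads sshd-style auth log lines and flags a source that racks up failed logins in a short window, and, more seriously, a source that was guessing and then got an accepted login. The log lines, hostnames, usernames, IP addresses and the assumed log year are all constructed sample data.

```python
# Added example, not from the original post: a detector for the automated
# password guessing Law #6 describes, run over sshd-style auth log lines
# (Law #7: the logs get checked). Log lines and addresses are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted)"
    r" password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
def parse(line, year=2016):
    """Return (timestamp, result, user, ip), or None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, kind, detail) findings: 'burst' when one source fails `threshold`
    times inside `window`; 'success_after_failures' when a guessing source logs in."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    failures = defaultdict(int)   # ip -> total failures seen so far
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            failures[ip] += 1
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # expire failures older than the window
                q.popleft()
            if len(q) == threshold:     # report once, as the threshold is crossed
                findings.append((ip, "burst", f"{threshold} failures within {window}"))
        elif failures[ip] >= 3:
            findings.append((ip, "success_after_failures",
                             f"accepted login as {user} after {failures[ip]} failures"))
    return findings
SAMPLE_LOG = """\
Mar  4 02:11:01 bastion sshd[3011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  4 02:11:03 bastion sshd[3012]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  4 02:11:05 bastion sshd[3013]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar  4 02:11:06 bastion sshd[3014]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  4 02:11:08 bastion sshd[3015]: Failed password for invalid user oracle from 203.0.113.7 port 51255 ssh2
Mar  4 02:12:30 bastion sshd[3020]: Accepted password for backup from 203.0.113.7 port 51300 ssh2
""".splitlines()
```

Run `detect(SAMPLE_LOG)` and the guessing host is reported twice: once when its fifth failure lands inside the window, and again when the `backup` login is accepted after that run of failures, which is the finding worth paging someone for.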

Law #8: The difficulty of defending a network is directly proportional to its complexity.

If there is one thing worse than security through obscurity, it’s security through complexity. When sysadmins and security personnel make the network so complex in an effort to secure it, layering on multiple tiers of firewalls and adding in solutions based on technologies that no one on staff really understands, or they put in such cumbersome requirements that no one wants to deal with adding a new system anymore, then they are not adding security. They are hindering business.

Law #9: Security isn’t about risk avoidance; it’s about risk management.

Think about that one very closely for a moment. The threat-hackers from Elbonia are going to try to break into the network over the Internet. The mitigation – disconnect the Internet. Problem solved, amiright? Of course, if your business depends upon the Internet, that won’t really work out for you, will it? You cannot avoid risk, but you can manage it, mitigate it, transfer it…and then ultimately the business can accept it. Your job as a security professional is to make sure you can mitigate the risks as much as you can, and ensure the business makes an informed decision about the risks they are accepting with every system.

Law #10: Technology is not a panacea.

There is nothing (nothing!) more important to information security than the people who use the systems and administer the systems. There is no technology you can deploy that cannot be circumvented by either a user making a mistake, or an admin taking a shortcut. Never forget that.

Combine the Ten Immutable Laws of Security with the Ten Immutable Laws of Security Administration and you have an excellent foundation for moving forward.