Evolution of laws


Kurt Buff

Nov 6, 2023, 6:42:37 PM
to ntsys...@googlegroups.com
I have a colleague who hadn't heard of the Ten Immutable Laws of Computer Security, from Microsoft. I went searching for them. I remember the first set, but had a bit of difficulty finding them - they seem to have evolved a bit. 

However, I'm especially fond of #5 from the first set.

The evolution of Microsoft's 10 immutable laws of computer security
Version 1.0, from 2000
Law #1: Nobody believes anything bad can happen to them, until it does
Law #2: Security only works if the secure way also happens to be the easy way
Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with
Law #5: Eternal vigilance is the price of security
Law #6: There really is someone out there trying to guess your passwords
Law #7: The most secure network is a well-administered one
Law #8: The difficulty of defending a network is directly proportional to its complexity
Law #9: Security isn’t about risk avoidance; it’s about risk management
Law #10: Technology is not a panacea

Version 2.0, from the mid-2000s, I think.
Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as the decryption key.
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all.
Law #9: Absolute anonymity isn’t practical, in real life or on the Web.
Law #10: Technology is not a panacea.

Version 3.0, recently
Law #1: Security success is ruining the attacker ROI
- Security can’t achieve an absolutely secure state, so deter attackers by disrupting and degrading their Return on Investment (ROI). Increase the attacker’s cost and decrease the attacker’s return for your most important assets.
Law #2: Not keeping up is falling behind.
- Security is a continuous journey; you must keep moving forward because it will continually get cheaper and cheaper for attackers to successfully take control of your assets. You must continually update your security patches, security strategies, threat awareness, inventory, security tooling, security hygiene, security monitoring, permission models, platform coverage, and anything else that changes over time.
Law #3: Productivity always wins.
- If security isn’t easy for users, they'll work around it to get their job done. Always make sure solutions are secure and usable.
Law #4: Attackers don't care.
- Attackers will use any available method to get into your environment and increase access to your assets, including compromising a networked printer, a fish tank thermometer, a cloud service, a PC, a server, a Mac, or a mobile device; influencing or tricking a user; exploiting a configuration mistake or insecure operational process; or just asking for passwords in a phishing email. Your job is to understand and take away the easiest and cheapest options as well as the most useful ones (for example, anything that leads to administrative privileges across many systems).
Law #5: Ruthless Prioritization is a survival skill.
- Nobody has enough time and resources to eliminate all risks to all resources. Always start with what is most important to your organization, most interesting to attackers, and continuously update this prioritization.
Law #6: Cybersecurity is a team sport.
- Nobody can do it all, so always focus on the things that only you (or your organization) can do to protect your organization's mission. For things that others can do better or cheaper, have them do it (security vendors, cloud providers, community).
Law #7: Your network isn’t as trustworthy as you think it is.
- A security strategy that relies on passwords and trusting any intranet device is only marginally better than no security strategy at all. Attackers easily evade these defenses so the trust level of each device, user, and application must be proven and validated continuously starting with a level of zero trust.
Law #8: Isolated networks aren’t automatically secure.
- While air-gapped networks can offer strong security when maintained correctly, successful examples are extremely rare because each node must be completely isolated from outside risk. If security is critical enough to place resources on an isolated network, you should invest in mitigations to address potential connectivity via methods such as USB media (for example, required for patches), bridges to the intranet, external devices (for example, vendor laptops on a production line), and insider threats that could circumvent all technical controls.
Law #9: Encryption alone isn’t a data protection solution.
- Encryption protects against out-of-band attacks (on network packets, files, storage, etc.), but data is only as secure as the decryption key (key strength + protections from theft/copying) and other authorized means of access.
Law #10: Technology doesn't solve people and process problems.
- While machine learning, artificial intelligence, and other technologies offer amazing leaps forward in security (when applied correctly), cybersecurity is a human challenge and will never be solved by technology alone.

Kurt
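Law #9 of version 3.0 (and Law #7 of version 2.0) says encrypted data is only as secure as the decryption key. The script below is an added illustration of the "key strength" half of that sentence; it is not code from the post, the list, or Microsoft. It uses a throwaway SHA-256 counter-mode keystream so that it runs on the Python standard library alone (the cipher is a stand-in, not something to reuse), and a constructed record protected by a 4-digit PIN. The header bytes, PIN, record contents and PBKDF2 iteration count are all assumptions chosen for the demo.

```python
"""Demonstration: the cost of recovering encrypted data is bounded by the
key's entropy, not by the strength of the cipher or the KDF.

Added example, not from the mailing-list post or from Microsoft's laws.
The "cipher" is a toy SHA-256 keystream chosen only so the script needs
nothing outside the standard library; do not reuse it for real data.
"""
import hashlib
import os
import time

HEADER = b"REC1"          # constructed known-plaintext prefix; lets a guess be verified
PBKDF2_ITERATIONS = 1000  # assumed; kept low so the brute force finishes in a second


def derive_key(secret: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch a human-chosen secret into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: concatenated SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) by XORing data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def encrypt_record(secret: str, plaintext: bytes):
    """Return (salt, nonce, ciphertext) for HEADER + plaintext under the given secret."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(secret, salt)
    return salt, nonce, xor_crypt(key, nonce, HEADER + plaintext)


def brute_force_pin(salt: bytes, nonce: bytes, ciphertext: bytes, digits: int = 4):
    """Walk the whole PIN keyspace; return (pin, plaintext, attempts) or None.

    Each guess costs exactly one PBKDF2 call plus one decryption, i.e. the
    same work the legitimate owner does. With 10**digits candidates the
    attacker's total cost is fixed by the secret, not by the cipher.
    """
    for attempts, n in enumerate(range(10 ** digits), start=1):
        pin = f"{n:0{digits}d}"
        key = derive_key(pin, salt)
        candidate = xor_crypt(key, nonce, ciphertext)
        if candidate.startswith(HEADER):  # false match chance per guess is 2**-32
            return pin, candidate[len(HEADER):], attempts
    return None


def seconds_to_exhaust(keyspace: int, per_guess_seconds: float) -> float:
    """Worst-case time to try every key at the measured per-guess cost."""
    return keyspace * per_guess_seconds


def demo():
    secret_pin = "0471"  # constructed weak secret
    salt, nonce, ct = encrypt_record(secret_pin, b"card=4111-xxxx owner=alice")
    start = time.perf_counter()
    pin, plaintext, attempts = brute_force_pin(salt, nonce, ct)
    elapsed = time.perf_counter() - start
    per_guess = elapsed / attempts
    print(f"recovered PIN {pin} after {attempts} guesses in {elapsed:.2f}s -> {plaintext!r}")
    print(f"whole 4-digit keyspace at this speed: ~{seconds_to_exhaust(10**4, per_guess):.1f}s")
    # Same cipher, same KDF, same iteration count; only the secret changes.
    years = seconds_to_exhaust(62**12, per_guess) / 31_557_600
    print(f"12 random [A-Za-z0-9] characters at this speed: ~{years:.2e} years")


if __name__ == "__main__":
    demo()
```

Running `demo()` recovers the PIN in well under a second, and the last line shows the same machinery becoming infeasible once the secret has real entropy. Raising `PBKDF2_ITERATIONS` only multiplies both numbers by the same factor; it never turns a 10,000-entry keyspace into a large one, which is the point the law is making.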

Ken Dibble

Nov 7, 2023, 9:15:43 AM
to ntsys...@googlegroups.com
Typically for MS, much of this (especially in the last set) is oriented toward very large organizations, and is irrelevant or impractical for small ones.

Ken Dibble
www.stic-cil.org

At 06:42 PM 11/6/2023, Kurt Buff wrote:

Melvin Backus

Nov 7, 2023, 9:32:40 AM
to ntsys...@googlegroups.com

Security is always impractical. That’s why it works. The practical solution would be to rewire all the bad actors in the world to respect everyone else and stop doing things they shouldn’t do. Oh wait, that won’t work. Probably a conflict with the Prime Directive somewhere along the way.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

¯\_(ツ)_/¯
