Ten Immutable Laws of Security: Thoughts

Dan Munro   Print   643 words   2019-01-10

The Laws

Originally posted way back in 2011 on Microsoft Technet, here they are:

  1. If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
  2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
  3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
  4. If you allow a bad guy to run active content in your website, it’s not your website any more.
  5. Weak passwords trump strong security.
  6. A computer is only as secure as the administrator is trustworthy.
  7. Encrypted data is only as secure as its decryption key.
  8. An out-of-date antimalware scanner is only marginally better than no scanner at all.
  9. Absolute anonymity isn’t practically achievable, online or offline.
  10. Technology is not a panacea.

An Observation on the Nature of Laws

First, let’s acknowledge that these are laws. Not suggestions. Not rules. Laws. And laws are differentiated from lesser impositions primarily by one characteristic. Namely, there are consequences for violations, including fines and jail time.

Of course, in the world of security, fines and jail time do not exist. However, unauthorized bank charges and credit lines are very real. And the hours spent on the phone disputing charges and closing fraudulently opened lines will never be reclaimed.

Good Security Tips Age Well

The second important immediate observation is when this article was published. Two thousand and eleven. Seven years is about lifespan of the average Javascript framework, or about 50 startup years. That the laws are still just as relevant today as when they were written is a testament to their quality and timelessness.

Trust, and Networks

Implicitly or explicitly, many of these laws are about trust. Maybe less obvious, but just as important, is the concept of chain of trust. If Bob trusts Alice, and Alice trusts Jane, then Bob trusts Jane. This is an important and crucial detail of how the internet works and often how identity is verified over networks.

How much do you trust the people who wrote the programs that run on your computer? What about the libraries they chose as dependencies when designing said programs? Or the hosting network that distributes the application binaries? Or the ad networks supporting those hosting networks?

It is in this way that the internet is a distributed network of trusted entities. Trust and identity are global currencies, and as such are subject to the same problems of manipulation, fraud, and outright theft. Good security requires vigilance. Adaptation. Learning. Good security also requires periodic re-authentication, as well as authorization for every request.

Humans Ruin Everything

Humans are really good at finding the easiest way to get a job done. We trust openly, we look for shortcuts, we leave things unlocked for convenient access. Something that worked yesterday, is expected to work the same tomorrow. Maintenance and investment is routinely deferred.

Simply put, humans are bad at security.

The Future: Zero Trust

That’s why so many of these laws are critical of us humans and the implicit trust we put in each other. As the internet grows, our trust policy must evolve to meet its changing needs. Never trust, always verify. Every session requires authentication, every request requires authorization. Requests that originate and terminate within a private network are no exception.

How can you improve? How can your company improve? Your profession?

As a profession, we have a lot of room to improve. We can start by remembering the lessons learned and compiled by those who came before us, and always striving to live up to the ideal of continuous improvement.

Originally written by Dan Munro on Sep 10, 2018 under Creative Commons Attribution 4.0 International license. You may need to ask for permission before redistributing.