While working within the security community, we have learned that the universe of security can be described by certain laws, much as the physical universe is described by certain absolute statements.
One of the classic articles of computer security came from Microsoft in an era when security was not their strong suit. The article "10 Immutable Laws of Security 1.0" by Scott Culp relates rules that ring as true today as they did in 2000 when the article was written. As we all know so well, computing has changed over the last eleven years, and Microsoft recently updated the laws as the "10 Immutable Laws of Security 2.0". Briefly, the laws are:
- Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer any more.
- Law #2: If a bad guy can alter the operating system on your computer, it's not your computer any more.
- Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer any more.
- Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
- Law #5: Weak passwords trump strong security.
- Law #6: A computer is only as secure as the administrator is trustworthy.
- Law #7: Encrypted data is only as secure as its decryption key.
- Law #8: An out-of-date anti-malware scanner is only marginally better than no scanner at all.
- Law #9: Absolute anonymity isn't practically achievable, online or offline.
- Law #10: Technology is not a panacea.
Let’s focus on Law 10, not only because technology does amazing things, but because it tends to be thought of as the silver bullet. (We are not fighting werewolves.) The last couple of years have seen the development of more affordable and more powerful hardware, software that harnesses that hardware to open new avenues for computer users, and services that change our expectations for both, as well as advancements in cryptography and other sciences.
This trend is evident in our Transport Access Control (TAC). With a lot of vision and looking at technology from a different perspective, we had the opportunity to bring to market a game-changing security product. It's tempting to believe that technology can deliver a risk-free world, if we just work hard enough. However, this is simply not realistic.
Short of a pair of wire cutters, there isn’t a notion of perfect security. Why? Because perfect security requires a level of perfection that simply doesn't exist and, in fact, isn't likely to ever exist. This is true for software as well as virtually all fields of human interest. Software development is an imperfect science, and all software has bugs. Some of those bugs can be exploited to cause security breaches. That's just a fact of life. But even if software could be made perfect, it wouldn't solve the problem entirely.
Most attacks involve, to one degree or another, some manipulation of human nature—a process sometimes referred to as social engineering. Raise the cost and difficulty of attacking security technology, and bad guys respond by shifting their focus away from the technology and toward the human being at the console. It's vital for each one of us to understand our role in maintaining solid security, or each one of us becomes the chink in our own systems' armor.
What to do? The solution is to recognize two essential points.
First, security is a combination of technology and policy; together, they ultimately determine how secure your systems are.
Second, security is a journey, not a destination. It isn't a problem that can be "solved" once and for all, but a constant series of moves and countermoves between the good guys and the bad guys. The key is to ensure that you have good security awareness and exercise sound judgment. Combine great technology with sound judgment, and you'll have more effective security.
Unfortunately, this now brings us back to the beginning. How many organizations today don't know the Laws #1 through #9?