5 Laws of IT Security

By EventTracker Guest Blog

There are five laws of IT security.

1. There is no such thing as perfect security: Systems designed by humans are vulnerable to humans. Bugs exist. Mistakes are made. The things that make your computers useful–that is, communication, calculation and code execution–also make them exploitable. Information security is the management of risk. A good infosec design starts with a risk profile, and then matches solutions to the likely threat.

2. Your defenses must be perfect every time; the attacker needs to be lucky only once: Attackers look for the easy way. The best firewall in the world will not prevent a hard drive from being stolen. Your security policy must take a holistic approach to your systems, and then minimize the impact of an exploit. If you doubt this, see law No. 1.

3. Your administrator’s account security is critical: These days, most data centers have good physical security, but none of that matters if the administrator has full remote control of his systems. Install a key-logger on the admin box, and you own the network. Forcing privileged users to sit in an unrestricted cube farm with the rest of your employees is just asking for trouble. A variation on this theme is, “Don’t give out admin privileges out like they are Halloween candy.”

4. Hackers are usually driven by the profit motive: An unmotivated attacker will always lose to a diligent defender. Hackers are lazy, and they go after the low-hanging fruit first. Minimize your public profile, and you will reduce the number of attacks. A Web server that is filtered by a firewall and only allows port 80 and 443 looks a lot less attractive than an unprotected Web server that also responds to a couple dozen other ports. Reducing the number of attack vectors reduces the number of attacks and attackers. But, if the bad guy wants in, and has enough motivation, he will get in. Period. Why do the best protected networks of the DoD still get compromised? Because the motivation to get in is sky high, and the attacker has unlimited time. Defend accordingly.

5. Usability increases security: The best security controls are the ones that are mandatory and transparent to the end user. The worst controls are difficult to use and require the user to change his or her behavior. Automatically redirecting your Web pages to pages that use SSL increases privacy while being effortless on the part of your user. Requiring users to have a 36-character password with special characters, and forcing them to change it every seven days, may seem more secure, but it forces users to write the new password down and tape it to their monitor just so they can remember how to log in. Don’t confuse complexity with security. Usually, the opposite is true.

Guest blogs such as this one are published monthly and are part of MSPmentor’s annual platinum sponsorship.