The 12 Immutable Laws of Information and Computer Security
As active technology security professionals, we regularly deal with a variety security issues that arise from various causes. While sometimes these security breaches are due to a product flaw – more often than not the real reason for a security breach comes from natural human error, or a lack of knowledge about good security practices (note: this isn’t an intelligence thing, it’s really more a perspective thing).
Something we have noticed over the years is that we find certain commonalities among the causes of these security issues. Accordingly (and with a little inspiration from Microsoft) we’ve put together a pretty solid list of important security concepts that people really should keep in mind at all times.
So here are the 12 things you should always keep in mind when thinking about your computer / information security. The following tips will save you a lot of later head and heartache:
- It is impossible for technology vendors to “fix” every single possible security issue
- Absolute privacy is not practically achievable, whether online or offline
- If someone can run programs on your computer – it is not your computer anymore
- If someone can alter your computer operating system – it is not your computer anymore
- If someone has unrestricted physical access to your computer – they can do anything they want to your (former) computer
- If someone can run active content on your website / hosted application – then it’s not your website / hosted service anymore
- Your computer or network is only as secure as far as you can trust your administrator
- Encrypted data is only as secure as its decryption key
- Out-of-date security software is only marginally better than no security software at all
- A weak password makes even the best security systems irrelevant
- Technology cannot solve what is ultimately a human issue
- Overly strict and impractical security policies are counterproductive
1. It is impossible for technology vendors to “fix” every single possible security issue
The sad reality is that software vendors (like Microsoft, Google, and everyone else) really do try as hard as possible to prevent and patch security issues as soon as they find out about them (which is why you should ALWAYS report issues to the relevant company).
It is however impossible to create an absolutely secure system, because almost all security exploits work by utilizing functions that are doing exactly what they are supposed to do. The only difference is that one person is authorized to do so, and the other person is not (hence a security breach).
This concept strikes at the very heart of computer science, because it is not the technology that is at fault – but how the technology is being used. This is why you should not always rely on the vendor to fix all your security issues – because oftentimes it is not even their fault, or due to tragic circumstance impossible to predict.
2. Absolute privacy is not practically achievable, whether online or offline
Privacy has been a big issue this past year, so some people are not going to be happy to hear this. All human interaction ultimately involves exchanging data of some kind, and is someone (i.e. anyone) weaves together enough of this information – they will be able to identify you.
Think about it for a moment. Whenever you visit a website – data about what you are doing and requesting HAS to make its way to the website’s server – otherwise the internet would not function at all. For example requesting a page from the menu or address bar, watching a video, or checking out a picture gallery all require you to send a request to someone’s server – and that server has to respond back to you!
True there are a lot of things you can do to disguise these requests e.g. masking your IP address, using VPNs, subscribing to anonymizing services, using public internet kiosks, and so on. All of these things make it harder for someone to track you, but none of these make it impossible – especially to someone sufficiently motivated.
Does this mean privacy is a lost cause? Certainly not – just don’t expect a guarantee of privacy to be your security net, and don’t expect technology to give you privacy. The best course to protect your privacy is to treat your internet sessions as if meeting someone in real life i.e. you change your behavior so that you only give out information to another party that you want them to have.
3. If someone can run programs on your computer – it is not your computer anymore
It is a simple truth of computer science: when a computer program runs, it will do what it is programmed to – regardless of how you feel about it. If the program is designed to read all your emails, monitor your keystrokes, and send this data back to a criminal database – this is exactly what will happen.
This is why you should never run any program from an untrusted source, and you should also strictly limit the ability of others to run programs on your machine. It sounds obvious, but when was the last time you looked at your permissions settings? Mac users click here.
4. If someone can alter your computer operating system – it is not your computer anymore
To quote Microsoft’s support library “In the end, an operating system is just a series of ones and zeroes that, when interpreted by the processor; cause the computer to do certain things. Change the ones and zeroes, and it will do something different.” This was exactly why the Android Master Key exploit was such a big concern – because if you control the operating system of a computer, you can do anything you want with that computer.
To prevent such a thing from happening, you need to prevent rogue programs from accessing and manipulating your system files and registry. The easiest way to do this is to create a basic user account (with standard-level user permissions) which you use every day, and setup an administrator account that you only use when you need to make big changes. This way even if your everyday account is compromised, they won’t be able to make changes to the core software running your computer.
5. If someone has unrestricted physical access to your computer – they can do anything they want to your (former) computer
A few examples of what one can do to a computer with unrestricted physical access:
- Smash it with a baseball bat
- Steal it and hold it for ransom / sell the information
- Remove the hard drive, install it on their own computer, and read all the data
- Duplicate the hard drive, and read all the data
- Install a monitoring device
This is of course why you should always physically protect your computers in a way consistent with the value of that computer (remember that data also has value!). Laptops and mobile devices are especially vulnerable to this form of security breach, though there are a lot of things you can do to protect these nowadays e.g. install a kill switch, some form of GPS tracking, whole drive encryption etc.
6. If someone can run active content on your website / hosted application – then it’s not your website / hosted service anymore
Even worse than downloading and running a malicious program, is letting someone use your computer / network / website / web service / hosted application to send malicious programs to others. This is what happens with illegal botnets for example, or in poorly regulated mobile app stores.
You need to limit what people are able to do when they visit your website or utilize your application. A properly administered web host or cloud service will already take many of these risks into account (such as disallowing scripts or programs that can affect other user accounts) – however this does not let you off the hook from taking care of administrative matters on your end.
7. Your computer or network is only as secure as far as you can trust your administrator
A system administrator (or sysadmin) is someone who is able to make fundamental changes to your software, this includes but is not limited to configuring the operating system, managing user accounts, and applying security policies as appropriate. This includes of course related sub-administration fields such as database, network, and security administration.
When hiring an administrator to take charge of your systems, you need to recognize that this is a position of trust – and accordingly you need to hire people who warrant that trust. For example checking references, reviewing their work history, and especially looking closely at any security incidents they have been involved in.
In short – don’t give administrator privileges to anyone who hasn’t been properly vetted. It’s also a good general idea to intentionally limit the power that one person has over the operation of your systems, and to also include policies to keep “honest people honest” e.g. logging server access.
8. Encrypted data is only as secure as its decryption key
Even if you’ve encrypted your data with absolute best encryption software that money can buy – if you leave the decryption key lying around for anyone to easily find – then there was hardly a point encrypting the data in the first place.
This is a case where convenience must be balanced with security. For example, while most cryptographic security products give you the option to store cryptographic keys on your computer – any sufficiently motivated person can easily find them given time. Not good enough for really sensitive data.
A better solution would be to store keys in a protected repository, which is physically separated from the computer containing the encrypted data. Your own brain will be the best “protected repository”, though there are also sufficiently secure technological solutions if you’re willing to do a little research.
9. Out-of-date security software is only marginally better than no security software at all
Security software (such as antivirus and antimalware) works by comparing known virus / malware “signatures” against files that are stored on your machine. Since new virus and malware are being released all the time (or new variations thereof), it is vital that you keep your “signature” files as up-to-date as possible – because otherwise your scanner will be unable to detect them, let alone fix them.
Malware always does the most damage at the very beginning of its release, simply because there is no way to detect or remove them. Once the word spreads that new malware is on the loose, the antimalware companies will release a new signature file as soon as they can (usually within hours or days).
Virtually all antimalware providers have a way for you to get updated signature files for free – such as via their website or through some dedicated update service. Usually you can automate these updates, or enable push notifications so you’ll be immediately alerted that a new signature file is available.
10. A weak password makes even the best security systems irrelevant
The logon process works by identifying a user, and allowing / disallowing access to system resources based on their authorized privileges. If someone gains access to your password, as far as any system or computer is concerned – that person logging on is YOU.
Therefore, no matter how strong your security system is, this becomes meaningless as soon as someone figures out your password. What you need to do is:
- Make sure all your accounts have a password (you’d be amazed how many accounts don’t have one)
- Pick a strong password – there is actually a relevant XKCD comic about this subject
- Don’t write down your password – though if you really must, keep it in a secure place such as your wallet, a safe, or a locked drawer i.e. not on a post-it attached to your monitor or keyboard
- Never give out your password to anyone – no reputable service will ask you for your password
- If feasible – employ multi-factor authentication
11. Technology cannot solve what is ultimately a human issue
While technology can do many amazing things, it is ultimately an imperfect science. Flaws will creep into any system, security and convenience are a continuous balancing act, and ultimately it’s a simple fact of life that striving for a “fool-proof system” inevitably ends up creating a better class of “fool”.
Even if technology could someone be made “perfect” – there is still the human factor to consider. Mobile devices get stolen, passwords get cracked, people get tricked, and ultimately a sufficiently motivated criminal will somehow “find a way” if given enough time.
The most important thing to understand here is that technology is not the “be-all-end-all” solution to your security needs. Security policies and the human factor must be accounted for in any decent security program, and this must be paired with the understanding that security in of itself is something of a chess game i.e. a series of moves and countermoves between the “good guys” and the “bad guys”.
13. Overly strict and impractical security policies are counterproductive
It is something of a counterintuitive idea, but it is so important to keep in mind. If you make your security procedures too bothersome and cumbersome for people to use (even if it IS the ultimate security system money can buy) – people will find a way to bypass these procedures, even though these policies are meant to protect them as much as the company.
We’ve touched upon this topic already several times in this post – that security and convenience must be balanced together to create an effective security system. If you find that people are bypassing your security policies with alarming regularity – you should probably take a hard look at your policies rather than simply punish the perpetrators.