About ten years ago, Microsoft published The Ten Immutable Laws of Security to try to raise awareness of security issues and the importance of incorporating security at all levels of the organisation and in all aspects of a system. I was one of the speakers in the Philadelphia market who got to stand up in front of hundreds of Microsoft customers and preach the gospel of security, at a time when most folks couldn’t say "Microsoft" and "security" in the same breath, unless of course they stuck "has no" in between.
Say what you will about Microsoft security circa 2000, the laws as they were stated back then are still every bit as relevant today. I was recently asked to put together some security talking points to discuss with some systems admins, and I went straight back to the source, for I have found nothing better.
So, in the hope that others might find these useful, I am posting them here. I have changed some of the wording from the originals, condensed the main content to bullet points suitable for including in a slide deck, included my own speaker notes in italics beneath, and expanded the set to eleven because that’s how I roll. The original material, linked above, has a lot more supporting content if you are in need of inspiration, or want to see the originals.
1. Security starts with the admins…
- It also ends with the admins.
- There’s lots of hardware, software, data, people, and processes in between.
- The secure choice will be the default only when it is the obvious, or the easiest.

*Security is a process, not a checkbox. While admins hold the ultimate responsibility for security, there are lots of pieces between A and Z that can make or break any security posture. Admins must lead by example, provide training to end users and junior staff, and ensure that everyone knows the right choices when it comes to security. While we could probably come up with an endless list of security concepts, there are ten fundamental concepts that we’ll cover here.*
2. If a bad guy can get you to run his program on your computer, it’s not your computer anymore.
- Always scan your downloads.
- If in doubt, test them in a sandbox before deploying them into production.
- Scan removable media every time you use it.

*Trojan horses are programs that do one thing up front, but another behind the scenes. Back doors, key loggers, and scanners that look for credit card numbers and other confidential data to upload to the bad guys are commonplace. Your best defence is a layered one, to include safe surfing habits, good antivirus software that scans all files and updates frequently, firewalls that check outbound and prevent inbound traffic, and good user awareness training to make sure users understand why they aren’t supposed to run that cute little game program someone emailed them.*
3. If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
- One infected system can impact an entire network.
- People make mistakes; patches fix those.
- ‘Safe’ sites are compromised every day.

*Sure, you can run without antivirus, patch when you feel like it, and think you’re safe because you don’t surf to questionable sites, download programs, or run peer-to-peer. You can also drive without wearing a seatbelt, go years between medical check-ups, and feel safe because you watch what you eat. I like to call that security through naiveté. Don’t be that guy. A single compromised system on your network can spew enough traffic to slow everything down. Do you run processes using domain admin accounts? Use the same admin password on multiple machines? If so, you’re just begging for that one infected system to spread malware throughout your network. Antivirus, operating system patching, AND application patching are all CRITICAL to the overall health of your network, both at work and at home.*
4. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
- Alternate boot media or key loggers can get past most security.
- Brute force attacks against encrypted drives are only a matter of time.
- A stolen system is the ultimate denial of service attack, and eBay doesn’t ask for proof of purchase.

*Unless you use file or disk encryption, there is no protection you can place on your computer that can’t be circumvented by someone with physical access. Boot disks and keyloggers can be discreet, and may go unnoticed. Theft, while obvious, is a very straightforward means of gaining access to data on the disk, or making a quick buck. Secure your servers and network hardware in restricted access datacenters. Lock up USB drives, optical media, and printouts when you are not actively using them, and treat your laptop like you would your wallet or purse. Implement whole disk encryption for all laptops, and restrict what data may be stored on anything that leaves the four walls of your office.*
5. If you allow a bad guy to upload data to your website, it’s not your website anymore.
- Existing and potential customers see your website long before they see you.
- A compromised website speaks volumes about how you treat data security.
- You get one chance to make a first impression, and Google cache is forever.

*That should be ‘enough said’, but it’s not. Outsourcing your web hosting may shift the blame if your website is compromised, but that is little comfort if potential customers go elsewhere because they no longer trust you to protect their data. Even the most basic compromise, fixed as soon as it is noticed, leaves footprints amongst things like Google’s Safe Browsing diagnostics that may take months to fade. If you’re very, very lucky, a potential customer might give you the opportunity to explain. Do you want to take that chance?*
6. Weak passwords trump strong security.
- Avoid using clear-text protocols whenever possible.
- Shared credentials void accountability.
- Passwords are like a toothbrush: you never want to let someone else use yours, and you should change it frequently.

*Account lockout policies and complex password requirements don’t stop users from writing passwords down. Configuring your network devices to authenticate against Active Directory is great, until you use telnet to connect. We all love simplified sign-on to web-based apps, but not when they use HTTP. Telling your users not to share passwords is worthless if the first thing the help desk does is ask them for their credentials to begin troubleshooting. Unless you are using two-factor authentication schemes, the password is the most vulnerable aspect of your security, and the most important topic to cover with your end user training.*
7. A computer is only as secure as the administrator is trustworthy.
- Lead by example.
- “Do as I say, not as I do” is a career limiting decision.
- Everything you do while logged on as an admin has the potential for disastrous impact.

*As admins, we set the tone for the entire user base. If we preach one thing, but consistently practice another, we render useless any and all security awareness training we provide, as well as the best practices we advocate. If we cannot walk the walk while we talk the talk, we’re not really in the right line of work. Things like sudo, runas, UAC, and enhanced security configuration mode are all intended to limit the opportunity for damage caused by careless actions taken while logged on as a privileged user. Embrace those for the protection they provide; do not scorn them for the brief interruption that they cause when you are on a roll.*
8. Encrypted data is only as secure as the decryption key.
- Without reliable data, the systems are useless.
- Breaking encryption is only a matter of time, and weak passwords make the bad guys’ life easy.
- Securing the keys is as important as securing the data.

*More than any other technology buzzword, encryption calls up images of eldritch magick, with 1’s and 0’s floating through the ether like something out of the Matrix. We can encrypt data at rest, to keep it safe in the event of a physical loss; and we can encrypt data in motion, to protect it from prying eyes. But if we use simple dictionary words for our keys, if we hard code those keys into our conf files, if we readily share those keys or reuse them across systems, the question becomes when, not if, we’ll notice our information has been compromised.*
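As an added illustration of the three failure modes this law names (weak keys, keys hard-coded in conf files, keys reused across systems), and not code from the original post, here is a small Python audit that scans constructed sample config files for plaintext secrets and reports each problem; the config contents, the tiny word list and the 64-bit entropy threshold are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample config files, one per system (illustrative, not from the post).
CONFIGS = {
    "web01": "db_host = db.internal\ndb_password = letmein\napi_key = 7Hq2vL9xPz4eKm8nRt1wYb3c\n",
    "web02": "db_password = letmein\n",
    "batch01": "backup_key = 7Hq2vL9xPz4eKm8nRt1wYb3c\nsigning_secret = s3cr3t\n",
}

# Tiny dictionary of guessable values; a real audit would use a full word list.
WEAK_WORDS = {"password", "letmein", "secret", "s3cr3t", "admin", "changeme", "welcome"}

# Lines that assign a key/password/secret in plain text: "name = value" or "name: value".
KEY_RE = re.compile(r"^\s*(\w*(?:key|password|passwd|secret)\w*)\s*[=:]\s*[\"']?([^\"'\s]+)",
                    re.IGNORECASE | re.MULTILINE)


def entropy_bits(value: str) -> float:
    """Total Shannon entropy of the string in bits: a rough strength estimate."""
    n = len(value)
    counts = defaultdict(int)
    for ch in value:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) * n


def audit(configs: dict, min_bits: float = 64.0) -> list:
    """Return sorted (system, key_name, issue) tuples. Issues are 'hard-coded'
    (the secret lives in the config file at all), 'weak' (dictionary word or
    low entropy) and 'reused' (the same value appears on more than one system)."""
    entries = []                    # (system, name, value) for every plaintext secret
    holders = defaultdict(set)      # secret value -> systems that carry it
    for system, text in configs.items():
        for name, value in KEY_RE.findall(text):
            entries.append((system, name, value))
            holders[value].add(system)
    findings = []
    for system, name, value in entries:
        findings.append((system, name, "hard-coded"))
        if value.lower() in WEAK_WORDS or entropy_bits(value) < min_bits:
            findings.append((system, name, "weak"))
        if len(holders[value]) > 1:
            findings.append((system, name, "reused"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(*finding)
```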
9. An out of date virus scanner is only marginally better than no virus scanner at all.
- It can provide a false sense of confidence.
- New A/V definitions are released daily.
- Real-time scanning prevents bad things from happening. Scheduled scans only catch them after the fact.

*With an average of three new viruses or variants discovered daily, failing to update your definitions is a recipe for disaster. You think you’re safe, which might lead to risky actions like downloading programs from the Internet, opening attachments, etc. Disabling the real-time scanning is even worse, as that is what prevents infections. Scheduled scans only fix things after the damage is done.*
10. Absolute security isn’t practical, in real life or on the Web.
- You can’t eliminate risk, but you can mitigate it.
- As long as humans are involved, mistakes will be made.
- The worst mistake you can make is not learning from a mistake you already made.

*Want to know how to make a web server completely immune to hacks? Unplug it. Of course, that makes all the money you spent on that spiffy website kind of a waste. Eventually, you will work an incident. Someone will make a mistake, misconfigure a service, forget to change a default, open an attachment they shouldn’t have, or miss a patch. Don’t set out to rake them over the coals, but at the same time don’t ignore what happened. Use the incident as an opportunity to raise awareness. You don’t have to single them out to let everyone know what happened, what policies were in place that would have prevented the problem if they were followed, and how to make sure it doesn’t happen again.*
11. Technology is not a panacea.
- Remember that the systems are tools, not end goals.
- Humans can augment, or circumvent, any technical control.
- It comes down to education, awareness, and understanding; for admins and end users.

*In closing, remember that the network is a living, breathing, evolving and changing ecosystem. But it exists to help the business reach its goals and obtain its objectives, and all the myriad pieces and parts are used by humans every day. Your co-workers are your customers. Treat them as you would like to be treated, and remember that they can help you or hinder you, and which way they trend is within your control. Help them be better users of the technology and they will help you run a tighter ship.*
You can download security screensavers from Microsoft; both the Ten Immutable Laws of Security, and Ten Immutable Laws of Security Administration are available for download here. If you would like a copy of this as a RetroHack branded pptx or pdf, please leave a comment and I will be happy to email you a link.
No YouTube vid this time, just my favourite comic from my favourite comic.
Yes, that was me you saw standing on stage either in the Philly market at Microsoft product debuts for 2000 and 2003, or at the Security Roadshow. Or maybe you saw me at SANS conferences in Baltimore or Orlando. Either way, feel free to say hi by leaving a comment. I’d love to hear from you.
![Proper User Policy apparently means Simon Says.](http://retrohack.com/_retroh_wp_root/wp-content/uploads/2010/03/sandwich1.png)