The Principles Of Security
Originally written on Dec 2017, and as part of The Laws Of Security website.
When you are confronted with a new system, environment, solution, or collection of things, it is easy to get overwhelmed and lose sight of the bigger picture. That’s where vulnerabilities and poor planning can happen. Keeping an eye on the basics and building a solid foundation has to be the first priority.
To simplify this process I put together a collection of principles that have served me well over the years. They may not apply to every single issue, but these are useful nonetheless for any security endeavor.
1. UNDERSTAND THE ENVIRONMENT
Know what you need to protect. Reduce a problem to its lowest abstraction, and understand the risk and threat landscapes. Have one single source of truth.
2. PEOPLE, PROCESS, AND TECHNOLOGY
Security begins with people. Technology and process complement the people, not replace them. Educate people, create processes, then implement technology. Pick the right people. Quality is better than quantity.
3. DEFENSE IN-DEPTH
Security is built around layers, with each layer being more difficult to penetrate. Make the invisible, visible, and always try your best to engage a threat at the outermost layer.
4. DON’T TRUST, ALWAYS VERIFY
Never trust input. Make sure you authenticate the source. Be wary of unknown output as well.
5. PREPARE FOR THE CRISIS YOU HAVE, NOT THE ONE YOU WANT
Consider what you need for the circumstances you are most likely to face, not the ones that are the easiest or most exciting to plan for. Plan ahead, and red team it. Remember: it’s too late to start planning once the crisis occurs.
6. KEEP IT SIMPLE
Have clear priorities and communicate them in a simple way. Strive for procedures and automation that are easy to follow and are repeatable. Security supports a larger objective, don’t develop in a vacuum.
7. ASK: WHAT CAN GO WRONG?
Search for the things that can go wrong, even if they appear as an impossibility. Understand the issues and proactively address them.