Over eight years ago, Scott Culp of Microsoft published two white papers that get tossed around in security circles over and over. The 10 Immutable Laws of Security Administration and the 10 Immutable Laws of Security are often referenced in introductory security classes. Though these rules are dated, they are still relevant today. I just want to comment on a few of them and how we see them impacting our clients today.
10 Immutable Laws of Security Administration
- Law #1: Nobody believes anything bad can happen to them, until it does
- Law #2: Security only works if the secure way also happens to be the easy way
- Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
- Law #4: It doesn’t do much good to install security fixes on a computer that was never secured to begin with
- Law #5: Eternal vigilance is the price of security
- Law #6: There really is someone out there trying to guess your passwords
- Law #7: The most secure network is a well-administered one
- Law #8: The difficulty of defending a network is directly proportional to its complexity
- Law #9: Security isn’t about risk avoidance; it’s about risk management
- Law #10: Technology is not a panacea
Law #1: Nobody believes anything bad can happen to them, until it does
This is probably the biggest stumbling block we encounter when working with small businesses. People like to think they are not targets, and to some extent, small businesses are not targets. The issue is that a significant share of server compromises are not directed attacks but simply the result of random scanning. If a bot scans your server and finds vulnerabilities, you quickly become a target. You don’t have to hang a “Can’t Hack This!” sign to solicit attention. If the random scanning turns up a juicy port or application, you become a target. So while you may not think it will happen to you, I can assure you that your server is being scanned frequently.
Law #3: If you don’t keep up with security fixes, your network won’t be yours for long
The key value of our Linux server management offerings is the software update service. Beyond the monitoring and help desk support, our routine application of security patches keeps minor exploits from becoming major ones and reduces the chance of a critical security failure. Staying on top of security threats and plugging holes is vital. The number one issue we see is web applications. While we can do everything to keep the server secure, if you don’t update your web applications, you can quickly become a victim. Web applications have quickly risen to the top of the SANS Top 20 threats and will likely remain there until easier update methods emerge.
Law #6: There really is someone out there trying to guess your passwords
rackAID earns $1000s per year fixing security issues that were directly attributed to poor password security. Nearly every month, we encounter some system with a very poor password or one using the same password in multiple contexts. You can use Winguide’s Password Generator to make a strong password (8 characters with numbers, capitalization, and symbols). If you are worried about forgetting passwords, search for any number of password management tools.
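To see Law #6 in your own logs, here is an added example (not part of the original post, and not a rackAID tool) that counts failed sshd password attempts per source address over a constructed /var/log/secure excerpt; the hostname, addresses, usernames and thresholds are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of sshd entries in the format rsyslog writes to
# /var/log/secure on a Red Hat style system. None of this is real traffic.
SAMPLE_LOG = """\
Mar  3 02:14:07 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:09 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:11 web1 sshd[2105]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 02:14:13 web1 sshd[2107]: Failed password for root from 203.0.113.45 port 51052 ssh2
Mar  3 02:14:15 web1 sshd[2109]: Failed password for invalid user test from 203.0.113.45 port 51060 ssh2
Mar  3 02:14:16 web1 sshd[2111]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2
Mar  3 02:15:02 web1 sshd[2120]: Failed password for deploy from 198.51.100.7 port 40130 ssh2
Mar  3 02:15:05 web1 sshd[2122]: Accepted password for deploy from 198.51.100.7 port 40131 ssh2
"""

# Matches both "Failed password for root from ..." and the
# "Failed password for invalid user admin from ..." variant.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def summarize_failures(log_text):
    """Return {source_ip: (failure_count, sorted usernames tried)}."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return {ip: (counts[ip], sorted(users[ip])) for ip in counts}


def guessing_sources(log_text, max_failures=4, max_users=2):
    """Source addresses that look like password guessing: many failures,
    or failures spread over several account names (a single typo by a real
    admin, like the deploy user above, stays below both thresholds)."""
    flagged = [
        ip for ip, (n, names) in summarize_failures(log_text).items()
        if n > max_failures or len(names) > max_users
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for ip, (n, names) in summarize_failures(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, accounts tried: {', '.join(names)}")
    print("likely guessing:", guessing_sources(SAMPLE_LOG))
```

Point the same parser at a real /var/log/secure (or the `journalctl -u sshd` output on newer systems) and the first thing you see is how steady the guessing is, which is why the paragraph above insists on strong, unique passwords.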
Law #8: The difficulty of defending a network is directly proportional to its complexity
This is why we push back when you want us to add some third-party software. Complexity should only be added when it is a business or technological necessity. As I pointed out with Red Hat Updates, keeping things stock is critical to easy server management.
Law #10: Technology is not a panacea
Too often people forget that there are other people out there trying to do bad things to their network. Clever security technology can be cracked by clever hackers. Planning for security, implementing those plans, and knowing what to do when something does go wrong is key. This is one reason we push our CDP backup services. By retaining older backups, we can easily roll back a system to a pre-intrusion state. Using our backups, we have restored many sites after they were hacked.
These are some of the key issues we see impacting our clients. I recommend you review the full list of 10 Immutable Laws of Security Administration and 10 Immutable Laws of Security. Though written years ago, they are still relevant today.