Over the weekend, I stumbled across a 23-year-old classic.
It wasn't a fine whisky, but the 10 Immutable Laws of Security Administration.
This hard-to-find blog post from 2000 lays out ten fundamental truths of cyber security.
Like many original ideas, it has been respun and rebooted. But, like most sequels, they never live up to the original.
These rules were written during Web 2.0, and I am astounded by how well they have aged.
So, I've reproduced the laws below, with my brief comments and some minor edits to update the terminology.
Remember, the idea of cloud computing had yet to be created 23 years ago.
Law #1: Nobody believes anything bad can happen to them, until it does
[JP]: I see this opinion regularly. The argument that it is not "a core part of my business" is fair, but this is about resilience.
Law #2: Security only works if the secure way also happens to be the easy way
[JP]: 100%. Some security vendors are starting to (finally) get to grips with this idea. It's only taken two decades...
Law #3: If you don't keep up with security fixes, your [data] won't be yours for long
[JP]: It was clear in 2000. It's clear today. Bugs, vulnerabilities and exploits are continually being found.
What's different now is the speed of bugs to exploits. A recent critical vulnerability in ManageEngine was acknowledged on 10 January 2023 and was seen being exploited in the wild by 19 January 2023.
Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
[JP]: One can put on a great show - being seen to do security. But if the complete picture isn't considered... it's seen for what it is. A show.
Law #5: Eternal vigilance is the price of security
[JP]: Security is a process, not a one-time fix. Make security a cost-effective and sustainable cost of doing business - just like finance, legal, and HR.
Law #6: There really is someone out there trying to guess your passwords
[JP]: This was about reverse engineering encryption and password cracking. But now it's about buying stolen passwords on the dark web.
Law #7: The most secure network is a well-administered one
[JP]: Forgetting to remove an account... Limiting access to data... The 2021 Colonial Pipeline attack exploited both these process failures and a compromised password. The end result was fuel shortages across the eastern US.
Law #8: The difficulty of defending a network is directly proportional to its complexity
[JP]: There was a time when administrators prided themselves on the complexity of their network. An architecture of "delicate elegance" that only they could control. Thankfully as cloud services, microservices and infrastructure-as-code have been adopted, this idea is now the rare exception.
Law #9: Security isn't about risk avoidance; it's about risk management
[JP]: A universal truth. You cannot get to vulnerability zero. And risk is a part of business and everyday life.
Law #10: Technology is not a panacea
[JP]: This is still the case - and why security awareness training is so essential.