The Twelve Commandments of Security

Rick Butler

Well-known member
  • Aug 8, 2019
    2,101
    7
    3,754
    121,321
    Colorado Springs, CO
    www.intellitec.edu
    From tonight's TTT and other associated posts...feel free to comment...

    I would always print these out and display for Security Classes.

    The Twelve Commandments of Network Security
    1. There is no such thing as Absolute Security and there are no silver bullets
    2. The three goals of security are Confidentiality, Integrity, and Availability
    3. Always practice Defense in Depth as a security strategy.
    4. People, when left to themselves, make the worst security decisions.
    5. Security involves both Functional and Assurance requirements.
    6. Security through obscurity is never good policy.
    7. Security means risk management
    8. The controls of security are prevention, detection, and response.
    9. Complexity is the enemy of good security.
    10. Fear, Uncertainty, and Doubt are not good motivators for security.
    11. People, Processes and Technology are all necessary in order to have good security.
    12. Open disclosure is a good thing for security.
    /r
     
    #4 - I agree.
    A network is only as strong as the weakest link.
    The usual weak link is the people.
    I think it almost ALWAYS is, unless you have a security administrator who is totally incompetent, lazy, and making obvious mistakes. In fact, I'm sure there are a few stories of some horrific, you-gotta-be-kidding-me stories to share in this group.
     
    When I did IT for a school district in Northern Michigan, we had a science teacher at the high school level that my predecessor set as a power user in the network. My predecessor was no longer around when this incident occurred. This teacher thought he knew everything about computers and security, and did know a lot about how things work. The thing that he didn't know at that time was about the new "cryptolocker" viruses that were just starting to be used. I, being in IT, knew about it, and was working on an email to all staff stressing the importance of not clicking links in emails, or downloading files from unknown sources, etc. While working on writing the email, he calls me up on the phone saying that he downloaded a file, and things were acting weird on his system.

    You're likely saying to yourself at this point, "Really, David? A download that was a problem." It is truly a shock, I know.

    Well, the way that network was setup at some point before I started working there, is that they were using folder redirection to send everything from My Documents (including downloads, pictures, etc) straight to the SAN. So the virus went right from his email to our SAN, and immediately started encrypting files... a lot of files. By the time he let me know what was going on, almost two hours had already passed. I felt like Madagascar from the classic game Pandemic and I had to Shut down EVERYTHING.

    Users are always the weakest link. Never trust that your predecessors understand that users are the problem (and sometimes the solution too).
     
    • Like
    Reactions: Jarrel
    From tonight's TTT and other associated posts...feel free to comment...

    I would always print these out and display for Security Classes.

    The Twelve Commandments of Network Security
    1. There is no such thing as Absolute Security and there are no silver bullets
    2. The three goals of security are Confidentiality, Integrity, and Availability
    3. Always practice Defense in Depth as a security strategy.
    4. People, when left to themselves, make the worst security decisions.
    5. Security involves both Functional and Assurance requirements.
    6. Security through obscurity is never good policy.
    7. Security means risk management
    8. The controls of security are prevention, detection, and response.
    9. Complexity is the enemy of good security.
    10. Fear, Uncertainty, and Doubt are not good motivators for security.
    11. People, Processes and Technology are all necessary in order to have good security.
    12. Open disclosure is a good thing for security.
    /r
    Thank you for sharing this.