You may know that my team has defined ten laws of security. This is an extremely useful tool. We use it daily as heuristics. Of course, we are not the only ones to have such rules. Thus, I decided to start to collect the sets of 10 security rules.
Here is my first set.
1. Technology is not a panacea
2. If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
3. If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
4. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
5. If you allow abad guy to upload programs to your web site, it’s not your website anymore.
6. Weak passwords trump strong security
7. A machine is only as secure as the administrator is trustworthy
8. Encrypted data is only as secure as the decryption key
9. An out-of-date virus scanner is only marginally better than no virus scanner at all
10. Absolute anonymity is not practical in real life or on the web.
I found there in a tutorial about ethical hacking. In fact, it seems that they come from Microsoft. Thus, if somebody can provide me with a pointer to the original source, I would be glad.
These rules are clearly with a computer and IT scope. They are interesting. Some rules have similarities with ours. Their law 1 looks like our law 10 (Security is not a product but a process). Law 6 is a case of our law 7 (Security is not stronger than its weakest link). Law 7 is an example of our law 6 (You are the weakest link). Law 8 is an illustration of Kerckoff’s law.
Law 2 to 5 are true. It nicely describes the extreme context as defined in software protection. Unfortunately, it is too often the reality. This is why software protection is difficult. Law 3 and Law 4 are the basic environment of any DRM system. The possible bad guys owns and controls the host (in fact, it is his machine).
If you know other sets of 10 rules of security, please forward them to me to complete my collection.