Ten laws

N°1: Attackers will always find their way

Whatever system, an attacker will find one day a weakness. Thus, during design, renewability of security is a mandatory feature.  An example of renewability is the use of removable secure modules such as smart cards.  This explains how pay TV survived numerous attacks for two decades.

N°2: Know the assets to protect

It is important to know the assets to protect., the potential attackers and the threats. Before starting any design, it is mandatory to perform a threat analysis.  The threat analysis identifies the most probable threat and the associated potential losses.  Unfortunately, there is no established methodology;

N°3: No security by obscurity

In XIXth century, KERCKHOFFS Auguste issued his famous law:  The security of a system should rely on the secrecy of its keys and not of its algorithms.  Many examples proof the truth of this law.  The secret keys are probably the most important asset to protect.   Recent attacks on AACS once more highlighted it.

N°4: Trust no one

A key element is the trust model.  It lists all the hypotheses on which security rely.  These hypotheses are the foundations of the system.   The more there are hypotheses, the higher the probability that one of them will fail.  Thus, trust no one.

N°5: Si vis pacem, para bellum*

Due to law 1, there will always be successful attacks.  Thus, it is important to design countermeasures before occurrence of the attacks.   Two possible strategies: waiting until the attacks occurs to deploy the countermeasure, or update continuously update the target to weaken the attack. The choice depends on many factors such as cost, losses and acceptable risks.
It is mandatory to know our opponents.  Thus it is mandatory to survey the scene and the darknet to learn about the latest exploits and the newest hacking tools..
“* Who wants peace, prepares war”

N°6: You are the weakest link

People are often the weakest link of any secure system.  The simplest illustration is the management of passwords.  Useless to remind stories of weak or lost passwords, or post it near the computer’s screen.  Unfortunately, social engineering is a underestimated threat.  Social engineering gains unauthorized access or secret information through human interaction, often through impersonation.
The best countermeasure is to design the security to be as transparent as possible for the users.  Training the users is another countermeasure.

N°7: Security is not stronger than its weakest link

Indeed a trained hacker will look for this weakest point to attack. It is paramount to know the robustness of each parts of a secure system. If investment is possible, put it on this point.
For instance, it is useless to put a vault door to a house if the windows are not protected and easily reachable.

N°8: If you are connected to the Internet, then the Internet is connected to you

A door in a fence is also a potential opening for an attacker. Thus, it is important to follow some rules:

  • Never let a door open when unused
  • Monitor any opened door

Internet offers many opportunities but also a wealth of potential threats.

N°9:  Quid custodient ipsos custodies ?*

This rule has two aspects.  It is mandatory to have security policies that define mutual controls.  It is also important to assess the right implementation of these policies.
Good practices in security require to log all events in files.  These files are useless if not used. The analysis may happened once an incident was detected.  But it would better to analyze the logs to detect suspicious events.
“*Who guards the guardians?”

N°10: Security is not a product but a process

Security is a mindset and is in continuous motion.  Security is an endless race with attackers.  It requires continuous monitoring of the attackers, of the newest exploits, and assessment of the efficiency of the deployed solutions.

Genesis of the 10 laws

For 15 years, together with my security team, I have defined and refined this set of ten laws for security.  These laws are simple but powerful.  Over the years, I discovered that these laws were an excellent communication tool when meeting other security experts, solution providers, or potential customers.  They allowed quickly to benchmark if both parties shared the same vision about security.  Many meetings successfully started by introducing these rules, and helped to build reciprocal respect between teams. I discovered that these laws were also an excellent educational tool.  Each law can introduce different technologies and principles of security.  It is an entertaining way to present security to new security students or to introduce briefly security.  Furthermore, these laws are mandatory heuristics that should drive any design of secure systems.  There is no valid rationale reason that a system should violate one of these rules.  As such, this set of laws is a reasonable initial sieve for snake oil vendors.

I am currently writing a book about security using these ten laws as framework.  The book will be published in 2015 by Springer.   If you want to propose some examples to be incorporated in the book, you’re  welcome.