Ten Immutable Laws of Security (Version 2.0)

Back in another life I was the IT Manager for a company that held security above all else. While sitting through yet another computer security seminar, an interesting slide hit the screen. It was titled “Ten Immutable Laws of Security”. The “laws” were put out by the Microsoft Security Response Center, which monitors reports of security vulnerabilities. Some reports were the result of flaws in the software, so the Center would then create patches for the software. Some reports were due to mistakes by the person using the software; these could be resolved with training, not programming. But many reports would fall somewhere in between these two scenarios: not flaws or mistakes, but vulnerabilities due to the nature of how computers work.

But as the report that issued this list of “laws” stated, “…don’t abandon all hope yet…”: simply being aware of these vulnerabilities is the first step in preventing them. The “Immutable Laws” have been updated since then to more closely reflect modern computing, and they still hold true. Details and explanations can be found on the site listed below.

The 10 Immutable Laws

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.

Law #5: Weak passwords trump strong security.

Law #6: A computer is only as secure as the administrator is trustworthy.

Law #7: Encrypted data is only as secure as its decryption key.

Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.

Law #9: Absolute anonymity isn’t practically achievable, online or offline.

Law #10: Technology is not a panacea.


http://technet.microsoft.com/en-us/library/hh278941.aspx


David Descoteaux
Technology Support Specialist/Customer Services