September 30, 2016

Microsoft Updates the Ten Immutable Laws Of Security

Ten years ago Microsoft penned the "Ten Immutable Laws of Security", a document that has been central to much of how Microsoft thinks about security. Since it was written a lot has changed in the technology we use day to day, including the rise of cloud computing, the popularity of social networking, and widespread smartphone adoption.

So Microsoft have updated the document to the Ten Immutable Laws of Security version 2.0. The original ten laws were:

  1. If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
  2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
  3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
  4. If you allow a bad guy to upload programs to your website, it’s not your website any more.
  5. Weak passwords trump strong security.
  6. A computer is only as secure as the administrator is trustworthy.
  7. Encrypted data is only as secure as the decryption key.
  8. An out of date virus scanner is only marginally better than no virus scanner at all.
  9. Absolute anonymity isn’t practical, in real life or on the Web.
  10. Technology is not a panacea.

The version 2.0 list is as follows (the wording changed in laws 1, 4, 7, 8 and 9; laws 2, 3, 5, 6 and 10 are unchanged):

  1. If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
  2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
  3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
  4. If you allow a bad guy to run active content in your website, it’s not your website any more.
  5. Weak passwords trump strong security.
  6. A computer is only as secure as the administrator is trustworthy.
  7. Encrypted data is only as secure as its decryption key.
  8. An out-of-date antimalware scanner is only marginally better than no scanner at all.
  9. Absolute anonymity isn’t practically achievable, online or offline.
  10. Technology is not a panacea.

The explanations have also been expanded to reflect the changes in the laws and to add more information when necessary. Here is a summary of some of the changes:

Added to law 2:

In modern operating systems, default settings largely prevent anyone but administrators from making such bedrock changes. Preventing rogue programs from gaining administrative-level access is the best way of protecting the operating system. That’s best accomplished by not operating your computer from an account with administrative privileges except when specific tasks make it absolutely necessary – and logging out of that high-privilege mode as quickly as possible once your task is complete. Home users should consider creating an “everyday” account set to operate with standard-level user permissions. On those relatively rare occasions when you really do need to make big changes, you can log into the administrative account, do whatever needs to be done, and switch back to the safer account when you’re finished.
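The following script is an added example of putting that advice into practice on a Windows 10 or Windows Server 2016 machine; it is not part of Microsoft's document. It relies on the Microsoft.PowerShell.LocalAccounts cmdlets that ship with those versions, must be run once from an elevated prompt, and the account name "everyday" is an assumption you should replace with your own.

```powershell
# Added example (not from Microsoft's text): set up the "everyday" standard
# account that Law 2 recommends and keep it out of the Administrators group.
# Assumptions: Windows 10 / Server 2016 with the LocalAccounts module, and the
# account name 'everyday'.

# 1. Are we elevated? Daily work should NOT be done from a session where this is $true.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Who currently holds administrative rights on this machine? Review this list;
#    every entry is an account that can alter the operating system.
function Get-LocalAdminReport {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 3. Create the standard account and make sure it sits only in the Users group.
function New-EverydayAccount {
    param([Parameter(Mandatory)][string]$Name)

    if (-not (Test-IsElevated)) {
        throw 'Creating a local account requires an elevated session.'
    }

    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Write-Warning "Account '$Name' already exists; checking its group membership only."
    } else {
        $password = Read-Host -AsSecureString "Password for new standard account '$Name'"
        New-LocalUser -Name $Name -Password $password `
            -Description 'Standard-privilege account for daily use (Law 2)' | Out-Null
        # New-LocalUser does not add the account to any group by itself.
        Add-LocalGroupMember -Group 'Users' -Member $Name
    }

    # Guard against the account having been added to Administrators by some other path.
    $pattern = '\\' + [regex]::Escape($Name) + '$'      # matches e.g. MACHINE\everyday
    $admins  = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($admins -match $pattern) {
        Write-Warning "'$Name' is a member of Administrators; removing it."
        Remove-LocalGroupMember -Group 'Administrators' -Member $Name
    }
}

# 4. From the everyday account, run a single privileged task through a UAC prompt
#    instead of staying logged in as an administrator. The elevated window closes
#    as soon as the command finishes, which is the "switch back quickly" part.
function Invoke-Elevated {
    param([Parameter(Mandatory)][string]$Command)
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoProfile', '-Command', $Command -Wait
}

Get-LocalAdminReport | Format-Table -AutoSize
New-EverydayAccount -Name 'everyday'
# Example later, from the everyday account: Invoke-Elevated 'Install-WindowsFeature Telnet-Client'
```

Once the account exists, log in with it for normal use; the `Invoke-Elevated` helper (or "Run as administrator" on a shortcut) covers the occasional task that genuinely needs administrative rights, and the UAC prompt it triggers is the moment at which you are consciously handing a program the power Law 2 warns about.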

The list of examples of what a bad guy can do if he gets unrestricted physical access to your computer (law 3) has grown:

  • He could mount the ultimate low-tech denial of service attack, and smash your computer with a sledgehammer.
  • He could unplug the computer, haul it out of your building, and hold it for ransom.
  • He could boot the computer from removable media, and reformat your hard drive. But wait, you say, I’ve configured the BIOS on my computer to prompt for a password when I turn the power on. No problem – if he can open the case and get his hands on the system hardware, he could just replace the BIOS chip. (Actually, there are even easier ways).
  • He could remove the hard drive from your computer, install it into his computer, and read any unencrypted data.
  • He could duplicate your hard drive and take it back to his lair. Once there, he’d have all the time in the world to conduct brute-force attacks, such as trying every possible logon or decryption password. Programs are available to automate this and, given enough time, it’s almost certain that he would succeed. Once that happens, Laws #1 and #2 above apply.
  • He could add a recording device or transmitter to your keyboard, then monitor everything you type including your passwords.

Added to law 5:

If you have accounts for multiple computers and online services, you’ll need to balance requirements for unique and strong passwords, yet limit how many passwords you have to remember. For accounts that give access to your most critical information – financial accounts, regulated personal data, sensitive work access, and primary email accounts to name a few – use a unique password for each one, and follow their access management policies. If you’re awash in multiple accounts that gather little personal information and have low value if lost, such as news sites that require free registration, consider developing one reasonably strong password and reusing it for most or all of them.
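The rule above is easy to state and easy to violate by accident across dozens of accounts. The script below is an added example, not part of Microsoft's text, that audits an account inventory (the shape a password-manager CSV export would have) against it: a "critical" account must not share its password with any other account, reuse among "low" accounts is tolerated, and every password must meet a minimum length. The tier names, the 12-character minimum and the sample rows are assumptions constructed for the example.

```powershell
# Added example (not from Microsoft's document): check a password inventory
# against the Law 5 advice. Constructed sample data; tiers and the 12-character
# threshold are assumptions.
$inventory = @(
    [pscustomobject]@{ Account = 'bank.example';     Tier = 'critical'; Password = 'Tq9!vLm2#pRx8wZe' }
    [pscustomobject]@{ Account = 'mail.example';     Tier = 'critical'; Password = 'correct horse battery staple' }
    [pscustomobject]@{ Account = 'work-vpn.example'; Tier = 'critical'; Password = 'Tq9!vLm2#pRx8wZe' }  # reused with the bank
    [pscustomobject]@{ Account = 'news.example';     Tier = 'low';      Password = 'ReadingList2016!' }
    [pscustomobject]@{ Account = 'forum.example';    Tier = 'low';      Password = 'ReadingList2016!' }  # low-value reuse: allowed
    [pscustomobject]@{ Account = 'recipes.example';  Tier = 'low';      Password = 'pass' }              # too short
)

function Test-PasswordInventory {
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [int]$MinimumLength = 12
    )
    $findings = @()

    # Rule 1: a critical account's password must be unique across the whole inventory.
    foreach ($group in ($Inventory | Group-Object -Property Password)) {
        $accounts = @($group.Group)
        if ($accounts.Count -lt 2) { continue }               # nobody shares this password
        foreach ($c in ($accounts | Where-Object Tier -eq 'critical')) {
            $others = ($accounts | Where-Object Account -ne $c.Account).Account -join ', '
            $findings += [pscustomobject]@{
                Account  = $c.Account
                Severity = 'high'
                Finding  = "critical account shares its password with: $others"
            }
        }
    }

    # Rule 2: every password, reused or not, must be at least "reasonably strong".
    foreach ($row in $Inventory) {
        if ($row.Password.Length -lt $MinimumLength) {
            $findings += [pscustomobject]@{
                Account  = $row.Account
                Severity = 'medium'
                Finding  = "password shorter than $MinimumLength characters"
            }
        }
    }
    return $findings
}

Test-PasswordInventory -Inventory $inventory | Format-Table -AutoSize
```

On the constructed data this reports bank.example and work-vpn.example as high (the two critical accounts share one password) and recipes.example as medium (too short), while the shared password on the two low-value sites produces no finding. To run it on a real export, replace `$inventory` with `Import-Csv` over a file whose columns map to Account, Tier and Password, and treat the result as sensitive since it necessarily handles plaintext.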

Added to law 9:

If you use any payment system other than cash or any transportation other than your own two feet, you leave a trail of data breadcrumbs that can be used to reconstruct a personally identifiable “portrait” of you with remarkable accuracy.