Reexamining the “5 Laws of Cybersecurity” | #malware | #ransomware | #hacking | #aihp

Nearly a year ago, journalist Martin Banks codified “Five Laws of Cybersecurity”. Cybersecurity is a complicated field, and any way to simplify its many facets into short, easy-to-remember maxims is always welcome. The five laws are a very good start towards developing a robust security program. The laws are:

1. Treat everything like it’s vulnerable.
2. Assume people won’t follow the rules.
3. If you don’t need something, get rid of it.
4. Document everything and audit regularly.
5. Plan for failure.

Of course, compliance with real rules does not necessarily equal security, but these general cybersecurity “laws” are a useful reference.  Still, like real regulations, some depth, and background can provide meaningful value. In some cases, the origins of these unofficial laws can add to lively debate by even the staunchest cybersecurity practitioner.

Treat Everything Like It’s Vulnerable

The first rule of cybersecurity is to treat everything as if it’s vulnerable because, of course, everything is vulnerable. Every risk management course, security certification exam, and audit mindset always emphasizes that there is no such thing as a 100% secure system.  Arguably, the entire cybersecurity field is founded on this principle.

Since many organizations fail to meet this standard in full, the rise of zero trust security has become the new benchmark of mature cybersecurity practice. Zero trust, by design, denies access to everything without verifying its authority.  This is similar to what you may see in a spy movie, where access to any and all rooms requires authorization.  Zero trust goes even farther, by re-checking that permission at various stages of a session. Identity access management (IAM) for both users and devices, as well as steps such as update verification, are the bedrock of a zero trust environment. No device, program, or user should have access to anything without verification and revalidation.

Assume People Won’t Follow the Rules

I prefer to reframe this rule as “People may bypass rules”, as its original wording is too accusatory. This rule-bending mindset as it relates to computers dates back to the original “hacker” circles, started way back at the MIT Model Railroad Club. Since complying with some security protocols is often inconvenient, employees may find ways to bypass these safeguards, which leads to vulnerabilities.

Statistics back up this principle, with 94% of U.S. and U.K. organizations suffering insider data breaches in 2020. Similarly, 84% of IT leaders cite human error as the most common cause of serious incidents.  As social-engineering attacks have become more common, this rule has become increasingly relevant. Anti-phishing measures, password requirements, and similar rules are only effective if people follow them.

Businesses must go beyond implementing stricter cybersecurity policies. That means enforcing these rules while making it easier to comply with them by using tools such as password managers. Still, as this particular law states, security professionals must understand that technical controls are also required to strengthen security. Access restrictions and similar protections are necessary to mitigate insider breaches.

If You Don’t Need It, Get Rid of It

The third law of cybersecurity, originally popularized as one of Brian Krebs’ 3 Rules for Online Safety, aims to minimize attack surfaces and maximize visibility. While Krebs was referring only to installed software, the ideology supporting this rule has expanded.  For example, many businesses retain data, systems, and devices they don’t use or need anymore, especially as they scale, upgrade, or expand. This is like that old, beloved pair of worn out running shoes that sit in a closet.  This excess can present unnecessary vulnerabilities, such as a decades-old exploit discovered in some open source software.

Most companies have roughly only 75% visibility over their OT operations. Retaining redundant or irrelevant assets prevents 100% visibility. If they would let go of old systems and data, they could gain more insight into their operations, which could accelerate vulnerability, and breach detection.

Document Everything and Audit Regularly

This rule is actually two rules in one.  Part of maximizing visibility and uncovering vulnerabilities is regular and consistent internal auditing. To most security professionals, an audit is a tedious, and painful process.  Unfortunately, too many businesses still fall short, making audits a necessary part of cybersecurity. For example, some attackers control victims’ machines for months or years before anyone notices due to insufficient logging processes.  The auditing process should include not only configuration reviews, but active testing to check for unmitigated, or new vulnerabilities.

Documentation, often heralded as one of the most arduous tasks of cybersecurity, is essential, both for current staff, and succession planning.  Too often, engineers are pressured to get a system up and running, leaving the documentation as an “after-action” event.  Unfortunately, this event never occurs, as the day-to-day work exceeds the time to accurately document each component of a complex system.  Change management also falls under this element. The more businesses record, the easier it is to track, and remediate suspicious activity, and implement new systems.

Plan for Failure

The final law of cybersecurity states that organizations should prepare for the worst. This is perhaps truer than ever, given how rapidly cybercrime is evolving. The risks of a zero-day exploit are too high for businesses to assume they’ll never become the victims of a breach. Fortunately, the doomsday mentality that was previously trumpeted as the “two types of organizations . . .” trope has been replaced with one of a resilience mindset. 

All of this indicates that organizations must enact strong preventive measures, as well as detailed recovery plans. The average cost of a ransomware attack is seven times higher than the ransom itself, so prevention is better than a cure. Businesses must balance both to ensure they are as safe as possible.

Backups and emergency response plans must be a standard part of every company’s security practice. However, it’s important to ensure that these are, in fact, backup plans and that businesses don’t skimp on their perimeter defenses.

The 5 Laws of Cybersecurity Are Not a Conclusive List

One may wonder, why the need to restate and reconsider these five rules?  For one thing, the five laws of cybersecurity remain as relevant as ever. Also, it is important to recognize that cybersecurity is never a “check-the-box”, or static activity.  Organizations must continuously and carefully review and apply these practices.

Cybercrime is continuously evolving and the risks are too severe to overlook potential vulnerabilities.  These five guidelines are precisely that: guidelines. While they help to remind us about what a reliable security plan should include, organizations must remember, and implement the finer details to remain safe.

About the Author: Dylan Berger has several years of experience writing about cybercrime, cybersecurity, and similar topics. He’s passionate about fraud prevention and cybersecurity’s relationship with the supply chain. He’s a prolific blogger and regularly contributes to other tech, cybersecurity, and supply chain blogs across the web.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.