This week there is breaking news in the world of information security that you will read about in this and 50 different blogs. It is ground-breaking stuff that will astonish and astound you, and more than likely you will read it and be amazed. AMAZED I say!
What is this revelation in the world of security? What could so many be writing about this week? It is this:
Security of information is mostly about doing the basics.
If you read 50 articles on information security, you will discover a common thread among them all: in one way or another they are talking about limiting rights, locking things up, reviewing access rights, and limiting exceptions to the rules. While this is not rocket science, it does take time to complete, and more importantly, the effort to do it.
The most surprising part is that this is not new stuff. Last week, while perusing a text [1], I found the following security principles regarding coding and IT, presented as the Seven Design Principles of Computer Security:
- Least privilege: access rights should be explicitly provided, with a general denial of access as the default rule.
- Economy of mechanism: keep it simple [so it can be simply managed].
- Complete mediation: check rights for proper authorization.
- Open design: know all the security risks and don't have unknown or undocumented back doors.
- Separation of privilege: have separate accesses to separate programs, not complete access as a rule [put simply].
- Least common mechanism: users are separated in the system: you cannot see what other users are doing, and vice versa.
- Psychological acceptability: security controls must be easy to use, so that they are used. Don't require a 27-character password that includes 11 special characters.
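As an added illustration (not from the original post, nor from Saltzer and Schroeder), here is a small Python reference monitor that makes three of the principles above concrete: explicit grants with default deny for least privilege, a check on every single access for complete mediation (so a revocation takes effect immediately), and a two-person rule for separation of privilege. All subjects, paths and account names are constructed.

```python
"""Tiny reference monitor illustrating least privilege (default deny),
complete mediation (every access is re-checked against the live table)
and separation of privilege (two distinct approvers for a sensitive
action). All names and data below are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class ReferenceMonitor:
    # Explicit grants only: {(subject, object): {rights}}.
    # Anything absent from this table is denied (least privilege).
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def grant(self, subject, obj, right):
        self.grants.setdefault((subject, obj), set()).add(right)

    def revoke(self, subject, obj, right):
        self.grants.get((subject, obj), set()).discard(right)

    def check(self, subject, obj, right):
        # Complete mediation: consult the live table on every call rather
        # than a cached earlier decision, and log the outcome for review.
        allowed = right in self.grants.get((subject, obj), set())
        self.audit.append((subject, obj, right, "ALLOW" if allowed else "DENY"))
        return allowed


def read_file(monitor, subject, path):
    """Every read goes through the monitor; no code path bypasses it."""
    if not monitor.check(subject, path, "read"):
        raise PermissionError(f"{subject} may not read {path}")
    return f"contents of {path}"  # constructed stand-in for real file I/O


def disable_account(monitor, requester, approver, account):
    """Separation of privilege: two different principals, each holding
    the 'disable' right on the account, must both agree. Returns True
    only when the action is authorised."""
    if requester == approver:
        return False  # one person cannot approve their own request
    if not monitor.check(requester, account, "disable"):
        return False
    if not monitor.check(approver, account, "disable"):
        return False
    return True
```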
These are concepts that everyone knows and writes about, and yet we still see many cases where failure to perform these types of security activities has led to a breach. What is most important in all of this is not that the activity does not work, but that the activity was not done.
It takes a person to set up and review security.
If you do not set up the users correctly, review the user rights, or separate privileges and duties, your system will not be secure because you did not secure it. This is as true today as it was in 1975 when the article I referenced was written, 35 years ago.
[1] Saltzer, J.H. and Schroeder, M.D., "The Protection of Information in Computer Systems," Proceedings of the IEEE, September 1975.