Monday, December 29, 2014

What are Security Truisms?

(What is a truism? A self-evident truth; the plain facts.)

The points to be noted are:

  • There is no such thing as absolute security: We can try to achieve the best, but no one can give a 100% (absolute) guarantee.

  • Security is always a question of economics: How much time, effort and money should be spent on security depends on the value (monetary, or degree of importance) of what is being protected.

  • Keep the level of all your defenses at about the same height: There is no point in making one door of the castle highly protective while the other doors are weak.

  • An attacker doesn't go through security, but around it: Their goal is first to find the weakest hole and then attack it. Not necessarily the main door!

  • Put your defenses in layers: If the attacker somehow cracks the first layer, he should be trapped in the second. It should not be the case that the hacker cracks one layer and directly hits the pot!

  • It's a bad idea to rely on "security through obscurity": It would be foolish to assume that the hacker does not know about this (security arrangement). Do not assume such things, and do not make obscurity the only protection.

  • Keep it simple: Complex things are harder to understand, audit, explain and get right. Try to break security into simple and manageable pieces.

  • Programming is hard: It is hard to write a bug-free program, and the difficulty increases with size. The crucial security programs should be only a page long. Long security-sensitive programs have been a constant and reliable source of security problems.

  • Security should be an integral part of the original design: Security that is added after the initial design is seldom as reliable.

  • If you do not run a program, it does not matter if it has security holes: An exposed machine should run as few programs as possible, and the ones it runs should be as small as possible.

  • A program or protocol is insecure unless proven secure: Assuming the other way round, that "all protocols are safe unless proved unsafe", would be very dangerous.

  • A chain is only as strong as the weakest link:

  • Security is a trade-off with convenience: Security cannot be stronger than the organisation's culture would permit. It should be strong yet as unobtrusive as possible.

  • Do not underestimate the value of your assets: The value of everyday assets is often underestimated. Things that seem simple and obvious to you may not be so to the other party.
