[Hackfest::Archive] Les 10 lois immuables de la sécurité selon Microsoft (v2.0)

UPDATE (2024-08-03): Microsoft a remplacé la publication originale, par une version plus récente et adaptée… qui contient encore la version 2 originale. Les URL originales pointent maintenant vers archive.org et j’ai ajouté la nouvelle page de Microsoft. J’ai également ajouté, à la suite des 10 règles de la version 2, les 10 nouvelles règles qui sont plus adaptées au temps moderne.

UPDATE (2017-11-06): Maintenant plus d’une quinzaine d’années!!!

Il y a une dizaine d’années, Microsoft publiait les 10 lois immuables de la sécurité. Ces 10 lois m’ont beaucoup aidé à vendre mes dossiers par le passé. Depuis, ils ont décidé de les rafraichir au goût du jour, à la 2.0 😉 Croyez-vous qu’en 10 ans, nous avons beaucoup avancé sur ces 10 lois?

Immutable Laws of Security v2

• Law #1: If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
• Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
• Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
• Law #4: If you allow a bad guy to run active content in your website, it’s not your website any more.
• Law #5: Weak passwords trump strong security.
• Law #6: A computer is only as secure as the administrator is trustworthy.
• Law #7: Encrypted data is only as secure as its decryption key.
• Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
• Law #9: Absolute anonymity isn’t practically achievable, online or offline.
• Law #10: Technology is not a panacea.

Ten Laws of Cybersecurity Risk

• Security success is ruining the attacker’s ROI – Security can’t achieve a perfect secure state, so deter them by disrupting and degrading their Return on Investment (ROI). Increase the attacker’s cost and decrease the attacker’s return for your most important assets.
• Not keeping up is falling behind – Security is a continuous journey. You must keep moving forward because it will continually get cheaper for attackers to successfully take control of your assets. You must continually update your security patches, strategies, threat awareness, inventory, tooling, monitoring, permission models, platform coverage, and anything else that changes over time.
• Productivity always wins – If security isn’t easy for users, they work around it to get their job done. Always make sure solutions are secure and usable.
• Attackers don’t care – Attackers use any available method to get into your environment and access your assets, including networked printers, fish tank thermometers, cloud services, PCs, servers, Macs, or mobile devices. They influence or trick users, exploit configuration mistakes or insecure operational processes, or just ask for passwords in a phishing email. Your job is to understand and take away the easiest, cheapest, and most useful options, like anything that leads to administrative privileges across systems.
• Ruthless prioritization is a survival skill – Nobody has enough time and resources to eliminate all risks to all resources. Always start with what is most important to your organization or most interesting to attackers, and continuously update this prioritization.
• Cybersecurity is a team sport – Nobody can do it all, so always focus on the things that only you (or your organization) can do to protect your organization’s mission. If security vendors, cloud providers, or the community can do better or cheaper, have them do it.
• Your network isn’t as trustworthy as you think it is – A security strategy that relies on passwords and trusting any intranet device is only marginally better than lack of security strategy. Attackers easily evade these defenses, so the trust level of each device, user, and application must be proven and validated continuously, starting with a level of zero trust.
• Isolated networks aren’t automatically secure – While air-gapped networks can offer strong security when maintained correctly, successful examples are extremely rare because each node must be isolated from outside risk. If security is critical enough to place resources on an isolated network, you should invest in mitigations to address potential connectivity via methods such as USB media (for example, required for patches), bridges between the intranet network and external devices (for example, vendor laptops on a production line), and insider threats that could circumvent all technical controls.
• Encryption alone isn’t a data protection solution – Encryption protects against out-of-band attacks (for example, network packets, files, and storage), but data is only as secure as the decryption key (key strength + protections from theft/copying), and other authorized means of access.

• Technology doesn’t solve people and process problems – While machine learning, artificial intelligence, and other technologies offer amazing leaps forward in security (when applied correctly), cybersecurity is a human challenge, and will never be solved by technology alone.

  Références:

• June Advance Notification Service and 10 Immutable Laws Revisited
• Ten Immutable Laws Of Security (Version 2.0)
• The immutable laws of security