Re: The Laws (was the principles) of secure information systems design
On 07/12/2016 05:19 PM, Peter Fairbrother wrote:
> I've been revising the principles, and came up with this. It's an
> early version.
[ ... ]
> The Laws of secure information systems design:
> Law 0: It's all about who is in control
> Law 1: Someone else is after your data
> Law 2: If it isn't stored it can't be stolen
> Law 3: Only those you trust can betray you
> Law 4: Attack methods are many, varied, ever-changing and eternal
> Law 5: The entire system is subject to attack
> Law 6: A more complex system has more places to attack
> Law 7: Holes for good guys are holes for bad guys too
> Law 8: Kerckhoffs's Principle rulez! - usually...
> Law 9: A system which is hard to use will be abused or unused
> Law 10: Design for future threats
> Law 11: Security is a Boolean
> Law 12: People offering the impossible are lying
> Law 13: Nothing ever really goes away
> Law 15: "Schneier's law c" holds illimitable dominion over all...
> including these laws
I call these "Network Security Axioms." You will recognize most of
them, I am sure. A couple are originals.
Everything is under control; your control or someone else's.
A trusted system is one that can break your security model.
A hardened perimeter is easily broken; a hardened system, not so much.
The laws of nations are easily broken; the laws of physics, not so much.
In God we trust, all others provide full source code for peer review.
Given enough observers, all bugs are shallow.
To make a system stronger, attack it.
Physical access can compromise any network security model.
A failed data backup may cost more than a successful break-in.
An unexamined assumption is a ticking time bomb.
User refusal is the principal barrier to secure networking.
Three years old, but holding up fairly well: