Nearly a year ago, journalist Martin Banks codified “Five Laws of Cybersecurity”. Cybersecurity is a complicated field, and any way to simplify its many facets into short, easy-to-remember maxims is always welcome. The five laws are a very good start towards developing a robust security program. The laws are:

  1. Treat everything like it’s vulnerable.
  2. Assume people won’t follow the rules.
  3. If you don’t need something, get rid of it.
  4. Document everything and audit regularly.
  5. Plan for failure.

Of course, compliance with real rules does not necessarily equal security, but these general cybersecurity “laws” are a useful reference. Still, as with real regulations, some depth and background add meaningful value. In some cases, the origins of these unofficial laws can spark lively debate among even the staunchest cybersecurity practitioners.

Treat Everything Like It’s Vulnerable

The first rule of cybersecurity is to treat everything as if it’s vulnerable because, of course, everything is vulnerable. Every risk management course, security certification exam, and audit mindset emphasizes that there is no such thing as a 100% secure system. Arguably, the entire cybersecurity field is founded on this principle.

Since many organizations fail to meet this standard in full, zero trust security has risen to become the new benchmark of mature cybersecurity practice. Zero trust, by design, denies access to everything without first verifying its authority. This is similar to what you may see in a spy movie, where access to any and all rooms requires authorization. Zero trust goes even further by re-checking that permission at various stages of a session. Identity and access management (IAM) for both users and devices, as well as steps such as update verification, are the bedrock of a zero trust environment. No device, program, or user should have access to anything without verification and revalidation.
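To make the “verify, then keep re-verifying” idea concrete, here is an added example (not code from the article or from Tripwire) of a default-deny authorization check that re-evaluates the user’s roles, the device’s enrollment and patch status, and the resource policy on every request rather than trusting the initial login. The user, device and policy tables are constructed stand-ins for an IAM directory and device inventory.

```python
from dataclasses import dataclass
import time

@dataclass
class Session:
    """What a login produced: who, from which device, and when."""
    user: str
    device_id: str
    issued_at: float
    ttl_seconds: int = 600

# Constructed stand-ins for an IAM directory, a device inventory with
# update status, and a resource policy. Not real data.
USER_ROLES = {"alice": {"reader"}, "bob": {"reader", "admin"}}
ENROLLED_DEVICES = {"laptop-1": {"patched": True}, "laptop-2": {"patched": False}}
RESOURCE_POLICY = {"/reports": {"reader"}, "/admin": {"admin"}}

def revoke_role(user, role):
    """Revocation in the directory takes effect on the very next request."""
    USER_ROLES.get(user, set()).discard(role)

def authorize(session, resource, now=None):
    """Default deny. Every check is repeated on every request, so a session
    that was valid at login is re-verified at each later step."""
    now = time.time() if now is None else now
    if now - session.issued_at > session.ttl_seconds:
        return False, "session expired; re-authenticate"
    roles = USER_ROLES.get(session.user)
    if roles is None:
        return False, "unknown user"
    device = ENROLLED_DEVICES.get(session.device_id)
    if device is None:
        return False, "device not enrolled"
    if not device["patched"]:
        return False, "device missing required updates"
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False, "no policy for resource"  # unknown resource is denied, not allowed
    if not roles & required:
        return False, "role not permitted"
    return True, "ok"
```

Because the directory is consulted on each call, revoking a role or marking a device as unpatched cuts off an already-established session at its next request.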

Assume People Won’t Follow the Rules

I prefer to reframe this rule as “People may bypass rules”, as its original wording is too accusatory. This rule-bending mindset as it relates to computers dates back to the original “hacker” circles, started way back at the MIT Model Railroad Club. Since complying with some security protocols is often inconvenient, employees may find ways to bypass these safeguards, which leads to vulnerabilities.

Statistics back up this principle, with 94% of U.S. and U.K. organizations suffering insider data breaches in 2020. Similarly, 84% of IT leaders cite human error as the most common cause of serious incidents. As social-engineering attacks have become more common, this rule has become increasingly relevant. Anti-phishing measures, password requirements, and similar rules are only effective if people follow them.

Businesses must go beyond implementing stricter cybersecurity policies. That means enforcing these rules while making it easier to comply with them, for example by using tools such as password managers. Still, as this particular law implies, security professionals must understand that technical controls are also required to strengthen security. Access restrictions and similar protections are necessary to mitigate insider breaches.

If You Don’t Need It, Get Rid of It

The third law of cybersecurity, originally popularized as one of Brian Krebs’ 3 Rules for Online Safety, aims to minimize attack surfaces and maximize visibility. While Krebs was referring only to installed software, the thinking behind this rule has expanded. For example, many businesses retain data, systems, and devices they don’t use or need anymore, especially as they scale, upgrade, or expand. This is like that old, beloved pair of worn-out running shoes that sits in a closet. This excess can present unnecessary vulnerabilities, such as a decades-old vulnerability discovered in some open source software that is still installed but no longer needed.

Most companies have only roughly 75% visibility over their OT operations. Retaining redundant or irrelevant assets prevents 100% visibility. If they let go of old systems and data, they could gain more insight into their operations, which could accelerate vulnerability and breach detection.

This article, “Reexamining the ‘5 Laws of Cybersecurity’” by Dylan Berger, first appeared on Tripwire’s The State of Security.