Security WatchRevisiting the 10 Immutable Laws of Security, Part 3

Jesper M. Johansson

You’re probably familiar with the “10 Immutable Laws of Security.” This is an essay on security that was published about eight years ago and remains important and popular to this day. That said, a lot has changed in the past eight years, so I have set out to examine these laws and see if they still hold true. In the previous twoinstallments of the Security Watch column, I discussed the first seven of these laws.

So far, those laws hold up quite well, despite the monumental advan­ces in security and connectivity we've seen in recent years. While a few of the laws may have a slightly different interpretation today, and while there may be some forms of partial mitigation for one or two of the laws, they still qualify as laws. They are still very useful in framing an information ­security strategy, and in a common law system we expect laws to grow with us.

This month I will discuss the last three laws and conclude with some insight on how the environment may have changed and created a new void that the laws no longer fill. And if, by chance, you haven't read the original essay, you can find it on TechNet.

Law #8: An out-of-date virus scanner is only marginally better than no virus scanner at all.

Of all the laws, this is the one that most shows its age. It is not that there are no viruses any longer—quite the opposite. Today the antivirus vendors claim they add several hundred thousand infectors per year. And in the "Symantec Global Internet Security Threat Report," published in April 2008, Symantec announced that it now detects more than 1 million different threats.

Where Law 8 shows its age is in that it specifies a virus scanner. Back in the late 1990s, viruses were pretty much what we had to worry about. However, the days when a Microsoft Word macro virus was the worst thing with which we had to contend are now long gone. Today we fight viruses, worms, spyware, adware, keystroke loggers, rootkits, phishing Web sites, spam, and bots. And if those aren't enough to keep you on your toes, you also have to watch out for fake anti-malware software.

Viruses are a fairly quaint technology compared to all the other malicious things we have to deal with today. Does it really matter, then, if your antivirus software is out of date if all you have is something that detects viruses? Obviously, there is virtually no anti-malware software available today that only detects viruses—but the law's emphasis here on virus scanner is where its age shows. To be even marginally useful, an anti-malware solution must detect much more than just viruses.

As noted in the last installment of my three-part series "Passwords and Credit Cards", this has led to a checkbox ecosystem where the various security software vendors compete based on the number of checkboxes they can claim to fill. One of the ways they fill those checkboxes is by protecting against all the different types of malware.

Most anti-malware software is available only as suites that do much more than anti-malware and include consoles to manage all the features. Figure 1 shows the console provided by Microsoft Windows Live OneCare, which includes antivirus, antispyware, and backup features; tracks the built-in phishing filter in Internet Explorer; and includes a separate firewall that is not based on the one built into Windows (a redundancy that is customary in security suites). Today, antivirus software is really anti-malware software typically with extras.


Figure 1 The Live OneCare console is quite typical of security suites today (Click the image for a larger view)

That's because there is more malware than ever before, and the criminals writing malware are getting better at disguising it as legitimate software. It has really become a hybrid of Trojan horse software and other malware.

The average user has an extremely hard time telling legitimate from malicious software. And a lot of malware is served up from legitimate Web sites, or sites that used to be legitimate, often in the form of advertisements. Some even do their evil deeds automatically, with no user interaction whatsoever beyond visiting the site.

Anti-malware software can help detect some of this malicious software. The best approach to keep this wave of criminality at bay is to use both anti-malware software and judicious computer practices. While some may argue that judicious practices are sufficient alone, this depends on good judgment and common sense—attributes that are, sadly, disturbingly uncommon.

Or consider another scenario: computer use by children. They have no relevant experience to call upon; moreover, many parents do not understand computer security well enough to impart its importance to their children. Furthermore, it is nearly impossible to supervise children every minute they are using a computer.

In that situation, anti-malware software provides at least a partial safety net—it forces the criminals to keep improving their practices. And while this can cause a vicious cycle where the malware becomes better and better, clearly it also keeps quite a bit of it at bay.

Anti-malware software may at least keep the most basic malware out of the ecosystem, allowing security professionals to focus on the more sophisticated attacks. If anti-malware software is removed entirely from the ecosystem, it is indeed likely that we would be absolutely overrun even by unsophisticated malware. The problem would be many orders of magnitude worse than today.

None of this answers the question on the table, however, which is "does Law 8 still hold?" Obviously, it depends on interpretation. From a purist perspective, the Law says that antivirus that is not up to date is only marginally better than no antivirus. However, with malware mutating as rapidly as it does, you could easily argue that antivirus software that is not up to date is entirely useless. This may be a bit of a hyperbole, but it's not an entirely unreasonable claim.

A much more realistic way to look at Law 8 is to reinterpret it for the modern world. Thus, I would restate it as "Anti-malware software must be used and kept up to date." If one takes that more pragmatic view of the Law, then Law 8 definitely holds. After all, even the most ardent opponents of anti-malware software can't argue successfully that we should banish it from the security ecosystem entirely.

I personally tend to take a fairly interpretive view of laws and would argue that Law 8 still holds. However, I would add that, with malware mutating more and more rapidly, it is absolutely critical to keep anti-malware software up to date.

Law #9: Absolute anonymity isn't practical in real life or on the Web.

When I think about this law, I find it difficult not to crack some joke about how our governments and large corporations make sure we have very little anonymity. The United States government and The TJX Companies together have made sure that personal information on about half of the U.S. population has entered into the portfolio of the criminal underground. While I would love to imagine that there is any such thing as anonymity, in all practicality, anonymity doesn't exist today (unless you're willing to completely disconnect, give up your bank accounts, move to a desert island, and drop off the radar entirely).

There is a vast amount of information about all of us that we either give away deliberately or that can be gleaned just from interacting with us. Social networking sites have collectively assured that most adults who use the Internet, and many children, have a wealth of personal information publicly available. Much of it is not necessarily information we want people to have access to. Some of it is embarrassing to us or others. (Remember that a prospective employer may see that incriminating photo of you).

Then there is information that can be downright damaging. Phone numbers, addresses, finances, and any other kind of personal information should be treated as sensitive. In one case, a user had come up with a really good way to track all the Internet sites he uses for banking, managing credit cards, and so on. He created a custom homepage with all the links he needed. To make it easy to remember all the right pieces of information, he also scanned all of his important documents, including a check with his bank account number printed on it, his credit cards (front and back), his driver's license, his passport, and even his social security card.

This would have worked well if he had put the Web page in a secure place. Unfortunately, his personal home page, which was hosted on his ISP, was not private. The URL showed up in the referrer string on every page he clicked on from his page. Following that URL back revealed personal information worth many thousands of dollars on the criminal market. This is an extreme case, but it highlights the point of how important it is that you carefully manage the information you allow to go online about yourself.

While social networking sites generally offer elaborate privacy options, they are often not turned on by default. Figure 2 shows the privacy controls for Facebook, albeit not in their default settings. The point is, while you cannot expect to have absolute anonymity, you can retain a certain measure of anonymity if you are careful.


Figure 2 Privacy settings on Facebook can be restricted if you change the defaults (Click the image for a larger view)

Privacy on the Internet, as in real life, is largely dependent on how you manage it. You can't help it when a government agency or corporation mishandles your personal information, but you can work on mitigating the impact of such a breach. And you can avoid handing over too much information when not absolutely necessary.

One very useful method of controlling your personal information is establishing a fraud alert with the major credit-reporting bureaus. Unfortunately, due to persistent and successful lobbying by credit bureaus, they are permitted to make these fraud alerts very onerous to obtain. They cost anywhere from $6 to $12 per bureau, per three-month period, and usually must be manually renewed. A better option is to use a third-party service, such as Debix (, and have them establish the fraud alerts for you.

If you do not need to obtain credit, you can set up a credit freeze, preventing anyone from pulling your credit report. However, the credit bureaus have ensured that credit freezes are not legal in most states, and in many other states they are restricted only to people who have already had their personal information stolen. Credit freezes also cost much more money and often have to be set up via certified mail. (Curiously, they can usually be lifted with a simple phone call.)

Another way to control your personal information is to restrict who gets it. Do not hand it over to organizations that do not need it. Stick to organizations you trust, and do not patronize organizations that have shown a disregard for your protection in the past. There is no reason for you to establish an account and provide credentials to get basic information. If access to a product manual requires you to register on a Web site, either do not use the product or use fake information to register. If you need an e-mail address to do so, use a free Web mail service to set up a temporary fake account.

All of this really serves as proof that Law 9 most definitely still holds. Your ability to keep things private on the Web, and in real life, has not gotten any better in recent years; it has really gotten quite a bit worse. Since the original laws were published, virtually everything has gone online and the Internet is now used as the conduit for a tremendous amount of business that uses your information.

Thus, it is now more important than ever to keep track of your personal information. The one modification I might make to Law 9 is to rewrite it as "Absolute anonymity is impossible on the Web, but you are in control of how close to anonymous you get."

Law #10: Technology is not a panacea.

Law 10 is a catch-all. It is meant to point out that there is no big, blue secure-me-now button—or at least not one that works. Technology alone is incapable of assuaging our security concerns. This is a serious issue because so much of the security industry has tried its best to convince people that technology, in fact, is a panacea. The recurring message is that all you need is the latest version of the right security suite and you can stop worrying about everything else.

That is not actually where Scott Culp was going with Law 10 when it was originally written, but as with all great laws, they grow and evolve with the times. The original intent was to point out that technology itself will not be perfect, and even if it were, the attackers would go elsewhere. Back when the laws were written, the technical security record was far from stellar. Microsoft was under siege, and Law 10 was, in some ways, a way for Microsoft to explain its security record.

Law 10, however, was also prescient in many ways. The explanation includes the statement that if you raise the cost and difficulty of attacking security technology, bad guys will respond by shifting their focus away from the technology and toward the user.

That is exactly what has happened. Technology is too hard to break; humans are not. So the criminals are attacking human beings with various social engineering and phishing techniques. In a world where insecurity can be monetized, that is the natural progression of things.

Law 10 not only holds, it was very much ahead of its time—so much ahead of its time, that is, that while the law is as true today, the explanation seems a bit dated. Perhaps the law simply had a different connotation when it was written. Today it still holds, but the meaning has changed and the interpretation needs to grow. We must look beyond technology and work on the process part of security and the people side of the equation. To be successful, we must figure out how to secure those portions of the ecosystem.

Now What?

The laws have proven to be remarkably resilient. They all hold eight years hence. A few, notably Law 10, seem like they have even grown with the times and could just as easily have been written yesterday. The final law, being a catch-all for all practical purposes, was visionary (or at least turned out that way). It seems to have foreseen the new branch of soft security that is so critical to a healthy ecosystem.

Technology truly is no panacea. Only by understanding that fact could the Laws have been formulated in the first place. Only by taking into account the fact that technology is fallible can a person fully appreciate all the other laws. In fact, if you look at Laws 1 through 9, at some point they all come down to soft security and process. All of them are essentially about misconfiguration, a missing patch, a vulnerability introduced by a human being, or some other form of mishandling of the system or the data it protects.

When I first set out to write this three-part series, I had every intention of adding a few laws of my own. In the course of analyzing the laws, however, I have come to realize that doing so is unnecessary. Law 10 sums up all the others and covers anything I might have added. In fact, rather than adding, I would simply restate Law 10 as "Technology is not a panacea, and moving beyond this misperception is essential to security."

Remember that these laws come from a time when the IT environment was shifting from a Y2K mind-set to a world of auditing experts. Security has now overtaken all mindshare.

Why is that? It is largely because of the explosive growth of criminal enterprises. The criminals, many of them operating in the open in countries without a legal system interested in protecting us, realized that they could monetize lax computer security. This has touched the drug trade, the mafia in the former Eastern Bloc, terrorist groups, and so on.

Computer crime is now driven purely by three factors: greed, ideology, and national supremacy. To combat these new attacks, we must operate within the framework of the immutable laws. We must also make difficult trade-offs, but I will save that discussion for a future column.

Jesper M. Johansson is a Principal Security Architect for a well-known Fortune 200 and is a contributing editor to TechNet Magazine. He holds a Ph.D. in Management Information Systems, has more than 20 years experience in security, and is a Microsoft Most Valuable Professional (MVP) in Enterprise Security. His latest book is the Windows Server 2008 Security Resource Kit.