Computer insecurity is inevitable, and technology alone cannot save us. Here are 10 essential processes every organization should follow to help stay secure.
7. Secure the weakest link
Look at the entire vulnerability landscape and create an attack tree: find the weakest link and secure it. Then worry about the next weakest link and so on.
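The "find the weakest link, secure it, then the next" loop can be made concrete with a small attack-tree evaluator, where an OR node costs as much as its cheapest child and an AND node costs the sum of its children. This is an added example, not from the original page; the tree, node names, cost figures and function names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "leaf"   # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0    # estimated attacker cost; used on leaves only
    children: list = field(default_factory=list)

def cheapest(node):
    """Return (cost, leaf names) of the cheapest way to achieve this node."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if not results:
        raise ValueError(f"{node.name}: non-leaf node needs children")
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        return sum(r[0] for r in results), [n for r in results for n in r[1]]
    raise ValueError(f"{node.name}: unknown kind {node.kind!r}")

def leaves(node):
    """Map leaf name -> leaf node (leaf names are assumed unique)."""
    if node.kind == "leaf":
        return {node.name: node}
    return {k: v for child in node.children for k, v in leaves(child).items()}

def secure_in_order(root, rounds, hardened_cost):
    """Find the weakest link, raise the cost of its cheapest step, repeat."""
    index, order = leaves(root), []
    for _ in range(rounds):
        cost, path = cheapest(root)
        order.append((cost, path))
        weakest = min(path, key=lambda name: index[name].cost)
        index[weakest].cost = hardened_cost  # models deploying a countermeasure
    return order

def sample_tree():
    # Constructed sample: goal, steps and costs are illustrative assumptions.
    return Node("read customer records", "or", children=[
        Node("guess weak admin password", cost=10),
        Node("decrypt stolen backup", "and", children=[
            Node("obtain backup media", cost=30),
            Node("recover encryption key", cost=200)]),
        Node("bribe an operator", cost=80)])

if __name__ == "__main__":
    for cost, path in secure_in_order(sample_tree(), 3, 1000):
        print(cost, path)
```

Each round reports the path an attacker would currently prefer, so the output order is the order in which countermeasures pay off most.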
9. Use choke points
A choke point forces users into a narrow channel, one that you can more easily monitor and control. Firewalls and login screens are some examples.
11. Provide defense in depth
This is about creating layers of security, such as a firewall combined with an intrusion detection system and strong cryptography.
13. Fail securely
Systems should fail in such a way as to be more secure, not less. (For example, if an ATM’s PIN verification system fails, it should fail in such a way as to not spit money out the slot.)
15. Leverage unpredictability
There’s no reason to broadcast your network topology to everyone that asks. If networks are unpredictable, attackers won’t be able to wander around so freely.
19. Enlist the users
Security measures that aren’t understood and agreed to by everyone don’t work. Enlist their support as much and as often as possible.
21. Assure
What we really need is assurance that our systems work properly. This involves a structured design process, detailed documentation, and extensive testing.
23. Question
Constantly question security. Question your assumptions and decisions. Question your trust and threat models. Keep looking at your attack trees. Trust no one, especially yourself.
24. Find out how to build secure systems in Secrets & Lies: Digital Security in a Networked World, by Bruce Schneier.