Do you understand what least privilege is all about? What the heck is the 80/20 rule? And, wait, what does security != obscurity mean? If you are struggling to understand some of these basic yet fundamental concepts that infosec professionals use in their reports, webinars, and white papers, it's about time you paid attention.
This short blog post is aimed mainly at young security professionals. So if you are in your early years in the information security domain and planning to take an exam like CompTIA Security+, knowledge of these security principles will help you immensely.
The following are the five security principles most commonly applied in day-to-day security practice.
- Principle of least privilege
- A chain is only as strong as its weakest link
- 80/20 Rule
- Security != Obscurity
- Default deny all (Whitelisting > Blacklisting)
1. Principle of least privilege
The first key point is the principle of least privilege. We want to limit the privileges that anyone can or should have: people should have access only to the things they absolutely need to do their job. For example, if somebody on the HR team doesn't need access to information or files belonging to research and development (R&D), they shouldn't have access to them. Simply put, the fewer the privileges, the better it is for data and information security.
2. A chain is only as strong as its weakest link
As the saying goes, a chain is only as strong as its weakest link, meaning nothing is impenetrable. We may have great security all the way through, including perimeter security, firewalls, and tools that look for all different types of threats, analyze traffic, and observe anomalous behavior: the layered security approach. But it takes just one person falling for a phishing email, clicking the link so that a virus is automatically downloaded, and the attacker gains access to the entire network.
3. 80/20 rule
Another important point is the 80/20 rule. Your primary focus should be on the 80% of things that are most likely to affect you and should be protected as a priority, rather than on the 20% of esoteric stuff that is rarely attacked. There are plenty of reasons to take the latter seriously, but we need to focus on the things that are constantly seen and constantly targeted at us. For example, we need to focus more on phishing, malware, and viruses, and on using multi-factor authentication, than on things like the new speculative execution vulnerabilities such as Spectre or new side-channel attacks, which are very rare. However, I would never recommend ignoring them outright.
4. Security != Obscurity
Security doesn't equal obscurity. Many people use esoteric software and tools thinking that if attackers come across them, they wouldn't be able to attack. Just because attackers don't see these things in the wild doesn't mean they can't spend a few hours analyzing or looking at the code and reverse-engineering it. Many cybersecurity experts think using obscure software, tools, or operating systems is a flawed idea. One should use software that is highly vetted and used by millions of people.
5. Default deny all (Whitelisting > Blacklisting)
Last but not least, the default deny all rule: whitelisting is always stronger than blacklisting. Whitelisting allows only certain entities to do certain types of things, whereas blacklisting denies only certain things or actions and allows all others. And it's a lot easier to add things to our whitelist than to continually update the blacklist with everything that should not be allowed; that becomes very cumbersome very quickly.
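To make principle 1 (least privilege) and principle 5 (default deny, whitelist over blacklist) concrete, here is an added example that is not part of the original post. It is a constructed scenario: two hypothetical roles (`hr` and `rnd`), a few hypothetical file names, and `read`/`write` actions. The allowlist grants each role exactly what its job needs and denies everything else; the blocklist, written the other way round, quietly permits access to a file that did not exist when its rules were written and to an account whose role nobody configured. The helper `find_blocklist_gaps` enumerates every such unintended grant.

```python
"""Added example (not from the original post): a tiny access-policy check.

Constructed scenario: two roles (hr, rnd), a handful of files, and two
actions. Every role, file name and grant below is hypothetical.
"""

# Least privilege: each role is granted exactly the (resource, action)
# pairs its job needs, and nothing else.
ROLE_GRANTS = {
    "hr": {
        ("hr/payroll.xlsx", "read"),
        ("hr/payroll.xlsx", "write"),
        ("hr/employee-handbook.pdf", "read"),
    },
    "rnd": {
        ("rnd/prototype-design.docx", "read"),
        ("rnd/prototype-design.docx", "write"),
        ("hr/employee-handbook.pdf", "read"),
    },
}


def allowlist_authorize(role: str, resource: str, action: str) -> bool:
    """Default deny: allow only what is explicitly granted to the role.

    An unknown role has no grants, so it is denied everything.
    """
    return (resource, action) in ROLE_GRANTS.get(role, set())


# The blocklist alternative: everything is allowed unless a rule forbids it.
# These rules were written when only payroll.xlsx and prototype-design.docx
# existed and were considered sensitive; a new file is not covered by them.
ROLE_BLOCKS = {
    "hr": {
        ("rnd/prototype-design.docx", "read"),
        ("rnd/prototype-design.docx", "write"),
    },
    "rnd": {
        ("hr/payroll.xlsx", "read"),
        ("hr/payroll.xlsx", "write"),
    },
}


def blocklist_authorize(role: str, resource: str, action: str) -> bool:
    """Default allow: deny only what is explicitly blocked for the role.

    An unknown role has no blocks, so it is allowed everything.
    """
    return (resource, action) not in ROLE_BLOCKS.get(role, set())


def find_blocklist_gaps(roles, resources, actions):
    """Return sorted (role, resource, action) triples that the blocklist
    permits but the least-privilege allowlist denies. Each one is a grant
    nobody consciously made."""
    gaps = []
    for role in roles:
        for resource in resources:
            for action in actions:
                blocklist_says_yes = blocklist_authorize(role, resource, action)
                allowlist_says_yes = allowlist_authorize(role, resource, action)
                if blocklist_says_yes and not allowlist_says_yes:
                    gaps.append((role, resource, action))
    return sorted(gaps)


if __name__ == "__main__":
    # A new R&D file appears; neither policy was updated for it.
    new_file = "rnd/q3-roadmap.pptx"
    print("allowlist, hr reads roadmap:", allowlist_authorize("hr", new_file, "read"))  # False
    print("blocklist, hr reads roadmap:", blocklist_authorize("hr", new_file, "read"))  # True
    # An account with a role nobody configured.
    print("allowlist, intern reads payroll:", allowlist_authorize("intern", "hr/payroll.xlsx", "read"))  # False
    print("blocklist, intern reads payroll:", blocklist_authorize("intern", "hr/payroll.xlsx", "read"))  # True
    resources = ["hr/payroll.xlsx", "hr/employee-handbook.pdf", "rnd/prototype-design.docx", new_file]
    for gap in find_blocklist_gaps(["hr", "rnd"], resources, ["read", "write"]):
        print("blocklist silently permits:", gap)
```

The point of the comparison is the maintenance burden the post describes: with the allowlist, a new file or a new role costs nothing until someone deliberately grants access to it, whereas with the blocklist every new file and every new role is accessible until someone remembers to add a rule.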