10 immutable laws of security administration redux
Feb 03, 2022
I love a good “Whoa” moment.
At the beginning of my sysadmin career, I was so enamored by the 10 Immutable Laws of Security Administration by Scott Culp that I stuck them on my cubicle wall to keep me reminded during my daily duties. Two decades later, I rediscovered the article in an archived part of Microsoft TechNet. I have analyzed each law with a tinge of nostalgia to see how they stack up against today’s security landscape. Below are my findings.
Law #1: Nobody believes anything bad can happen to them, until it does
This first law is still absolutely true. I often hear, “I’m a small business guy; why would anyone want to waste time trying to hack me?” While he may think he has a valid point, many incidents these days begin with internet-wide automated vulnerability scanning and exploitation scripts, along with drive-by attacks on compromised sites or employees clicking on phishing links spread via spam to millions of addresses. Any business can also be caught up in a supply-chain attack, like the recent Kaseya incident, through no fault of its own. Everyone is at risk of a security incident.
Law #2: Security only works if the secure way also happens to be the easy way
Ding ding, another winner! This law also stands the test of time. Users will always find the path of least resistance to do their jobs, whether it be turning off an EDR or VPN because it’s too slow, or if using an unsanctioned file-sharing or messaging app because it’s easier and quicker than what you’ve prescribed.
Law #3: If you don't keep up with security fixes, your network won't be yours for long
Law #4: It doesn't do much good to install security fixes on a computer that was never secured to begin with
Laws three and four are even more important today than 20 years ago. Zero-day exploits rule the headlines and if you do not have an aggressive patching program, you’ve already lost. While #4 in 2000 applied to PCs and servers, today you also need to consider network appliances and all the other black-box items on the network with some of the crafty exploits being published. Can you still trust an exposed box after a zero-day publication? Can a box vendor gain your trust? How can you independently verify?
Law #5: Eternal vigilance is the price of security
Since Culp released his laws, two technologies have been born: Security information and event management (SIEM) and security orchestration, automation, and response (SOAR). Combining these solutions with machine learning (ML) is the next frontier in cyber defense to help enterprises react faster and more effectively to advanced threats. The cycle of cyberthreat and solutions can’t stop and won’t stop.
Law #6: There really is someone out there trying to guess your passwords
You bet and there are still people out there today without some type of MFA. Go figure. Password sprays are easy and even a purchasable service these days.
Law #7: The most secure network is a well-administered one
The term “network” can be limiting as what is implied in this law includes infrastructure, architecture, or even ecosystem fit. The author writes that procedures are the most important tool. “If your procedures are sloppy, it can be difficult or impossible to keep track of these details, and the result will be more holes for a bad guy to slither through.” I would double down on that while adding in automation and CI/CD-based administration as crucial to keeping today’s operating environments secure. Hands-on button clicking to administer systems daily should ideally be a remnant of the past.
Law #8: The difficulty of defending a network is directly proportional to its complexity
Number eight is immutable indeed, but the landscape and options to simplify are plentiful compared to 20 years ago. Today’s threats are different from 20 years ago, but many still rely on the same architectures.
Zero trust architecture (ZTA) is the new kid on the block, with secure service edge (SSE) implementations promising to be the panacea to the challenges faced by the traditional network perimeter (or “castle and moat”) architectures. Zero trust architectures isolate workloads by removing the implicit trust previously placed within corporate networks, greatly reducing the impacts of a breach. Referring back to law #7, one of the keys behind a truly successful ZTA is a front-loaded effort with automation and CI/CD deployments, replacing complex and often manual JIT administration in traditional networks.
Law #9: Security isn't about risk avoidance; it's about risk management
So true. Zero trust’s mantra is to assume breach. Assume that the user is going to click that dirty link. Assume that app or device has an exploited zero-day. IT security today comes down to managing those risks and reducing the blast radius when it happens.
Law #10: Technology is not a panacea
See what I did in #8? Though not a complete panacea, technology advancements for cloud computing and zero trust lower the bar significantly for organizations to operate more securely in today’s world. Cloud companies like Microsoft, Google, Salesforce, and ServiceNow now offer complete application platforms and take care of many of the security challenges that IT pros once needed to perform themselves 20 years ago.
The more things change, the more they stay the same
When I first saw this list 20 years ago, I pinned a printout of it to my cubicle wall because of how it resonated with me. Today, I look at it and admire the way it has stood the test of time and is in fact immutable.
What to read next