The Immutable Laws of Security

These are similar if not the same as Microsofts official "laws of security."

#2 is the one I agree with most.

#7 is probably the one that most interests me.

 

Number 7 is especially true, when you consider that every bit of technology that is created can be used for or against you.

 

I think it's more of the idea that there's not a program in the world that will protect every computer equally (or rather properly) on its own. You can not simply install a program and have it lock down all the right places just the right way.

Policies are tailored to situations. Software alone can not create strong policy - only generic policy.

 

Those "laws" apply to conventional default-permit security policies and the average user. I don't accept "laws" 2,3,4, and 5.
2, Nothing on this PC is done the "easy way." It's all default-deny.
3, I haven't installed a security fix in ages. Very few of my user apps are up to date.
4, I have no virus scanner. They're unnecessary.
5, Eternal vigilance? Not needed when default-deny handles that for me. My "vigilance" is limited to obeying the policies I've set and testing the occasional zero-day. Beyond that, I don't worry about it.

IMO, these are the real laws. The Six Dumbest Ideas in Computer Security. They've served me well for many years.

 

=p and that's the problem with default-deny. Easy is important. It brings security into the users hands.

I agree that 5 isn't necessary.
I agree that 3 isn't necessary - though to a lesser extent.

 

The Microsoft version 2.0 is here and in my sig

 

Oh and I definitely disagree with some of those "Dumbest" ones.

 

If you're one who is always changing or updating your system, yes, default-deny can be a pain. If your system is equipped the way you want it and does what you need, which mine is, then you want it to be the same day after day, month after month. For me, default-deny enforces an even more basic policy, anti-change. Altering this system requires administrative passwords and performing a lot of steps in a very specific sequence in order to prevent changes from automatically being undone by a reboot. Without the passwords, the worst anything could do is drop useless files on it, which will be detected. I don't want it to be easy to casually alter it, even for me. My needs are simple. I want secure, reliable, and consistent performance.

 

I meant that default-deny brings it into the users-hands. I was really unclear.

Your needs are your needs =p and your solution fits it. I would always argue that "easy" security is the best though whether other methods work on a per-user basis or not.