What is a maxim? It’s an expression of a general truth or principle, or a rule of conduct.
Disclaimer from the original text: "While these security maxims are not theorems or absolute truths, they are in my experience essentially valid 80-90% of the time in physical security and nuclear safeguards. They probably also have considerable applicability to cybersecurity. Note that some of these maxims are obviously hyperbole and/or tongue-in-cheek, but that does not necessarily make them untrue."
Interestingly, Dr Johnston wrote these maxims from a physical security perspective. I think they apply to the world of computer security quite well too.
Ignorance and the Dunning-Kruger effect:
- Big Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy.
- Troublemaker Maxim: The probability that a security professional has been marginalised by his or her organisation is proportional to his/her skill, creativity, knowledge, competence, and eagerness to provide effective security.
- Comment: It's often hard for people with deep technical knowledge to communicate the business risk associated with the identified weaknesses.
This is a nice bridge to the maxims named after Bruce Schneier and Richard Feynman:
- Feynman’s Maxim: An organisation will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.
- Comment: An entertaining example of this common phenomenon can be found in “Surely You’re Joking, Mr. Feynman!”, published by W.W. Norton, 1997. During the Manhattan Project, when physicist Richard Feynman pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerability dealt with (which would have been easy). Feynman broke into offices (undetected) and demonstrated how easy it was to get to files and folders stored in desks, which was as simple, in some cases, as removing the backside of drawers.
- Schneier’s Maxim #1 - Don’t Wet Your Pants: The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems.
- Schneier’s Maxim #2 - Control Freaks: Control will usually get confused with Security.
- Comment: Even when control doesn’t get confused with security, lots of people and organisations will use security as an excuse to grab control, e.g., the Patriot Act.
This boils down to where to position security:
- Band-aid (Bolt-on) Maxim: If a (security) device, system, or product isn’t designed from the beginning with security in mind, it will never be secure.
- Comment: Security is something you have to design in, not add on as an afterthought via a “band-aid” or “bolt-on” approach.
This applies outside of computer security as well. For example, the crumple zones of a car are intentionally designed to absorb the energy of a crash to limit the effects on the driver and passengers.
A simple and effective design is low-cost to implement, and a higher level of security is easier to realise with it.
This brings us to the following tandem of maxims, "Yippee" and "Arg":
- Yippee Maxim: There are effective, simple, and low-cost (or at least partial) counter-measures to most vulnerabilities.
- Arg Maxim: But users, manufacturers, managers, and bureaucrats will be reluctant to implement them for reasons of inertia, pride, bureaucracy, fear, wishful thinking, and/or cognitive dissonance.
- Comment: "But it's not enterprise-grade nor part of our 'security-suite' of products we use here".
It's all about focus and real risk, where assessing real risk means properly understanding the threats, the vulnerabilities and the impact on the organisation.
- That’s Cold Maxim: An adversary who attacks cold (without advance knowledge or preparation) is stupid and amateurish, often too much so to be a real threat. Moreover, he almost never has to attack cold.
- Comment: Thus, don’t overly focus on this kind of attack, or use it as an excuse not to fix vulnerabilities.
- Shannon’s (Kerckhoffs’) Maxim: The adversaries know and understand the security hardware, software, algorithms, and strategies being employed.
- Comment: This is one of the reasons why open source security (e.g., open source cryptography) makes sense.
- Corollary to Shannon’s Maxim: Thus, “Security by Obscurity”, i.e., security based on keeping long-term secrets, is not a good idea.
- Comment: Short-term secrets can create useful uncertainty for an adversary, such as temporary passwords and unpredictable schedules for guard rounds. But relying on long-term secrets is not smart. Ironically — and somewhat counter-intuitively — security is usually more effective when it is transparent. This allows for discussion, analysis, understanding, outside review, criticism, accountability, buy-in, and improvement.
If someone asks me how to get into the security industry, I say it boils down to perseverance, ingenuity, and most importantly curiosity. E.g. "Hack to learn, don't learn to hack."
Security can also be a high-stress environment. In order to survive, you'll also need a good sense of humour.
- A Priest, a Minister, and a Rabbi Maxim: People lacking imagination, scepticism, and a sense of humour should not work in the security field.
- Thinking Outside the Bun Maxim: Any security manager who cannot think of a new place to have lunch oversees a poor security program.
One must also be capable of critical thinking, since logical fallacies are lurking everywhere:
- Absence of Evidence as Evidence of Absence Maxim: The fact that any given unimaginative bureaucrat or security manager cannot immediately envision a viable attack scenario will be taken as proof that there are no vulnerabilities.
- I Question This Maxim Maxim: Scepticism about security (if not all-out cynicism) is almost always warranted. Moreover, it is a powerful tool for analysing or evaluating security.
- Backwards Maxim: Most people will assume everything is secure until provided strong evidence to the contrary — exactly backwards from a reasonable approach.
It's all about the people! Yes, but:
- Awareness Training: Most security awareness training turns employees against security and/or hypocritically represents the organisation as having a good security culture when it does not.
Most awareness programmes distribute a long list of don'ts, along with threats of what happens if you do, scaring people out of raising issues and asking critical questions. An approach I've seen work more effectively is gamification.
Replace the Hall of Shame with the Hall of Security Fame. See something phishy or witness a security incident? Make it known to the Security Officer and be in the running for the "good security intel of the week" trophy.
A final one:
- Cowboy Maxim: You can lead a jackass to security, but you can't make him think.
Enjoy the full (22 page) list here.