1. Security success is ruining the attacker ROI (return on investment)
Security can’t achieve an absolutely secure state, so deter attackers by disrupting and degrading their ability to realize a return on investment (ROI). Increase the attacker’s cost and decrease the attacker’s return for your most important assets.
2. Not keeping up is falling behind
Security is a continuous journey. You must keep moving forward because it will continually get cheaper for attackers to successfully take control of your assets. You must continually update your security patches, strategies, threat awareness, inventory, tooling, monitoring, permission models, platform coverage, and anything else that changes over time.
3. Productivity always wins
If security isn’t easy for users, they work around it to get their job done. Always make sure solutions are secure and usable.
4. Attackers don’t care
Attackers use any available method to get into your environment and access your assets, including networked printers, fish tank thermometers, cloud services, PCs, servers, Macs, or mobile devices. They influence or trick users, exploit configuration mistakes or insecure operational processes, or just ask for passwords in a phishing email. Your job is to understand and take away the easiest, cheapest, and most useful options, like anything that leads to administrative privileges across systems.
5. Ruthless prioritization is a survival skill
Nobody has enough time and resources to eliminate all risks to all resources. Always start with what is most important to the organization, most interesting to attackers, and continuously update this prioritization.
6. Cybersecurity is a team sport
Nobody can do it all, so always focus on the things that only you (or your organization) can do to protect the organization’s mission. For things that others can do better or cheaper, have them do it (security vendors, cloud providers, community).
7. Your network isn’t as trustworthy as you think it is
A security strategy that relies on passwords and trusts any intranet device is only marginally better than no security strategy at all. Attackers easily evade these defenses, so the trust level of each device, user, and application must be proven and validated continuously, starting from a baseline of zero trust.
8. Isolated networks aren’t automatically secure
While air-gapped networks can offer strong security when maintained correctly, successful examples are extremely rare because each node must be completely isolated from outside risk. If security is critical enough to place resources on an isolated network, you should invest in mitigations that address potential connectivity via methods such as USB media (e.g. required for patches), bridges to the intranet, and external devices (e.g. vendor laptops on a production line), as well as insider threats that could circumvent all technical controls.
9. Encryption alone isn’t a data protection solution
Encryption protects against out-of-band attacks (on network packets, files, storage, etc.), but data is only as secure as the decryption key (key strength plus protection from theft or copying) and the other authorized means of access.
10. Technology doesn’t solve people and process problems
Discover a world of possibilities
Welcome to a world of rapidly increasing security posture and of aligning security to business priorities. The journey is to guide organizations through an end-to-end security modernization, from the strategy and program level through architecture and technical planning, using Zero Trust principles. The only limit is the extent of your imagination. To navigate the intricate fabric of security, we provide best practices, references, and other guidance based on real-world lessons learned for:
Strategy and Program (CISO Workshop)
Architectures and Technical Plans
Security Capability Adoption Planning
Cloud Estate Evaluation
Strategic Planning for the advancement of cloud infrastructure.
Verify conformity with the aims and goals of the business.
Create cloud architectures that are safe, scalable, and resilient.
Offer best practices and architectural direction for cloud infrastructure.
Adopt and support best security practices within the cloud environment.
Ensure compliance with security standards and regulations.
We have learned you have to be both aspirational and practical on your journey to modernize security – you need a clear direction to work in and incremental steps to execute each day.
