Do you trust me?
Why wouldn't you? I'm honest, have strong credentials in cybersecurity, and helped design security solutions for top technology companies and government entities.
But hold on — you don't know me from a hole in the ground. Am I fictitious? The advanced degrees in my office — are they real? My six patents — real or exaggerated? You have to trust your instincts on whether I'm trustworthy.
That's the central problem everyone faces in information security today. Casual hackers, organized crime, government-sponsored hackers, secret backdoors, malicious insiders, corrupt supply chains, and porous technological defenses all contribute to our predicament. You can listen to experts, hire security professionals, buy technologies from the right companies, and still lose the security battle. Bulletproof solutions would be prohibitively expensive, and standard off-the-shelf solutions may not keep you safe.
The Rules of Trust
You already make trust decisions based on a framework every day. You let hotel staff clean your suite but don't leave cash out on the dresser. You give your credit card to Amazon.com, but not to that dubious character selling designer-brand watches on the sidewalk. You invest in established mutual funds but not the get-rich-quick scheme that your friend's cousin swears is a sure 1,000% return on investment.
How do you make those decisions? Simple: You follow three Rules of Trust:
- All things being equal, trust as little as possible.
- Use evidence and experience to measure trustworthiness.
- Trust proportionally to risk.
That's it. You're set. Easy, right?
You know better; trust is no precise science. Even if you follow the rules carefully, you'll get burned sometimes for being too trusting, or miss out on something for not trusting enough. Yet on the whole, following these three Rules of Trust will help you make better cybersecurity decisions.
Rule 1: "All things being equal, trust as little as possible."
In other words, allow attackers fewer ways to compromise you. Make life harder for them. Reduce your "attack surface."
Making data inaccessible is the best kind of security. If your secrets are not on — or passing through — your computer, bad guys probably can't get them. When feasible, keep super-sensitive stuff on paper or an external drive that is usually disconnected from your computers. Anything transmitted could be stolen before it arrives. When you send a private e-mail or post in a closed community assume it will be read by unintended parties. Our collective defenses are too weak to assume anything else. Despite your carefulness, many people and organizations (sadly) could get malware onto your computer, if they targeted you.
No doubt you load all your favorite software on your computer, and 20+ apps on your smartphone, and access email on both devices, probably using public Wi-Fi. Fine. Being untrusting doesn't mean being a digital hermit. To be productive, we all sometimes need sensitive material on our devices — so we all must learn to gauge trustworthiness.
Rule 2: "Use evidence and experience to measure trustworthiness."
A few tips to measure risk levels:
- More code = more risk: Programs with 10,000 lines of code could actually be reviewed by careful developers. Software with 10 million lines of code (sorry, Microsoft) is going to have a lot of bugs and create more risk.
- More programs = more risk: Picking which permissions to grant your smartphone apps is complicated. Once you install more than a couple apps, risk balloons. It takes just one malicious app to compromise your system. One survey found companies average over 480 cloud and on-premises applications in use, and they're attacked 500 times per day.
- Hardware tends to be safer than software: It's very expensive to change hardware, so hardware vendors work hard to make sure it's exactly right before it reaches you. Security hardware often provides isolation capabilities that block malware on your machine from accessing data.
- Old technology and too-new technology may be vulnerable: Criminals eventually find ways around almost any security. You'll need to adopt new kinds of security over time, but don't always trust the salesperson, who may not know about vulnerabilities that haven't been fixed.
- Doing homework helps: Are your hardware and software from reputable vendors? Do people trust their security? Your intuition is often an accurate guide, too.
Distrust and Verify
When you must trust, Rule 3 is important:
Rule 3: "Distrust proportionally to the level of risk."
Your risk level is based on an attacker's cost and motivation to take what's yours — and on the value of your assets to you. If you treasure that data, and criminals want it, distrust much — and verify more. High risk? Then attacks are coming. Consider two-factor authentication, and remember your measure of trustworthiness; verify that you really trust the software and hardware you use.
The security you have today is probably sufficient, if your assets have low value to attackers — or if the attack costs more than the assets are worth. Most attackers seek profit, after all.
Every day, keeping anything secure requires being smart about trust. Stay alert, evaluate continually, and adjust security as things change. Your decisions about trust will factor into almost every choice you have. The rules of trust will keep you and your data safer. Trust me; I'm a security CTO. Maybe.
- Effective Pen Tests Follow These 7 Steps
- Establishing True Trust in a Zero-Trust World
- Trust the Stack, Not the People
- Security Doesn't Trust IT – and IT Doesn't Trust Security
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.