Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Ari Singer
Ari Singer
Connect Directly
E-Mail vvv

The 3 Cybersecurity Rules of Trust

Every day, keeping anything secure requires being smart about trust. The rules of trust will keep you and your data safer.

Do you trust me?

Why wouldn't you? I'm honest, have strong credentials in cybersecurity, and helped design security solutions for top technology companies and government entities.

But hold on — you don't know me from a hole in the ground. Am I fictitious? The advanced degrees in my office — are they real? My six patents — real or exaggerated? You have to trust your instincts on whether I'm trustworthy.

That's the central problem everyone faces in information security today. Casual hackers, organized crime, government-sponsored hackers, secret backdoors, malicious insiders, corrupt supply chains, and porous technological defenses all contribute to our predicament. You can listen to experts, hire security professionals, buy technologies from the right companies, and still lose the security battle. Bulletproof solutions would be prohibitively expensive, and standard off-the-shelf solutions may not keep you safe.

The Rules of Trust
You already make trust decisions based on a framework every day. You let hotel staff clean your suite but don't leave cash out on the dresser. You give your credit card to Amazon.com, but not to that dubious character selling designer-brand watches on the sidewalk. You invest in established mutual funds but not the get-rich-quick scheme that your friend's cousin swears is a sure 1,000% return on investment.

How do you make those decisions? Simple: You follow three Rules of Trust:

  • All things being equal, trust as little as possible.
  • Use evidence and experience to measure trustworthiness.
  • Trust proportionally to risk.

That's it. You're set. Easy, right?

You know better; trust is no precise science. Even if you follow the rules carefully, you'll get burned sometimes for being too trusting, or miss out on something for not trusting enough. Yet on the whole, following these three Rules of Trust will help you make better cybersecurity decisions.

Be Untrusting
Rule 1: "All things being equal, trust as little as possible."

In other words, allow attackers fewer ways to compromise you. Make life harder for them. Reduce your "attack surface."

Making data inaccessible is the best kind of security. If your secrets are not on — or passing through — your computer, bad guys probably can't get them. When feasible, keep super-sensitive stuff on paper or an external drive that is usually disconnected from your computers. Anything transmitted could be stolen before it arrives. When you send a private e-mail or post in a closed community assume it will be read by unintended parties. Our collective defenses are too weak to assume anything else. Despite your carefulness, many people and organizations (sadly) could get malware onto your computer, if they targeted you.

Measure Trustworthiness
No doubt you load all your favorite software on your computer, and 20+ apps on your smartphone, and access email on both devices, probably using public Wi-Fi. Fine. Being untrusting doesn't mean being a digital hermit. To be productive, we all sometimes need sensitive material on our devices — so we all must learn to gauge trustworthiness.

Rule 2: "Use evidence and experience to measure trustworthiness."

A few tips to measure risk levels:

  • More code = more risk: Programs with 10,000 lines of code could actually be reviewed by careful developers. Software with 10 million lines of code (sorry, Microsoft) is going to have a lot of bugs and create more risk.
  • More programs = more risk: Picking which permissions to grant your smartphone apps is complicated. Once you install more than a couple apps, risk balloons. It takes just one malicious app to compromise your system. One survey found companies average over 480 cloud and on-premises applications in use, and they're attacked 500 times per day.
  • Hardware tends to be safer than software: It's very expensive to change hardware, so hardware vendors work hard to make sure it's exactly right before it reaches you. Security hardware often provides isolation capabilities that block malware on your machine from accessing data.
  • Old technology and too-new technology may be vulnerable: Criminals eventually find ways around almost any security. You'll need to adopt new kinds of security over time, but don't always trust the salesperson, who may not know about vulnerabilities that haven't been fixed.
  • Doing homework helps: Are your hardware and software from reputable vendors? Do people trust their security? Your intuition is often an accurate guide, too.

Distrust and Verify
When you must trust, Rule 3 is important: 

Rule 3: "Distrust proportionally to the level of risk."

Your risk level is based on an attacker's cost and motivation to take what's yours — and on the value of your assets to you. If you treasure that data, and criminals want it, distrust much — and verify more. High risk? Then attacks are coming. Consider two-factor authentication, and remember your measure of trustworthiness; verify that you really trust the software and hardware you use.

The security you have today is probably sufficient, if your assets have low value to attackers — or if the attack costs more than the assets are worth. Most attackers seek profit, after all.

Every day, keeping anything secure requires being smart about trust. Stay alert, evaluate continually, and adjust security as things change. Your decisions about trust will factor into almost every choice you have. The rules of trust will keep you and your data safer. Trust me; I'm a security CTO. Maybe.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Ari Singer, CTO at TrustiPhi and long-time security architect with over 20 years in the trusted computing space, is former chair of the IEEE P1363 working group and acted as security editor/author of IEEE 802.15.3, IEEE 802.15.4, and EESS #1. He chaired the Trusted Computing ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...