Do you trust me?
Why wouldn't you? I'm honest, have strong credentials in cybersecurity, and helped design security solutions for top technology companies and government entities.
But hold on — you don't know me from a hole in the ground. Am I fictitious? The advanced degrees in my office — are they real? My six patents — real or exaggerated? You have to trust your instincts on whether I'm trustworthy.
That's the central problem everyone faces in information security today. Casual hackers, organized crime, government-sponsored hackers, secret backdoors, malicious insiders, corrupt supply chains, and porous technological defenses all contribute to our predicament. You can listen to experts, hire security professionals, buy technologies from the right companies, and still lose the security battle. Bulletproof solutions would be prohibitively expensive, and standard off-the-shelf solutions may not keep you safe.
The Rules of Trust
You already make trust decisions based on a framework every day. You let hotel staff clean your suite but don't leave cash out on the dresser. You give your credit card to Amazon.com, but not to that dubious character selling designer-brand watches on the sidewalk. You invest in established mutual funds but not the get-rich-quick scheme that your friend's cousin swears is a sure 1,000% return on investment.
How do you make those decisions? Simple: You follow three Rules of Trust:
That's it. You're set. Easy, right?
You know better; trust is no precise science. Even if you follow the rules carefully, you'll get burned sometimes for being too trusting, or miss out on something for not trusting enough. Yet on the whole, following these three Rules of Trust will help you make better cybersecurity decisions.
Rule 1: "All things being equal, trust as little as possible."
In other words, allow attackers fewer ways to compromise you. Make life harder for them. Reduce your "attack surface."
Making data inaccessible is the best kind of security. If your secrets are not on — or passing through — your computer, bad guys probably can't get them. When feasible, keep super-sensitive stuff on paper or an external drive that is usually disconnected from your computers. Anything transmitted could be stolen before it arrives. When you send a private e-mail or post in a closed community assume it will be read by unintended parties. Our collective defenses are too weak to assume anything else. Despite your carefulness, many people and organizations (sadly) could get malware onto your computer, if they targeted you.
No doubt you load all your favorite software on your computer, and 20+ apps on your smartphone, and access email on both devices, probably using public Wi-Fi. Fine. Being untrusting doesn't mean being a digital hermit. To be productive, we all sometimes need sensitive material on our devices — so we all must learn to gauge trustworthiness.
Rule 2: "Use evidence and experience to measure trustworthiness."
A few tips to measure risk levels:
Distrust and Verify
When you must trust, Rule 3 is important:
Rule 3: "Distrust proportionally to the level of risk."
Your risk level is based on an attacker's cost and motivation to take what's yours — and on the value of your assets to you. If you treasure that data, and criminals want it, distrust much — and verify more. High risk? Then attacks are coming. Consider two-factor authentication, and remember your measure of trustworthiness; verify that you really trust the software and hardware you use.
The security you have today is probably sufficient, if your assets have low value to attackers — or if the attack costs more than the assets are worth. Most attackers seek profit, after all.
Every day, keeping anything secure requires being smart about trust. Stay alert, evaluate continually, and adjust security as things change. Your decisions about trust will factor into almost every choice you have. The rules of trust will keep you and your data safer. Trust me; I'm a security CTO. Maybe.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.