Since the first of the month, I’ve heard colleagues and others report each of the 10 security variants of Murphy’s Law listed below. Murphy is not only alive but has been reincarnated.
It’s worth reminding the gentle reader of various famous last words:
1. All documents will be out of date or simply missing
Documents will not be maintained. Documents will have pages missing. And authors shall be unavailable for any reason (deployed to Mt. Everest is preferred). No documents shall be in an understandable language, be edited, collated, or have referring URLs that do not 404, 401 or 5XX. Any good documentation shall be the only copy on a laptop that was stolen whilst unencrypted.
2. All backdoors shall be hard-coded in firmware comments
From the days of early EEPROMs, passwords, security certificates and unerring log-on instructions shall be in plaintext (no hex editors needed, please), along with very specific instructions on how to enter the device in question through the backdoor.
3. When in doubt, use open DNS
DNS should always be open and allow easy modification by all parties. And it should be as misconfigured as circumstances allow. Embedded SIP trunks should reveal as much directory service information as can be assembled, then be duplicated wherever possible to make VoIP configurations and VoIP APIs open to the entire world.
4. Use as few certificates as possible
In fact, one well-used certificate is enough, because they never wear out. They should be simple, perhaps 512 bytes long, and never use that tawdry hexadecimal stuff. Nursery school poems like Mary Had A Little Lamb and Shakespearean quotes (Alas, poor Yorick….) shall be all shared secrets and never be hashed or salted. (Sriracha sauce is fine, however.)
5. Scrambled ports are for sissies
Having to remember altered port numbers is for the birds and is never documented (see #1). So, always leave ssh, smtp, https, cifs and all listener ports where they’re supposed to be so that nmap can find them easily and Kali Linux can find them without probe failures. After all, life is short. Why not be found?
6. No network DMZs
Did you not eat your Wheaties this morning? We don’t need no stinking DMZs because firewalls and APIs are immortal and impenetrable, like Marvel’s Luke Cage. No milquetoast DMZs are necessary. Bring it on, baby.
7. Keep calm, and eschew directory services segmentation
Directory services schema segmentation is dangerous. Federated trusts are complicated. Flat is better and easier to maintain.
8. Wholesome certificate management is for dummies
Key repositories? You mean Excel can’t do that?
9. Intradepartmental liaison breeds contempt
Network security heads know beans about Rails, JSP and Chef. Coders should hang with coders, gamers should hang with coders, network ops should stay the hell away, and CISO stands for Chief Information Stupid Octopus (other words can be substituted for “Stupid”). Keeping departments rigorously walled is the key to interdepartmental harmony and bliss, including such things as rational pay raises for equal-effort problems.
10. Small systems breaches don’t need to be reported
Only the big breaches need to be reported. Or maybe only the ones with data exfiltration need to be reported—and only to those in “the need to know”—and always through back channels only. The rule of Inclined Planes, Circular Feces, and Gravitational Point Sources applies here: Stuff rolls downhill, never up.