The 7 Greatest Ideas in Security

It is easy to criticize; in fact, many have built their entire careers on the foundation of “Monday morning quarterbacking”. Not only is it human nature to look for improvements at the expense of old ideas, but it is also far more humorous to point out what is wrong than to espouse the virtues of what works.

I recently posited what I believed to be the “11 Worst Ideas in Security” (here), but to every yin a yang, to every bad a good, to every Joker a Dark Knight. For the purpose of finding balance, I give to you the 7 Greatest Ideas in Information Security…

7. Microsoft and Security as part of the SDL (Lord Vader finds your lack of faith disturbing)

The greatest flaw in information security is that we try to build security on top of a fundamentally weak foundation. Whether we are talking about the core routing infrastructure, the open standards and protocols that drive it, or the operating systems themselves, the majority of the information security industry is squarely aimed at resolving issues of past incompetence. Nowhere has this been more apparent than in the decade-plus of vulnerabilities found in Microsoft products. Crappiness exists in other products and is not an attribute solely patented by Microsoft; they just happen to power everything from my Mom’s computer to the Death Star, so when they fail it is almost always epic.

The Microsoft SDL (here) and the work that folks like Michael Howard (here) have done to make security a critical aspect of the SDL is not only admirable, it is inspiring. To have witnessed a company the size of Microsoft essentially redesign its internal processes to address what was seen as a fundamental deficiency, and then continue to develop these process changes into thought leadership, sets an example for all of us, small business and world-dominating enterprise alike. Implementing security as part of the SDL, and utilizing concepts such as threat modeling to identify weaknesses and eradicate them before releasing code to the public, is arguably one of the greatest ideas in security.

6. The Principle of Least Privilege (Not all of us can know Zarathustra)

Since Saltzer and Schroeder formulated the concept as part of computing, we have been striving to achieve it. It is neither new nor novel, but it is critical to how we design computing systems and how we develop and implement security controls. It contradicts our own Nietzschean side: we feel that constraints and rules are important for the common man but shouldn’t apply to us personally. Yet nothing should be afforded more privilege than it needs, and this is one of the “laws of security”.

5. Segmentation (Your Mendelian trait is in my algorithmic reasoning)

Segmentation of duties, of networks, of memory, of code execution, of anything and everything that should never mix. Combine a lack of segmentation with a failure to implement the principle of least privilege and you turn a simple browser-based buffer overflow into a highly damaging payload that can easily replicate throughout the Internets. For us to truly realize improvements in security, as defined by fewer successful security incidents – real and imagined – and marked by an increase in visibility and control over all of our computing systems, segmentation of everything is an ideal to strive for.

4. Inspect what You Expect (Question everything)

Also known as “trust but verify”, as used by the Gipper in his dealings with the Russians during the Cold War. Trust is important, but it is even more important to validate that trust. One of the most significant changes every software developer can make today, whether they are developing COTS or internal applications, is to allow security personnel to inspect that the application is functioning, being accessed, and being managed according to the controls that the organization expects. From networking to applications to users to virtualization to quantum anything, this principle must extend across every layer and concept of computing today and tomorrow.

3. Independent Security Research (So, I’ve been playing with something…no not that)

The ridiculous vulnerability disclosure debate aside, independent security research has been of significant benefit to the security industry. The best example is the recent DNS vulnerability that has been discussed, dissected, and covered ad nauseam. Since its disclosure it has not only provided more awareness of the fundamental flaws in core infrastructure protocols like DNS and assisted in the implementation of countermeasures, but it has actually driven government policy, as the OMB (Office of Management and Budget) has recently mandated the use of DNSSEC for all government agencies (here) – Sweet!

2. Cryptography and Cryptanalysis (From Bletchley with Love)

From the Greek historian Polybios to the German surrender in May of 1945 to ECHELON, cryptography and cryptanalysis have played a major role in our lives. They have shaped the outcome of wars and changed foreign and domestic policy. Cryptography is becoming the cornerstone of the highly distributed, intermittently connected world of technical gadgetry we live in, and can make the difference between coverage on the front page of the Wall St. Journal and a brief mention in a disgruntled employee’s blog. Although I wouldn’t argue that encryption as a technology is without flaw, the theory and practice of hiding information, and its dance partner code breaking, continue to drive some of the greatest advances in information security.

1. Planning, Preparation, and Expectation Setting (Caution: Water on Road, may make road slippery)

Yes, a bit of a yawner, but since the beginning of forever, more failures, more disastrous outcomes and more security incidents have resulted from a lack of proper planning, preparation and expectation setting than from all the exploits of all the hackers of all the world combined. As an analyst it became shockingly clear to me that the majority of failed technology deployments were not the result of a failure in the technology, but the result of poor planning, a lack of preparation and little to no expectation setting; the entire “trough of disillusionment” is riddled with the waste of mismatched technological expectations. The greatest idea in security is not sexy, funny, or terribly enlightened, but it is simple, achievable, repeatable and can be implemented today – plan, prepare and set the proper expectations.

Some may argue that something has been forgotten or that the order is wrong, but I would argue that we must learn to develop securely, implement the proper security controls, verify the functioning of those controls, leverage the research of the greater community, ensure that what cannot be protected is hidden, and from beginning to end properly plan, prepare, and set the right expectations. These are the greatest ideas in security, and if we learn to embody these principles we will be moving the industry forward, as opposed to constantly feeling like we can only clean up the incompetence that surrounds us.

7 thoughts on “The 7 Greatest Ideas in Security”

  1. Pingback: Emergent Chaos

  2. Pingback: Google Chrome Takes Aim at the Microsoft OS « Amrit Williams Blog

  3. No, the best outcome for Independent Security Research was 10 years ago people picking on Microsoft leading to 5 years ago Microsoft implementing the SDL leading to improvements today in Vista and Server 2008.

  4. @Ryan Russell

    Well, as much as I hate to disagree with you, that is like comparing the effects of wind erosion on a mountain vs. using dynamite. As you pointed out, it took almost a decade of constant and sustained pressure to move Microsoft to change, and in the end I do not believe that they changed because it was the right thing to do; they changed to address market pressures, many of which were not coming from security researchers themselves but from their current and future install base – in effect, economic pressure forced Microsoft to change over the course of a decade = wind erosion

    In the case of DNS and the OMB mandate for using DNSSEC, this was a clear response to security research and a desire to address security concerns = dynamite

  5. I’d be tempted to add risk as a great security idea. It is a unique tool that allows a common language between ‘security’ and ‘the core business’. The risk Rosetta stone is a key bridge between different security disciplines and those with a business (or project) centric mindset. Although it can be dangerous to put absolute values (financial and probability) on less tangible assets with a level of immaturity, it is an illuminating notion/process, quantitatively or qualitatively applied. Risk helps to make security part of the ‘business’ process, not just a remediation.

  6. @Ben,

    I am not sure that risk is a tool. I think it is more a state or condition.
    I understand what you are getting at, though, but I think that the language of business is about relative trust relationships (I trust Jill, but I don’t trust Jack). Risk seems to be implied in those statements. Alex Hutton says risk is a metric for trust. I say you can operate on the basis of relative trust without having to guesstimate probable figures to make your business rules; the trick is to make your business rules in the language of business also.

  7. @Rob

    I do think risk (and its analysis) is a tool, or at least a perspective, as well as a state/condition. It is part of the narrative model within people’s heads (albeit applied somewhat inconsistently) – part of the filters for our understanding. It has as much to do with human desire and intention as actors as with the inherent properties of systems. Maybe I’m being too woolly, or too naïve, but I do think it is part of people’s response mechanisms, and will affect the resultant decisions that they make (with or without attendant expensive calculations).

    I’m not long enough in the tooth to fully appreciate the semantics of business language (save to say that the word ‘synergies’ leaves me stone cold and Lucy Kellaway makes me laugh – http://podcast.ft.com/media/452.mp3) – though it is something I’m working on. I agree business is fundamentally about relationships (relative and absolute) and would add that it is primarily concerned with the capacity of those relationships to make money within the context of other relationships also making money (to paraphrase Mr Schweitzer). Trust is part of the currency of relationships (although not the only constituent – power, relative autonomy, commonality of understanding etc all play a part) and if the relationship has a value then that trust (by implication) has a value. Risk is equally applicable to trust as it is to anything where loss has an impact and/or gain has a value.

    Perhaps the proximity of the two lexicons brings its own dangers. I recall the story (the source unfortunately long forgotten) of an international businessman whose greatest risk of being misunderstood was between the British and the Americans – two nations divided by a common language (asking to see an English girl’s pants will result in a slap if said without irony, and asking to borrow an American’s rubber will not help to remove erroneous English pencil marks). But risk is the only real candidate I can see for getting the chthonian shroud removed between our esoteric disciplines and the wider fee-paying audience. As a ‘tool’ it can attract money by persuasively fostering a common understanding and, yes, increasing our understanding of what we trust.
