Fundamental laws of information security

We all know about the fundamental laws of physics, discovered by Newton and Galileo. Probably at least a little from the school desks heard about Euclid 's axioms . Who decided to at least get closer to the position of homo universalis , (although in our XXI century it is very difficult) probably heard something about the laws of Danilevsky , Toynbee and / or Samuel Huntington ...

And what about Information Security? Do we, IB security workers, have their own fundamental laws? Yes there is! And in this article we will talk about them.

I must say that many readers will comment; because many laws were known long before I heard them from certain individuals ... Well, in this case, I refer to the Stigler's Law : "No scientific discovery is called after its original discoverer" .

Indyukov's law

The more time has passed since the last serious security incident, the greater the likelihood of hacking the system.

I first heard this law from one system administrator of a very large bank ...
That incident went through, they stole XX million rubles, they gave everyone their ass, they changed the passwords, ordered cool IB systems (in all spheres! On all fronts! ...). Calm down ...
Time passes, people relax ... And again 50-year-old aunts put 12345 password on the system or write it on paper and attach it to the monitor in orbit ... Again, many servers are clumsily set up on the network ... what kind of coffee the CEO drank ... And again ... And again ... And again ... Until something serious happened again ...

From the side it seems to be nonsense, but these are the realities of many, many large organizations, with a prevailing bureaucratic component . People relax. People in large bureaucratic offices behave like little boys, who in March are walking with their heads bare and without a scarf.
Boys catch a cold, snot and lie down with the flu or cold. Having recovered, they put on scarves and hats, but a year later everything repeats again.

I do not know how to defend myself from the Law of Indyukov . Have an opinion? - write in the comments.

Mitnick's Law

Even turned off the computer can be hacked

This is a famous quote from the book of Kevin Mitnik. The Art of Deception .
Do not think that you are protected. Always, even in the "obvious way of 100% protection" you can find a flaw.
Shut down the computer can be turned on. Hands Physically clicking on power. However, in order to hack it , you can not turn it on, you can just steal it, or steal a part of the computer (hard disk).

Sklyarov's law

If the cost of hacking object A is greater than the benefits of hacking object A, then the object will not be hacked

I heard the law from the Positive Technologes employee, Dmitry Sklyarov. The law is trivial and obvious, but ... looking at some, we will not point the finger at individuals who make strategic decisions in certain companies, I understand that Sklyarov's law is not known to everyone. Or it is severely ignored. They protect a hundred rubles, setting up an expensive safe ... Or, on the contrary, really interesting and valuable information is not protected at all.

Business must weigh the risks . Understand the value of this or that protected information and create (or buy) information security systems that provide potential hackers with more than a possible potential benefit for hacking.

The law has nuances:

1. The cost of hacking can fall sharply (for example, a new vulnerability has appeared or you have implemented an insider in the company's staff)
2. You can estimate the cost of hacking and / or the cost of profit inadequately .
3. Not everything can be measured in money and hackers are not always guided by monetary motives.

Law Bateniova

Having spoken about Sklyarov's law, we turn to the law formulated by Alexander Batenyov ( Group-IB ).

Suppose the conditions are true

1. There are various publicly known objects: A and B
2. The cost of hacking A is more than the cost of hacking B
3. The benefits of hacking A less from hacking B
   Law Batenova:
   Object A will not be hacked until Object B is hacked.

The law seems incredibly obvious (in principle, the way it is!) However, many and many business representatives are absolutely convinced that if they are not touched, they are therefore protected. Ahhh !!! This is not true!!! For example, if the RB of your bank is not cracked by hackers, then this only means that Sberbank and VTB, as well as smaller, but “advanced” banks, have not yet fully resolved all their security problems. They are just "tastier" than you! It's like a joke about the Elusive Joe . When you need someone, you may be hacked easily and quickly. Business, and business, do you need this?

It is the Law of Bateniov "protects" various infrastructures . Hackers simply can not benefit from hacking nuclear power plants, Shinkansen , and candle factories ...

This law was Alexander's answer to my question about the relevance of steganography . In his opinion, steganography is “of course cool,” but there are much simpler ways to achieve the same results ... But when “the world grows wiser ,” then “steganography and stegoanalyst will become extremely relevant . ” Well, then you can not argue. Apparently the way it is. It’s not time for my favorite steganography ... Eh ...

Dijkstra's Law

The deeper the stack of protocols (technologies used), the more vulnerable the system

In other words, the more complex and confusing the system, the easier it is to hack it.

Initially, Edsger Vibe Dijkstra formulated his law in relation to understanding the system as a whole,
bearing in mind that the times will come soon enough when the programmer will not understand all the details
the processes occurring in computing ... In principle, the way it turned out. Why are there details
unfortunately, and in general, not all programmers know how a computer works: (...

This is sad. Loss of control over the integrity of perception of reality makes many and many elements of a really large system look like black boxes or, at best, like very gray boxes. Even if the functionality of each mailbox is known to one or another developer and each of them can guarantee (I wonder what?) The safety of "one's own beds" , this does not mean at all that the system consisting of safe elements is itself safe. The whole is not the sum of its parts.

Dijkstra's law is not just an inevitable evil. This law forces us to change the paradigm of our attitude to information security. Without hesitation, we, the security guards, simply "stole" the paradigm from the military and tried to build strict systems that are completely, completely protected. Even in the mathematical sense, they tried to invent something stern ... Well, remember the Bella-Lapadule model , the Beeba model , the Clark-Wilson model , the Harrison-Ruzzo-Ulman model, and so on. In the framework of this classic paradigm, if a user is broken, then this is not a problem of IB systems, this is a problem of curved personnel, unreliable passwords and social engineering! ..

But the world is changing and the systems become very large. They begin to live their own lives. You can imagine an organization with more than 1500 different DBMSs on the internal network! Can you imagine THIS!? .. That's how you can manage all this and be confident in security?! ..

What to do? I think the only way out is to switch from passive to active systems. Those. work "ahead of the curve". The modern criminal cyber world no longer consists of ingenious lone hackers. This is a whole system. Need to study and explore this system. I do not urge to abandon the "classic" antivirus solutions, DLP, tokens, SFTP, etc. Not! I simply urge to declare these measures insufficient by virtue of the Dijkstra Act .

As well as the fight against terrorism is not only checking bags at airports and train stations, but also in the work of special services; likewise, in the world of information security, active actions need to be launched not only when the information security incident has already occurred. It is necessary to work regularly and systematically in this direction, creating active "solutions" in information security.

Ashmanov-Masalovich law

The man is also subject to hacking. Perhaps it is the person who needs to be protected first.

After hearing the wonderful lectures of Igor Ashmanov and Andrei Masalovich, I could not write about this fundamental law. Who has not yet seen “ Big data in social networks: special NSA surveillance is not required for you ” and “ Life after Snowden. Modern Internet intelligence tools ” - urgently eliminate gaps.

Initially, it all grew out of the information wars . Honestly, there was a great temptation to cheat anything out of politics ... But ... the habr rules forbid it. Therefore, I will give an example from the business field:

In December 2014, Sberbank of Russia experienced an unprecedented attack on its customers. They got hundreds
thousands of SMS with a warning that Visa cards issued by Sberbank will no longer be serviced. There were also stuffing in social networks: it was said that Sberbank faced liquidity problems and was unable to issue money. Clients, instantly oriented, ran to withdraw their deposits. About 300 billion rubles. - this was the price of a well-planned information attack, the traces of which, according to representatives of the Bank of Russia, led to Ukrainian Internet resources. And again, the business remembered the security post factum, having started an investigation into the incident.
Alexey Lukatsky . IB for business: How to sell stealth

In general, any social engineering is a consequence of the Ashmanov-Masalovich Law .

Berezina law

Until the thunder clap, business will not give money to the IB

The law is known to all. And constantly talking about it. And no one can do anything. Well, do not want a business to spend money on IB. And all because the IB does not bring profit and it is very mysteriously and incomprehensibly reduces costs. But if you dig a hole not with a spoon but with a shovel, then everything is clear! We buy a shovel, throw out spoons! And with information security is not clear. Berezin believes that it will be forever . Personally, I completely agree with him. And you?

Since this article is the first thing that jumped out of my search engine, and then we will call this law in honor of A. Berezin.

Simon Singh's Law of Systematic Historical Injustice

Everything in information security is invented at least twice: once the results are published in closed sources, the second time in open sources

You know that RSA was not invented by Rivest, Shamir and Adleman; and the Diffie-Hellman algorithm was invented before Diffie and Hellman? Just before the advent of open work, these tasks were solved by the mathematicians of the leading special services and their work was classified ... You know that Alan Turing did not invent Colossus, and the famous film is a fake . In fact, Marian Rejewski , Jerzy Rozhytsky and Heinrich Zygalsky invented the first computing computer in 1938 ... Later, these brilliant Polish inventors were transferred to Great Britain, where, to put it in modern terms, under the management of Turing, they finished their solution and created Colossus.

Here is such a historical injustice. In principle, there is nothing surprising in this, because information security is a very sensitive topic! .. The discrete logarithm problem may have already been solved, or somewhere (of course deep underground, so that no one can see) the quantum computer created by someone already considers his puzzles. ..

Conclusion

Every joke has some truth.

All those who took everything written too seriously - congratulations on the holiday ! But you must admit that although many thoughts are obvious and banal, and sometimes they are just ridiculous ... but on the whole are fair . And, unfortunately, it is still incredibly relevant!

Perhaps these "laws" will always be relevant and the truth. In this case, why not declare them fundamental? I'm serious! At the end of this post submitted a question to the "referendum";) Be sure to vote.

And what laws do you know? Feel free to write in comments!

_{^{Let's make the text better together! If you found a typo - write in a personal.}}