10 old-school security principles that (still) rule

If you’re always scrambling to keep your IT infrastructure updated, you might think that newer is always better when it comes to security: new patches, new and more secure hardware, new crypto techniques, etc. But when it comes to fundamentals, some things are eternal. For instance, according to Jeff Williams, CTO and co-founder of Contrast Security, “The design principles from Saltzer and Schroeder’s 1975 article ‘The Protection of Information in Computer Systems‘ are still incredibly useful and often ignored.”

These principles are worth a re-read, but are somewhat abstract (e.g., “least privilege,” “economy of mechanism,” and so on). But we spoke to a host of IT security pros with years of experience in the field to find out what they considered timeless and practical tips for securing your systems. Because even though there are always new vulnerabilities out there, at the base level there’s very little new under the sun.

1. Lock it down (physically)

Before we had computers to protect, we had to guard our buildings and our physical objects -- and that reality hasn’t changed with the computer age. Mario DiMarcantonio, the owner of a Dallas IT consulting firm, recommends door locks, cable locks and cameras (with both local and cloud storage of recorded video).

Gary G. Smith, Business Development Manager at consulting firm Graycon IT, tells a story that illustrates the importance of this. “I had a client with a server that sat in the employee lunch area, and one day, all the workstations lost connection to their line of business application. One of the owners went to check on the server to see if there was an error message -- and found a man trying to carry the server out the door, but hindered because the server connected to the shelf by a security lock. This could have been avoided with a better process, but securing their server slowed a would-be-thief enough so they could chase him away without his loot.”

2. Patch your systems

Scott Petry, CEO and co-founder of remote browser maker Authentic8, calls installing patches “the most fundamental of all advice.  It’s hard to name a large-scale exploit that didn’t rely on an unpatched resource somewhere in the chain. IT is too slow to adopt patches, and the bad guys rely on that.” Brian Redbeard Harrington, chief architect at CoreOS, gives an example: “For every Meltdown or Spectre there are hundreds of flaws like CVE-2017-5638, the vulnerability Equifax ignored for over two months in Apache Struts.”

Morey Haber, vice president of technology at BeyondTrust, does offer one old-school caveat. “The recommendation to always stay on the ‘latest-previous’ version is still sage. The latest security updates may protect you from the vulnerability of the week but can also cause tons of pain, from incompatibility to performance issues. Allow the early adopters to vet out whether a patch or maintenance release is safe and only rush to apply the latest update if the threat is imminent.”

3. Vaccinate yourself

Antivirus tools are technology that might seem quaint at this point, but they still have an important role to play and don’t deserve much of their bad reputation, says Laurence Pitt,  global security strategy director at Juniper Networks. “The latest toolkits feed information back to the cloud, ensuring that the best protection is always available,” he explains. “If a new threat is discovered, you will be protected in near real-time. Do not disable advanced features.”

And don’t listen to complaints that “antivirus slows down my computer,” either. “Back in the 1990s this was often the case,” says Pitt, “as the software was not as efficient as it is now. But computers are so powerful today, and the software so well managed, that it will not affect performance by more than two percent, which is barely noticeable.”

4. Defend the perimeter

The current conventional wisdom is that your perimeter will be breached and constant defense in depth is necessary. That’s not wrong, but it doesn’t mean you should just neglect your firewall protection. “A properly configured stateful packet inspection firewall is a security control that has stood the test of time,” says Stephen Gates, chief research intelligence analyst for Zenedge. “But sound inbound and outbound firewall policies are often overlooked. Organizations unknowingly open inbound holes to assets that should never be exposed to the Internet, while at the same time leaving every outbound port wide open, thus allowing hackers to easily maintain backdoors into their networks. Close every inbound port that isn’t absolutely necessary, limit the number of outbound ports that are allowed, and continuously monitor sources and destinations that are passing through the firewalls.”

[ Related: Redefining perimeter network security: The future is a hybrid ]

5. Emails are sketchy

Warnings about viruses attached to spam or phishing links probably seem like old hat to you, but you still need to make sure users aren’t opening tempting .zips and .docs or clicking on fake password-reset links willy-nilly. The basic, timeless rule is “Don't open what you're not expecting!” says Adam Sbeta, cyber security analyst and senior team leader at managed IT services provider RCE IT Resource. “If you're not expecting your password to be locked out, or your email to run out of space, or your bank account to be locked out, then always assume it's fake. If you get an email from your bank to login, close that email and type in YourBanksWebSite.com and open your account there.”

And John Scott-Railton, senior researcher at The Citizen Lab, shares a catchphrase developed within the Tibetan Buddhist community he works with, who are often the target of advanced persistent threats: “Detach from attachments.”

6. Be careful which networks you trust

We live in a world awash in ubiquitous Wi-Fi, but that doesn’t mean that the old adages about being suspicious of networks you don’t control go out the window. Don’t just connect to random networks, and even if you’re on your local coffee shop’s in-house Wi-Fi, be careful. “Probably one of the oldest but true methods to keep data on your computer safe is to not take digital information off-site and onto less secure networks,” says Lindsey Havens, senior marketing manager at PhishLabs. “Try to restrict the amount of data you’re accessing through a public Wi-Fi network or unknown computer.”

7. Always back up everything

Making sure all your data is backed up is a best practice from the dawn of the computer age, but isn’t often thought of as relating to security per se. But it’s crucial to your security profile, says Dodi Glenn, VP of cyber security for PC Matic. “With the rise of ransomware, the question is no longer if you will be infected, but when, and regular backups can save you from having to pay a ransom. We were using tape drives decades ago to back up data, and the only change now is that we can use hard drives, or host it in the cloud.”

8. Check your users’ privilege

Ignacio Martinez, VP of risk and compliance at cloud collaboration software provider Smartsheet, says the concept of least privilege, discussed in the Saltzer and Schroeder paper we mentioned earlier, is a crucial one. “Reducing risk by limiting the access and limiting data accessed in a security breach works hand in hand with prevention and detection,” he says. “Least privilege means the privileges given to both individuals and systems are the minimum required to perform assigned job functions. If an organization has eliminated unnecessary access rights, it reduces subsequent expansion of a breach in the event of a compromise.”

9. Know what you’re protecting

Chet Wisniewski, Principal Research Scientist at Sophos, lays out a fundamental security law: “You can’t protect what you don’t know you have.” As he explains, “Nearly every breach from the ’90s until today involves data that wasn’t protected because no one knew it was where it was. This can be due to mergers and acquisitions or carelessness, but it is always true that data or devices that aren’t well managed will fall into the wrong hands.”

“Several times in my career the company I worked for acquired a smaller company for some bit of technology or another and that was always the focus of the ‘due diligence’ that was done before the purchase,” he continues. “Only afterwards when IT rolled in to do an audit of what was there were the lax data management policies discovered, including e-commerce servers with unencrypted credit card information.”

10. The more things change…

Mark Twain once said, “History doesn’t repeat but it does rhyme.” And just so, many new technologies end up recreating the security foibles of the old. David Dingwall, VP of Fox Technologies, explains that modern container-based wrappers for applications operate on many of the same principles pioneered by multiprocessor UNIX systems running on minicomputers in the ’80s. Back then, he says, “admin and audit staff clearly understood that host server operating systems with uptimes of months were a great attack surface, and would be an easy route into the hosted banking applications. It is not clear that current operations staff completely get that message.” It never hurts to check the wisdom of the past when contemplating security’s future.